Version 2.51
Copyright © Prim'X Technologies 2003, 2004, 2005, 2006.
All reproduction, even partial, of this document is strictly prohibited without the prior written approval of Prim'X Technologies or one of its legal representatives. Any request for publication, in any form whatsoever, must be accompanied by an example of the planned publication. Prim'X Technologies hereby reserves the right to reject any proposal, without providing justification.
All rights reserved. Use of the ZoneCentral software is subject to the terms and conditions of the license agreement undertaken with the user or their legal representative.
ZoneCentral is a registered trademark of Prim'X Technologies.
Head Office: 10 Place Charles Béraudier 69428 Lyon Cedex 03 France - Phone: +33 (0)4.26.68.70.02 -
Fax:+33 (0)4.26.68.70.04
Sales office: 42 Avenue Montaigne 75008 Paris France - Phone: +33 (0)1.72.74.11.59 - contact@primx.fr
ZoneCentral - User Guide - GZC251Rev3 - © Prim'X Technologies 2003, 2004, 2005, 2006. 1
Ungrouping a subfolder from an encrypted zone to make it into an independent zone (page 18)
Preview of ZoneCentral administration tools (page 26)
This User and Operating Guide is intended to guide the first steps of user/administrators, by providing the following:
Preview of general features
Simple, standardized instructions for quickly learning basic operations
"Key points" required in the software’s use and administration.
In the case of corporate deployments, this Guide is not really intended for the users themselves, as it will not be suited to the defined context and cases.
For an in-depth assessment of the product, or to define a deployment and use policy, you are strongly recommended to refer to the ZoneCentral Technical Manual, which can be downloaded separately from the www.primx.fr site. This manual provides a detailed description of the zone, access and access file concepts, together with administration procedures, security strategies, etc.
ZoneCentral is a security product for computers running under Windows 2000 and Windows XP. Its role is to preserve the confidentiality of documents handled by the users, on standalone computers, laptops, or workstations connected to a corporate network.
It can manage encrypted storage of the files without modifying their characteristics
(location, name, date and size), in the most transparent way possible for the users. The files are encrypted ' in place ' (where they are located) and ' on the fly ' (without special handling by the user).
To simplify the management of the encrypted files, ZoneCentral is based on the zone principle: an encrypted zone is a volume or a folder, including all it contains (files and subfolders), in which every existing or future file is kept encrypted, with no unencrypted copy existing at any time.
The set of encrypted zones defines a secured area for the users; this can include their 'Windows user profile' (with their 'My Documents' folder, their 'Desktop', their Web browser cache, temporary files, etc.), their usual workspace (the place where they usually manage their files), the network shares they access (file servers), or the USB memory sticks they use.
For every encrypted zone, a number of accesses can be defined: the access of the main user, a work colleague or possibly a department manager, the access reserved for the Security Officer, the corporate SOS access (recovery), etc. These accesses can be defined as required, but the product includes administrative functions and mechanisms for enforcing certain accesses or access types.
An access corresponds to an access key (cryptographic key) that a user owns. This key may be a password, or an RSA key stored in a key holder (key file, smart card, etc.).
To ensure enhanced security, ZoneCentral also encrypts the computer's virtual memory swap file (the swap), which can contain residual information (portions of memory from the applications used).
It also integrates an automatic, transparent secured deletion (wiping) service: every file (encrypted or unencrypted) deleted on a local disk is automatically wiped (its content is rewritten with 'noise') before it is actually deleted. This also applies to the temporary files created by applications.
ZoneCentral also integrates a product called Zed!, which enables users to create encrypted containers into which they copy files, and which they can send to recipients or archive. The user can define the accesses to these containers themselves, to incorporate a password which they have agreed with a recipient, for example.
You must have "administrator" rights on the computer in order to install the product.
To install the product, run the "Setup ZoneCentral" installation program that you have been supplied. This installation is standard and quick, and the default options are suitable in most cases.
The installation is used to install the 'user' part of the product and the administration tools (this option is not selected by default, except in the evaluation version).
When the installation is complete, the computer must be restarted.
Notes:
The centralized installation option (Setup /A) is compatible with the remote installation software on the market (Microsoft Installer 2x and higher), and the installation can be configured to be "quiet", when the computer is started or the session is opened;
The product's 'policies' can be personalized and masterized for installation with the software.
After it has been installed and the computer has been restarted, ZoneCentral is already active on the computer:
The system swap file is encrypted (and kept encrypted);
All files deleted on local disks are automatically erased (their content is wiped) before they are actually deleted. When a file is not deleted but its size is reduced, ZoneCentral likewise wipes the space that the file no longer occupies.
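The two wiping behaviours described here (overwriting a file's content with noise before it is deleted, and wiping the space a shrinking file releases) can be illustrated in a few lines. The following is an added example, not ZoneCentral's own implementation: it assumes a plain file on a file system that rewrites blocks in place, uses random bytes as the 'noise', and forces the overwrite to disk with fsync before the delete or truncate.

```python
import os
import secrets
import tempfile

# Added illustration of the wiping behaviour described in the guide; it is
# not ZoneCentral's own implementation.

def _overwrite_range(fh, start, length, chunk_size=64 * 1024):
    """Overwrite `length` bytes from offset `start` with random noise and
    force the new data out to disk."""
    fh.seek(start)
    remaining = length
    while remaining > 0:
        n = min(chunk_size, remaining)
        fh.write(secrets.token_bytes(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())

def wipe_and_delete(path, passes=1):
    """Overwrite the whole content `passes` times, then delete the file.
    Returns the number of bytes overwritten in each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            _overwrite_range(fh, 0, size)
    os.remove(path)
    return size

def wipe_and_truncate(path, new_size):
    """Shrink a file to `new_size`, first wiping the tail that will be
    released so its old content does not linger in the freed space.
    Returns the number of tail bytes wiped (0 if nothing is released)."""
    size = os.path.getsize(path)
    if new_size >= size:
        return 0
    with open(path, "r+b") as fh:
        _overwrite_range(fh, new_size, size - new_size)
        fh.truncate(new_size)
        fh.flush()
        os.fsync(fh.fileno())
    return size - new_size

if __name__ == "__main__":
    # constructed sample: a small file in a temporary folder
    folder = tempfile.mkdtemp()
    sample = os.path.join(folder, "draft.txt")
    with open(sample, "wb") as fh:
        fh.write(b"confidential " * 80)
    print("tail bytes wiped:", wipe_and_truncate(sample, 100))
    print("bytes wiped before delete:", wipe_and_delete(sample))
    print("still exists:", os.path.exists(sample))
```

A user-space overwrite like this is only as good as the storage beneath it: copy-on-write or journaling file systems and SSD wear levelling may keep the old blocks elsewhere, so the example shows the logic of the operation rather than a guarantee of erasure.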
Activate the ZoneCentral Monitor, which appears in the Windows Start menu.
The first two tabs show the opened encrypted zones and the provided access keys. For the moment, there are none.
Click the "Status" tab, which shows the software's status.
The next step consists in defining encrypted zones.
1 - Choose an existing folder, or, as a first test, create a new folder containing several files.
2 - Open the folder's properties
In Windows Explorer, select this folder and display its properties; an "Encryption" tab has been added.
3 - Activate the folder's encryption
As the selected folder is not yet encrypted, an initial conversion must be performed to encrypt its content. Subsequently, any file created in this folder, or in its subfolders, will be automatically encrypted.
Click the "Encrypt" button.
Alternatively, you can right-click the folder in Windows Explorer to display the contextual menu, and then click "Encrypt" on the contextual menu.
4 - Choose an access key: As this is the first time you are using ZoneCentral, you are asked to choose your access key. Different choices are available depending on the key management policy in your environment.
For this first test, choose the 'password' option.
If the first 'spot' does not become green, your password is not 'strong' enough, and so you must strengthen it. The second spot becomes green when the second password input is identical to the first.
Note: These passwords are input in protected mode, by the capture of the input characters at a low level in the system.
Ensure you remember the password, because at this stage in the demonstration, we have not yet defined any SOS or recovery key!
This operation to select your personal key and create your Personal Access File occurs only the first time you use ZoneCentral for encryption (of a zone or a container).
This access can be prepared "in advance", by the Security Officer, so avoiding this step.
When this Personal Access File has been created, the initially requested operation (encrypt the folder) begins.
5 - Encrypt the folder initially: The encryption wizard appears and guides you through the rest of the process. You will be asked only for a confirmation at the end of each step in the process. There are three steps: analyzing the folder, encrypting it, and checking it.
The analysis step consists in checking that the files to be encrypted have not already been opened by applications, that the access rights allow the files to be modified, etc.
This initial encryption is performed very thoroughly and is highly protected (particularly against power outages). The files which are encrypted are checked systematically (via decryption tests, comparison with the initial content, etc.), and the unencrypted image of the file, which existed at the start, is erased (its content is wiped).
If a file cannot be encrypted for some reason, the wizard displays the fact and then continues with its processing. This is the case, for example, if an application has opened the file. That application must then be closed.
6 - It's completed!
The folder's properties now show that it is encrypted. Windows Explorer now shows it with a small lock.
Tip: If the lock has a "keyhole", this is because the folder is an "encrypted zone head folder". If it does not, this is because it is an (encrypted) subfolder of an encrypted folder.
1 - Open the Monitor; you can see that it now shows your access key (on the second tab).
In the encrypted folder, try creating a new file, for example. The zone opens automatically because the access key is present.
2 - The files contained in the folder are encrypted, but there is no difference in the way they are used. Open one of the files as usual; the application runs and you work on the file, there is no difference!
As you have already provided your access key previously, the zone is opened and you can access the files.
In addition, all new files and subfolders will be automatically encrypted; feel free to try all the usual file handling operations: copy/paste, rename, drag and drop, "Save As" in an application, etc. From now on, any file which "enters" this encrypted zone will be natively encrypted.
Notice that all subfolders also have an icon with a lock.
3 - In the Monitor, click the "Close All" button; this action will close all opened encrypted zones and the access keys already provided.
4 - Open the encrypted zone
Return to the folder and open one of the files, or try to copy it elsewhere; ZoneCentral automatically requests an access key for the encrypted zone.
Notice the ScreenTip that shows the file accessed and the application concerned.
A reminder may also appear in the Taskbar if this window is hidden.
Whenever the CONTENT of an encrypted file in an encrypted folder is accessed (to read it or write to it), for any reason, the access key must be provided so that ZoneCentral can encrypt what is written or decrypt what is read.
Note: The zones and keys are also closed automatically when the Screen Saver runs, if you close your session or the computer is shut down. There are also simple, quick key sequences which close the zones and keys, but they must be configured by an administration tool.
There is never an unencrypted copy of the encrypted files; decryption and encryption is performed entirely 'on the fly', regardless of the application and the operation performed.
When a new encrypted zone is created, the existing files are encrypted for the first time
(migrated), but all future files (and folders) in this zone will be natively, systematically and transparently encrypted.
As long as a file remains in an encrypted zone or moves from one encrypted zone to another, it remains inaccessible to anyone who does not have an access key, even if they use advanced methods (starting up using another system, network access, etc.), because the file is stored in encrypted form. If you copy or move a file to an unencrypted location, on the other hand, its contents will be available in unencrypted form, of course.
ZoneCentral detects all file access performed by applications or the system itself, at a low level of the system.
When a file in an encrypted zone (that is, an encrypted folder, or one of its subfolders) is accessed, ZoneCentral checks on-the-fly whether it has an authorized access key for that encrypted zone. If it has, it uses it to decrypt the data read, or encrypt the data written, in all access by the applications. It processes only the "portions" of data requested by the applications, when they request them.
If it does not have an access key authorizing encryption/decryption, it requests one from the user, who must provide it, allowing them to "open the encrypted zone" and work with the existing or future files that it contains.
If the access key is not provided, access to the requested file is denied.
This process is only performed when there is any actual access to the data in the files. When this access relates to information linked with the file but not to its content, ZoneCentral remains transparent.
In the first zone encryption operation, you were asked to choose your personal access key (and, as a first test, we chose a password access).
This resulted in the creation of a special file, the name of which is a combination of your computer's name and your Windows user name (for example, in the case of the computer 'PC2412' and the Windows user 'Paul', this gives "PC2412 Paul.zaf", where zaf is an abbreviation of ZoneCentral Access File).
This file was saved in your Windows profile, in the " My Documents\ZoneCentral Profile " folder.
In addition, if the personal key you chose was a .pfx key file (that your administrator gave you), a copy of this file was also saved in this folder (so that you can find it easily).
What does my 'Personal Access File' contain? In the example we have chosen, it only contains the definition of your access with the access key you selected.
In a centralized configuration, however, it can also contain other accesses defined and enforced by your Security Officer (access by a work colleague, department manager, the Security Officer, or else a recovery access for the company). This guarantees that anything you might need to encrypt (folders, containers, etc.) can be decrypted by SOS accesses.
This Personal Access File is very important and it must not be deleted, except by an experienced user or an administrator, because it is the only link between an encrypted zone and, finally, the access keys used to decrypt its content. You are strongly recommended to make a backup copy of this 'personal access' file. As a precautionary measure, this file is read-only.
If you delete this file (to perform another test with another personal key, for example), check first that you have decrypted all the encrypted zones (or else simply change the file name to keep it, just in case).
Note: For the Security Officer, there are other precautionary measures of this type.
Mandatory accesses (' mandatory members ') are, additionally and in all cases, added directly to encrypted zones and to containers (providing protection against the loss of these "Personal Access Files").
The 'access file' concept is a more generalized concept in ZoneCentral, enabling authorization lists to be created and then applied to encrypted zones. This concept will be covered later.
1 - Look at the accesses
In Windows Explorer, select the folder that you already encrypted in the previous step and display its properties (on the 'Encryption' tab).
For the moment, there is only one access (yours), which you defined when you first encrypted a folder.
As explained in the previous paragraph, this access bears the name of your computer and your Windows user name. If you display its content details, you will see that it indeed shows your password access as you defined it.
The "New" and "Delete" buttons are used to manage the accesses to the encrypted zone, subject to certain conditions however, depending on what your administrator authorizes (for the moment, we are demonstrating the product with its default options, which are non-exhaustive).
Note: With this graphical interface, accesses can be added only to an "encrypted zone head folder", that is to say, to the highest-level encrypted folder, which defines the entire zone and includes any subfolders. Other advanced methods exist for adding accesses to 'lower-level' folders if necessary, however.
Click the "New" button. If the zone is not open, you are asked to open it, to check that you do indeed have access to it.
You can then choose between various modes of adding accesses: adding a password access, or adding an RSA key access by using the certificate associated with the RSA key; this certificate can be selected in a file or in a certificate server.
2 - Add a password access
You need only to give a name to the access (the equivalent of a user ID), and choose a password for it.
Here too, the colored spots give an indication of the strength of the chosen password (this strength can be configured by the administrator).
You can add several accesses in this way if necessary.
3 - Add an access from a certificate read in a file or store
Click the small button representing a folder and select one or more files which can contain certificates (their file extension must be .cer, .crt, or .p7b); all usable certificates found are displayed in the list, and you can check those corresponding to the people to whom you want to give access to the encrypted zone.
The second button represents your computer's certificate stores.
It is used to display the certificates available in the "personal" and "other people" stores.
If the certificate cannot be used, it appears in red, and a ScreenTip shows why. It may be outdated, not allow encryption, not come from a Trust Authority, or else the black lists concerning it (it or its hierarchy) may not be available (they are downloaded in real time if necessary).
Note: ZoneCentral uses the certificate store "Trust Authorities" (including the computer's "company" Trust Authorities) to find intermediate authorities and trust roots.
4 - Add an access from a certificate found in an LDAP server
If you have LDAP certificate servers, you can search for the certificate for that recipient in that server; simply give the name of the LDAP server and enter the recipient's name.
For example, use the 'directory.verisign.com' public server and search for 'Parker', or 'clinton', etc.
Note: If the LDAP server supports the function, several search criteria can be entered, even incomplete ones, separated by semicolons, as in "Par;Clint".
Most of the time, these LDAP servers will be internal to your organization, possibly with their own search policies. Your ZoneCentral administrator can also predefine the list of LDAP servers available.
In Windows Explorer, right-click "My Computer" to display the contextual menu, and then click "Encrypt" on the contextual menu.
The second tab is used to display all known encrypted zones (opened or closed) on the computer.
When a USB memory stick is inserted in a USB port in the computer, ZoneCentral detects the fact and automatically proposes to encrypt the memory stick, that is to say, make it into an encrypted zone.
If you accept, the encryption wizard appears (as for a folder) and encrypts the USB memory stick's existing content. Subsequently, any file copied to that memory stick will be automatically encrypted without any user intervention.
If you decline, ZoneCentral records the volume's serial number in order not to automatically propose encryption the next time the volume is inserted. If, subsequently, you want to encrypt it nevertheless, you must perform the operation yourself from the volume's 'Properties' tab.
During this operation, the wizard copies your "Personal Access File" to your USB memory stick and, if you use one, your key file, so that you can use the encrypted zone directly on another computer with ZoneCentral installed.
It may happen that this operation cannot be performed due to lack of space on the USB memory stick. If this is the case, you must first make space on the memory stick (copy its content to your computer), then repeat the operation, and finally return the USB memory stick's initial content to it. To repeat the operation, simply reinsert the USB memory stick into the computer or, even more simply, display the properties of the USB volume (H: for example) and repeat the previous procedure for a folder.
The ZoneCentral administrator can additionally disallow the copying of unencrypted files onto a USB memory stick, to ensure that all file copies on a USB memory stick will be protected by encryption. In this case, an unencrypted memory stick will, in practice, work in "read-only" mode, and any 'information output' will be disallowed if it is not encrypted.
With ZoneCentral, encrypted zones remain encrypted when shared.
If the client workstation which connects to this share does not have ZoneCentral installed, it will only see the encrypted files, with no means of decrypting them. A share is therefore not dangerous in terms of confidentiality.
If the client workstation that connects to this share has ZoneCentral installed, it detects that this is an encrypted zone and asks its user to provide a valid access key for the zone concerned. Once this has been provided, the zone is opened (for them and their workstation only), and the file encryption and decryption is performed on their workstation (by their ZoneCentral software).
This means that, even if the encrypted share is opened by a client workstation, the network traffic remains encrypted and the share's opening relates only to that single workstation. If another workstation connects to the share, it too must provide an access key.
The fact that the (shared) encrypted zone is opened and can be accessed locally or closed does not change these principles in any way.
With ZoneCentral, the 'share' concept therefore does not change, and several workstations can use and access files. What changes is that the content of the files remains encrypted and, in order to access them, the same rules as with local access apply: the user must have a valid access key.
For an encrypted folder to be shared, it must be an "encrypted head folder" (and not merely a folder within an encrypted zone). When you perform the operation to share the folder, therefore, ZoneCentral automatically transforms this folder into an independent zone, enabling you in particular to allocate personalized accesses for this zone (to authorize specific people to decrypt its encrypted content).
This procedure is normally reserved only for the Security Officer, but this share on a file server can also be a personal area.
ZoneCentral does not need to be installed on the file server, and this server can run under Windows or other systems (UNIX, etc.). This is because it is the ZoneCentral client workstations which access the files and perform the encryption and decryption operations locally (by construction, the network traffic therefore consists in portions of encrypted files).
The operation is exactly the same as for a local folder, and with the same constraints, notably those of having read and write access rights for the server folder to be encrypted.
Subsequently, this share will also be accessed exactly like a local folder. As with shares on workstations, each client workstation must provide its access key in order to access the encrypted area on the server, and each workstation will use the file or files it requires.
Authorization management can be organized as required. However, as common areas shared between several users are involved, as a general rule a specially chosen person (the department manager, for example) is responsible for authorization management.
Here, we are entering a more general administration context which will be covered later, notably including the concepts of rights and access files.
A key file is a "key holder" containing a set of RSA keys (including the private key) and the associated certificate. This file is protected by an access code.
To use a key file which your Security Officer has provided you (undoubtedly from a PKI infrastructure), you need only to select the second symbol ('key file') when your 'Personal Access File' is created (in your very first encryption operation), and specify your file's location. The access code for the file must also be provided.
If you have already created your Personal Access File, you must go into the "My Documents\ZoneCentral Profile" folder, locate the existing ("Computer WindowsUserName.zaf") file and either delete it or rename it (the latter is recommended, because you may still have test folders encrypted using the old one and it is better to keep it, just in case), and then perform the folder encryption procedure.
Note that the key file shown is automatically copied into the "My Documents\ZoneCentral Profile" folder so that you can find it easily. It does not have to be in this folder, however.
Subsequently, when you open an encrypted zone or an encrypted container, ZoneCentral will automatically propose a key file access and propose the correct file directly, leaving you only to enter its code.
The procedure is the same as with a key file, except that you must insert the smart card or USB device and enter its PIN code when your Personal Access File is created.
ZoneCentral is supplied with a default configuration enabling it to automatically recognize smart cards produced by certain manufacturers. If your smart card does not appear in the list, it is because it is not recognized. ZoneCentral administration (policies) can, however, be used to add modules 'to be recognized', provided you have the PKCS#11 module supplied by the manufacturer.
Subsequently, when you open an encrypted zone or an encrypted container, if the smart card is present it will be proposed automatically.
To use an RSA key referenced in your Windows computer's containers, it must be present when you create your Personal Access File (see the previous paragraphs).
Simply click the fourth button (displayed opposite); if any keys are available, they are proposed.
Subsequently, when you open an encrypted zone or an encrypted container, the procedure is very different from the previous cases, because it is then the CSP itself that performs the authentication, with its own windows. The ZoneCentral zone opening dialog will only appear if there is no key available in the CSP containers.
If you use the Microsoft standard CSP, with no special protection, your access key is unlocked by Windows as soon as you open your Windows session, no zone opening dialog is displayed, and the zones are opened automatically.
If you use the Microsoft standard CSP and you have activated some strengthened protection, this protection will then display its own window (either simply requesting validation of access key use, or requesting the appropriate code).
If you use a CSP provided by an RSA smart card (or USB device) manufacturer, then it is this manufacturer's PIN code request window that will be displayed in order to open the zone.
These operations are only available if the ZoneCentral administrator has not hidden and/or forbidden them.
They can be performed on a folder, a volume, or the entire computer. In the case of a folder, it may be stored on an external share.
These operations can be requested from the following:
The folder or volume contextual menus, in the Windows Explorer. By default, only the "simple" operation is proposed (encrypt or decrypt). If the contextual menu is called with the SHIFT key pressed, the "advanced" operations are also proposed if they are applicable (transcrypt, ungroup, group, check, etc.);
Folder or volume properties, in the Windows Explorer. The "Encryption" tab shows the accesses and proposes the "simple" operations (encrypt or decrypt). The "Advanced" button is used to access more complex operations;
The "Encryption..." contextual menu command from My Computer;
The ZoneCentral administration tools.
Simply select the "head folder", display its properties ('Encryption' tab) and click the 'Decrypt' button.
If the folder is not itself an encrypted zone head folder, the properties display the name of the head folder, with a link enabling you to access it rapidly.
Transcryption consists in renewing the encryption keys of the files in the encrypted zones.
This is a "crypto-sanitary" operation which must be performed at the intervals specified in the company's security policy (annually or every two years, in general).
This operation combines decryption (with an old key) with encryption (with a new key).
Note that this does not concern access keys (passwords, key files, smart cards, etc.) but internal keys used in zone encryption, instead.
It therefore processes all files in all subfolders of an encrypted zone thoroughly and securely (no unencrypted copy, systematic checking before and after transformation, protection against power outages, etc.).
The graphical user interface is the same as that used in encryption.
To process all zones on a volume (even if the volume root is not encrypted), display the volume properties, click the 'Encryption' tab, and then click the 'Transcrypt' button.
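The relationship between accesses (the keys users hold, introduced in the overview and the 'Personal Access File' paragraphs) and the internal keys that transcryption renews can be shown with a small constructed model. The following is an added example and not ZoneCentral's own code, algorithms or file format: it assumes a two-level hierarchy in which each access key wraps a zone key and the zone key wraps the internal file key, PBKDF2 for password accesses, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag for the encryption itself. The access name 'PC2412 Paul' is the one from the guide's own example; the passwords and file content are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the zone / access / internal-key model; it is
# not ZoneCentral's own file format, key sizes or algorithms.

def _keystream_xor(key, nonce, data):
    # PRF stream: HMAC-SHA256(key, nonce || counter) XORed over the data
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong access key or corrupted data")
    return _keystream_xor(key, nonce, body)

def password_access_key(password, salt):
    # the user's access key, derived from the password (PBKDF2 is an assumption here)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

class Zone:
    """Files are encrypted under an internal file key. That key is wrapped
    under a zone key, and the zone key is wrapped once per access."""

    def __init__(self, first_access, password):
        zone_key = secrets.token_bytes(32)
        self.wrapped_file_key = encrypt(zone_key, secrets.token_bytes(32))
        self.accesses = {}  # access name -> (salt, zone key wrapped under the access key)
        self.files = {}     # relative path -> ciphertext
        self._add_access(zone_key, first_access, password)

    def _add_access(self, zone_key, name, password):
        salt = secrets.token_bytes(16)
        self.accesses[name] = (salt, encrypt(password_access_key(password, salt), zone_key))

    def _zone_key(self, name, password):
        salt, wrapped = self.accesses[name]
        return decrypt(password_access_key(password, salt), wrapped)

    def open(self, name, password):
        """Providing a valid access key 'opens' the zone: returns the file key."""
        return decrypt(self._zone_key(name, password), self.wrapped_file_key)

    def add_password_access(self, opener, opener_password, name, password):
        # adding an access requires the zone to be open, i.e. a valid access key
        self._add_access(self._zone_key(opener, opener_password), name, password)

    def write_file(self, file_key, path, plaintext):
        self.files[path] = encrypt(file_key, plaintext)

    def read_file(self, file_key, path):
        return decrypt(file_key, self.files[path])

    def transcrypt(self, name, password):
        """Renew the internal key: decrypt every file with the old key, encrypt
        it with a new one, verify, then commit. The accesses are untouched."""
        zone_key = self._zone_key(name, password)
        old_key = decrypt(zone_key, self.wrapped_file_key)
        new_key = secrets.token_bytes(32)
        renewed = {}
        for path, blob in self.files.items():
            plain = decrypt(old_key, blob)
            renewed[path] = encrypt(new_key, plain)
            if decrypt(new_key, renewed[path]) != plain:  # check after transformation
                raise RuntimeError("verification failed for " + path)
        self.files = renewed
        self.wrapped_file_key = encrypt(zone_key, new_key)
        return len(renewed)
```

After `transcrypt`, the zone opens with exactly the same passwords as before, but a file key captured earlier no longer decrypts anything, which is the point of the periodic key renewal the guide describes.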
This operation "detaches" an encrypted subfolder from the zone to which it belongs, and so makes the subfolder into a zone in its own right (including all it contains). The aim of this operation is to allocate accesses different from those of the zone 'above,' for example.
It can then also enable the subfolder to be decrypted in order to make it into an unencrypted zone (without having had to modify the zone 'above' and its other subfolders).
Note: Although they are separate, both zones keep identical encryption properties (algorithms and internal keys).
This operation is proposed only if it is appropriate and possible (that is, both zones use the same algorithms and the same internal keys, and so are the result of ungrouping; see the previous paragraph). Confirmation is requested, particularly if the accesses of the two zones are different; in this case, the 'parent' zone's accesses are kept and those of the grouped zone disappear (because they no longer exist).
This operation is used to check that the zone complies with the implemented "Policies."
If any modifications must be made, they are carried out automatically. This particularly consists in applying or reapplying the "mandatory accesses" enforced by the Security Officer (for recovery situations).
This operation is also available for access files.
These are displayed by clicking the "Details/Advanced..." button at the bottom of the 'Encryption' tab of an encrypted folder's properties.
This window combines all possible functions and features (management information, accesses list, file exceptions list, and buttons for performing appropriate operations).
The 'General' tab opposite shows the zone's (free-text) label, file encryption algorithm and key length (strength), together with management information.
When a zone is encrypted, all subfolders (and so on) are considered to be encrypted.
To specify that a subfolder of an encrypted zone is unencrypted, the subfolder must be "marked" as such (otherwise ZoneCentral will assume that its content is encrypted).
Example 1: The C:\Marketing folder is encrypted.
We ungroup the C:\Marketing\Public Sheets subfolder to make it an independent zone and then decrypt it, because its content has finally been judged public. This folder (and all it contains), now unencrypted inside an encrypted zone, is automatically "marked" as unencrypted.
Example 2: When we encrypt the C:\Marketing folder, we already know that the (large) Public Sheets subfolder is not confidential. We first mark it as "unencrypted" and only then encrypt C:\Marketing; the encryption is not applied to this location because it has been explicitly marked.
SOS accesses form part of the recovery techniques proposed by ZoneCentral. They can be configured by the Security Officer.
They implement a technique for "operational recovery of a specific computer or user through a centralized recovery process." Unless specified otherwise, ZoneCentral generates, for every access file, a special access called the "SOS" access, protected by a long (strong) password.
1/ The administrator sets up a general recovery plan, using an RSA key and a certificate for example, which they keep centrally and securely. They use the ZoneCentral "policies" to enforce the use of this recovery access in everything that is encrypted, and notably in the (Personal) Access Files, of which they have a copy (thanks to the various synchronization systems of ZoneCentral).
2/ A user traveling abroad forgets their password or loses their smart card. They call for the help of the Security Officer, who finds the user's Personal Access File, opens it with the general recovery key and displays its properties. In the "Access" tab, they use the "SOS Access" contextual menu command to display this password, which they can then read out or fax to the user.
3/ The user can then open their zones using a special mechanism; they have been helped and can work. The administrator now has the time needed to send them another smart card or another access file.
You can decide for yourself which folders must be encrypted (with their subfolders). In this case, you need only to repeat the operations described earlier. Once this is done, you have nothing more to take care of, unless you want other folders, elsewhere, to be encrypted too one day.
You can also ask the ZoneCentral Wizards to decide for themselves which zones must be encrypted on a computer, system disk, another volume, or a user profile. The principle is then as follows:
The 'Windows' and 'Program Files' folders will not be encrypted, because the system itself must not be encrypted and the applications themselves are not confidential (you can encrypt certain folders in Program Files without causing any problems, however).
In fact, ZoneCentral generally does not encrypt certain types of files by default, particularly programs, key files and some specific files used by Windows Explorer (such as desktop.ini). This list can be configured by the ZoneCentral administrator.
The user profile will be encrypted, with all that it contains (My Documents, Desktop, temporary file area, Internet cache, etc.), with the exception of some highly technical hidden folders, the encryption of which is not recommended because it would disrupt certain Windows functions.
The other user profiles (administrator, etc.) will not be encrypted (because their owners will almost certainly not have the same access key).
The "Documents and Settings" folder, which includes the user profiles, will not be encrypted so that, by default, a new user of the computer does not find themselves with an encrypted profile without having the corresponding access key.
Lastly, all the other folders on the volume will be encrypted, with the exceptions relating to the file types described above still applied.
To ensure proper computer security, we recommend encrypting the user's usual workspace, that is, the volumes or folders in which they usually put their files, AND their user profile. This is because, unlike more traditional encryption solutions such as encrypted virtual volumes, ZoneCentral is a product which can provide more global computer security management, particularly by encrypting the temporary copies of files (when an attachment is opened in Outlook, for example), the countless temporary files, the browser cache (containing Intranet or Extranet information), and lastly the file locations used for the comfort of users (files copied to the Desktop, for example).
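The "marking" rule of the previous section and the default file-type exclusions above, as an added example that is not ZoneCentral code. It computes the state ZoneCentral would expect for a path and flags the case the guide warns about: a subfolder inside a zone that is in clear but was never marked. The nearest-enclosing-marker rule, the sample exclusion list and the inventory of files are this example's assumptions; the real exclusion list is configured by the administrator.

```python
"""Expected encryption state of paths inside zones, plus an audit for unmarked
clear subfolders.

Added example, not ZoneCentral code. Assumptions: the deepest enclosing zone
head or "unencrypted" mark decides a path's state, and files whose name or
extension is on the exclusion list stay in clear. The exclusion list and the
inventory are constructed for the illustration.
"""
from pathlib import PureWindowsPath

EXCLUDED_NAMES = {"desktop.ini"}        # named in the guide
EXCLUDED_SUFFIXES = {".exe", ".dll"}    # assumption standing in for "programs"


def _deepest(path, roots):
    """Number of components of the deepest root containing `path`, or -1."""
    depth = -1
    for root in roots:
        r = PureWindowsPath(root)
        if path == r or r in path.parents:      # PureWindowsPath compares case-insensitively
            depth = max(depth, len(r.parts))
    return depth


def expected_state(path, zone_heads, clear_marks):
    """'encrypted', 'clear' or 'outside' (not under any zone head)."""
    p = PureWindowsPath(path)
    zone_depth = _deepest(p, zone_heads)
    if zone_depth < 0:
        return "outside"
    if p.name.lower() in EXCLUDED_NAMES or p.suffix.lower() in EXCLUDED_SUFFIXES:
        return "clear"
    return "clear" if _deepest(p, clear_marks) > zone_depth else "encrypted"


def audit(inventory, zone_heads, clear_marks):
    """inventory maps each path to whether it is actually encrypted; returns mismatches."""
    problems = []
    for path, is_encrypted in inventory.items():
        expected = expected_state(path, zone_heads, clear_marks)
        if expected == "encrypted" and not is_encrypted:
            problems.append((path, "in clear inside a zone but not marked: "
                                   "ZoneCentral will treat it as encrypted"))
        elif expected == "clear" and is_encrypted:
            problems.append((path, "encrypted although marked unencrypted or on the exclusion list"))
    return problems


def scenario():
    """The guide's C:\\Marketing example with a constructed inventory (True = actually encrypted)."""
    zone_heads = ["C:\\Marketing"]
    clear_marks = ["C:\\Marketing\\Public Sheets"]
    inventory = {
        "C:\\Marketing\\Brief.doc": True,
        "C:\\Marketing\\Public Sheets\\q1.xls": False,   # marked clear: consistent
        "C:\\Marketing\\Drafts\\old.doc": False,         # decrypted by hand, never marked
        "C:\\Marketing\\Tools\\setup.exe": False,        # excluded type: consistent
        "C:\\Windows\\notepad.exe": False,               # outside every zone
    }
    return audit(inventory, zone_heads, clear_marks)
```

The one finding the scenario produces is exactly the situation Example 1 above avoids by ungrouping and decrypting through ZoneCentral rather than by hand: a folder that is in clear but carries no mark will be read as ciphertext.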
Example of operating on a Windows computer (figure in the original; its content is summarized here): the volume C:\ holds Windows, CSC (offline), Program Files, and Documents & Settings with the profiles John and Admin.; D:\ and E:\ are further volumes. Within Documents & Settings\John, the sensitive zones in the profile are Desktop, Internet/Intranet cache, My Documents and Temporary files. Key: clear zone / encrypted zone.
The ZoneCentral encryption wizard automatically adopts these policies and achieves this result: completely if encryption is applied globally (My Computer), or partially if it is applied to C: only or to a single user profile, for example.
Special cases with roaming profiles and offline (synchronized) folders : For more information on operating procedures, refer to the ZoneCentral Technical Manual. Offline synchronized folders, in particular, must be "head folders".
The use of encrypted containers is highly intuitive and very similar to that of 'compressed folders' under Windows XP.
1 - Create a container:
On the Desktop, or in a Windows Explorer folder, right-click the desktop or window background and select the 'New' contextual menu command; the 'Encrypted container' option appears.
A 'container-holder' file is then created at that location, with a default name which you can change.
The file extension of encrypted containers is ".zed".
Note: At this stage, the container has not yet been actually initialized; this occurs the first time it is used.
2 - Open the container:
Simply double-click it, or right-click it and select the 'Open' contextual menu command. The container is displayed. It does not yet contain any files, but it has now been initialized and the access keys for its content have been automatically defined, notably including your user key (the one chosen when you created your first encrypted zone).
If you have not yet opened an encrypted zone or encrypted container and you have not yet provided your personal access key, you will be asked to provide this now.
3 - Add files to the container; you can do this in several ways: dragging and dropping files inside the container or onto its icon, copying and pasting files, or else using the "Add" menu command.
Note: The container cannot contain folders.
4 - Modify the container's content; you can add files, rename existing files, delete files, replace some of them, etc.
5 - Add an access to the container for a recipient
If this container (and its content) is intended for sending to a recipient as an encrypted attachment, you must give it an access.
Display the contextual menu by right-clicking the container file or the container background, and then select the "Access list..." command.
For the moment, the container has only a single access (yours), with your personal access key (this access bears a name calculated from the computer name and your Windows user name).
Using the "Add" and "Remove" buttons, you can manage all of the accesses you wish for this encrypted container.
The procedure for adding accesses to an encrypted container is identical to that used to add password accesses or certificate (RSA) accesses to an encrypted zone.
If you possess a certificate (RSA) for your recipient, you can simply select this certificate file (second tab) to add this recipient; as they hold the corresponding access key, they will be able to decrypt the container.
If you have LDAP certificate servers, you can search for the recipient's certificate on such a server; simply give the name of the LDAP server and enter the recipient's name. For example, use the 'directory.verisign.com' public server and search for 'Parker', 'clinton', etc.
If not, you can always agree on a password with your recipient (by phone, for example), and use this password when you exchange files.
Tip: If you exchange files frequently with certain people, a widespread practice consists in "preparing" various containers in advance (john.zed, paul.zed, marketing.zed, etc.), putting them in an easily accessible place (on your Desktop, for example), and then always using the same ones when you exchange files, simply changing the files they contain.
6 - Send the encrypted container to your recipient
Simply attach the container to an e-mail as an attachment.
Another "traditional" use of encrypted containers consists in copying them to a USB memory stick.
Of course, your recipient must possess software enabling them to open and decrypt the container's content. If they possess ZoneCentral, this causes no problems.
If they do not, they can install a freely available and free-to-use module called "Zed! Limited Edition," which enables them to open the encrypted container.
This module is present on your computer, and you can send it to them directly; it can be found in the ZoneCentral installation folder (generally under C:\Program Files\PrimX\ZoneCentral), and it is called "Setup Zed! Limited Edition.exe".
This limited-edition version offers the same possibilities as those described above, except that it cannot be used to create a new container or modify the accesses of existing containers.
Your recipient will therefore be able to open your attachments and extract the files from the container (provided that they supply their access key, such as the password which you agreed on with them).
They can also change the container's content (add files, remove some, etc.), meaning they can reply to you by returning the same container with different content.
These tools can be used to do the following:
Configure certain aspects of ZoneCentral behavior, and its policies;
Manage accesses, encrypted zone profiles, or predefined access files;
Perform "advanced" operations on zones or areas, particularly on shared areas on file servers;
Automate certain repetitive administrative operations.
Once the Project Manager has assimilated and learned the basics of the product, they can use them to define a Security and Deployment Plan and manage its implementation.
The behavior of ZoneCentral on users' computers can be adjusted through rules defined in 'Policies' (in the Windows sense of the word).
Policies are settings which can be defined for individual computers or for individual domains. If you have a domain controller which supports the Policies concept, these settings can then be defined centrally, and each workstation connected to that domain will then inherit them, with an integrated update system.
If you do not have a domain controller, the Policies system still exists but it is local to each computer. There are several ways to avoid having to configure each computer individually: either by 'masterizing' the ZoneCentral image to be installed, or by automating a ZoneCentral Policies update command.
A shortcut is available among the ZoneCentral Start menu commands for displaying the "Policies" policy editor.
The Policies are described in detail in a separate document.
This tool can be used by the administrator to perform many different operations. In particular, they can act directly upon an encrypted zone, upon their own computer, upon a file server, or upon a user's computer, in order to transcrypt it, modify its accesses, etc.
They can also (and especially) use it to define "prefabricated" access files containing accesses such as the following:
Mandatory accesses (Security Officer, and Recovery);
User group lists for accesses to common shared resources on file servers;
Potentially, if they wish to manage these themselves, the users' personal access lists.
All of this is dependent upon the chosen deployment and operating plan.
A shortcut to this "Zone Management" tool is available in the Start menu.
The important concepts employed in this tool include that of 'encrypted zone templates'.
Using these templates is not mandatory, because a template is almost equivalent to an access list, only more complete: when a folder is encrypted by applying an access file, certain additional settings are taken from the Policies, whereas when a zone template is applied they are taken from the template itself (which will in turn most likely have taken them from the Policies).
Access files also carry some additional settings for the accesses they contain. These can be used to do the following:
Mark an access as being a SOS (recovery) access, which differentiates it from the others (and by default, ZoneCentral does not allow this type of access to be used to open a zone; it must firstly be authorized in policies);
Mark an access as having administrator rights over the access file itself as well as over all zones to which the access file is linked; this right is needed in order to be able to encrypt a zone with this access file, decrypt a zone, or modify a zone's accesses.
Note: In the case of Personal Access Files, the user has this right.
This tool can be used to carry out, as a command line, all operations which can be performed from the graphical interfaces and, in certain cases, some operations which are even more complex (in particular, 'forcing' a zone to be unencrypted, which does not exist as a graphical interface command).
Although it is presented in command line form, this tool is thoroughly documented to facilitate learning. It has an integrated interactive mode (in which it asks questions about the settings it needs), a 'try' mode (which does not perform the operation but, at the end, displays the command line that should have been entered so that no questions are asked), and it is documented for inclusion in automation scripts.
The [zcucmd.exe] tool, which can be used to open or close zones from a command line, should also be noted.
This is the wizard which is activated, directly or indirectly, every time a zone transformation operation (encryption, decryption, etc.) is to be carried out.
It is installed on each user's computer and is not, strictly speaking, an administration tool, but it can be run independently via an administration command.
It can be given many instructions as execution parameters, and it can be run remotely and possibly automatically (login scripts, SMS commands, etc.).
It can be configured to run fully automatically or with varying levels of user confirmations.
These parameters can be displayed by typing "ZCAPPLY /?".
ZoneCentral generates a certain number of events in the logs of Windows Event Viewer
(Eventvwr). The list of these events can be configured in policies.
In addition, during every zone transformation operation (zone encryption, decryption, transcryption, access updates, etc.), ZoneCentral generates a log file of the operation, documenting all events and the actions performed. This file's location can be specified in policies (which can be practical for having it generated on a server).
It can be downloaded separately from the www.primx.fr site.
When a user opens an encrypted zone or an encrypted container, ZoneCentral examines the list of accesses mentioned in the zone or container.
These may be so-called "direct" or "isolated" accesses (with no intermediary: all the information needed to open the object with a password or an RSA key is present in the zone or container), or indirect, "grouped" accesses which make use of an access file (a .ZAF file).
In particular, this "grouped" access mode can be used to concentrate or centralize access management, for example by having N encrypted zones reference the same access file: when a change is required, it is simpler to modify the access file once than to modify each encrypted location. The feature offers many further possibilities, because each zone or container can reference N access files, and each access file can itself reference several others (for example, PAUL, which is referenced in MARKETING and in DIRECTION, which are themselves both referenced in COMPANY).
Indirect accesses are only mentioned by their name and label, not by the physical location of the .ZAF file (so that they can be moved easily). ZoneCentral must therefore search these access files so that it can propose and validate the users’ accesses.
To do so, it uses a reference location and a cache. The reference location always takes priority: if the access file is found there, that file is used and a copy of it is placed in the cache. If it is not found there, ZoneCentral uses the cached copy if one exists. This structure was designed so that the reference location can be on a network share (file server) while the cache serves laptops disconnected from the network.
Lastly, if neither of these produces a result, ZoneCentral searches for the access file in the zone itself (in the zone's head folder), and then in the 'My Documents\ZoneCentral Profile' area of the user profile (notably where the Personal Access Files are normally located).
When using access files for shares on file servers, or for SOS/recovery accesses, it is therefore important to first define the reference location of the access files. It is there that they must be put once they have been created.
To do so, the "Special/Advanced policies - Access file location" policy must be defined.
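The lookup order and the chaining of access files described above, as an added example that is not ZoneCentral code. It models the four locations as in-memory dictionaries so it runs offline; the AccessFile and AccessFileStore names, the .ZAF contents (the guide's PAUL / MARKETING / DIRECTION / COMPANY example) and the revocation scenario are constructed for this illustration.

```python
"""Access-file (.ZAF) resolution order and transitive access expansion.

Added example, not ZoneCentral code. It models, over in-memory dictionaries so
it runs offline, the lookup order the guide describes: reference location
(always wins and refreshes the cache), then cache, then the zone's head folder,
then the user's profile area. The .ZAF contents are constructed; the class and
function names are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class AccessFile:
    name: str
    direct: set = field(default_factory=set)     # names of direct (password/RSA) accesses
    indirect: set = field(default_factory=set)   # names of other .ZAF files it references


class AccessFileStore:
    """Four search locations; `reference` is None when the file server is unreachable."""

    def __init__(self, reference, cache, zone_head, profile):
        self.reference, self.cache = reference, cache
        self.zone_head, self.profile = zone_head, profile

    def resolve(self, name):
        if self.reference is not None and name in self.reference:
            self.cache[name] = self.reference[name]   # refresh the laptop's cache copy
            return self.reference[name], "reference"
        if name in self.cache:
            return self.cache[name], "cache"
        for source, location in (("zone_head", self.zone_head), ("profile", self.profile)):
            if name in location:
                return location[name], source
        return None, "missing"


def effective_accesses(indirect_names, store, _seen=None):
    """Every direct access reachable through the chain of referenced .ZAF files."""
    seen = set() if _seen is None else _seen
    granted = set()
    for name in indirect_names:
        if name in seen:
            continue                               # referenced twice, or a cycle (guard is ours)
        seen.add(name)
        access_file, _source = store.resolve(name)
        if access_file is None:
            continue                               # an unresolvable .ZAF grants nothing
        granted |= access_file.direct
        granted |= effective_accesses(access_file.indirect, store, seen)
    return granted


def scenario():
    """PAUL is referenced by MARKETING and DIRECTION, which COMPANY references in
    turn. The Security Officer then revokes paul in the reference copy of PAUL,
    and an online lookup is compared with an offline (cached) one."""
    reference = {af.name: af for af in (
        AccessFile("PAUL", direct={"paul"}),
        AccessFile("MARKETING", indirect={"PAUL"}),
        AccessFile("DIRECTION", indirect={"PAUL"}),
        AccessFile("COMPANY", indirect={"MARKETING", "DIRECTION"}),
    )}
    cache = {}
    online = AccessFileStore(reference, cache, zone_head={}, profile={})
    offline = AccessFileStore(None, cache, zone_head={}, profile={})   # same cache, no network

    out = {"online": effective_accesses({"COMPANY"}, online)}         # {"paul"}; cache now warm
    reference["PAUL"] = AccessFile("PAUL", direct=set())              # revocation at the reference
    out["offline_stale"] = effective_accesses({"COMPANY"}, offline)   # still {"paul"}: stale cache
    out["online_after_revocation"] = effective_accesses({"COMPANY"}, online)   # set(); cache refreshed
    out["offline_after_resync"] = effective_accesses({"COMPANY"}, offline)     # set()
    return out
```

The scenario shows a consequence a deployment plan should allow for: an access removed from the reference copy of a .ZAF file only stops working on a disconnected laptop once that laptop can reach the reference location again, because until then the cached copy is what ZoneCentral finds. The cycle guard in effective_accesses is this example's own; the guide does not say how ZoneCentral handles an access file that references itself.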
We recommend choosing RSA keys for these accesses, but passwords can also be used.
In order to implement them, the "Special/Advanced policies - Mandatory members" policy must be defined. This is a 'list' type of policy, meaning that several items can be defined.
Activate the group policies editor (displayed as "Policies" in the Start menu), find this policy in the tree structure, open its details and choose to activate it. It is here that the list can be defined. Only the first field (value name) is used; the second field is not used (you can use it to enter a comment).
You must enter the name of a file, which can be either a certificate or an access file (a .ZAF file). You can enter it either with its full path or without it (in which case ZoneCentral will search for the file in the standard location for access files; see the previous paragraph).
We recommend using a .ZAF file created using the ZCEDIT administration tool.
Using ZCEDIT, request the creation of a new access file. Give it a meaningful name, such as "MANDATORY". Add the SOS/recovery access certificate(s) you want, depending on your organization. You can also define a password-based SOS access. For each of these accesses, ensure you set the "Recovery access" option. If, as is likely, one of these accesses will also be used by the Security Officer, you should choose the "Admin access" option instead.