The measures described here reduce the risk that data on SafeGuard Enterprise protected endpoints is exposed. None of them replaces the others; apply them together.
To operate SafeGuard Enterprise in a certification-compliant mode, see the SafeGuard Enterprise Manual for certification-compliant operation.
On SafeGuard Enterprise protected endpoints, the encryption keys stay in RAM while the endpoint is in a sleep mode in which the operating system is not shut down and background processes keep running, so an attacker with physical access to the sleeping device may be able to recover them. Protection is stronger when the operating system is always shut down or hibernated properly, because in both cases memory is powered down and the keys are no longer resident.
Train users accordingly or consider centrally disabling sleep mode on endpoints that are unattended or not in use:
Avoid sleep (stand-by/suspend) mode as well as hybrid sleep mode, which combines hibernation and sleep.
Avoid locking the desktop, switching off the monitor, or closing the laptop lid as the only protection when this is not followed by a proper shutdown or hibernation. A password prompt after resume does not provide sufficient protection in any of these cases, because the keys remain in memory for as long as the system sleeps.
You can configure the appropriate power management settings centrally using Group Policy Objects or locally through the Power Options dialog on the endpoint's Control Panel. Set the Sleep button action to Hibernate or Shut down.
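The following PowerShell script is an added example, not part of the SafeGuard Enterprise manual. It applies the power settings recommended above to the active power scheme with the standard powercfg aliases (SUB_BUTTONS, SBUTTONACTION, LIDACTION, SUB_SLEEP, HYBRIDSLEEP) and then prints the result for verification. It assumes an elevated prompt; the 30-minute idle hibernation timeout is a chosen value, not a product requirement. For central deployment, the same settings are available as Group Policy under Computer Configuration > Policies > Administrative Templates > System > Power Management (Button Settings and Sleep Settings).

```powershell
# Added example, not from the SafeGuard Enterprise documentation.
# Run elevated. Configures the active power scheme so that unattended or
# "switched off" endpoints hibernate or shut down instead of sleeping.

# Hibernate and shutdown actions need hiberfil.sys, so make sure hibernation is available.
powercfg /hibernate on

# Button action values: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.
# Sleep button -> Hibernate, power button -> Shut down, lid close -> Hibernate.
# Set the plugged-in (AC) and on-battery (DC) values so the choice cannot be bypassed
# by unplugging the device.
$buttonActions = @{ SBUTTONACTION = 2; PBUTTONACTION = 3; LIDACTION = 2 }
foreach ($setting in $buttonActions.Keys) {
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $buttonActions[$setting]
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $buttonActions[$setting]
}

# Turn off hybrid sleep (0 = off) and never enter stand-by on idle (timeout 0 = never).
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0

# Instead, hibernate after 30 minutes idle (assumed value) so an unattended
# machine does not keep the keys in RAM indefinitely.
powercfg /change hibernate-timeout-ac 30
powercfg /change hibernate-timeout-dc 30

# Re-activate the scheme so the new values are applied, then show them for verification.
powercfg /setactive SCHEME_CURRENT
powercfg /query SCHEME_CURRENT SUB_BUTTONS
powercfg /query SCHEME_CURRENT SUB_SLEEP
```

Check the output of the two query commands: each action should show a current AC and DC index of 0x00000002 (Hibernate) or 0x00000003 (Shut down), and HYBRIDSLEEP should show 0x00000000. Users who are local administrators can change these values back, which is one more reason to keep regular users out of the Administrators group.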
Implement a strong password policy and force password changes at regular intervals, particularly for endpoint logon.
Passwords should not be shared with anyone nor written down.
Train users to choose strong passwords. A strong password follows these rules:
SafeGuard Power-on Authentication provides additional logon protection on the endpoint. With SafeGuard Full Disk Encryption, it is installed and enabled by default. For full protection, do not disable it. For more information, see Sophos knowledgebase article 110282.
Code injection, for example DLL pre-loading attacks, may be possible when an attacker is able to place malicious code (for example an executable or a DLL) in a directory that the SafeGuard Enterprise encryption software searches for legitimate code. To mitigate this threat:
Install middleware loaded by the encryption software, for example token middleware, only in directories that non-administrative users cannot write to. By default this holds for the Windows and Program Files directories and all of their sub-folders.
The PATH environment variable must not contain entries that point to folders non-administrative users can write to (see above), because those folders are searched when a library is loaded by name.
Regular users should not have administrative rights.
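The following PowerShell script is an added example, not part of the SafeGuard Enterprise documentation. It audits the machine-wide PATH for the condition that makes DLL pre-loading possible, namely directories in which a broad group of users can create or replace files, and reports PATH entries that do not exist (whoever can create such a folder controls what is found there). The list of identities treated as "any user" and the set of rights considered dangerous are assumptions; extend the identity list with domain groups that cover all your users. The same `Test-PlantableDirectory` function can be pointed at the middleware directories from the previous paragraph.

```powershell
# Added example, not from the SafeGuard Enterprise documentation.
# Reports PATH directories where non-administrators could plant or replace a DLL.

# Assumption: these identities stand for "any user on the machine"; add domain groups as needed.
$broadIdentities = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Rights that let a principal drop a new file, plant a subdirectory, delete an existing
# file (to replace it), or grant itself more rights. Read/execute alone is harmless here.
$plantRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-PlantableDirectory {
    # Returns a description of the first risky Allow ACE, or $null if none was found.
    # Deliberately ignores Deny ACEs, so a directory may be reported as risky although a
    # Deny entry neutralises the Allow entry; review reported directories by hand.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$plantRights) -ne 0) {
            return "$($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }
    return $null
}

function Get-PathAuditReport {
    # Machine-scope PATH is what services and the logon process inherit.
    $entries = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }
    foreach ($dir in $entries) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{ Directory = $dir; Finding = 'does not exist (creatable by whoever owns the parent)' }
            continue
        }
        $why = Test-PlantableDirectory -Path $dir
        if ($why) {
            [pscustomobject]@{ Directory = $dir; Finding = "writable by $why" }
        }
    }
}

Get-PathAuditReport | Format-Table -AutoSize

# The same check applied to an assumed middleware location (adjust the path to your product):
Test-PlantableDirectory -Path 'C:\Program Files\ExampleVendor\TokenMiddleware'
```

An empty report means no PATH entry grants the listed identities file-creation rights. Every reported directory should either be removed from PATH or have its ACL tightened so that only Administrators and SYSTEM can write to it; also check the user-scope PATH of accounts that run security-relevant software interactively.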
Only volumes that have a drive letter assigned are considered for disk encryption and decryption. Consequently, a volume without a drive letter, for example one whose letter has been removed or one mounted under a folder path, is not encrypted, and data copied to it is stored in plaintext.
To mitigate this threat, do not allow users to change drive letter assignments; set their user rights accordingly. Regular Windows users do not have this right by default, because changing drive letters requires administrative rights.
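The following PowerShell function is an added example, not part of the SafeGuard Enterprise documentation. It lists the local volumes on an endpoint that currently have no drive letter, so an administrator can check whether any of them could hold data that drive-letter based encryption would not cover. It uses the Win32_Volume CIM class; the assumption that DriveType 3 (local disk) is the only type of interest is the author's, and removable media can be added by including DriveType 2.

```powershell
# Added example, not from the SafeGuard Enterprise documentation.
# Lists local volumes without a drive letter. System, EFI and recovery volumes are
# expected to appear here; any other entry deserves a look, because data written to
# it would not be covered by drive-letter based encryption.

function Get-UnletteredVolume {
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveType -eq 3 -and [string]::IsNullOrEmpty($_.DriveLetter) } |
        ForEach-Object {
            [pscustomobject]@{
                # \\?\Volume{GUID}\ for unmounted volumes, a folder path for mount points.
                Name       = $_.Name
                Label      = $_.Label
                FileSystem = $_.FileSystem
                SizeGB     = [math]::Round($_.Capacity / 1GB, 1)
                FreeGB     = [math]::Round($_.FreeSpace / 1GB, 1)
                MountPoint = ($_.Name -notlike '\\?\Volume*')
            }
        }
}

Get-UnletteredVolume | Format-Table -AutoSize
```

A volume that is formatted, sizeable and not a system or recovery volume should be given a drive letter (for example with `mountvol X: \\?\Volume{GUID}\`, which requires administrative rights) so that it falls under the encryption policy, or it should be removed. Because assigning and removing drive letters needs administrative rights, keeping regular users out of the Administrators group is the control that makes this check meaningful.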
SafeGuard Enterprise offers Fast Initial Encryption to reduce the time for initial encryption of volumes by encrypting only the space that is actually in use. This leads to a less secure state if the volume was in use before it was encrypted with SafeGuard Enterprise, because remnants of previously deleted files in the unused space remain in plaintext. Due to their architecture (wear levelling and over-provisioning, which leave copies of old data in blocks the file system no longer references), Solid State Disks (SSD) are affected even more than regular hard disks. This mode is disabled by default; enable it only for volumes that have never held data. For more information, see Sophos knowledgebase article 113334.
For further information, see Securing transport connections with SSL.
To provide extra protection for endpoints you can prevent local uninstallation of SafeGuard Enterprise in a Specific machine settings policy. Set Uninstallation allowed to No and deploy the policy on the endpoints. Uninstallation attempts are cancelled and the unauthorized attempts are logged.
If you use a demo version, make sure that you set Uninstallation allowed to Yes before the demo version expires.
Apply Sophos Tamper Protection to endpoints using Sophos Endpoint Security and Control.