Security recommendations

WinClient

By following the simple steps described here, you can mitigate risks and keep your company's data secure and protected at all times.

Encryption best practices

  • Ensure that all drives have a drive letter assigned.

    Only drives that have a drive letter assigned are considered for disk encryption/decryption. Consequently, drives without a drive letter assigned may be abused to leak confidential data in plaintext.

    To mitigate this threat: Do not allow users to change drive letter assignments. Set their user rights accordingly. Regular Windows users do not have this right by default.

  • Apply Fast Initial Encryption cautiously.

    SafeGuard Enterprise offers Fast Initial Encryption to reduce the time for initial encryption of volumes by only accessing the space that is actually in use. This mode leads to a less secure state if a volume has been in use before it was encrypted with SafeGuard Enterprise. Due to their architecture, Solid State Disks (SSD) are affected even more than regular hard disks. This mode is disabled by default. For more information, see Sophos knowledge base article 113334.

  • Only use algorithm AES-256 for data encryption.
  • Use SSL/TLS (SSL version 3 or above) for protection of the client/server communication.

    For further information, see Securing transport connections with SSL.

  • Prevent uninstallation.

    To provide extra protection for endpoints you can prevent local uninstallation of SafeGuard Enterprise in a Specific machine settings policy. Set Uninstallation allowed to No and deploy the policy on the endpoints. Uninstallation attempts are cancelled and the unauthorized attempts are logged.

    If you use a demo version, make sure that you set Uninstallation allowed to Yes before the demo version expires.

    Apply Sophos Tamper Protection to endpoints using Sophos Endpoint Security and Control.

Avoid sleep mode

On SafeGuard Enterprise protected endpoints, encryption keys might be accessible to attackers in certain sleep modes where the endpoint's operating system is not shut down properly and background processes are not terminated. Protection is enhanced when the operating system is always shut down or hibernated properly.

Train users accordingly or consider centrally disabling sleep mode on endpoints that are unattended or not in use:

  • Avoid sleep (stand-by/suspend) mode as well as hybrid sleep mode. Hybrid sleep mode combines hibernation and sleep. Setting an additional password prompt after resume does not provide full protection.

  • Avoid locking desktops and switching off monitors or closing laptop lids as modes of protection when not followed by a proper shut down or hibernation. Setting an additional password prompt after resume does not provide sufficient protection.

  • Always shut down or hibernate endpoints. SafeGuard Power-on Authentication is always activated the next time the computer is used, thus providing full protection.
    Note: It is important that the hibernation file resides on an encrypted volume. Typically it resides on C:\.

    You can configure the appropriate power management settings centrally using Group Policy Objects or locally through the Power Options dialog on the endpoint's Control Panel. Set the Sleep button action to Hibernate or Shut down.

Implement a strong password policy

Implement a strong password policy and force password changes at regular intervals, particularly for endpoint logon.

Passwords should not be shared with anyone nor written down.

Train users to choose strong passwords. A strong password follows these rules:

  • It is long enough to be secure: A minimum of 10 characters is recommended.
  • It contains a mixture of letters (upper and lower case), numbers and special characters/symbols.
  • It does not contain a commonly used word or name.
  • It is hard to guess but easy to remember and type accurately.

Do not disable SafeGuard Power-on Authentication

FDE

SafeGuard Power-on Authentication provides additional logon protection on the endpoint. With SafeGuard Full Disk Encryption, it is installed and enabled by default. For full protection, do not disable it.

Protect against code injection

Code injection, for example DLL pre-loading attacks, might be possible when an attacker is able to place malicious code (for example executables) in directories that the SafeGuard Enterprise encryption software may search for legitimate code. To mitigate this threat:

  • Install middleware loaded by the encryption software, for example token middleware, in directories that are inaccessible to external attackers. These are typically all sub-folders of the Windows and Program Files directories.

  • The PATH environment variable should not contain components that point to folders accessible to external attackers (see above).

  • Regular users should not have administrative rights.
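To verify the second recommendation above on an endpoint, the following PowerShell audit is an added example and not part of the Sophos documentation: it lists every directory in the machine-wide PATH and flags those that Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE can write to, noting whether each lies under the Windows or Program Files roots. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows and uses only the built-in Get-Acl cmdlet.

```powershell
# Added example, not from the Sophos documentation: audit the machine-wide PATH
# for search directories that non-administrative principals can write to.
# Assumes an elevated Windows PowerShell session so that every directory ACL is readable.

# Well-known SIDs of broad principals; write access for any of them makes a
# search-path directory a candidate for planting a DLL or executable.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Access-mask bits that allow creating files or subdirectories:
# FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4), GENERIC_WRITE, GENERIC_ALL.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
# Roots whose default ACLs keep regular users from writing (trailing backslash for prefix matching).
$ProtectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-BroadWriters {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }      # Deny ACEs are not evaluated here
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                         # orphaned or untranslatable identity
        if ($BroadSids.ContainsKey($sid) -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            $BroadSids[$sid]
        }
    }
    return @($writers | Select-Object -Unique)
}

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$report = foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())
    $dirWithSlash = $dir.TrimEnd('\') + '\'
    $underRoot = [bool]($ProtectedRoots | Where-Object { $dirWithSlash.StartsWith($_, 'OrdinalIgnoreCase') })
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        [pscustomobject]@{ Directory = $dir; Status = 'missing'; WritableBy = ''; UnderProtectedRoot = $underRoot }
        continue
    }
    $writers = Get-BroadWriters -Directory $dir
    [pscustomobject]@{
        Directory          = $dir
        Status             = if ($writers.Count) { 'WRITABLE BY NON-ADMINS' } else { 'ok' }
        WritableBy         = ($writers -join ', ')
        UnderProtectedRoot = $underRoot
    }
}
$report | Sort-Object Status -Descending | Format-Table -AutoSize
```

Any entry reported as writable by non-admins, or lying outside the protected roots, is one to remove from PATH or to re-ACL so that only administrators can write to it.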