File Share Encryption

  • 1.  How to Find specific user login failure logs in Symantec Encryption Management Server 3.3.2

    Posted Mar 18, 2015 03:23 AM

    Hi

    I've a question on finding detailed information about a user being locked out after exceeding the allowable attempts to log in to a fully encrypted laptop.

    Been searching through the logs page of SEMS but I just couldn't find the detailed logging information other than the user being locked out and a WDRT being generated. I believe it's stored in the client's log?

    I need the following detailed information:

    Time and date of the 1st, 2nd and 3rd login attempts with the relevant error message. (BTW, policy is set to 3 failed attempts before lock-out.)

    The user has been very adamant that he keyed in the correct password but it's PGP that's causing the issue that got him locked out.


    Your help will be greatly appreciated.




  • 2.  RE: How to Find specific user login failure logs in Symantec Encryption Management Server 3.3.2
    Best Answer

    Posted Mar 23, 2015 06:03 PM

    Dear Samuel,


    I have just attempted to reproduce your issue in my lab. Initially, the server showed no logon failures, since I had not yet booted the machine (the pre-boot Bootguard screen does not upload data to the server).

    I attempted to log on and failed many times, and locked out the account. Still no items showing on the server.

    Later, I authenticated with a WDRT, and booted the system.

    After the boot completed, the system checked in with the server. I now see some items in the server logs where the client has started and checked in. However, it did not show the login failures immediately.

    Sometimes a full check-in on a client will not happen until there is a "Disk event". So, I added a second passphrase user to the client in order to force a disk event. I then forced a policy update on the client, and found a WDE Login failure notification on the home screen.


    So, you may need to force a disk event to get some more details regarding the incident. Below is an excerpt of what a WDE failure log should look like:


     CLIENT-00013: WDE Event [time Mon 23 Mar 2015 02:48:54 PM PDT, machine e76ea8e6-9816-4424-9dde-461db4bad02c, device e76ea8e6-9816-4424-9dde-461db4bad02c, partition 2] mount: failure, user <WDRT>, events 7, time Mon 23 Mar 2015 02:35:06 PM PDT, time Mon 23 Mar 2015 02:35:43 PM PDT

    From the above example, you can see that there were 7 login attempts right around 2:35 PM. So you can try searching your client logs for "mount: failure".


    Additionally, under Consumers -> Devices -> "Hostname of Device in question" you should find a section for Disk Login Failures. This will essentially contain the same information in a more human-readable format. It gives the UUID of the machine, common name of the drive, partition, first failed logon attempt, number of failures, and time of successful logon. That will help give you a window of time during which someone was attempting to log in with the wrong passphrase.

    Feel free to let me know if there is anything I can help clarify here.


    Best Regards,

    Phil
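    The answer above quotes one "WDE Event" line and explains how to read it: one record per lockout, with the attempt count and the first and last timestamps of the window rather than one line per attempt. The following is an added example (not part of this thread or of Symantec's own tooling) that parses lines in that format, computes the length of each failure window, and ignores unrelated client lines. The sample input is constructed from the line quoted above; the field names in the returned dict, the assumption that the two trailing timestamps are the first failed attempt and the successful logon (as the thread describes), and the regular expressions are the example's own.

```python
import re
from datetime import datetime

# Constructed sample input: the WDE event line quoted in the answer above, plus
# one unrelated client line to show that non-WDE lines are skipped. The UUIDs
# are the ones the poster showed, not assets of your own estate.
SAMPLE_LOG = (
    "CLIENT-00013: WDE Event [time Mon 23 Mar 2015 02:48:54 PM PDT, "
    "machine e76ea8e6-9816-4424-9dde-461db4bad02c, "
    "device e76ea8e6-9816-4424-9dde-461db4bad02c, partition 2] "
    "mount: failure, user <WDRT>, events 7, "
    "time Mon 23 Mar 2015 02:35:06 PM PDT, time Mon 23 Mar 2015 02:35:43 PM PDT\n"
    "CLIENT-00014: Policy update completed\n"
)

# "Mon 23 Mar 2015 02:48:54 PM PDT": the date/time part is parsed with strptime,
# the zone abbreviation is kept as text because it is the client's local clock
# (see post 5 in this thread), not a server-side time.
TS_RE = re.compile(r"(\w{3} \d{1,2} \w{3} \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\w+)")
TS_FMT = "%a %d %b %Y %I:%M:%S %p"

# Field layout assumed from the single line quoted in the thread.
EVENT_RE = re.compile(
    r"^(?P<client>CLIENT-\d+): WDE Event \["
    r"time (?P<reported>[^,\]]+), machine (?P<machine>[0-9a-fA-F-]+), "
    r"device (?P<device>[0-9a-fA-F-]+), partition (?P<partition>\d+)\] "
    r"(?P<op>\w+): (?P<result>\w+), user <(?P<user>[^>]*)>, events (?P<events>\d+), "
    r"time (?P<first>[^,]+), time (?P<last>.+?)\s*$"
)


def parse_timestamp(text):
    """Return (naive datetime, zone abbreviation) for one WDE log timestamp."""
    m = TS_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unrecognised timestamp: %r" % text)
    return datetime.strptime(m.group(1), TS_FMT), m.group(2)


def parse_wde_event(line):
    """Parse one 'WDE Event' line into a dict; return None for any other line."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    first, zone = parse_timestamp(m.group("first"))
    last, _ = parse_timestamp(m.group("last"))
    reported, _ = parse_timestamp(m.group("reported"))
    return {
        "client": m.group("client"),
        "machine": m.group("machine"),
        "device": m.group("device"),
        "partition": int(m.group("partition")),
        "op": m.group("op"),
        "result": m.group("result"),
        "user": m.group("user"),
        "events": int(m.group("events")),
        "window_start": first,    # first failed attempt (assumed, per the thread)
        "window_end": last,       # time of the successful logon (assumed, per the thread)
        "reported_at": reported,  # when the client wrote the record
        "zone": zone,
    }


def failure_windows(log_text):
    """Collect every 'failure' WDE event together with the size of its attempt window."""
    out = []
    for line in log_text.splitlines():
        ev = parse_wde_event(line)
        if ev is None or ev["result"] != "failure":
            continue
        seconds = (ev["window_end"] - ev["window_start"]).total_seconds()
        ev["window_seconds"] = seconds
        # Many attempts packed into a short window is the pattern worth a second look.
        ev["attempts_per_minute"] = ev["events"] * 60.0 / seconds if seconds > 0 else float("inf")
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in failure_windows(SAMPLE_LOG):
        print("%s partition %d: %d attempts by user <%s> between %s and %s %s (%.0f s)"
              % (ev["machine"], ev["partition"], ev["events"], ev["user"],
                 ev["window_start"], ev["window_end"], ev["zone"], ev["window_seconds"]))
```

    Run it over an exported client log instead of SAMPLE_LOG to get one row per lockout with the window length; since the thread notes that the timestamps come from the client's own clock, treat them as a relative window rather than comparing them directly against server-side times.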



  • 3.  RE: How to Find specific user login failure logs in Symantec Encryption Management Server 3.3.2

    Posted Apr 02, 2015 03:31 AM

    Hi Phil

    Thanks for the info and for helping to interpret the logs.

    I know about the more human-readable portion of the logs but unfortunately, there isn't any way to drill down further to look at the exact timing of each failed login.

    Hope it could be a feature upgrade in future editions of the SEMS with drill-down capability and also on the reporting; it's really raw. Need to do a lot of massaging of data to generate reports.

    We are dealing with around 2800 registered users and 3000+ laptops. Nightmare generating reports.




  • 4.  RE: How to Find specific user login failure logs in Symantec Encryption Management Server 3.3.2

    Posted Apr 02, 2015 04:43 AM

    Following up on your solution, I've got another question: since our clients do their uploading of logs once daily, how is the timestamp determined? I'm sure some of the users might have timestamps off from the SEMS.

    How does SEMS deal with that?



  • 5.  RE: How to Find specific user login failure logs in Symantec Encryption Management Server 3.3.2

    Posted Apr 02, 2015 02:20 PM

    Unfortunately, I do not believe we have any documentation which discusses that level of detail on timestamp creation. It appears to be a timestamp that is created on the client side. My guess would be that it is the BIOS time picked up by the Bootguard component. Then, when the machine is successfully logged in, it reports the number of WDE login failures, the time the first failed login occurred, and then the time of the successful login. So, with the current software, there is not much of a chance of itemizing each failed login, just a timeframe starting with the first failed login.


    As for the feature request, if that reporting piece is extremely important to your organization, I would suggest calling in to support and requesting to make, or add to, an existing feature request. You may not be the first admin to have such a request, and it certainly does help to push those features along when more people are added onto a feature request.


    Best Regards,

    Phil