Endpoint Encryption

  • 1.  SEE Management Password for Helpdesk Recovery?

    Posted Jul 20, 2015 09:33 AM

    Hi,  

    Product: Symantec Encryption 11.0.1

    I need to limit access to SEE Manager for our helpdesk guys so all they can access in SEE is the helpdesk recovery tool. 

    I opened up the SEE Manager whilst logged on as a helpdesk staff member and started the Help Desk component but each time I get a prompt to enter the SEE management password. 

    I don't want to give this password out for obvious reasons.

    I've locked down all of the other snap ins using group policy.

    The helpdesk user has db_reader permissions on the SEEMSD and I've added the user to Manage Server roles "Helpdesk" only, so I shouldn't be getting the administrator password prompt?

    Help, thanks.



  • 2.  RE: SEE Management Password for Helpdesk Recovery?
    Best Answer

    Posted Jul 20, 2015 10:54 PM

    Hi Ghath,

    You are required to enter the Management Password to:

    ■ Install and upgrade Symantec Endpoint Encryption Management Server

    ■ Install and upgrade the Management Console

    ■ Access the Help Desk Recovery snap-in in the Management Console

    ■ Create the Autologon utility installation package

    The Management Password is a minimum requirement for helpdesk recovery, and that is the reason the Helpdesk agent machine will have limited access only to the Helpdesk MMC, to limit the usage of the Management Password.



  • 3.  RE: SEE Management Password for Helpdesk Recovery?

    Posted Jul 21, 2015 06:15 AM

    Sorry I missed your post in the other thread.  Did you get a chance to go through the Policy Admin guide I linked (copied below)?

    http://www.symantec.com/docs/DOC8204

    Essentially, the Administrator Roles are the same as the GPO options of the SEE 7/8, they merely grant control over what SEE snap-ins an administrator is allowed to access.  The snap-ins themselves currently behave the same as they always have, which is why you're still being prompted to enter the Management Password in order to get into the HelpDesk snap-in.

    This is why I provided the links confirming Helpdesk chaps require only read-only rights to the DB, as it has always been a concern that the Management Password needed to be shared.



  • 4.  RE: SEE Management Password for Helpdesk Recovery?

    Posted Aug 07, 2015 05:17 PM

    Why hasn't this issue been addressed? Restricting the snap-in access simply isn't enough. The helpdesk should never even know the management password. Besides, restricting the Helpdesk user to read only in the database seems to cause errors while managing computers. Not able to encrypt and decrypt managed systems etc. Has anyone run into that? That password should be set and "locked away" with only high level system administrators having access to it. I wonder how many organizations weren't able to move forward with this product because of the security hole this specific function opens up.

    Why aren't Helpdesk users prompted to enter a "Helpdesk password" rather than the management password? This makes more sense to me.