SafeGuard LAN Crypt Administration - Suggested division of roles between system administrators and security officers

  • Article ID: 106501
  • Updated: 22 Sep 2010

All supported versions of SafeGuard LAN Crypt Administration.

IMPORTANT SafeGuard LAN Crypt Administration version 3.30 retires on September 30th 2010. We recommend you update your version as soon as possible. For further information please contact your Sophos sales representative.

Client OS

Windows 7, Windows Vista, Windows XP

What is the recommended way to divide roles between system administrators and security officers.

Security officers should not get access to files. The system administrator must ensure that the security officer physically cannot get at the data to be protected. For this, means of the operating system are used.

Security officers must keep the keys secret from the system administrator. For this reason, the profile databases and keys are stored locally, i.e. not in the Active Directory. Thus, system administrators must not get profiles with keys to which they should not have access. It is possible for system administrators to register into user groups and therefore get access to confidential keys by group membership. The security officer must protect against this effectively, in the following ways:

  • The security officer must ensure that system administrators do not get a certificate assigned. This ensures that a profile cannot be generated for a system administrator.
  • After the rollout is completed, the security officer should only generate profiles for individual users, e.g. if there is a new user or a user is changing, and not for entire groups. Doing this means that a profile cannot be accidentally created for a system administrator or for a smuggled-in user.
  • If it is necessary to create profiles for entire groups (e.g. during the rollouts or at re-organizations), we recommend that the security officer should have control of the membership of the users groups before profiles are created by the profile resolver.
Following these rules helps to avoid problems. However, the security officer can go one step further and administer the users and groups himself. The disadvantage of this is that the user administration has to be done a second time, in parallel with the system administration. The advantage is that dangers are eliminated by the system administrator.
  • On the administration computer, the security officer can locally set up users and groups as in a domain. But this requires that he has administration rights on this computer.
  • Alternatively, a csv file defining users and groups can be generated from a spreadsheet. The file is imported into the administration. The security officer can easily create this file (e.g. by MS Excel) and does not require administration rights on his computer.

In both cases mentioned above, profiles can also be created for Active Directory users when the user ID is the same.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent