SafeGuard Enterprise: Imaging of Clients using a previously used hostname.
Known to apply to the following Sophos product(s) and version(s)
SafeGuard Enterprise Client 5.2x, 5.3x, 5.40.0
Windows XP SP2, SP3, Windows Vista SP1, SP2, Windows 7
What to Do
When you install a new SafeGuard Enterprise (SGN) Client which has a previously used hostname, under certain circumstances the required key may not be correctly sent to the database.
Until the machine key is released, the machine will be unable to perform a challenge/response, and data may be lost!
How do I know if I am affected?
If you have re-imaged SGN machines, run the SQL statement below to see whether any SGN machines in your network are affected.
SELECT DISTINCT SGD_NAME
FROM SAFE_GUARD_DIR
WHERE SGD_SCHEMA_CLASS_NAME IN ('sgcomputer', 'computer')
  AND SGD_NAME IN (
        SELECT DISTINCT SUBSTRING(SUBSTRING(KIN_SYMBOLIC_NAME, 0, (PATINDEX('%@%', KIN_SYMBOLIC_NAME))), 6, 100)
        FROM KEY_INFO
        WHERE SUBSTRING(SUBSTRING(KIN_SYMBOLIC_NAME, 0, (PATINDEX('%@%', KIN_SYMBOLIC_NAME))), 6, 100) <> ''
          AND KIN_IN_USE = 0
  )
  AND SGD_ID NOT IN (SELECT KAS_SGD_ID FROM KEY_ASSIGN)
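To make clear what the statement above actually flags, the following added example (not part of the Sophos article) re-creates the same check against a constructed in-memory SQLite database. The table and column names (SAFE_GUARD_DIR, KEY_INFO, KEY_ASSIGN, SGD_ID, SGD_NAME, SGD_SCHEMA_CLASS_NAME, KIN_SYMBOLIC_NAME, KIN_IN_USE, KAS_SGD_ID) are taken from the query; the row contents, the DSN name SGNDB and the minimal column layout of each table are assumptions made for the example. The T-SQL string functions are translated to their SQLite equivalents so the example runs without a SQL Server instance.

```python
"""Re-creation of the affected-machine check against a constructed mock database.

Everything below the table/column names is constructed sample data, not a dump
of a real SafeGuard Enterprise database.
"""
import sqlite3

# SQLite translation of the article's T-SQL statement.
# T-SQL SUBSTRING(x, 0, PATINDEX('%@%', x)) yields the text before the first '@'
# (or '' when there is no '@'); SUBSTRING(..., 6, 100) then drops the five
# character 'boot_' prefix. The CASE expression reproduces that exactly: an '@'
# at position 6 or earlier (or no '@' at all) gives '' and is filtered out.
# The "IS NOT NULL" guard is an addition: with a NULL in KAS_SGD_ID, a plain
# NOT IN would silently return no rows at all.
AFFECTED_MACHINES_SQL = """
SELECT DISTINCT SGD_NAME
FROM SAFE_GUARD_DIR
WHERE SGD_SCHEMA_CLASS_NAME IN ('sgcomputer', 'computer')
  AND SGD_NAME IN (
        SELECT DISTINCT
               CASE WHEN instr(KIN_SYMBOLIC_NAME, '@') > 6
                    THEN substr(KIN_SYMBOLIC_NAME, 6, instr(KIN_SYMBOLIC_NAME, '@') - 6)
                    ELSE '' END
        FROM KEY_INFO
        WHERE KIN_IN_USE = 0
          AND CASE WHEN instr(KIN_SYMBOLIC_NAME, '@') > 6
                   THEN substr(KIN_SYMBOLIC_NAME, 6, instr(KIN_SYMBOLIC_NAME, '@') - 6)
                   ELSE '' END <> ''
  )
  AND SGD_ID NOT IN (SELECT KAS_SGD_ID FROM KEY_ASSIGN WHERE KAS_SGD_ID IS NOT NULL)
ORDER BY SGD_NAME
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample database modelling one re-imaging scenario (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE SAFE_GUARD_DIR (
            SGD_ID INTEGER PRIMARY KEY,
            SGD_NAME TEXT NOT NULL,
            SGD_SCHEMA_CLASS_NAME TEXT NOT NULL);
        CREATE TABLE KEY_INFO (
            KIN_SYMBOLIC_NAME TEXT NOT NULL,
            KIN_IN_USE INTEGER NOT NULL);
        CREATE TABLE KEY_ASSIGN (
            KAS_SGD_ID INTEGER);
    """)
    conn.executemany(
        "INSERT INTO SAFE_GUARD_DIR VALUES (?, ?, ?)",
        [
            (1, "PC-ALPHA", "sgcomputer"),   # re-imaged: old key released, nothing assigned -> affected
            (2, "PC-BRAVO", "sgcomputer"),   # its key is still in use -> healthy
            (3, "PC-CHARLIE", "computer"),   # key released but assigned to an object -> not flagged
            (4, "PC-DELTA", "sgcomputer"),   # no boot key recorded at all -> not flagged
            (5, "PC-ALPHA", "user"),         # same name, but not a computer object -> ignored
        ],
    )
    conn.executemany(
        "INSERT INTO KEY_INFO VALUES (?, ?)",
        [
            ("boot_PC-ALPHA@SGNDB", 0),
            ("boot_PC-BRAVO@SGNDB", 1),
            ("boot_PC-CHARLIE@SGNDB", 0),
            ("boot_@SGNDB", 0),        # malformed symbolic name: yields '' and is skipped
            ("user_jdoe@SGNDB", 0),    # not a machine key; 'jdoe' matches no computer object
        ],
    )
    conn.execute("INSERT INTO KEY_ASSIGN VALUES (3)")  # PC-CHARLIE's object holds a key
    conn.commit()
    return conn


def find_affected_machines(conn: sqlite3.Connection) -> list[str]:
    """Names of computer objects whose machine key is released (KIN_IN_USE = 0)
    but whose object has no key assignment: the machines the article says to fix."""
    return [row[0] for row in conn.execute(AFFECTED_MACHINES_SQL)]


if __name__ == "__main__":
    for name in find_affected_machines(build_sample_db()):
        print(name)
```

Running it lists only PC-ALPHA: its old boot key exists but is no longer in use, and no key is assigned to its directory object, which is exactly the state in which the new machine key never reaches the database. Once a key is assigned to that object again (or deleted with the old computer object), the row drops out of the result.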
How do I avoid having problems when installing images of an SGN client using a previously used hostname?
Update to SafeGuard Enterprise (SGN) 5.50
What should I do if I have already installed an image of an SGN client with a previously used hostname and have not updated to SGN 5.50?
You must ensure that no machine key (e.g. boot_machinename@DSN) is assigned to the machine in the Management Center!
Before installing an SGN image which has a previously used hostname, it is strongly recommended that you check your database prior to any re-imaging, using the SQL statement above. This statement finds and displays which machines in the SQL database do not have their current machine key backed up.
After identifying the "problem" machines, please follow these steps:
- Delete the "old" computer object in the SafeGuard Enterprise Management Center.
- The SafeGuard Enterprise Security Officer must ensure that the machine key (e.g. boot_machinename@DSN) is no longer assigned to any object.
A typical scenario is that the key has been assigned to a SafeGuard Enterprise user to perform recovery tasks. Once those tasks are finished, unassign the machine key immediately. The key should then be displayed in the "inactive keys" area of the SafeGuard Enterprise Management Center. The new machine key is not stored in the SafeGuard Enterprise Database until the "old" key is completely unassigned.