SafeGuard Enterprise: Imaging of Clients using a previously used hostname

  • Article ID: 110597
  • Updated: 06 May 2010

Known to apply to the following Sophos product(s) and version(s)
SafeGuard Enterprise Client 5.2x, 5.3x, 5.40.0

Operating System
Windows XP SP2, SP3, Windows Vista SP1, SP2, Windows 7

What to Do

When you install a new SafeGuard Enterprise (SGN) Client which has a previously used hostname, under certain circumstances the required key may not be correctly sent to the database.

Until the machine key is released, the machine will be unable to perform a challenge/response and data may be lost!

How do I know if I am affected?
If you have re-imaged SGN machines, run the SQL statement below to see whether the SGN machines in your network are affected.

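SELECT DISTINCT SGD_NAME
FROM SAFE_GUARD_DIR
WHERE SGD_SCHEMA_CLASS_NAME IN ('sgcomputer', 'computer')
  -- Hostname derived from the key's symbolic name: the text before '@',
  -- minus the first five characters (e.g. boot_machinename@DSN -> machinename)
  AND SGD_NAME IN (
        SELECT DISTINCT SUBSTRING(SUBSTRING(KIN_SYMBOLIC_NAME, 0, PATINDEX('%@%', KIN_SYMBOLIC_NAME)), 6, 100)
        FROM KEY_INFO
        WHERE SUBSTRING(SUBSTRING(KIN_SYMBOLIC_NAME, 0, PATINDEX('%@%', KIN_SYMBOLIC_NAME)), 6, 100) <> ''
          AND KIN_IN_USE = 0
      )
  -- Only computer objects that have no entry in KEY_ASSIGN
  AND SGD_ID NOT IN (SELECT KAS_SGD_ID FROM KEY_ASSIGN)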

Solutions

Q. How do I avoid having problems when installing images of an SGN client using a previously used hostname?
A. Update to SafeGuard Enterprise (SGN) 5.50

Q. What should I do if I have already installed an image of an SGN client with a previously used hostname and have not updated to SGN 5.50?
A. You must ensure that no machine key (e.g. boot_machinename@DSN) is assigned to the machine in the Management Center!

Before installing an SGN image that has a previously used hostname, it is strongly recommended that you check your database using the SQL statement above. This statement finds and displays the machines in the SQL database that do not have their current machine key backed up.

After identifying the “problem” machines, please follow these steps:
  1. Delete the "old" computer object in the SafeGuard Enterprise Management Center.
  2. The SafeGuard Enterprise Security Officer must ensure that the machine-key (e.g. boot_machinename@DSN) is no longer assigned to any object.

    A typical scenario would be that the key is assigned to a SafeGuard Enterprise user to perform recovery tasks. Once these actions are finished, un-assign the machine-key immediately. The key should then be displayed in the "inactive keys" area of the SafeGuard Enterprise Management Center. The new machine-key is not stored in the SafeGuard Enterprise Database until the "old" key is completely unassigned.

 
If you need more information or guidance, then please contact technical support.
