Jump to content
Kaspersky Support Forum

FDE implementation best practices [KES for Windows]

Antipova Anna
 Share

Recommended Posts

Antipova Anna

Antipova Anna

Posted
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article is about Kaspersky Endpoint Security for Windows (KES for Windows)

This is a rough guide for testing FDE prior to implementation in production.

 

  1. Make sure that the encrypted hosts will be serviced by a healthy KSC infrastructure (backups are performed regularly, no errors in Kaspersky Event log that need to be addressed, healthy database with plenty room for growth, no cloned hosts, etc.).

  2. Create a scope of devices for FDE testing, that will consist of devices representing most widespread hardware & software configurations that is used in the enterprise infrastructure. Devices should have default firmware settings configured on them.

  3. Attach to the test devices as much peripheral devices as possible (most widespread configurations that is likely to be attached to encrypted devices during its regular usage) USB headsets, dongles, external flash drives, tokens, card-readers, etc...

  4. Run current FDE precheck version on the test devices. Analyze the precheck's output. In case of errors, handle each of them individually. After addressing them all, proceed to the next step.

  5. Prior to starting full disk encryption, you are advised to make sure that the computer is not infected. To do so, start the Full Scan or Critical Areas Scan task. Performing full disk encryption on a computer that is infected by a rootkit may cause the computer to become inoperable.
  6. Ensure that disk is healthy. Corrupted disk may cause the computer to become inoperable.

  7. Deploy FDE and encrypt devices using actual KES version on a limited scope of test devices in production.

  8. Monitor the user experience on the test devices in actual production environment during the pilot testing period.

  9. Prohibit the end-users to adjust firmware setting on the hosts with encryption, prior to deploying FDE to production on the whole set of devices, by setting a BIOS password, for example. 

  10. Deploy FDE to production.

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing


×
×
  • Create New...