Symantec Endpoint Encryption SQL configurations

Specops Key Recovery requires access to the SQL database used by Symantec Endpoint Encryption. To configure Specops Key Recovery with Symantec Endpoint Encryption, you will need to:

  1. Create a Specops Key Recovery security group
  2. Add Specops Gatekeepers as members of the Specops Key Recovery security group
  3. Enable remoting on the Symantec Endpoint Encryption SQL Server
  4. Configure SQL permissions for the Specops Key Recovery security group
  5. Restart the Gatekeeper service

Once you have completed the steps in this guide, Specops Key Recovery will be able to read:

  • SIDs
  • Usernames of users
  • The computers users are linked to
  • When the computer was last used
  • Type of encryption used on the computer’s drive
  • Domain and name of the computer

Note: No sensitive data from the Symantec Endpoint Encryption SQL database can be accessed by Specops Key Recovery.

When configuring Specops Key Recovery from the setup wizard, the above steps will be handled through the provided PowerShell scripts. Alternatively, you can complete them manually as described below.

Create a Specops Key Recovery security group

  1. Open Active Directory Users and Computers.
  2. Create a security group called Specops Key Recovery in your chosen location.

Add Specops Gatekeepers as members of the Specops Key Recovery security group

Open Active Directory Users and Computers and add your Specops Authentication Gatekeepers security group as a member of the Specops Key Recovery security group.

Enable remoting on the Symantec Endpoint Encryption SQL Server

  1. Locate your Symantec Endpoint Encryption SQL Server.
  2. Start SQL Server Management Studio and authenticate as an administrator.
  3. Right-click on the Server in the tree menu.
  4. Select Connections.
  5. Ensure that the Allow remote connections to this server checkbox is selected.
  6. Open SQL Server Configuration Manager.
  7. Expand SQL Server Network Configuration.
  8. Select Protocols for MSSQLSERVER.
  9. Right-click TCP/IP.
  10. Select Enabled.
  11. Restart your MSSQLSERVER service.

Configure SQL permissions for the Specops Key Recovery security group

  1. Open SQL Server Management Studio.
  2. Click Logins.
  3. Select New login and add a login for the Specops Key Recovery security group.
  4. Right-click Users and select New user.
  5. Create a user in the SEEMSDb database for the Specops Key Recovery login.
  6. Right-click Database Roles and select New role.
  7. Name the new role SpecopsKeyRecovery.
  8. Ensure that the Specops Key Recovery user is a member of this role.
  9. Grant the SpecopsKeyRecovery role permission to select the following:
    • On the Computers table: CompID, LastCheck In, Encrypt Service, Visible, DomName, CompName.
    • On the Users table: CompID, UserSID, UserName.
  10. Restart the Gatekeeper service.
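
The SQL permission steps above can also be expressed in T-SQL. The script below is an added example, not one of the PowerShell scripts shipped with Specops Key Recovery, and it goes beyond the steps by ending with two audit queries that show what the role can actually read. It assumes the domain placeholder CONTOSO, the dbo schema, and the column names exactly as printed on this page; confirm them against your SEEMSDb schema before running.

```sql
-- Added example. CONTOSO is a constructed placeholder for your AD domain.
-- Assumption: tables live in the dbo schema and columns are named as listed
-- in this guide; check INFORMATION_SCHEMA.COLUMNS if a GRANT fails.
USE [master];
CREATE LOGIN [CONTOSO\Specops Key Recovery] FROM WINDOWS;
GO

USE [SEEMSDb];
CREATE USER [Specops Key Recovery] FOR LOGIN [CONTOSO\Specops Key Recovery];
CREATE ROLE [SpecopsKeyRecovery];
ALTER ROLE [SpecopsKeyRecovery] ADD MEMBER [Specops Key Recovery];
GO

-- Column-level SELECT only: no table-wide read, no write permissions.
GRANT SELECT ON OBJECT::dbo.[Computers]
    ([CompID], [LastCheck In], [Encrypt Service], [Visible], [DomName], [CompName])
    TO [SpecopsKeyRecovery];
GRANT SELECT ON OBJECT::dbo.[Users]
    ([CompID], [UserSID], [UserName])
    TO [SpecopsKeyRecovery];
GO

-- Audit 1: every object/column permission held by the role.
-- Expect only SELECT rows for the columns granted above.
SELECT pr.name                             AS role_name,
       pe.state_desc,
       pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id)     AS schema_name,
       OBJECT_NAME(pe.major_id)            AS object_name,
       COL_NAME(pe.major_id, pe.minor_id)  AS column_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'SpecopsKeyRecovery'
  AND pe.class = 1                         -- object or column scope
ORDER BY object_name, column_name;

-- Audit 2: roles the database user belongs to. Membership in a broad role
-- such as db_datareader or db_owner would bypass the column restriction.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'Specops Key Recovery';
```

Restarting the Gatekeeper service (step 10) is still done outside SQL Server.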