SSProtect does not provide a web interface. This minimizes its attack surface, which is the collection of resources exposed to untrusted systems and actors. Many of the Account-specific configuration items you'd expect to find in a web interface are instead presented in the Administer Users and Account Configuration displays. The former is for Privileged Users to manage Organization Accounts, while the latter - the subject of this article - is for both Individual and Organization Accounts. Access this display by clicking the SSProtect icon in the notification tray, then choosing the menu item of the same name.
The Account Configuration display is context-sensitive, and some items are only present in certain circumstances, as shown below:
This interface provides opportunities to:
- ...modify the Login Session duration
- ...adjust the Conversion Delay
- ...change your Password and/ or adjust Password Policy*
- ...configure a 2nd-Factor Authentication Token
- ...review Account Identification and Quota
- ...verify both Enhanced (Login) and Task-based 2-Factor Authentication
- ...enable/ disable :Recover operation, and switch associated Conversion Modes*
- ...enable/ disable Split vChain Policy*
- ...manage dynamic operation of :Recover based on target file size
- ...set a maximum file size for use with :Recover
- ...configure Integrity Check Overrides*
- ...enable configuration for Honeypots in Protected Files
To configure/ enable components and features, refer to the License and Components interface, which among other operations, allows you to:
- ...add/ remove optional system components
- ...install and update :Email
- ...manually update the :Foundation Client
- ...convert from an Individual Account to an Organization Account
- ...modify vChain Policy*
The remainder of this text describes Account Configuration details, with references to additional information in related articles.
* Certain capabilities can only be modified by Individual Account holders, while others require Support to enable advanced features. Organization Accounts are managed in the Administer Users interface available to Privileged Organization Users. Continue below for specific details.
As noted, the set of features presented in this display depends on the context of the caller. There are two major variations that depend on the presence of :Shell. This is the component that integrates with Explorer to provide In-Place Encryption, and it's typically present except when using SSProtect as an Email-only solution with Outlook. Additional variations are described in the following paragraphs.
Login Session Duration
Modify the Local Login session length to change the duration for which your Username/ Password combination remains valid. This is the timeframe during which you can execute management, administrative, and protective actions using your 2nd-factor USB token (or software simulated token) without re-entering your Login password. Once this timeframe passes, a subsequent request that requires authorization results in a prompt for your password.
Session duration can be as little as 10 minutes or slightly greater than 8 hours (485 minutes, to take into account the 5 minute deadband). The latter is not recommended when not using a hardware 2nd-factor, though the system doesn't prohibit it.
Conversion Delay
The Conversion Delay is an advanced setting that you should not change without guidance. It affects In-Place Encryption, though since 2015 it has only been needed in one documented situation.
If, however, you are unable to consistently access protected content using native workflows, i.e. when you double-click from Explorer to open a managed file, or use File/ Open from within the default application for a managed file (based on its extension), contact Support so we can work with you to make the required adjustments.
Password and Password Policy
The Pwd Policy button is enabled for Individual Accounts. Organization Users cannot change policy, as it applies to all Organization Accounts; such modifications are made from the Administer Users interface available to Privileged Organization Users. For more information, see the article, Password Policies, in the :Access Topic.
Note that the Policy Active checkbox is informational - it reflects whether or not a Password Policy is in effect for your Account (and/or Organization, when applicable).
Two-Factor Authentication Token
The 2FA Token button is enabled for all users, and is also available for Privileged Users in the Administer Users display. This allows you to configure a hardware token as a 2nd Authentication Factor, critical to the stringent application of protective policies. Individual Account holders will modify these details directly, whereas Organization Account holders are managed by their Administrator and/ or Delegates. For details, see the article Configuring a 2nd-Factor USB Token for Data Access in the :Access Topic.
Software ID, Moving Factor, and Hardware ID
These display-only fields provide information specific to your Account. The Software ID is a unique 12-digit identifier assigned to your Account when it is provisioned. This never changes.
The Hardware ID is specific to the 2FA Token, when configured, and this value can change if you lose or replace your hardware token. This can be done without any loss of data.
Finally, the Moving Factor is a resource used when simulating 2-Factor Authentication without hardware. For more information, see Simulating the 2nd-Factor.
Enhanced (Login) and Task-based 2-Factor Authentication
This display-only field describes your Account's 2-Factor Authentication configuration. It shows two different instances of 2FA - one for Login, and one for Task-based authentication. These are split so that more flexibility can be applied to Login processing, which is less frequent and can as a result use many more forms of 2FA. Enhanced partner services are provided by integration with Duo Security (external link), described in the article, Enhanced Login 2FA with Duo Security.
The Task-based 2FA option is specific to that configured using the 2FA Token option previously noted. In this case, it is disabled.
:Recover Backup/ Restore Configuration
Once :Recover is associated with an Account - whether through an Organization, Individual Sign-Up, or a request made using the License and Components interface - it can be enabled/ disabled independently. For Organization Accounts, this field displays the current setting, as it is centrally managed by Privileged Organization Users from Administer Users.
Individual Accounts can use this display to dynamically enable/ disable :Recover. When :Recover is disabled, operation reverts to Optimized Offloading, described in the article, Operating Modes.
Conversion Mode and Version Chaining
The Double and Split vChain checkboxes are, by default, not enabled - these are advanced options that are only available through coordination with Support.
Double Conversion is more fully described in the article, Operating Modes, while Version Chaining is described in the article, Version Chain Policy.
Both options, when enabled, are available to Individual Accounts. Organization Users can only view status since configuration is managed by Privileged Users from the Administer Users interface.
Quota Used/ Available
Used Quota and Avail Quota allow you to monitor remaining :Recover storage space for your Account. For a Quota increase, Individual Account holders should contact Support while Organization Users should contact a Privileged Organization User.
You may notice, in monitoring Used Quota, that (at some point) the value will not change in perfect alignment with the size of a managed item you've protected. This will only occur when you are at or near your Quota Limit (Used approaches Avail). This is described below.
:Recover is designed to make certain that activity associated with a few large files will not consume all available Quota space. This is achieved by maintaining the last three instances of every managed item before discarding older instances when space is needed.
Note that Avail Quota does not take into consideration materials that are subject to removal when extra space is required. This, together with the Quota Limit and your managed item size, leads to potentially confusing results when operating near the Limit. For additional insight, contact Support.
NOTE: Prior to provisioning, an Organization Administrator can request a change to the preconfigured minimum number of managed item instances retained in the :Recover Archive. Individual Account holders cannot request changes to the default target of three. This setting cannot currently be changed after provisioning.
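The Used/ Avail behaviour described above is easier to see in a small model. The following is an added example written for this article (not SSProtect code) that assumes only what the text states: three instances are kept per managed item, older instances are discarded only when space is needed, and Avail Quota does not credit back material that is eligible for removal. Quota and item sizes are constructed sample values.

```python
from collections import defaultdict

RETAIN = 3  # newest instances kept per managed item (the default target of three)


class RecoverArchive:
    """Toy model of :Recover Archive quota accounting (illustration, not SSProtect code)."""

    def __init__(self, quota_limit):
        self.quota_limit = quota_limit
        # item name -> instance sizes, oldest first (constructed sample data)
        self.instances = defaultdict(list)

    def used(self):
        return sum(sum(sizes) for sizes in self.instances.values())

    def avail(self):
        # Limit minus Used: instances that could be discarded are NOT credited back,
        # which is why Avail looks pessimistic near the Quota Limit.
        return self.quota_limit - self.used()

    def evictable(self):
        # Instances older than the newest RETAIN per item may be discarded on demand.
        return sum(sum(sizes[:-RETAIN]) for sizes in self.instances.values())

    def protect(self, item, size):
        """Archive a new instance of `item`, discarding old surplus only when needed."""
        shortfall = size - self.avail()
        if shortfall > 0:
            if shortfall > self.evictable():
                return False  # nothing left to discard: the Archive is at its Limit
            self._evict(shortfall)
        self.instances[item].append(size)
        return True

    def _evict(self, needed):
        # Drop the oldest surplus instances, item by item, until `needed` is freed.
        freed = 0
        for sizes in self.instances.values():
            while len(sizes) > RETAIN and freed < needed:
                freed += sizes.pop(0)
```

With a limit of 100 and four 20-unit instances archived, a fifth 30-unit instance raises Used from 80 to 90 rather than by 30, because an old instance was discarded to make room.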
Dynamic Switch to Optimized Offloading
Sw to Opt Offloading allows you to set a size threshold for a managed item above which data is no longer stored in the :Recover Archive, though protection is still applied. This is done by dynamically switching from Hybrid (or Double) Conversion to Optimized Offloading. Conversion Modes are more fully described in the article, Operating Modes.
Prompt interrupts Conversion and allows you to choose whether or not to maintain an Archived Version for recall (using Quota space) or dynamically switch to Optimized Offloading. Notify automatically transitions to Optimized Offloading, while Disabled ignores the target file size and proceeds with Hybrid (or Double) Conversion.
Dynamic Switching is ignored when using Bulk Conversion.
IMPORTANT: This setting is host-global, meaning its value applies regardless of which locally managed Account/ Profile is in use on the local host computer.
Max Item Size for :Recover
Max Item Size for :Recover sets an upper limit on the size of a managed item, but only when Sw to Opt Offloading is Disabled. A value of 0 disables this feature. Otherwise, when Sw to Opt Offloading is Disabled and a managed item's size exceeds your Max Item Threshold, conversion fails. This acts as a safeguard against converting arbitrarily large files, such as full HD movies (many GBs of data).
NOTE: Though you can modify this setting at any time, it is only applied when Sw to Opt Offloading is Disabled. It is also host-global as described in the previous section.
Integrity Check Overrides
SSProtect provides Data Integrity assurances using HMAC-SHA512, which can be enabled in the License and Components dialog available to both Privileged Users and Individual Account holders. Integrity assurances apply to content managed with all Conversion Modes.
Integrity Checks let data consumers know when any single bit of data has been modified since the content was protected. When this is the case, access and/ or Releasing Protections are denied to protect from potentially dangerous content.
Individual Account holders can check Override Integrity Failure to permit a Release operation on modified content. In this case, you will be prompted with notification that data has been corrupted and given a choice to proceed or not.
Note that this setting is different from, and independent of, :Respond Remediation, described in the article, Using Data Integrity.
IMPORTANT: Integrity Protection Overrides are only suitable when studying corrupted materials (perhaps when investigating an attack), though in some cases content is too corrupted for decryption to succeed. Never use the resulting plaintext, and when possible, work in a secured and isolated environment then securely wipe results. For assistance, contact Support or your DefiniSec Representative.
NOTE: This setting does not persist for Individual Account holders, and is always disabled (unchecked) for subsequent Login Sessions (and must as a result be manually re-enabled). Privileged Organization Users manage this option in Administer Users, and Overrides are limited to Privileged Accounts.
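To show how an HMAC-SHA512 check catches a single flipped bit and how an Override changes the Release outcome, here is an added example written for this article, not SSProtect code. The trailing tag layout, the raw key, the status strings and the sample content are assumptions constructed for illustration; the article only states that HMAC-SHA512 provides the integrity assurance.

```python
import hashlib
import hmac

TAG_LEN = 64  # HMAC-SHA512 tag length in bytes


def protect(key: bytes, content: bytes) -> bytes:
    """Append an HMAC-SHA512 tag over the protected content.

    Trailing-tag placement and the raw key are assumptions for this
    illustration; the article only states that HMAC-SHA512 is used.
    """
    tag = hmac.new(key, content, hashlib.sha512).digest()
    return content + tag


def release(key: bytes, blob: bytes, override_integrity_failure: bool = False):
    """Return (status, content) for a Release attempt.

    status is 'released' when the tag verifies, 'denied' when it does not,
    or 'released_corrupt' when the caller set the session-scoped Override
    (which, for Individual Accounts, resets to unchecked at the next Login).
    """
    content, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, content, hashlib.sha512).digest()
    # compare_digest avoids leaking the mismatch position through timing.
    if hmac.compare_digest(tag, expected):
        return "released", content
    if override_integrity_failure:
        # Override path: the user has already been told the data is corrupted.
        return "released_corrupt", content
    return "denied", None


def flip_one_bit(blob: bytes, byte_index: int, bit: int) -> bytes:
    """Constructed tamper: flip a single bit so the check must catch it."""
    out = bytearray(blob)
    out[byte_index] ^= 1 << bit
    return bytes(out)
```

A flipped bit in either the content or the tag yields 'denied'; only with the Override set does the corrupted content come back, marked as such.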
Honeypots
Honeypots are resources that aim to draw attention away from legitimate resources, often acting as traps that can expose malicious intent since the target is ultimately of no value. This interface provides the mechanism both for setting an independent Honeypot Password and for logging in to enable Honeypot controls in the Managed Files/Restore interface described in the article, Managing Host Data.
For Honeypot details, see the article, Configuring a Honeypot.
For More Information
For information regarding product features and content, consult the Document Index, or send email with specific questions to firstname.lastname@example.org.
This article was updated w/ v9.1.2 of the :Foundation Client