This article explains SSProtect Account management for feature selection and maintenance.
SSProtect does not provide a web interface. This minimizes its attack surface, which is the collection of resources exposed to untrusted systems and actors. Many of the Account-specific configuration items you'd expect to find in a web interface are instead presented in the Administer Users and Account Configuration displays. The former is for Privileged Users to manage Organization Accounts, while the latter - the subject of this article - is for both Individual and Organization Accounts. Access this display by clicking the SSProtect icon in the notification tray, then choosing Account Configuration.
The Account Configuration display is context-sensitive, and some items are only present in certain circumstances, as described below:
This interface provides opportunities to:
- ...modify the Login Session duration
- ...adjust the Conversion Delay
- ...change your Password and/ or adjust Password Policy*
- ...configure a 2nd-Factor Authentication Token*
- ...review Account Identification and Quota
- ...verify both Enhanced (Login) and Task-based 2-Factor Authentication
- ...enable/ disable :Recover operation, and switch associated Conversion Modes*
- ...enable/ disable Split vChain Policy*
- ...manage dynamic operation of :Recover based on target file size
- ...set a maximum file size for use with :Recover
- ...configure Integrity Check Overrides*
- ...enable configuration for Honeypots in Protected Files
To configure/ enable components and features, refer to the License and Components interface, which among other operations, allows you to:
- ...add/ remove optional system components*
- ...install and update :Email
- ...manually update the :Foundation Client
- ...convert from an Individual Account to an Organization Account*
- ...modify vChain Policy*
The remainder of this text describes Account Configuration details, with references to additional information in related articles.
* Certain capabilities can only be modified by Individual Account holders, while others require Support to enable advanced features. Organization Accounts are managed in the Administer Users interface available to Privileged Organization Users. Continue below for specific details.
As noted, the set of features presented in this display depends on the context of the caller. There are two variations that depend on the presence and active configuration of :Shell, the component that integrates with Explorer to provide In-Place Encryption. :Shell is enabled unless you're using the Alternate Package for installation and use, which requires special consideration and approval. Dependencies and impact are discussed at that time.
Other variations are described in the paragraphs that follow.
Login Session Duration
Modify the Local Login session length to change the duration for which your Username/ Password combination remains valid. This is the timeframe during which you can execute management, administrative, and protective actions using your 2nd-factor USB token (or software simulated token) without re-entering your Login password. Once this timeframe passes, a subsequent request that requires authorization results in a prompt for your password.
Session duration can be as little as 10 minutes or slightly greater than 8 hours (485 minutes, to take into account the 5 minute deadband). The latter is not recommended when not using a hardware 2nd-factor, though the system doesn't prohibit it.
The Conversion Delay value is an advanced setting that you should not change without guidance. It affects In-Place Encryption, though since 2015 it has only been used in one documented situation.
If, however, you are unable to consistently access protected content using native workflows, i.e. when you double-click a managed file from Explorer to open it, or use File/ Open from within the default application for a managed file (based on its extension), contact Support so we can work with you to make the required adjustments.
The Pwd Policy button is enabled for Individual Accounts. Organization Users cannot change policy as it applies to all Organization Accounts. As such, modifications are made from the Administer Users interface available to Privileged Organization Users. For more information, see the article, Password Policies in the :Access Section.
Note that the Policy Active checkbox is informational - it reflects whether or not a Password Policy is in effect for your Account (and/ or Organization, when applicable).
Two-Factor Authentication Token
The 2FA Token button is enabled for Individual Account holders; Privileged Users use the Administer Users display. This allows you to configure a hardware token as a 2nd Authentication Factor, critical to the stringent application of protective policies. Individual Account holders will modify these details directly, whereas Organization Account holders are managed by their Administrator and/ or Delegates. For details, see the article, Configuring a 2nd-Factor USB Token for Data Access in the :Access Section.
Software ID, Moving Factor, and Hardware ID
These display-only fields provide information specific to your Account. The Software ID is a unique 12-digit identifier assigned to your Account when it is provisioned. This never changes.
The Hardware ID is specific to the 2FA Token, when configured, and this value can change if you lose or replace your hardware token. This can be done without any loss of data.
Finally, the Moving Factor is a resource used when simulating 2-Factor Authentication without hardware. For more information, see Simulating the 2nd-Factor.
(Enhanced Login) 2FA
This display-only field describes your Account's 2-Factor Authentication configuration. It shows two different instances of 2FA - one for Login, and one for Task-based authentication. These are split so that more flexibility can be applied to Login processing, which is less frequent and can as a result use many more forms of 2FA. Enhanced partner services are provided by integration with Duo Security, described in the article, Enhanced Login 2FA with Duo Security.
The Task-based 2FA option is specific to that configured using the 2FA Token option previously noted. In this case, it is disabled.
:Recover Backup/ Restore Configuration
Once :Recover is associated with an Account - whether through an Organization, Individual Sign-Up, or requested using the License and Components interface, it can be enabled/ disabled independently. For Organization Accounts, this field displays the current setting, as it is centrally managed by Privileged Organization Users from Administer Users.
Individual Accounts can use this display to dynamically enable/ disable :Recover. When :Recover is disabled, operation reverts to Optimized Offloading, described in the article, Operating Modes.
Conversion Mode and Version Chaining
The Double checkboxes are not enabled by default - these are advanced options available through coordination with Support and more fully described in the article, Operating Modes.
Note that Organization Users can only view status since configuration is managed by Privileged Users from the Administer Users interface.
Quota Used/ Available and Retention Policy
Used Quota and Avail Quota allow you to monitor remaining :Recover storage space for your Account. For a Quota increase, Individual Account holders should contact Support while Organization Users should contact a Privileged Organization User.
You may notice, in monitoring Used Quota, that (at some point) the value will not change in perfect alignment with the size of a managed item you've protected. This will only occur when you are at or near your Quota Limit (Used approaches Avail) and using Retention Policy, evidenced by the non-zero Retain Versions value.
:Recover is designed to make certain that activity associated with a few large files will not consume all available Quota space. This is achieved by implementing a scheme that retains a minimum number of recent managed Versions before making room for incoming content. Details are described in the article, Archives, Quotas, and Retention Policy.
Dynamic Switching and Optimized Offloading
Switch to Optimized Mode allows you to set a limit on the size of a managed item above which it no longer stores data in the :Recover Archive, though the item still maintains protection. This is carried out by Dynamic Switching, a procedure that adjusts from Hybrid (or Double) Conversion to Optimized Offloading when a threshold (or the :Recover maximum, see below) is exceeded. Conversion Modes are more fully described in the article, Operating Modes.
Set the Switch Threshold (MB) to define the limit, and use the Switch to Optimized Mode setting to adjust operation as follows:
- Prompt interrupts Conversion with a UI question that allows you to choose whether or not to maintain an Archived Version for recall (using Quota space) or dynamically switch to Optimized Offloading.
- Notify automatically transitions to Optimized Offloading, placing an event in the Host Debug Log but only after prompting the user with the UI (which must be acknowledged to proceed).
- Disabled ignores the target file size and proceeds with Hybrid (or Double) Conversion (when the target file does not exceed the :Recover maximum size, see below).
Note that a 0 value for the Switch Threshold disables Dynamic Switching.
Dynamic Switching and :Recover Maximum Conversion Size
:Recover will not be used when a target file's size exceeds 1 GB. When this is the case, if the Switch Threshold is 0 (Disabled) or the Switch to Optimized Mode setting is Disabled, the request will fail.
Use the Max :Recover Size (MB) value to set a :Recover Conversion maximum limit less than 1 GB.
During Bulk Conversion, Dynamic Switching ignores the Prompt setting, automatically switching to Optimized Offloading when the Switch Threshold (or 1 GB maximum) is exceeded.
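The decision rules from the two Dynamic Switching sections above (Switch Threshold, Switch to Optimized Mode, Max :Recover Size and the Bulk Conversion exception), written out as an added illustration; this is not SSProtect's own code, and the function and value names are assumptions. The one case the text leaves open - a file above the :Recover maximum while switching is active - is modeled as an automatic switch, since the text only says the request fails when switching is off.

```python
from enum import Enum

RECOVER_HARD_MAX_MB = 1024  # :Recover is never used for items above 1 GB

class SwitchMode(Enum):
    PROMPT = "Prompt"
    NOTIFY = "Notify"
    DISABLED = "Disabled"

class Outcome(Enum):
    ARCHIVE = "Hybrid/Double Conversion (stored in :Recover Archive)"
    OPTIMIZED = "Optimized Offloading (protected, not archived)"
    FAIL = "Request fails"

def decide_conversion(file_mb, threshold_mb, mode, max_recover_mb=RECOVER_HARD_MAX_MB,
                      bulk=False, user_keeps_archive=None):
    """Return (Outcome, reason) for one managed item (assumed helper, not product code).

    threshold_mb == 0 disables Dynamic Switching entirely.
    max_recover_mb models 'Max :Recover Size (MB)'; it can only lower the 1 GB limit.
    user_keeps_archive stands in for the Prompt answer (True = keep an Archived Version).
    """
    max_mb = min(max_recover_mb, RECOVER_HARD_MAX_MB)
    over_max = file_mb > max_mb
    switching_active = threshold_mb > 0 and mode is not SwitchMode.DISABLED

    if not switching_active:
        # Threshold 0 or mode Disabled: size is ignored, except that :Recover
        # cannot hold the item at all above the maximum, so the request fails.
        if over_max:
            return Outcome.FAIL, "exceeds :Recover maximum with Dynamic Switching off"
        return Outcome.ARCHIVE, "Dynamic Switching inactive"

    if file_mb <= threshold_mb and not over_max:
        return Outcome.ARCHIVE, "below Switch Threshold"

    # Threshold (or maximum) exceeded while switching is active.
    if bulk:
        return Outcome.OPTIMIZED, "Bulk Conversion ignores Prompt; switched automatically"
    if over_max:
        # Assumption: above the maximum the only non-failing path is offloading.
        return Outcome.OPTIMIZED, "exceeds :Recover maximum; switched automatically"
    if mode is SwitchMode.NOTIFY:
        return Outcome.OPTIMIZED, "Host Debug Log event written after user acknowledgment"
    # Prompt: the user decides whether to spend Quota on an Archived Version.
    if user_keeps_archive:
        return Outcome.ARCHIVE, "user chose to keep an Archived Version (uses Quota)"
    return Outcome.OPTIMIZED, "user chose Optimized Offloading"
```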
Dynamic Switching Scope
Dynamic Switching settings, as described in the previous two sections, are specific to a Windows Account on a specific host computer. As a result, these settings apply to any and all SSProtect Profiles utilized on a single host computer by a specific Windows Account. This setting thus differs for each Windows Account on a specific host computer.
Integrity Check Overrides
SSProtect provides Data Integrity assurances using HMAC-SHA512, which can be enabled in the License and Components dialog available to both Privileged Users and Individual Account holders. Integrity assurances apply to content managed with all Conversion Modes.
Integrity Checks let data consumers know when any single bit of data has been modified since the content was protected. When this is the case, access and/ or Releasing Protections are denied to protect against potentially dangerous content.
Individual Account holders can check Override Integrity Failure to permit a Release operation on modified content. In this case, you will be prompted with notification that data has been corrupted and given a choice to proceed or not.
Note that this setting is different - and independent from - :Respond Remediation described in the article, Using Integrity Remediation.
Caution Against Integrity Override Use
Integrity Protection Overrides are only suitable when studying corrupted materials (perhaps when investigating an attack), though in some cases content is too corrupted for decryption to succeed. Never use the resulting plaintext, and when possible, work in a secured and isolated environment then securely wipe results. For assistance, contact Support or your DefiniSec Representative.
NOTE: This setting does not persist for Individual Account holders, and is always disabled (unchecked) for subsequent Login Sessions (and must as a result be manually re-enabled). Privileged Organization Users manage this option in Administer Users, and Overrides are limited to Privileged Accounts.
Honeypots are resources that aim to draw attention away from legitimate resources, often acting as traps that can expose malicious intent since the target is ultimately of no value. This interface provides the mechanism for both setting an independent Honeypot Password, and also logging in to enable Honeypot controls in the Managed Files/Restore interface described in the article, Managing Host Data.
For Honeypot details, see the article, 2nd Generation Honeypots.
This article was updated w/ v10.5.1 of the :Foundation Client