Configuring advanced parameters in the registry base

Some advanced parameters in SDS Enterprise must be configured in the Windows registry base.

To edit the registry base:

  1. Access the registry by running regedit.exe with administrator rights.

  2. In the tree view, select the key shown or create it if necessary.

  3. Change the value of the key.

  4. Quit the registry database.

  5. Restart the machine.

Changing the dates of the last access

When Stormshield Data Team is installed on a workstation, the date of the last access changes when a folder is browsed. The AccessTimeAction registry key restores the true date of last access to the files.

Key

AccessTimeAction (DWORD)

Location

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBoxTeamDrv\Parameters

Values
  • 0x00000000: The access date modified by Stormshield Data Team is kept (default value),
  • 0x00000001: The access date is restored on standard file systems,
  • 0x00000002: The access date is restored on NFS file systems,
  • 0x00000008: The access date is restored on standard file systems with a potential slowdown in performance. This option enables compatibility with file systems considered standard, such as NAS EMC or non-standard CIFS servers.

In general, the default value 0x00000000 is recommended. However, when using an archive solution based on a NAS EMC, the value 0x00000008 is recommended.

Check user key certificate

The user’s encryption key certificate is checked every two hours (120 minutes).

You can modify this value, which is taken into account when the user logs in, by creating the following registry key:

Key

CheckCertificateTimeout (REG_SZ)

Location

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\Team\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\Team\

Value
  • Positive integer.

For the three registry keys below, the location differs according to the type of account:

KS1: Password account with a single key to sign and/or encrypt.

KS2: Password account with two different keys to sign and encrypt.

GP1: Card account with a single key to sign and/or encrypt.

GP2: Card account with two different keys to sign and encrypt.

Specify that keys are generated by SDS Enterprise

In card or token mode (GP1 or GP2), encryption and signature keys are generated by the card/token, i.e. by the card itself or in memory, depending on the manufacturer's implementation or configuration of its PKCS#11 layer.

You can specify that keys are generated exclusively by SDS Enterprise in memory. This allows the keys to be exported later.

Create the following registry key:

Key

InternalKeys (REG_SZ)

Locations

Suite\SBox.KeyRenewalWizardGP\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP\

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP1\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP1\

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP2\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP2\

Value
  • 0

Choose how to keep keys for exporting later

If an encryption or signature key has been generated by SDS Enterprise in memory (if InternalKeys = 0), it will be exportable. For this, you must assign the value 1 to the ExportKeys registry key in order to display the window offering the user two choices:

  • Save this key in a PKCS#12 file and assign a password,

  • Copy this key to the user’s account file.

Create the following registry key:

Key

ExportKeys (REG_SZ)

Location

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP\

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP1\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP1\

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP2\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\SBox.KeyRenewalWizardGP2\

Value
  • 1

The cachemov.exe utility can be used to move the - <%WINDIR%>\CSC - system folder, which contains files available offline.

Stormshield Data Team must be configured as follows to manage this particular environment:

Key

SkipFolderR(DWORD)

Location

HKLM\SYSTEM\CURRENTCONTROLSET\Services\SBoxTeamDrv\Parameters

Value

Add the folder containing the CSC database.

When Stormshield Data Team is used, users' workstations may slow down. To keep the usual levels of performance, the following registry keys can be applied:

Improving performance when browsing encrypted trees

To reduce the time it takes to determine whether a folder is encrypted in “smart card” mode (this determines the icon of the folder), the value of the OverlayIconAccuracy parameter can be changed.

Key

OverlayIconAccuracy (DWORD)

Location

HKEY_LOCAL_MACHINE\SOFTWARE\ARKOON\Security BOX Enterprise\Properties\Team

Value
  • 0x40: Greatly reduces the time it takes to determine whether a folder is encrypted in smart card or token mode.

Excluding Windows processes that access encrypted folders

Some Windows processes can slow down the workstation by regularly accessing folders that Stormshield Data Team encrypts.

To reduce the frequency of these slowdowns, you can exclude in the registry database the processes that are considered safe and do not cause any file modifications. If the SkipApp key does not exist, you can create it by choosing a REG_MULTI_SZ value.

Key

SkipApp (MULTI_SZ)

Location

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SboxTeamDrv\Parameters

Value

Add one process to exclude per line. We recommend that you exclude the following processes:

SearchIndexer.exe

searchUI.exe

MsMpEng.exe

SearchProtocolHost.exe

SearchFilterHost.exe

mobsync.exe

msdtc.exe

mstsc.exe

mobsync.exe

wfica32.exe

vmtoolsd.exe

SecurityHealthService.exe

SearchApp.exe

NisSrv.exe

As well as the specific Dell processes:

HostStorageService.exe

HostControlService.exe

Excluding Windows Defender extensions and scans

To prevent your workstation from slowing down, you can also exclude the extensions and scans that Windows Defender runs:

Key

Extensions(DWORD)

Location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions

Value

Add the list of extensions to exclude. We recommend excluding the following extensions: .box, .sbox, .sbt, .sdsx, .usi, .usr.

Key

Processes(DWORD)

Location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions

Value

Add the list of processes to exclude. We recommend that you exclude the following processes: SBDSRV, SBoxDiskSrv as well as antivirus and other EDR processes.

When selecting the coworkers you want to share the folder with, coworkers who hold the Windows permissions that enable accessing the folder concerned are automatically suggested in a group which name is Windows permissions.

You can disable this feature by creating the following registry key:

Key

SuggestCoworkersThroughACL (DWORD)

Location

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Enterprise\Kernel\

Value
  • 0

When selecting coworkers authorized to access a secure folder, the LDAP directory search is based on the common name by default.

If the common name is not enough, you can configure a custom search filter to search through multiple LDAP attributes, using the following registry keys:

Key

 SearchFilter (REG_SZ)

Location

 HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Enterprise\Properties\CoworkerSelector

Value

Specify the filter you want to apply when performing an LDAP search. Use the logical connectors “&” (and) and “|” (or). For example:

  • (|(cn=?)(mail=?)) searches for the character string entered by the user in the common name OR in the email address.

  • (&(|(cn=?)(mail=?))(usercertificate;binary=*)) searches for the string entered by the user in the common name OR in the email address AND the user must have a certificate in the LDAP directory.

The “?” character is replaced by the character string entered by the user in the search field.

Key

SearchPattern (REG_SZ)

Location

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Enterprise\Properties\CoworkerSelector

Value

Optional key. Replaces the default character "?" used in the filter if necessary.

In the About SDS Enterprise window, the license key value is hidden.

You can display the value of the key by creating the following registry key:

Key

DontShowLicenceKey (REG_SZ)

Location

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\Logon\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\Logon\

Value
  • 0

Specify a card or token reader

If several card or token readers are connected to the workstation (e.g. a standard reader and a 3G network card), all readers are taken into account.

You can select a specific reader by defining a filter to identify it. In this case, only the drive indicated by the SlotInfoDescriptionPrefix or SlotInfoManufacturerIdPrefix registry keys is taken into account by SDS Enterprise.

Create the following registry key:

Key

SlotFilterOn (REG_SZ)

Location

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\Logon\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\Logon\

Value
  • 1

Filter card or token readers by their description

If several card or token readers are connected to the workstation (e.g. a standard reader and a 3G network card), all readers are taken into account.

You can specify a prefix to filter on the description field returned by the reader (slotinfo.SlotDescription at PKCS#11 level). For example, if you specify the SER prefix, SERIAL will be accepted, whereas USB will not.

Create the following registry key:

Key

SlotInfoDescriptionPrefix (REG_SZ)

Location

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\SlotFilter\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\SlotFilter\

Value
  • Case-sensitive string

Filter card or token readers by manufacturer ID

If several card or token readers are connected to the workstation (e.g. a standard reader and a 3G network card), all readers are taken into account.

You can specify a prefix to filter on the ManufacturerId field returned by the reader (slotinfo.ManufacturerId at PKCS#11 level). For example, if you specify the AX prefix, AXALTO will be accepted, while GEMPLUS will not.

Create the following registry key:

Key

SlotInfoManufacturerIdPrefix (REG_SZ)

Location

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\SlotFilter\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\SlotFilter\

Value
  • Case-sensitive string

Prohibit modification of card or token type

By default, the user is authorized to modify the type of card or token defined in the card extension configurator.

You can prohibit user modification by creating the following registry key:

Key

CPLCanChangePKCS11 (REG_SZ)

Location

HKEY_CURRENT_USER\SOFTWARE\Arkoon\Security BOX Suite\External PKCS11 Policy\ or

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Suite\External PKCS11 Policy\

Value
  • 0

By default, synchronized workspace folders protected by an automatic Share protection rule do not have an icon to identify them.

You can replace the default Windows folder icon with a custom SDS Enterprise icon for easy identification.

To replace the Windows folder icon, create the following registry key:

Key

cloudSecuredFolderIcon

Location

HKEY_LOCAL_MACHINE\SOFTWARE\Arkoon\Security BOX Enterprise\Share

Value
  • 0: feature disabled. Folders protected by an automatic protection rule have the default Windows folder icon. Same behavior as when the key is missing.
  • 1: the default Windows folder icon is replaced by the custom SDS Enterprise icon when the folder is protected by an automatic protection rule.

The custom icon is displayed only on folders with the automatic protection rule, not on sub-folders. Files in folders have a small blue padlock.

This feature does not apply to local folders protected by automatic protection rules.