Installing DeviceLock : Installing DeviceLock Content Security Server : Perform Configuration and Complete Installation : Server administrators and certificate
  
Server administrators and certificate
On this page of the wizard, you can set up the list of users that have administrative access to DeviceLock Content Security Server, and install DeviceLock Certificate (the private key) if needed.
Enable Default Security
In the default security configuration all users with local administrator privileges (i.e. members of the local Administrators group) can connect to DeviceLock Content Security Server using a management console, change its settings, run search queries, configure content detection settings, and run discovery tasks.
To turn on the default security, select the Enable Default Security check box.
If you need to define more granular access to DeviceLock Content Security Server, turn off the default security by clearing the Enable Default Security check box.
Then you need to specify authorized accounts (users and/or groups) that can connect to DeviceLock Content Security Server. To add a new user or group to the list of accounts, click Add. You can add several accounts simultaneously.
To delete a record from the list of accounts, use the Delete button. Using Ctrl and/or Shift you can highlight and remove several records simultaneously.
To determine the actions allowed to a user or group, select the desired level of access to the server:
Full access - Allows the user or group to install and uninstall DeviceLock Content Security Server, connect to it by using DeviceLock Management Console, and perform any actions on the server, such as: view and change server settings; create and run search queries and tasks; view and change content detection settings; create and run discovery tasks and reports.
Change - Same as full access to the server with the exception of the right to make changes to the list of server administrators or change the level of access to the server for the users or groups already in that list.
Read-only - Allows the user or group to connect to DeviceLock Content Security Server by using DeviceLock Management Console; view server settings; run search queries; view and run existing search tasks; view content detection settings; view discovery reports and manually create new reports based on the existing reports and data already prepared by discovery tasks. This option does not give the right to run discovery tasks, make any changes on the server, or create a new index for the Search Server.
For users and groups with Change or Read-only access, the Shadow Data Access option can be selected to allow access to shadow copies and user activity records. The users and groups with this option selected are allowed to search the content of shadow copies and user activity records, and open, view, and save shadow copies and user activity records from search results.
Without access to shadow data, DeviceLock Content Security Server administrators cannot open, view, or save shadow copies and records of user activity. Search results do not have the Open, Save, and View links, and asterisks are displayed instead of text snippets of shadow copies and user activity records. Logins and passwords in document parameters for user activity records are also replaced with asterisks.
 
Important: We strongly recommend that DeviceLock Content Security Server administrators be given local administrator rights as installing, updating and uninstalling this server may require access to Windows Service Control Manager (SCM) and shared network resources.
Certificate Name
You may need to deploy the private key to DeviceLock Content Security Server if you want to enable authentication based on DeviceLock Certificate.
There are two methods of DeviceLock Search Server authentication on a remotely running DeviceLock Enterprise Server:
User authentication - The DeviceLock Content Security Server service is running under the user’s account that has administrative access to DeviceLock Enterprise Server on the remote computer. For more information on how to run DeviceLock Content Security Server on behalf of the user, please read the description of the Log on as parameter.
DeviceLock Certificate authentication - In situations where the user under which the DeviceLock Content Security Server service is running cannot access DeviceLock Enterprise Server on the remote computer, you must authenticate based on a DeviceLock Certificate.
The same private key should be installed on DeviceLock Enterprise Server and on DeviceLock Content Security Server.
There are three methods of DeviceLock Discovery Server authentication when scanning a remote computer:
User authentication - The DeviceLock Content Security Server service is running under a certain user account, and these credentials are used to access remote computers being scanned. These credentials will be supplied to either DeviceLock Service, DeviceLock Discovery Agent, or the remote computer if scanning is performed without an agent. For more information on how to run DeviceLock Content Security Server on behalf of a user, please read the description of the Log on as parameter.
Alternative credentials authentication - The DeviceLock Content Security Server service is running under a user account that has administrative privileges at least on the local computer. DeviceLock Discovery Server will use alternative credentials to log in to remote computer being scanned.
DeviceLock Certificate authentication - Authentication based on a DeviceLock Certificate is used to authenticate on remote computers running DeviceLock Service with the certificate’s public key installed.
To install DeviceLock Certificate, click the button, and select the file containing the certificate’s private key. To remove DeviceLock Certificate, click Remove.
Click Next to apply changes and proceed to the next page of the configuration wizard.