Sophos SAFEGUARD Data protection

Download

xp~ÑÉdì~êÇ

∆

=b~ëóz

xa~н~=йкзнЙЕнбзе=Ду=ЙеЕкуйнбзеz

ñÅ

sЙклбзе=QKRMKP

tбеЗзпл∆=pЙкоЙк=OMMP tбеЗзпл tбеЗзпл

∆

=um

∆

=OMMM

No part of this documentation may be reproduced or processed, copied, distributed by a retrieval system in any form (print, photocopies or any other means) except for personal use without prior written consent of Utimaco Safeware AG.

Utimaco Safeware AG reserves the right to modify or supplement the documentation at any time without previous announcement. Utimaco Safeware AG is not liable for misprints and damage resulting from this.

CryptoServer and SafeGuard are registered marks of Utimaco Safeware AG.

Windows, Windows NT, Windows 2000, Windows XP, Windows 2003 Server and Windows CE are registered marks of Microsoft Corporation.

Patents rights of Ascom Tech Ltd. given in EP, JP, US. IDEA is a Trademark of Ascom, Tech Ltd.

All other brand and product names mentioned in this manual are marks of the respective owners and are recognized as such.

Microsoft, Windows, and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.

Utimaco Safeware AG P.O. Box 20 26 DE-61410 Oberursel Phone +49 (61 71) 88-0 Fax +49 (61 71) 88-10 10 info.pds@utimaco.com

www.utimaco.com

qЙЕЬебЕ~д=pмййзкн

Online Documentation

Our knowledge database provides answers to many typical questions about the SafeGuard product range, including its functionality, implementation, administration and troubleshooting.

pмййзкн

Link to support area: http://www.utimaco.com/myutimaco

To access the public area of the knowledge database you can logon as a guest user. To access the restricted area of the knowledge database you need a valid software maintenance agreement. Our support staff continually adds to the contents of both areas, and keeps them up to date on an on-going basis.

Advanced support services and telephone support

For customers with a valid maintenance contract, qualified support staff is available to provide advice and assistance. To receive a contract offer tailored to your specific needs, please contact your Utimaco sales partner.

We hope you understand that some enquiries from customers without a maintenance agreement may require several working days to process. In urgent cases, please contact the Utimaco sales partner from whom you bought your licenses or software subscription.

ñÅ

N=lоЙкобЙпKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =N

NKN `Йенк~д=лЙЕмкбну=СмеЕнбзел KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =O

NKO lнЬЙк=лЙЕмкбну=СмеЕнбзел KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=Q

NKP kЙп=СЙ~нмкЙл=бе=p~СЙdм~кЗ=b~лу KKKKKKKKKKKKKKKKKKKKKKKKK=NM

NKQ `Ь~еЦЙл=нз=йкЙобзмл=оЙклбзел KKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NO

NKR pулнЙг=кЙимбкЙгЙенл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NP

NKS aзЕмгЙен~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NS

NKT dЙеЙк~д=езнЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NS

NKU iбЕЙелЙ=езнЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NU

O=dЙннбеЦ=лн~кнЙЗ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NV

OKN mêÉé~êáåÖ=Ñçê=áåëí~ää~íáçå KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NV

OKO fелн~дд~нбзе=йкЙкЙимблбнЙлKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =ON

OKP fелн~дд~ДдЙ=гзЗмдЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OO

OKQ rлЙк=бенЙкС~ЕЙ=д~еЦм~ЦЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=OP

P=içÅ~ä=áåëí~ää~íáçå= KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OR

PKN píÉé=Äó=ëíÉé KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OS PKNKN bеЕкуйнбзе=гзЗЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PN

PKO ^ÑíÉê=áåëí~ää~íáçåKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PP

PKP aблйд~убеЦ=ЙеЕкуйнбзе=йкзЦкЙлл KKKKKKKKKKKKKKKKKKKKKKKKKK =PQ PKPKN pпбнЕЬбеЦ=зСС=нЬЙ=лн~нмл=лЕкЙЙеKKKKKKKKKKKKKKKKKKKKKKK =PQ PKPKO aЙСбебеЦ=ЙеЕкуйнбзе=лйЙЙЗ KK KKKKKKKKKKKKKKKKKKKKKKKKKKK =PR

ñÅ

PKQ `Ь~еЦбеЦ=нЬЙ=Д~ЕвЦкзмеЗ=Дбнг~й=бе=нЬЙ=

tбеЗзпл=дзЦзе=Зб~дзЦ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PU

PKR fелн~ддбеЦ=p~СЙdм~кЗ=b~лу=зе=~=m`=пбнЬ=гмднбйдЙ=

зйЙк~нбеЦ=лулнЙгл=KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QM

Q=`Éåíê~ä=áåëí~ää~íáçå KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QN

QKN `кЙ~нбеЦ=нЬЙ=ЕзеСбЦмк~нбзе=СбдЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKK =QO

QKO fелн~дд~нбзе=пбнЬ=^ЕнбоЙ=aбкЙЕнзкуKKKKKKKKKKKKKKKKKKKKKKKKK =QP QKOKN mкЙкЙимблбнЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QP QKOKO rлбеЦ=~е=ЙЗбнзк=нз=гзЗбСу=jpf=СбдЙл KKKKKKKKKKKKKKKKK =QQ QKOKP aЙйдзубеЦ=jpf=СбдЙлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QS

QKP fелн~дд~нбзе=пбнЬзмн=^ЕнбоЙ=aбкЙЕнзку KKK KKKKKKKKKKKKKKKK=QU QKPKN `çãã~åÇ=äáåÉ=ëóåí~ñ=Ñçê=

ме~ннЙеЗЙЗ=белн~дд~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QV

QKPKO pЙдЙЕнЙЗ=зйнбзел=млЙЗ=Ду=

tбеЗзпл=fелн~ддЙкKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =RN

QKQ p~СЙdм~кЗ=b~лу=СЙ~нмкЙл=~еЗ=й~к~гЙнЙкл KKKKKKKKKKK =RO QKQKN p~СЙdм~кЗ=b~лу=СЙ~нмкЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =RO QKQKO p~СЙdм~кЗ=b~лу=лЙнмй=й~к~гЙнЙкл KKKKKKKKKKKKKKKKKK=RR

R=réÇ~íÉKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =RV

RKN içÅ~ä=ìéÇ~íÉ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =SM

RKO rе~ннЙеЗЙЗ=мйЗ~нЙ=пбнЬ=гбЦк~нбзе=СбдЙ KKKKKKKKKKKKKKK=SQ

RKP pулнЙг=вЙкеЙд=ЕЬЙЕв=пЬЙе=нЬЙкЙ=бл=~е=мйЗ~нЙKKKK =SS RKPKN tЬ~н=Ь~ййЙел=бС=нЬЙ=лулнЙг=вЙкеЙд=бл=езн=lh\=ST RKPKO ^Дзмн=нЬЙ=кЙй~бк=йкзЦк~гKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =SU RKPKP m~к~гЙнЙкл=Сзк=нЬЙ=кЙй~бк=йкзЦк~г KKKKKKKKKKKKKKKKKK =SV

S=rебелн~дд~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=TP

SKN iзЕ~д=мебелн~дд~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =TQ

SKO rебелн~дд=пбнЬ=`Ь~ддЙеЦЙLoЙлйзелЙKKKKKKKKKKKKKKKKKKKKKK =TR

SKP rе~ннЙеЗЙЗ=мебелн~дд=пбнЬ=ЕзеСбЦмк~нбзе=СбдЙ KKKKKKK =TT

T=pулнЙг=Дззн=~еЗ=дзЦзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =TV

TKN iзЦЦбеЦ=зе=~л=~=кЙЦмд~к=млЙкKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =UM

TKO iзЦЦбеЦ=зе=~л=~=ЗЙС~мдн=млЙкKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =UN TKOKN bснЙеЗЙЗ=дзЦзе=об~=СмеЕнбзе=вЙу=xcOz KKKKKKKKKKKKK =UO

TKP iзЦЦбеЦ=зе=млбеЦ=~=нзвЙе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =UP

TKQ `Ь~еЦбеЦ=нЬЙ=p~СЙdм~кЗ=b~лу

й~ллпзкЗ=об~=нЬЙ=xcNMz=вЙу KKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKK=UQ

TKR eЙдй=СмеЕнбзе=Сзк=кЙлЙннбеЦ=СзкЦзннЙе=й~ллпзкЗл=

îá~=íÜÉ=xcVz=âÉóKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK = UR

TKS c~бдЙЗ=дзЦзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =US

TKT mкЙллбеЦ=xcOz=нз=СзкЕЙ=дзЦзе=пбнЬ=m_^ KKKKKKKKKKKKKKKKK =UT

TKU iзЦЦбеЦ=зе=нз=нЬЙ=зйЙк~нбеЦ=лулнЙг=

~ìíçã~íáÅ~ääó= UU

TKV `згй~нбДбдбну=пбнЬ=дзЦзе=ЕзгйзеЙенл=лмййдбЙЗ=

Ду=знЬЙк=оЙеЗзкл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =UV

ñÅ

U=^Згбеблнк~нбзе=зоЙкобЙп KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =VN

UKN pЙй~к~нбзе=зС=СмеЕнбзел KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =VO

UKO pн~кнбеЦ=нЬЙ=^Згбеблнк~нбзе=СмеЕнбзе=~еЗ=нЬЙ=

`зеСбЦмк~нбзе=cбдЙ=tбт~кЗ= KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =VP

UKP qЬЙ=^Згбеблнк~нбзе=СмеЕнбзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =VQ UKPKN ^Згбеблнк~нбзе=пбеЗзп KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=VR UKPKO qççäÄ~ê KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=VS

UKQ `зеСбЦмк~нбзе=cбдЙ=tбт~кЗ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=VU UKQKN oЙмлЙ=зС=ЕзеСбЦмк~нбзе=СбдЙл=Скзг=здЗЙк=

оЙклбзел=зС=p~СЙdм~кЗ=b~луKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =VV UKQKO `кЙ~нбеЦ=~=еЙп=ЕзеСбЦмк~нбзе=СбдЙ KKKKKKKKKKKKKKKKKK=NMM UKQKP `кЙ~нбеЦ=~=ЕзеСбЦмк~нбзе=СбдЙ=Сзк=белн~дд~нбзе KK =NMN UKQKQ `кЙ~нбеЦ=~=ЕзеСбЦмк~нбзе=СбдЙ=

Сзк=кЙгзобеЦ=p~СЙdм~кЗ=b~луKKKKKKKKKKKKKKKKKKKKKKKK =NMR UKQKR `кЙ~нбеЦ=~=ЕзеСбЦмк~нбзе=СбдЙ=Сзк=~=ЕЬ~еЦЙ=

áåëí~ää~íáçå=E?ÇÉäí~=ÑáäÉ?F KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NMS UKQKS oìå=íÜÉ=ÇÉäí~=ÑáäÉKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NNM UKQKT `Ь~еЦбеЦ=~=ЕзеСбЦмк~нбзе=СбдЙ KKKKKKKKKKKKKKKKKKKKKKK K =NNN

UKR `çãã~åÇ=äáåÉ=ëóåí~ñ=Ñçê=ÅêÉ~íáçå=çÑ=~=

ЕзеСбЦмк~нбзе=СбдЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NNO

UKRKN bс~гйдЙл=зС=млЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NNQ

UKS `Ь~еЦбеЦ=СкЙимЙендуJмлЙЗ=oЙЦблнку=лЙннбеЦл=пбнЬ=

p~СЙdм~кЗ=b~луЫл=~Згбеблнк~нбоЙ=нЙгйд~нЙ KKKKKKKKK =NNT

V=mкЙJ_ззн=^мнЬЙенбЕ~нбзе=Em_^FKKKKKKKKKKKKKKKKKKKK =NON

VKN `Ь~еЦбеЦ=нЬЙ=д~еЦм~ЦЙ=млЙЗ=бе=йкЙJДззн=

~мнЬЙенбЕ~нбзе=~н=~=д~нЙк=йзбен=бе=нбгЙ KKKKKKKKKKKKKKK=NOO

VKO pпбнЕЬбеЦ=зе=й~ллпзкЗ=~н=лулнЙг=лн~кн=Em_^FKKKK =NOP

VKP j~ЕЬбеЙ=бЗЙенбСбЕ~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NOQ VKPKN j~ЕЬбеЙ=бЗЙенбСбЕ~нбзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NOR

VKPKO iЙЦ~д=езнбЕЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NOS

NM =j~лнЙк=_ззн=oЙЕзкЗ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NOT

NMKN j_o=йкзнЙЕнбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NOV

NMKO j_o=ЗЙС~мдн=~Енбзел KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NPM

NMKP pмййзкн=`згй~и=pЙнмй=й~кнбнбзеKKKKKKKKKKKKKKKKKKKKKK =NPM

NN =bеЕкуйнбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NPN

NNKN `зеСбЦмкбеЦ=ЙеЕкуйнбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NPP

NNKO pмййзкнЙЗ=Зблв=ЗкбоЙлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NPQ NNKOKN bеЕкуйнбеЦ=Зблв=ЗкбоЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NPU

NNKP hЙул KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQM NNKPKN hЙу=г~е~ЦЙгЙен KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQM NNKPKO `кЙ~нбеЦ=вЙул KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQM NNKPKP hЙу=дЙеЦнЬKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQN NNKPKQ qкбоб~д=вЙулKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQN NNKPKR o~еЗзг=вЙул KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQN NNKPKS aЙСбебеЦ=вЙул KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQO NNKPKT `Ь~еЦбеЦ=~=вЙуKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQO

NNKQ ^дЦзкбнЬглKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NQP NNKQKN pЙдЙЕнбеЦ=~е=~дЦзкбнЬгKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NQP NNKQKO p~СЙdм~кЗ=b~лу=~дЦзкбнЬглKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQP NNKQKP `Ь~еЦбеЦ=~е=~дЦзкбнЬг KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQR

NNKR aблйд~убеЦ=ЙеЕкуйнбзе=лн~нмл=

бе=tбеЗзпл=bсйдзкЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQS

NNKS `êÉ~íáåÖ=~å=áã~ÖÉ=çÑ=~å

ЙеЕкуйнЙЗ=Ь~кЗ=Зблв=ЗкбоЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQT

ñÅ

NO =`кЙ~нбеЦ=млЙк=йкзСбдЙлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NQV

NOKN aЙСбебеЦ=~Згбе=н~лвл KKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKK=NRM

NOKO mкЙJЗЙСбеЙЗ=млЙклKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKK=NRN NOKOKN qЬЙ=pvpqbj=млЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NRN NOKOKO qЬЙ=rpbo=млЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NRN NOKOKP qЬЙ=G^rqlrpbo KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NRO

NOKP `кЙ~нбеЦ=млЙкл K KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NRP

NOKQ `зйубеЦ=~=млЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NRQ

NOKR aЙдЙнбеЦ=млЙкл K KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NRR

NOKS rлЙк=СЙ~нмкЙлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NRS NOKSKN jбебгмг=млЙк=е~гЙ=дЙеЦнЬ KKKKKKKKKKKKKKKKKKKKKKKKKKK =NRS NOKSKO qзвЙе=дзЦзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NRT NOKSKP aЙС~мдн=млЙк=Eй~ллпзкЗ=зедуF KKKKKKKKKKKKKKKKKKKKKKKK =NRT NOKSKQ fллмЙ=~ДДкЙоб~нЙЗ=`Lo=`зЗЙ KKKKKKKKKKKKKKKKKKKKKKKKKK=NRT NOKSKR rлЙк=~ЕЕзмен=нЙгйд~нЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NRU NOKSKS bсйбк~нбзе=З~нЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NRV

NOKT rлЙк=кбЦЬнлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NSM NOKTKN ^ллбЦебеЦ=млЙк=кбЦЬнлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NSO NOKTKO qк~елСЙккбеЦ=млЙк=кбЦЬнл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NSP

NP =m~ллпзкЗ=лЙннбеЦлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NSR

NPKN mкЙJЗЙСбеЙЗ=й~ллпзкЗ=кмдЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NSS

NPKO mЙкгбннЙЗ=вЙул=Сзк=нЬЙ

p~СЙdм~кЗ=b~лу=й~ллпзкЗKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NST

NPKP `зеСбЦмкбеЦ=p~СЙdм~кЗ=b~лу=Сзк=млЙ=бе=

бенЙке~нбзе~д=ЙеобкзегЙенл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NSU NPKPKN qЬЙ=ЙССЙЕнл=зС=ЗбССЙкЙен=вЙуДз~кЗ=д~узмнлKKKK=NSU NPKPKO dЙеЙк~нбеЦ=бенЙке~нбзе~дду=мебСзкг=З~н~=Сзк=

p~ÑÉdì~êÇ=b~ëó KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NSV

NPKQ dЙеЙк~д=й~ллпзкЗ=кмдЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NTN NPKQKN m~ллпзкЗ=~н=лулнЙг=лн~кнKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKK =NTO NPKQKO eбЗЗЙе=й~ллпзкЗ=Йенку KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NTO NPKQKP jбебгмг=й~ллпзкЗ=дЙеЦнЬ KKKKKKKKKKKKKKKKKKKKKKKKKKKK =NTO NPKQKQ jбебгмг=й~ллпзкЗ=~ЦЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NTO NPKQKR m~ллпзкЗ=ЬблнзкуKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NTP NPKQKS pуен~с=кмдЙл=EЕЬ~к~ЕнЙклI=ЗбЦбнлI=лугДздлI=

зййзлбнЙ=Е~лЙFKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NTQ

NPKR cзкДбЗЗЙе=й~ллпзкЗл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NTR NPKRKN aЙСбебеЦ=СзкДбЗЗЙе=й~ллпзкЗлKKKKKKKKKKKKKKKKKKKKKK =NTR NPKRKO fгйзкнбеЦ=~=й~ллпзкЗ=дблнKKKKKKKKKKKKKKKKKK KKKKKKKKKKKK=NTS

NPKS rлЙкJлйЙЕбСбЕ=й~ллпзкЗ=кмдЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKK =NTT NPKSKN m~ллпзкЗ=ЕЬ~еЦЙ=~ддзпЙЗKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NTU NPKSKO m~ллпзкЗ=ЕЬ~еЦЙ=~СнЙкKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NTU NPKSKP `Ь~еЦЙ=й~ллпзкЗ=~н=еЙсн=дзЦзе KKKKKKKKKKKKKKKKKKK =NTU

NPKT aЙСбебеЦ=~=й~ллпзкЗ KKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKKK=NTV

NQ =qпбеДззнL_ззн=j~е~ЦЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NUN

NQKN cмеЕнбзе~дбнуKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NUN

NQKO mкЙкЙимблбнЙл KKKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NUO

NQKP bñ~ãéäÉKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NUP

ñÅ

NQKQ `зеСбЦмкбеЦ=qпбеДззн KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NUQ

NQKR `зеСбЦмкбеЦ=_ззн=j~е~ЦЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NUS NQKRKN dЙеЙк~д=лЙннбеЦлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NUS NQKRKO _ззн=ЗкбоЙлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NUT

NQKS bсЕЬ~еЦбеЦ=З~н~=ДЙнпЙЙе=Дззн=й~кнбнбзел=

EpЬ~кЙ=mд~бе=m~кнбнбзелFKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NVM

NR =qзвЙе=лмййзкн KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NVN

NRKN _ЙеЙСбнл=зС=дзЦЦбеЦ=зе=млбеЦ=~=нзвЙе KKKKKKKKKKKKKKKK =NVO

NRKO pмййзкнЙЗ=нзвЙелKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NVQ

NRKP qзвЙе=СмеЕнбзел KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKK=NVR

NRKQ fелн~дд=нзвЙе=лмййзкнKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=NVS

NRKR iзЦЦбеЦ=зе=Сзк=нЬЙ=Сбклн=нбгЙ=пбнЬ=~=нзвЙе=бе=

нЬЙ=йкЙJДззн=~мнЬЙенбЕ~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKK =NVV

NRKS eзп=нз=ЕЬ~еЦЙ=нЬЙ=нзвЙе=й~ллпзкЗKKKKKKKKKKKKKKKKK =OMN

NRKT eзп=нз=ЕЬ~еЦЙ=зк=ЗЙдЙнЙ=p~СЙdм~кЗ=b~лу=

~ЕЕЙлл=З~н~ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OMN

NRKU fллмбеЦ=~=нзвЙеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OMO NRKUKN qзвЙе=бллмбеЦ=гзЗЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OMP NRKUKO rе~ннЙеЗЙЗ=бллмбеЦ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OMQ

NRKV qзвЙе=лмййзкн=Сзк=p~СЙdм~кЗ=b~лу=

^Згбеблнк~нбзе=qзздл K KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =ONM NRKVKN bе~ДдбеЦ=дзЦЦбеЦ=зе=нз=нЬЙ=^Згбеблнк~нбзе=

qзздл=пбнЬ=~=нзвЙе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =ONN NRKVKO oЙЦблнЙкбеЦ=нЬЙ=нзвЙеЫл=mh`p@NN=гзЗмдЙKKKKKK =ONO NRKVKP rебоЙкл~д=qзвЙе=fенЙкС~ЕЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =ONR

NRKNMiзЦЦбеЦ=зе=нз=нЬЙ=зйЙк~нбеЦ

лулнЙг=пбнЬ=нзвЙе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=ONU NRKNMKN fллмбеЦ=~=нзвЙе=пбнЬ=зйЙк~нбеЦ=лулнЙг=З~н~KK =ONU NRKNMKO p~обеЦ=tбеЗзпл=З~н~=бе=нЬЙ=p^i=СбдЙKKKKKKKKKKKKKK =OOM

NRKNNfллмбеЦ=~=нзвЙе=пбнЬ=нЬЙ=qзвЙе

^Згбеблнк~нбзеKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OON NRKNNKN fелн~ддбеЦ=нЬЙ=qзвЙе=^Згбеблнк~нбзеKKKKKKKKKKKKKKK =OOO NRKNNKO oЙгзобеЦ=p~СЙdм~кЗ=b~лу=З~н~=Скзг=

нЬЙ=нзвЙе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OOP

NRKNNKP fгйзкнбеЦ=нЬЙ=p~СЙdм~кЗ=b~лу=З~н~=Скзг=~=

ЕзеСбЦмк~нбзе=СбдЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OOQ

NRKNOnмбЕвду=ЕЬ~еЦбеЦ=нЬЙ=p~СЙdм~кЗ=b~лу=млЙкKKKKKKK=OOS NRKNOKN mкЙкЙимблбнЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OOS NRKNOKO bс~гйдЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OOT

NRKNPoЙгзнЙ=ЬЙдй KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=OOU NRKNPKN mкЙкЙимблбнЙл=Сзк=`Ь~ддЙеЦЙLoЙлйзелЙKKKKKKKKKKK =OOV NRKNPKO `Ь~ддЙеЦЙLoЙлйзелЙ=Йс~гйдЙл KKKKKKKKKKKKKKKKKKKKKK =OOV NRKNPKP ^ЗгбеблнЙк беЦ=нзвЙе=кЙгзнЙду=пбнЬ=нЬЙ=

qзвЙе=^Згбеблнк~нбзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OPQ

NS =iЙезоз=cбеЦЙкйкбен=pЙелзк KKKKKKKKKKKKKKKKKKKKKKKKKK =OPT

NSKN oЙимбкЙгЙенлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OPU

NSKO pмййзкнЙЗ=Ь~кЗп~кЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OPV

NSKP fелн~ддбеЦ=iЙезоз=СбеЦЙкйкбен=лмййзкнKKKKKKKKKKKKKKKK =OQN

NSKQ `Ь~еЦбеЦ=нЬЙ=p~СЙdм~кЗ=b~лу=й~ллпзкЗKKKKKKKKKKK =OQR

NSKR cкЙимЙенду=~лвЙЗ=имЙлнбзелKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OQT

NT =`зеСбЦмкбеЦ=tбеЗзпл=дзЦзеKKKKKKKKKKKKKKKKKKKKKKKK =OQV

NTKN pЙЕмкЙ=^мнзг~нбЕ=iзЦзе=Ep^iF KKKKKKKKKKKKKKKKKKKKKKKKK=ORM NTKNKN fелн~ддбеЦ=pЙЕмкЙ=^мнзг~нбЕ=iзЦзе=Ep^iF KKKKKK =ORN NTKNKO pЙЕмкЙ=^мнзг~нбЕ=iзЦзе=пбнЬ=лг~кнЕ~кЗ=

Epã~êíÅ~êÇ=p^iFKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =ORQ

NTKNKP pпбнЕЬбеЦ=pЙЕмкЙ=^мнз=iзЦзе=

зСС=нЙгйзк~кбду KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =ORS NTKNKQ eбЗбеЦ=нЬЙ=p^i=Зб~дзЦKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=ORU NTKNKR oЙгзобеЦ=З~н~=Сзк=p^iLp`p^i KKKKKKKKKKKKKKKKKKKKKKK =ORV NTKNKS oЙлнкбЕнбзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OSM

ñÅ

NTKO iзЦЦбеЦ=зенз=tбеЗзпл=~еЗ=p~СЙdм~кЗ=b~лу=

млбеЦ=нЬЙ=л~гЙ=й~ллпзкЗ= Eй~ллпзкЗ=луеЕЬкзебт~нбзеF KKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OSN

NTKOKN =_ЙеЙСбнл=зС=й~ллпзкЗ=луеЕЬкзебт~нбзе KKKKKKKKK =OSN

NTKOKO mкЙй~кбеЦ=Сзк=й~ллпзкЗ=луеЕЬкзебт~нбзеKKKKKKK =OSO NTKOKP pпбнЕЬбеЦ=зе=й~ллпзкЗ=луеЕЬкзебт~нбзе KKKKKKK =OSP NTKOKQ `~ккубеЦ=змн=й~ллпзкЗ=луеЕЬкзебт~нбзе KKKKKKKK =OSQ NTKOKR `Ь~еЦбеЦ=нЬЙ=tбеЗзпл=й~ллпзкЗ=пЬЙе=

й~ллпзкЗ=луеЕЬкзебт~нбзе=бл=~ЕнбоЙKKKKKKKKKKKKKKK=OST NTKOKS `Ь~еЦбеЦ=нЬЙ=p~СЙdм~кЗ=b~лу=й~ллпзкЗ KKKKKKK =OSU NTKOKT `~еЕЙддбеЦ=нЬЙ=й~ллпзкЗ=луеЕЬкзебт~нбзе=

Зб~дзЦKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=OSV NTKOKU oЙлнкбЕнбзел KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OTM NTKOKV tЬ~н=лЬзмдЗ=f=ЗзI=бС=KKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OTO

NTKP ^ЗЗбнбзе~д=tбеЗзпл=iзЦзе=зйнбзелKKKKKKKKKKKKKKKKKK =OTP NTKPKN q~бдзкбеЦ=нЬЙ=tбеЗзпл=iзЦзе=лЕкЙЙе KKKKKKKKKKKK=OTQ NTKPKO tзквлн~нбзе=дзЕв KKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OTT NTKPKP pЕкЙЙе=л~оЙкKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OTV NTKPKQ dfk^=кЙй~бк KKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OUO NTKPKR kзоЙдд=дзЦзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OUP

NU =p~ÑÉdì~êÇ=b~ëó=

пзквлн~нбзе=дзЕв KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OUR

NUKN mкЙкЙимблбнЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=OUS

NUKO ^Енбо~нбеЦ=нЬЙ=tбеЗзпл=pЕкЙЙе=p~оЙк=пбнЬ=

й~ллпзкЗ=йкзнЙЕнбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OUT

NUKP pпбнЕЬбеЦ=зСС=нЬЙ=p~СЙdм~кЗ=b~лу=

пзквлн~нбзе=дзЕв KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=OUU

NV =pЙЕмкЙ=t~вЙJlеJi^k KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OUV

NVKN lоЙкобЙп KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVM

NVKO iзЕвбеЦ=нЬЙ=tбеЗзпл=iзЦзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVN

NVKP ^ЗамлнбеЦ=tli=Зб~дзЦ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVO

NVKQ qЙгйзк~ку=кЙгзо~д=зС=

t~вЙJlеJi^k=дзЕвл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVP

NVKR `зеСбЦмкбеЦ=t~вЙJlеJi^k KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVQ

OM =eбДЙке~нбзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVR

OMKN lоЙкобЙпKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVR

OMKO eбДЙке~нбзе=~еЗ=p~СЙdм~кЗ=b~лу KKKKKKKKKKKKKKKKKKKKKK=OVS

OMKP mкЙкЙимблбнЙл=~еЗ=кЙлнкбЕнбзелKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVT

OMKQ pЙннбеЦ=мй=ЬбДЙке~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVU

ON =qзЦЦдбеЦ=Сдзййу=Зблв=

~еЗ=ЗЙобЕЙ=ЙеЕкуйнбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =OVV

ONKN kЙЕЙлл~ку=млЙк=кбЦЬнлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PMM

ONKO pпбнЕЬбеЦ=ЙеЕкуйнбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PMN

ONKP ^ллбЦебеЦ=вЙул=пбнЬ=pЦЙ`куйн KKKKKKKKKKKKKKKKKKKKKKKKKKK =PMO

ONKQ rлбеЦ=нЬЙ=Езгг~еЗ=дбеЙ=нз=лпбнЕЬ=ЙеЕкуйнбзе=

лЙннбеЦл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PMQ

ñÅ

ONKR kçíÉë KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PMR

OO =cfmp=NQMJO=EiЙоЙд=NF=ЕЙкнбСбЕ~нбзеKKKKKKKKKKKKKKKKK =PMT

OOKN kЙп=СмеЕнбзелKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PMU

OOKO fелн~ддбеЦ=p~СЙdм~кЗ=b~лу=нз=ДЙ=cfmpJЕзгйдб~ен =PMV

OOKP pЙЕмкЙ=млЙ=зС=p~СЙdм~кЗ=b~лу=бе=ЕЙкнбСбЙЗ=

ЕзеСбЦмк~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PNN

OP =p~ÑÉdì~êÇ=b~ëó=~åÇ=

iЙезоз=qЬбевs~ен~ЦЙ=qЙЕЬездзЦбЙл=J= bгДЙЗЗЙЗ=pЙЕмкбну=pмДлулнЙг= EiЙезоз=bpp=`ЬбйF KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PNP

OPKN p~ÑÉdì~êÇ=b~ëó=~åÇ=qmjKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PNR

OPKO mêÉé~êáåÖ=íÜÉ=bppLqmj=`Üáé=Ñçê=ìëÉKKKKKKKKKKKKKKKKKK K =PNS

OPKP oЙимбкЙЗ=лЙннбеЦл=Сзк=`pp=бенЙЦк~нбзе KKKKKKKKKKKKKKK=PNT

OPKQ oЙимбкЙЗ=лЙннбеЦл=Сзк=ЦЙеЙк~нбеЦ=к~еЗзг=вЙул=

млбеЦ=qmj=`Ьбй KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =POM

OPKR oЙимбкЙЗ=лЙннбеЦл=Сзк=млбеЦ=нЬЙ=qmj=ЕЬбй=нз=

лЙЕмкЙ=нЬЙ=`дбЙенLpЙкоЙк=^мнЬЙенбЕ~нбзеKKKKKKKKKKKK =PON

OPKS oЙимбкЙЗ=лЙннбеЦл=Сзк=j~ЕЬбеЙ=_беЗбеЦ KKKKKKKKKKKKK =POR OPKSKN fебнб~д=j~ЕЬбеЙ=_беЗбеЦ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =POS OPKSKO j~ЕЬбеЙ=_беЗбеЦ=С~бдЙЗ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =POU OPKSKP j~ЕЬбеЙ=_беЗбеЦ=кЙЕзоЙку KKKKKKKKKKKKKKKKKKKKKKKKKKKKK =POV OPKSKQ oЙЕзоЙку=гзЗЙ=ЕзеСбЦмк~нбзе KKKKKKKKKKKKKKKKKKKKKKK =PPO

OQ =p~ÑÉdì~êÇ=b~ëó=~åÇ=

iЙезоз=qЬбевs~ен~ЦЙ=qЙЕЬездзЦбЙл=J= oЙлЕмЙ=~еЗ=oЙЕзоЙку KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PPR

OQKN lоЙкобЙп KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PPR

OQKO oЙлЕмЙ=~еЗ=oЙЕзоЙку=пбнЬ=p~СЙdм~кЗ=b~лу KKKKKK =PPS OQKOKN ^Зо~ен~ЦЙл=зС=ЕзгДбебеЦ=oЙлЕмЙ=~еЗ=

oЙЕзоЙку»=~еЗ=p~СЙdм~кЗ=b~лу KKKKKKKKKKKKKKKKKKK =PPT OQKOKO oЙимбкЙгЙенлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PPT

OQKP fелн~дд~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PPU OQKPKN tЬЙе=еЙбнЬЙк=oЙлЕмЙ=~еЗ=oЙЕзоЙку=езк=

p~ÑÉdì~êÇ=b~ëó=~êÉ=áåëí~ääÉÇKKKKKKKKKKKKKKKKKKKKKKKKK =PPV OQKPKO p~ÑÉdì~êÇ=b~ëó=áë=~äêÉ~Çó=áåëí~ääÉÇ KKKKKKKKKKKKKKK =PQM

OQKQ rйЦк~ЗЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PQN OQKQKN rйЦк~ЗбеЦ=p~СЙdм~кЗ=b~луKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PQN OQKQKO rйЦк~ЗбеЦ=oЙлЕмЙ=~еЗ=oЙЕзоЙку KKKKKKKKKKKKKKKKKK =PQN

OQKR rебелн~дд~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PQN

OQKS eçï=íç=ÅêÉ~íÉ=~=Ä~Åâìé KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PQO

OQKT oЙлнзкбеЦ=СбдЙ=Д~Евмйл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PQQ

OQKU oЙлнзкбеЦ=нЬЙ=лулнЙг KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PQR OQKUKN _ззн=ЙеобкзегЙен KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PQS OQKUKO oЙлнзкбеЦ=~=p~СЙdм~кЗ=b~лу=лулнЙг KKKKKKKKKKKKKK =PQT

OQKV pЙкобЕЙ=~еЗ=С~Ензку=кЙЕзоЙку=й~кнбнбзел KKKKKKKKKKKK =PQT OQKVKN cЙ~нмкЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PQU

OQKNMtЬ~н=лЬзмдЗ=f=ЗзI=бС=KKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PQV

OR =`згй~нбДбдбну=пбнЬ

^ДлздмнЙ=`згймнк~ЕЙ=лзСнп~кЙ KKKKKKKKKKKKKKKKKK =PRN

OS =oЙгзнЙ=г~бенЙе~еЕЙ

E`Ь~ддЙеЦЙLoЙлйзелЙF=== KKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PRP

OSKN eзп=бн=пзквлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PRQ OSKNKN fелн~ддбеЦ=ma^=оЙклбзе=зС=нЬЙ=oЙлйзелЙ=`зЗЙ=

táò~êÇ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PRR

OSKO dЙеЙк~нбеЦ=~=ЕЬ~ддЙеЦЙ=ЕзЗЙKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PRS

OSKP oЙлйзелЙ=`зЗЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PRU OSKPKN `кЙ~нбеЦ=~=кЙлйзелЙ=ЕзЗЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PRV

OSKQ lйнбзе~д=ЙснЙелбзел=зС=нЬЙ=`Ь~ддЙеЦЙLoЙлйзелЙ=

ЕзеЕЙйн KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKK=PST OSKQKN eЙдйЗЙлв=`зелздЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PST OSKQKO tЙД=pЙдС=eЙдй KKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKKKK =PSU OSKQKP slf`bKqorpq KK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PSV

ñÅ

OT =`кЙ~нбеЦ=ЙгЙкЦЙеЕу=гЙЗб~=~еЗ=л~обеЦ=нЬЙ=

лулнЙг=вЙкеЙдKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PTN

OTKN eзп=нз=ЕкЙ~нЙ=~е=ЙгЙкЦЙеЕу=СдзййуLлулнЙг=

вЙкеЙд=Д~Евмй KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PTO OTKNKN oмеебеЦ=нЬЙ=ЙгЙкЦЙеЕу=Зблв=пбт~кЗ KKKKKKKKKKKKK =PTP OTKNKO rлбеЦ=нЬЙ=Езгг~еЗ=дбеЙ=нз=л~оЙ=нЬЙ=

лулнЙг=вЙкеЙдKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PTS

OTKNKP eзп=нз=л~оЙ=p~СЙdм~кЗ=b~лу=ЙгЙкЦЙеЕу=

СбдЙл=нз=Сдзййу KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PTS

OTKO eçï=íç=ÅêÉ~íÉ=~=Äççí~ÄäÉ

ЙгЙкЦЙеЕу=ЗблвKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PTT

OTKP eзп=нз=ЕкЙ~нЙ=~=Дззн~ДдЙ=ЙгЙкЦЙеЕу=`aKKKKKKKKK =PTU

OTKQ eзп=нз=ЕкЙ~нЙ=~=Дззн~ДдЙ=ЙгЙкЦЙеЕу=

rp_=гЙгзку=лнбЕвKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PTV

OTKR mЙкСзкгбеЦ=~е=ЙгЙкЦЙеЕу=Дззн KKKKKKKKKKKKKKKKKKKKKKKK =PUM OTKRKN oЙлнзкбеЦ=~=лулнЙг=вЙкеЙд KKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PUN OTKRKO oЙй~бкбеЦ=нЬЙ=лулнЙг=вЙкеЙд KKKKKKKKKKKKKKKKKKKKKKKKKK =PUO OTKRKP bгЙкЦЙеЕу=мебелн~дд=зС=p~СЙdм~кЗ=b~лу KKKKKKKK=PUP OTKRKQ kзнЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PUR

OTKS ^ЕЕЙллбеЦ=ЙеЕкуйнЙЗ=З~н~=

пЬЙе=ДззнбеЦ=Скзг=~е=

ЙснЙке~д=гЙЗбмг KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PUS OTKSKN mкЙкЙимблбнЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PUT OTKSKO mкзЕЙЗмкЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PUU OTKSKP kзнЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PUV OTKSKQ tЬ~н=лЬзмдЗ=f=ЗзI=бС=KKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PVM

OU =aблйд~убеЦ=p~СЙdм~кЗ=b~лу=лулнЙг=лн~нмл KKK =PVN

OUKN oЙйзкнбеЦ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PVN

OUKO m~к~гЙнЙкл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PVO

OV =^мЗбнбеЦ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PVP

OVKN eзп=нз=млЙ=^мЗбнбеЦKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PVQ

OVKO fелн~ддбеЦ=^мЗбнбеЦ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PVR

OVKP `зеСбЦмкбеЦ=^мЗбнбеЦKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PVS

OVKQ `зеСбЦмкбеЦ=bоЙен=iзЦЦбеЦ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=PVT OVKQKN aЙСбебеЦ=ЗЙлнбе~нбзел KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =PVT OVKQKO `кЙ~нбеЦ=~=еЙп=ЗЙлнбе~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKK =PVV OVKQKP oЙгзобеЦ=~=ЗЙлнбе~нбзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QMM OVKQKQ `зйубеЦ=~=ЗЙлнбе~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QMM

OVKR pЙдЙЕнбеЦ=ЙоЙенлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QMN OVKRKN `зеСбЦмкбеЦ=~дд=ЙоЙенлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QMP OVKRKO `Ь~еЦбеЦ=нЬЙ=обЙпKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QMQ

OVKS sбЙпбеЦ=~мЗбнЙЗ=ЙоЙенлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QMR OVKSKN bоЙен=sбЙпЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QMS OVKSKO iзЦ=СбдЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QMU

OVKT kçíÉë KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QMV

PM =`Йенк~д=~Згбеблнк~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QNN

PMKN cмеЕнбзе~дбнуKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QNO PMKNKN p~СЙdм~кЗ=b~лу=pЙкоЙкL

p~СЙdм~кЗ=b~лу=a~н~Д~лЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QNQ PMKNKO p~СЙdм~кЗ=b~лу=^Згбеблнк~нбзе=`зелздЙ KKKKKKK =QNS PMKNKP p~СЙdм~кЗ=b~лу=`дбЙенлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QNT PMKNKQ pмййзкнЙЗ=p~СЙdм~кЗ=b~лу=`дбЙенJL

p~СЙdм~кЗ=b~лу=pЙкоЙк=ЕзгДбе~нбзелKKKKKKKKKKKK =QNU

ñÅ

PMKO bсЕЬ~еЦбеЦ=a~н~=ДЙнпЙЙе

`дбЙен=~еЗ=pЙкоЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QNV PMKOKN pЙЕмкЙ=ЕзггмебЕ~нбзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QNV PMKOKO bсйЙЕнЙЗ=еЙнпзкв=дз~ЗKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QON PMKOKP aЙСбебеЦ=нЬЙ=бенЙко~д=Сзк=З~н~=ЙсЕЬ~еЦЙ KKKKKKKK =QOO

PMKP fелн~дд~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QOQ PMKPKN fелн~ддбеЦ=p~СЙdм~кЗ=b~лу=pЙкоЙкLa~н~Д~лЙKKKK=QOR PMKPKO fелн~ддбеЦ=p~СЙdм~кЗ=b~луЫл=^Згбеблнк~нбзе

`зелздЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QOT PMKPKP fелн~ддбеЦ=p~СЙdм~кЗ=b~лу=`дбЙенлKKKKKKKKKKKKKKKKKKK =QOU PMKPKQ j~сбгмг=Е~й~Ебну=зС=нЬЙ=p~СЙdм~кЗ=b~лу=

a~н~Д~лЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QPN PMKPKR oЙлнзкбеЦ=~=p~СЙdм~кЗ=b~лу=pЙкоЙк=зк=

a~í~Ä~ëÉ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QPO

PMKQ jбЕкзлзСн=pni=pЙкоЙк=лмййзкн KKKKKKKKKKKKKKKKKKKKKKKKKKK =QPP PMKQKN fгйзкн~ен=беСзкг~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QPP PMKQKO dЙеЙк~нбеЦ=~е=Йгйну=p~СЙdм~кЗ=b~лу=

З~н~Д~лЙ=зе=нЬЙ=pni=pЙкоЙк==KKKKKKKKKKKKKKKKKKKKKKKK=QPQ PMKQKP oЙЦблнЙкбеЦ=нЬЙ=еЙп=EЙгйнуF=p~СЙdм~кЗ=b~лу=

a~н~Д~лЙ=зе=нЬЙ=p~СЙdм~кЗ=b~лу=pЙкоЙк KKKKKKK=QQM

PN =^Згбеблнк~нбзе=`зелздЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QQT

PNKN iзЦЦбеЦ=зе=нз=нЬЙ=^Згбеблнк~нбзе=`зелздЙ KKKKKKK =QQT PNKNKN `Ь~еЦбеЦ=нЬЙ=~ЕЕЙлл=З~н~=Сзк=нЬЙ=З~н~Д~лЙ KK =QQV

PNKO ^Згбе=`зелздЙ=млЙк=бенЙкС~ЕЙKKKKKKKKKKKKKKKKKKKKKKKKKKK =QRN PNKOKN p~обеЦ=нЬЙ=ЕзенЙенл=зС=~=н~Д=~л=~=нЙсн=СбдЙ KKKKK =QRP

PNKP aблйд~убеЦ=нЬЙ=ЕмккЙен=ЕзеСбЦмк~нбзе=зС=~=

p~СЙdм~кЗ=b~лу=`дбЙен KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QRQ

PNKPKN `Ь~еЦбеЦ=~=p~СЙdм~кЗ=b~лу=`дбЙен=

ЗЙлЕкбйнбзеKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QRR PNKPKO oЙгзобеЦ=~=p~СЙdм~кЗ=b~лу=`дбЙен KKKKKKKKKKKKKKKK =QRR

PNKQ oЙJкЙЦблнЙкбеЦ=~=p~СЙdм~кЗ=b~лу=`дбЙен KKKKKKKKKKKKK=QRS PNKQKN oЙJкЙЦблнЙкбеЦ=лЙоЙк~д=p~СЙdм~кЗ=b~лу=

`дбЙенл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QSM

PNKR oЙЦблнЙкбеЦ=p~СЙdм~кЗ=b~лу=`дбЙенл=зе=~езнЬЙк=

p~СЙdм~кЗ=b~лу=pЙкоЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QSN

PNKS aЙСбебеЦ=Цкзмйл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QSS PNKSKN `кЙ~нбеЦLЗЙдЙнбеЦ=Цкзмйл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QST PNKSKO ^ллбЦебеЦ=~=p~СЙdм~кЗ=b~лу=`дбЙен=нз=~=

ЦкзмйLкЙгзобеЦ=~=p~СЙdм~кЗ=b~лу=`дбЙен=

Скзг=~=ЦкзмйKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QST PNKSKP cбеЗбеЦ=змн=Цкзмй=гЙгДЙклЬбйKKKKKKKKKKKKKKKKKKKKK=QSU PNKSKQ `Ь~еЦбеЦ=~=Цкзмй=е~гЙ KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QSV PNKSKR oЙгзобеЦ=Цкзмйл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QSV

PNKT aЙСбебеЦ=кмдЙл=Сзк=Зблйд~убеЦ=пзквлн~нбзелL

ЦкзмйлLкЙимЙлнлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QSV PNKTKN `зеСбЦмкбеЦ=~=СбднЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QTM PNKTKO ^Енбо~нбеЦ=~=СбднЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QTO

PNKU oЙимЙлнл=~еЗ=nмЙмЙлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QTO PNKUKN `кЙ~нбеЦ=ЕЬ~еЦЙл=EкЙимЙлнлF KKKKKKKKKKKKKKKKKKKKKKKKK =QTQ PNKUKO `кЙ~нбеЦ=~=еЙп=кЙимЙлн KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QTR PNKUKP rлбеЦ=~е=ЙсблнбеЦ=ЕзеСбЦмк~нбзе=СбдЙ=~л=

~=кЙимЙлнKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QTS PNKUKQ c~бдЙЗ=кЙимЙлнлKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QTT PNKUKR `Ь~еЦбеЦ=~=кЙимЙлн=е~гЙ KKKK KKKKKKKKKKKKKKKKKKKKKKKKK =QTU PNKUKS aЙдЙнбеЦ=~=кЙимЙлнKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QTU PNKUKT aблйд~убеЦ=~=имЙмЙKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QTU

ñÅ

PNKV pн~нЙ=зС=~=p~СЙdм~кЗ=b~лу=`дбЙен KKKKKKKKKKKKKKKKKKKKKKK =QUM PNKVKN pн~нЙ=?pн~еЗ~кЗ=ElедбеЙF? KKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QUN PNKVKO pн~нЙ=?lССдбеЙ? KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QUO PNKVKP pн~нЙ=?mмлЬ=xзеz? KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QUP PNKVKQ pн~нЙ=?mмлЬ=xзССz?KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QUQ PNKVKR pпбнЕЬбеЦ=нЬЙ=p~СЙdм~кЗ=b~лу=`дбЙен=Скзг=

pн~еЗ~кЗ=ElедбеЙF=нз=lССдбеЙ=гзЗЙ KKKKKKKKKKKKKKK =QUR PNKVKS dЙеЙк~нбеЦ=ЕзеСбЦмк~нбзе=мйЗ~нЙл=Сзк=зССдбеЙ=

ЕдбЙенл=бе=нЬЙ=^Згбеблнк~нбзе=`зелздЙKKKKKKKKKKKK=QUT PNKVKT iз~ЗбеЦ=~=ЕзеСбЦмк~нбзе=мйЗ~нЙ=зенз=~е=

lССдбеЙ=`дбЙен=пбнЬ=pdbqo^kpKKKKKKKKKKKKKKKKKKKKKKKK =QVM

PNKNM^мнзг ~нбЕ=лулнЙг=вЙкеЙд=Д~ЕвмйKKKKKKKKKKKKKKKKKKKKKK =QVN PNKNMKN _~ЕвбеЦ=мй=нЬЙ=лулнЙг=вЙкеЙд=

бенз=нЬЙ=_~Евмйл=СздЗЙк KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QVO PNKNMKO `кЙ~нбеЦ=~=еЙп=Д~Евмй=СздЗЙкKKKKKKKKKKKKKKKKKKKKKKK=QVP PNKNMKP bсйзкнбеЦ=нЬЙ=лулнЙг=вЙкеЙдKKKKKKKKKKKKKKKKKKKKKKKKKK =QVP

PO =oЙгзнЙ=^Згбеблнк~нбзе KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =QVR

POKN mкЙкЙимблбнЙл KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=QVS

POKO fелн~ддбеЦ=oЙгзнЙ=^Згбеблнк~нбзе KKKKKKKKKKKKKKKKKKKKKK =QVU

POKP bлн~ДдблЬбеЦ=~=ЕзееЙЕнбзе=нз=~=p~СЙdм~кЗ=b~лу=

`дбЙенKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =RMM

PP =bêêçê=ãÉëë~ÖÉë KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK =RMP

N =lоЙкобЙп

Personal computers often contain personal data, confidential and company information or other sensitive data.

The danger caused by the theft of notebooks should not be underestimated. Highly sensitive client information on a sales representative’s notebook could fall into the hands of a competitor, resulting in serious damage for the company.

SafeGuard Easy is the ideal way to safeguard against such risks without spending too much time on implementing security measures.

How does SafeGuard Easy protect workstations against unauthorized access? The program’s most important security features are its drive encryption and boot protection, which are used to prevent access to a workstation via an external data medium.

The biggest benefits of SafeGuard Easy are that the program

 simply but effectively protects the confidentiality of stored data

ñÅ

 can be implemented quickly

 is very user-friendly

 offers a security concept suitable for many different application

areas.

SafeGuard Easy is easy to install. For this reason, it is particularly well suited for stand-alone systems and mobile units such as notebooks.

NKN `Йенк~д=лЙЕмкбну=СмеЕнбзел

Encryption

SafeGuard Easy uses online encryption to protect the confidentiality of data that is stored on hard disks, floppy disks and removable media in a simple and effective manner. Here, "online" means that the data is decrypted, when it is read and loaded into RAM, and then automatically encrypted again when it is saved. The key is not saved on the hard disk or PC. It is determined again, from the user’s SafeGuard Easy password, each time the PC is switched on.

SafeGuard Easy encrypts not only the entire contents of hard disks, but also the contents of removable media such as floppy disks, ZIP or JAZ disks or USB memory sticks. This allows secure data medium exchange to be implemented within the company, while simultaneously protecting the contents of mobile data media against unauthorized access. It also provides an effective way of preventing the unauthorized importing of data such as unlicensed software or viruses via removable media, since users without the appropriate authorization cannot use plain text media.

Different algorithms can be selected to encrypt floppy disks, removable media and the individual partitions on hard disks. The algorithms that can be used for this purpose include AES, Rijndael, XOR, STEALTH-40, IDEA, BLOWFISH, DES and 3DES.

Access control with Pre-Boot Authentication (PBA) and boot protection

Pre-Boot Authentication is an additional central security function in SafeGuard Easy. PBA ensures that only the SafeGuard Easy user who is registered on the system can log onto it.

ñÅ

When the hard disk is encrypted, any attempt to boot the computer from another data medium, such as a system floppy disk, a CD-ROM or another hard disk, will fail: the hard disk remains blocked. In fact, this means that the system actually does boot, but it is not possible to read the encrypted data on the hard disk.

When PBA is implemented on a workstation along with the Boot protection option, the workstation cannot been booted with an external data medium unless the user knows the correct SafeGuard Easy user data.

NKO lнЬЙк=лЙЕмкбну=СмеЕнбзел

Support for Lenovo’s (IBM’s) ThinkVantage technologies - Client Security Solution (CSS) 8.10 and Rescue and Recovery 4.20

SafeGuard Easy already supports earlier versions of Lenovo’s ThinkVantage technologies. The current version of SafeGuard Easy is still compatible to Lenovo’s Client Security Solution (CSS) and Rescue and Recovery (RnR).

Rescue and Recovery (RnR): SafeGuard Easy supports Lenovo’s Rescue and Recovery. This means customers can use this efficient backup and recovery method along with SafeGuard Easy encrypted operating system partitions. This functionality is unique amongst disk encryption products. Backups from encrypted SafeGuard Easy systems can be stored on any disk drive used by RnR. Therefore, in an emergency, a system can be restored by loading a backup from CD/ DVD, a network drive, a second internal hard disk or a USB hard disk or stick.

TCPA/TPM support (ESS chip/CSS): SafeGuard Easy is the first hard disk encryption product to use the security chips, specified by the Trusted Computing Group (TCG), that are nowadays integrated in the latest notebooks. Among other things, SafeGuard Easy uses these chips to secure the link between the client and administration server, and also to generate random numbers. Naturally, SafeGuard Easy’s Secure Auto Logon (SAL or SSO) function can also be used to provide optimum integration in the ESS chip infrastructure.

Certification to FIPS 140-2 Level 1

SafeGuard Easy now complies with the guidelines of FIPS 140-2 Level 1 (FIPS= Federal Information Processing Standard) certification set out by the American National Institute of Standards and Technology (NIST). NIST defines the security criteria for encryption products used by the American government.

SafeGuard® Easy is already certified in accordance with the Common Criteria standard, Evaluation Assurance Level 3 (EAL 3).

Optional two-factor authentication in the Pre-Boot phase

SafeGuard Easy can be configured in such a way that only users with an appropriate token can access the PC. Besides being used in Pre-Boot Authentication (PBA), the token can also, of course, be used at operatingsystem level for other, certificate-based applications, via the PKCS#11 or CSP standard. Furthermore, the token can also be used by the SafeGuard Easy administrator to log on to the administration programs. SafeGuard Easy users who have forgotten their password or token can be helped by a central help desk.

SafeGuard Easy supports

 various Aladdin eTokens

 Verisign USB token

 RSA SecurID 800 token

Biometric logon with Lenovo Fingerprint Sensor

In addition to logon with USB token (RSA, Aladdin), SafeGuard Easy also supports logon via "fingerprint" in the pre-boot authentication phase. The benefit of using a fingerprint is that a user does not have to remember SafeGuard Easy passwords or the PIN for a USB token. They can identify themselves to a Lenovo notebook, for example, simply by passing their fin ger over the sensor that is installed on it.

ñÅ

Hibernation (Suspend to Disk) support

This is especially useful for mobile device users who usually avoid booting by simply "pausing" and then later "restoring" their current work session, because these options are provided by modern operating systems. In contrast to most other hard disk encryption products, SafeGuard Easy supports use of hibernation mode, even encrypting the generated image data in order to store it securely on the hard disk. This provides round-theclock security, reduces power consumption and saves users time, in comparison with normal boot procedures that are currently in use.

Compatibility with Absolute’s Computrace software

When Computrace is installed, a stolen computer can report its location via a network. SafeGuard Easy has been prepared to ensure it is compatible with Computrace. This compatibility with SafeGuard Easy means that this feature also works with encrypted hard disks.

Full compatibility requires a version of Computrace Software that, at present (12/2008)) has not yet been released by Absolute Software.

Web Self Help

SafeGuard Easy’s Self-Help enables an ordinary user to help themselves if they forget their SafeGuard Easy password. This will lead to an overall decrease in the number of help desk calls that are solely due to forgotten passwords, and therefore the help desk personnel will have more time to work on more complex support cases. There are also various solutions for Challenge/Response in a purely software or cryptobased variant.

Self Help is also available as separate add-on.

Password rules

SafeGuard Easy offers a multitude of options for implementing special password rules in the PBA such as a configurable list of forbidden passwords, extended rules for special characters, UID etc., to provide even better functionality for implementing pre-defined corporate rules.

Auditing in the PBA and operating system

SafeGuard Easy also logs events involving security issues, such as failed logon attempts, in the Pre-Boot phase, and later passes on these log entries to the Windows Event Log for evaluation. Alternatively (via an additional component) they can be transferred to a central server, and evaluated there. As a result, attacks can be recognized more quickly and statuses diagnosed more easily.

Optional central administration database

In addition to its functions for reliably distributing configuration files, SafeGuard Easy includes a dedicated, central administration software system. This is responsible for system kernel backups, the distribution of configuration data and the integration of offline clients.

SafeGuard Easy uses a Microsoft Access or Microsoft SQL Server database as the default database type for saving information about SafeGuard Easy clients. With the "Remote Administration" module, which is also available, it is possible to configure a specific individual client over the network.

Same user password for SafeGuard Easy and Windows (password synchronization)

For many support staff, calls from users who have forgotten their password are part of everyday life. The rule is: the fewer passwords a user needs to remember, the less work there is for support staff. SafeGuard Easy’s password functionality helps reduce the number of user calls because the software can be configured to make the Windows and SafeGuard Easy password the same ("synchronized") with just one mouse click. After successful synchronization, a user can then use the same password to log on to SafeGuard Easy in Pre-Boot Authentication and to the operating system.

Secure Wake-On-LAN support

SafeGuard Easy’s Pre-Boot authentication offers the best-possible protection against attacks from hackers. However, maximum security is also needed when distributing software via Wake-On-LAN when active hard disk encryption is in operation, and so SafeGuard Easy offers a range of functions for that purpose.

Secure remote administration (Challenge/Response)

Helpdesk staff can help users who have forgotten their password. The Challenge/Response procedure is secure and ideal for mobile users, since it does not require a PC to have a direct online link with the help desk.

ñÅ

Challenge/response for PDA

SafeGuard Easy users who have forgotten their passwords or token can quickly return to work with help from a central help desk. Helpdesk staff can also carry out their work on an entirely mobile basis, using a PDA (Pocket PC), so they are no longer dependent on having access to a PC.

Windows Installer-based installation

As the installation procedure is fully compliant with the current Windows Installer (MSI) standard it can be distributed and installed easily and efficiently in Windows networks.

Integrated boot manager (Twinboot)

Today, it is a frequent requirement that a notebook’s hard disk is split into a private, unprotected partition, managed by the user, and an encrypted partition that is managed by the user’s company. SafeGuard Easy provides an integrated boot manager for this purpose, with which configurations of this kind, or similar ones, can be implemented easily and securely, from one central point. In this way the company data remains protected and the user has absolute freedom on their private partition, even when it comes to choosing the operating system.

Removable media encryption covers USB memory media

SafeGuard Easy supports the current generation of Plug and Play memory cards (USB memory sticks), so they can also be used for secure data exchange. In addition, it is possible to temporarily switch encryption for a particular diskette drive or removable media disk drive on or off, separately from the others.

Flexible user management during Pre-Boot Authentication

When a user is logging on, SafeGuard Easy can also add an additional message, specified by the administrator, that informs the user of legal requirements, ownership of the device, or similar.

Reusing configuration files from older versions (from SafeGuard Easy 3.20 onwards)

Companies use SafeGuard Easy’s configuration files if a large number of clients are to use the same SafeGuard Easy configuration. In this situation the "old" configuration files can be imported to provide an easy way of reusing settings and keys during an upgrade without having to type them in again.

Emergency boot from diskette and CD

Nowadays, PC systems are usually equipped with CD/DVD drives instead of diskette drives. SafeGuard Easy has taken these hardware developments into account and now also accepts CDs as emergency boot devices, alongside floppies. Boot media are supported for both MS DOS and Windows PE.

Standard Windows logon instead of SafeGuard dialog

After SafeGuard Easy has been installed, you only see the Windows dialog when you log on to the operating system. However, customers can also customize the default logon and use a dialog that is based on the Utimaco design instead of the Windows logon dialog.

SafeGuard plug-in for Aladdin’s Token Management System (TMS)

The Aladdin Token Management System (TMS) is a tool based on Active Directory and is used to issue eTokens. From version 1.1 the Aladdin TMS can be used to integrate plug-ins from third-party suppliers. In this way Utimaco has made it possible to use a plug-in to write SafeGuard Easy (PBA) data and SGAS Windows logon data can be to the eToken. The combination of TMS and Utimaco plug-in mean there is no need to use SafeGuard Token Administration to issue eTokens, but both programs can also be used in parallel. The SafeGuard TMS plug-in can be bought separately. A 10-user demo license is supplied with SafeGuard Easy (it can also be downloaded).

"Faster" user switch with token

Users who use SafeGuard’s token-based logon also benefit from another feature: if it is necessary to change the SafeGuard Easy rights profile on a multi-user PC (for example, to switch off the right to encrypt removable media), the token users simply need to log off from Windows. There is no longer any need to reboot the PC completely or log on to PBA, as was previously the case.

ñÅ

NOTE: Do not confuse the SafeGuard Easy user switch with the Microsoft feature that has the same name!

Compatibility with Windows XP’s Volume Shadow Copy service

Windows XP’s Volume Shadow Copy service creates an "immediate backup" of opened files or databases. This means that there is no need for staff to stop working while an administrator saves their data. SafeGuard Easy provides full support for the Volume Shadow Copy service, so no changes have to be made manually to system configurations.

NOTE: as an alternative to the Windows XP copy function, users can also use other SafeGuard Easy-compatible tools such as Rescue and Recovery (which is also available for non-Lenovo platforms).

NKP kЙп=СЙ~нмкЙл=бе=p~СЙdм~кЗ=b~лу

Version 4.50 of SafeGuard Easy has resolved some problems identified in previous versions. For further details please refer to file

kЙп=СЙ~нмкЙл=бе=p~СЙdм~кЗ=b~лу=QKRM

Support of the latest operating system service releases

The SafeGuard Easy Client has been tested to work with the latest version of its supporting platforms which include Windows XP Service Pack 3 as well as Windows Server 2003 Service Pack 2.

Support of latest token hardware and middleware

SafeGuard Easy has been updated to support the latest versions of Aladdin (CardOS) and RSA (SID800) hardware and middleware.

SafeGuard Easy also supports Aladdin NG-Flash USB token. The token can be used to authenticate the user in SafeGuard Easy Pre-Boot Authentication (PBA) and management applications in the same way as other tokens from Aladdin, VeriSign and RSA.

SafeGuard Easy 4.50 is compatible with the RSA data format SID800.

Optional installation of SafeGuard Easy Logging

The SafeGuard Easy Logging feature is no longer installed by default during the installation of SafeGuard Easy Client. This feature is now selectable as an optional feature in the main setup of SafeGuard Easy Client under Administration Tools.

Readme.txt.

Various minor improvements

Various minor improvements have been made, for example:

The setup will check for the operating system and will deny the installation in case of Windows Vista. With Windows Vista the preferred choice of a security solution would be to deploy SafeGuard Enterprise.

The tool RepPBA.exe will be delivered on the SafeGuard Easy product CD.This tool allows for changing the logon method within PBA, e.g. from logon with keyboard to logon with token.

You can find a complete list of all improvements in the file Readme.txt.

ñÅ

NKQ `Ь~еЦЙл=нз=йкЙобзмл=оЙклбзел

Re-issuing a USB token

USB tokens that were issued with SafeGuard Easy prior to version 4.11 cannot automatically be reused in the current version because the data format used on the token has been changed. These "old" tokens must be re-issued before you can log on to the PBA in the usual way.

In most cases, the user themselves is responsible for re-issuing the token (assuming that they have the appropriate SafeGuard Easy authorization). The first attempt to log on to the new version of SafeGuard Easy using the "old" token is met with the response "No SafeGuard Easy data on the token, please re-issue the token". However, people who are using "old" tokens should not be alarmed by this message: they should simply enter their SafeGuard Easy data in the pre-defined fields. If this data is correct it is written to the token and means that the only data they need the next time they log on is the token PIN.

If a user does not know their SafeGuard Easy data, they should get in touch with a support/help desk contact person. The contact person will then write the data to the token using the new SafeGuard Easy Plug-in for Token Administration.

The SafeGuard Easy Plug-in for Token Administration is stored in the \TOOLS directory (SCAdmin_SGEasy.msi) on the product CD.

SGEInteg replaces CheckArea/MigHelp

From Version 4.30, the repair function used when the SafeGuard Easy system kernel is updated is called "SGEInteg". SGEInteg provides the functionality previously provided by CheckArea/MigHelp. You will find it in the \TOOLS folder on the program CD.

NKR pулнЙг=кЙимбкЙгЙенл

pмййзкнЙЗ=зйЙк~нбеЦ=лулнЙгл=EгбебгмгF

 Windows 2000 Professional (Service Pack 4)

 Windows XP Home Edition (Service Pack 2)

 Windows XP Professional Edition (Service Pack 2)

 Windows 2000 Server (Standard Edition only)

 Windows Server 2003 (Standard Edition only)

Current Service Packs are recommended.

SafeGuard Easy has not been tested with Windows XP Media Edition.

Note concerning Windows XP

SafeGuard Easy versions 4.50 can be also used under Windows XP SP2 or SP3. It is also possible to upgrade from e.g. SP2 to SP3 while SafeGuard Easy is installed.

Note about Windows XP SP 2/Windows Server 2003 SP 1

If you use the optional central administration server or SafeGuard Easy 4.x Remote Administration you must make a few special configuration settings in Windows XP in SP2 and Windows Server 2003 SP 1.

You will find a description of all the settings you need in our Knowledge Database "106898 SafeGuard Easy and SP2 Configuration for Windows XP". Use the Knowledge Database’s "Search" field to look for "106898".

http://www.utimaco.com/myutimaco in Knowledge Item

ñÅ

An application with which you can set the configuration settings automatically has also been provided. This enables Central Administration and Remote Administration to be used with Windows XP Service Pack 2. You will find this application on the CD, in the \Tools\DCOMWizard folder, or in the Knowledge Database: look for it with the keywords "SP2" or "SGE".

Note about Windows XP Home Edition:

SafeGuard Easy does not support

 Secure automatic Logon with Smartcard (Smartcard-SAL)

 Centralized Auditing (Logging)

Note about Windows Server Edition:

SafeGuard Easy does not support

 SMP

 64-bit server

pмййзкнЙЗ=СбдЙ=лулнЙгл

 FAT-12

 FAT-16

 FAT-32

 HPFS

 NTFS

 NTFS5

pмййзкнЙЗ=гЙгзку=гЙЗб~

 Hard disks (IDE, SCSI, serial ATA, Firewire, USB)

 Floppies

 Removable media such as ZIP/JAZ

 USB memory sticks

 RAID 0 (Hardware-RAID 0)

SafeGuard Easy does not support:

- additional RAID classes)

- Software-RAID 0

pмййзкнЙЗ=йкзЕЙллзкл

 AMD

 Intel

 Multi-processors/hyperthreading

SafeGuard Easy 4.x has been installed and tested successfully on both multi-processor computers and computers with hyperthreading (e.g. Pentium IV).

e~кЗп~кЙ=кЙимбкЙгЙенл

 Hard disk capacity

SafeGuard Easy requires between 5 MB (minimum) and 15 MB (maximum) depending on the selected installation method. SafeGuard Easy has the same minimum requirements as the operating system currently in use.

Although SafeGuard Easy runs smoothly and without any problems on the systems described, encryption comes at a cost. For this reason we recommend that you use hardware that exceeds these minimum requirements.

ñÅ

 Number of hard disks

SafeGuard Easy supports a maximum of 4 hard disks per machine, with a maximum of 8 partitions per hard disk. The system displays a warning if an unsupported partition type is found.

NKS aзЕмгЙен~нбзе

SafeGuard Easy is supplied with this manual and the SGEasy0409.chm online help file.

NKT dЙеЙк~д=езнЙл

In normal operation, the following points should be taken into account:

 SafeGuard Easy does not support Windows XP’s "Fast User

Switching". After SafeGuard Easy has been installed, the Welcome screen switches off automatically.

 If the workstation is integrated in a peer-to-peer LAN, parts of hard

disks must not be assigned to other users of this LAN.

 Hard disk drive encryption and decryption are protected against

power cuts and similar disruptions. As soon as the power is restored, the process continues from the correct place without any need for a user action.

NOTE:

The initial encryption of hot-pluggable hard disks must not be interrupted!

 When you leave the workstation for a short time, you should

enable Windows screen-blanking ([Lock workstation] button). If you want to leave the workstation for a longer period of time, switch off the PC and then switch it on, and reboot it, when you return.

 By correctly setting the recommended installation system

configuration, you prevent logical access to hard disks after booting from diskettes. To give the system with additional protection against trojan viruses that might be used to find out a SafeGuard Easy password, use a mechanical lock or another internal measure to protect the workstation from being booted from diskette.

ñÅ

NKU iбЕЙелЙ=езнЙ

All cases of unauthorized duplication of this manual or the software supplied by SafeGuard Easy will be pursued in law. You can only install SafeGuard Easy on one PC.

If you misuse the backup copy to install SafeGuard Easy on several PCs, you will contravene the terms of the license and be liable to punishment. If you want to protect several PCs you must purchase a license for each PC.

The terms and conditions of the software license contract apply.

Other license notes:

STEALTH Encryption Copyright (c) 1994 Intelligence Quotient International Limited. All rights reserved. Patents pending. STEALTH encryption is a trade mark of Intelligence Quotient International Limited.

Patent rights of Ascom Tech Ltd. given in EP, JP, US. IDEA is a trademark of Ascom, Tech Ltd.

Credits:

Special thanks go to Dr. Brian Gladman, whose AES implementation we used as the basis for building our AES encryption drivers.

O =dЙннбеЦ=лн~кнЙЗ

This chapter explains how to prepare for, and perform, your SafeGuard Easy installation successfully.

OKN mêÉé~êáåÖ=Ñçê=áåëí~ää~íáçå

You must make some preparations prior to installation: please read the following list carefully and ensure that you comply with all the points.

 Before installing SafeGuard Easy please make a complete back up

of your data media.

 All the hard disks that are to be encrypted must already be

connected to the PC and switched on before SafeGuard Easy is installed.

 The partitions on your hard disk should be completely formatted

and should have a drive letter assigned to them.

 Removable media or USB memory sticks that are to be encrypted

do not have to be connected to the PC before SafeGuard Easy is installed.

 Use CHKDSK to check the hard disks for errors.

You will find more information on this subject in the Utimaco Knowledge Database http://www.utimaco.com/myutimaco

Use the Knowledge Database’s "Search" field to look for key words like "NTFS" or "File System".

 Virus scanners should be switched off during installation/

uninstallation.

ñÅ

 If you use a boot manager, consider reinstalling the system without

the boot manager.

 If you used a clone tool (Drive Image Ghost) to write data to the

hard disk, we recommend that you "re-write" the MBR. To install SafeGuard Easy you need a "spotless" master boot record. The use of Image/Clone programs may have affected the state of this record.

You should clean the master boot record by booting from floppy, CD or DVD (we recommend you use the same system that is used on the hard disk) and run fdisk /MBR.

 If the boot partition has been converted from FAT to NTFS, and the

system has not been reset by rebooting, SafeGuard Easy should not be installed. In this case it may be that the installation will not be completed because the file system was still FAT at the time of installation while NTFS was found when it was activated. In this case you have to reboot the machine once before SafeGuard Easy is installed.

SafeGuard Easy is undergoing constant further development. This means that your version may contain new features which were not included in the manual or online help because they were not ready in time for publication deadlines. These new changes or features are described in the

Readme.txt file.

OKO fелн~дд~нбзе=йкЙкЙимблбнЙл

Various prerequisites must be fulfilled on a workstation before SafeGuard Easy can be installed:

 Microsoft Windows Software Installer (MSI) v2.0

- Installed by default in Windows XP.

- Installed in Windows 2000 from Service Pack 3 onwards.

 High Encryption package (only necessary for Central

Administration with SafeGuard Easy Database)

The Central Administration system, using the SafeGuard Easy Database and SafeGuard Easy Server, requires that Windows supports encryption with 128-bit keys.

- Installed by default in Windows XP

- Installed in Windows 2000 from Service Pack 2 onwards.

ñÅ

OKP fелн~дд~ДдЙ=гзЗмдЙл

SafeGuard Easy consists of different "modules" that work independently of each other.

The different modules are MSI packages which are stored on the product CD in the SGEASY\INSTALL folder in the CLIENT, SERVER and RUNTIME folders. You will find the files you need in the sub-folders, sorted by language.

These modules are available:

SGEasy.msi

Runtime.msi

Server.msi

SafeGuard Easy, the runtime system, and the SafeGuard Easy Server, are installed as different products. As a result, they also appear separately in the list of software present on a system.

Client Application for SafeGuard Easy

Runtime system

SafeGuard Easy Server

OKQ rлЙк=бенЙкС~ЕЙ=д~еЦм~ЦЙ

If you start the installation via "setup.exe", the user interface language used during and after the installation of SafeGuard Easy is the one set using the Regional Options in the Control Panel. SafeGuard Easy supports German, English and French. If, for example, "German" is the current Regional Option, the user interface is displayed in German. The same applies for "English (United States)" and "French".

The online help is always available in whatever language you selected during installation. If you change the Regional Options you do not change the language in which the online help is displayed.

If you start the installation via an msi file, the user interface language is always English. To support other languages (French/German) you must perform a number of "transforms". The Windows Installer uses transform files to automatically toggle the installation package to the new language. The following transform files are currently available:

Sgeasy_f.mst (for French) and Sgeasy_g.mst (for German).

To change the language in which text appears during installation, run this command before installation:

msiexec /I <MSI package> TRANSFORMS=<transform file>

For example, for a German-language installation you must execute this command line:

msiexec /I Sgeasy.msi TRANSFORMS=Sgeasy_g.mst

Note that the TRANSFORMS parameter must always be written in capital letters!

ñÅ

To simplify installation you can use the setup.exe file which automatically selects the set language for the Installation Wizard and runs

SGEasy.msi. SGEasy.msi uses the Setup.ini file in which

additional parameters can be defined, provided they are entered using the syntax

CmdLine= {Parameter1, Parameter2,..}.

The same applies for the installation of the runtime system (

Runtime.msi) and the SafeGuard Easy Server (SGEasy.msi).

P =içÅ~ä=áåëí~ää~íáçå=

In a local installation, SafeGuard Easy is installed on a single stand-alone client from the product CD. To perform a local installation, follow these steps.

The user who is to install SafeGuard Easy must be logged on with Windows Administrator rights, as it will be necessary to access the hard disk, and install drivers and system services that also require administrator rights.

ñÅ

PKN píÉé=Äó=ëíÉé

How to install SafeGuard Easy:

1. If you use a program CD, installation starts automatically after you insert the CD in the CD-ROM drive. (If it does not, run the file in the \CLIENT folder on the program CD). An Installation Wizard then leads you through the installation. Click [Next].

2. The License Agreement dialog is displayed. If you agree to the license terms, select the "I accept the license agreement" check box. If you do not agree to the license terms, the installation ends. Click [Next].

3. The Target Folder dialog is displayed. Enter the required target folder. The standard installation folder is \UTIMACO\SafeGuard on the boot drive. If a SafeGuard product is already present on the workstation, its installation folder is selected automatically.

Do not enter special characters in the folder name!

Click [Next].

4. In the Select Installation Type dialog, select which features are to be installed. Select the features you require. Then click [Next].

Encryption

installs SafeGuard Easy complete with all its available features. The only optional ones are:

Setup.exe

 Secure Auto Logon (SAL)

Remembers the Windows access data used in initial logon so that only the SafeGuard Easy user data needs to be entered in PreBoot Authentication to log on (see ’

(SAL)’).

Secure Automatic Logon

 Server connection (network agent)

This is essential for encrypted communication between the client and server, if the workstation is to be administered centrally. The network agent does not need to be installed if the workstation is only to be used as a stand-alone device (see ’

administration’).

 Smartcard Auto Logon

Automatically transfers the Windows access data to a smartcard so that only the SafeGuard Easy user data needs to be entered in Pre-Boot Authentication for logon (see ’

with smartcard (Smartcard SAL)’).

 FIPS Mode

Guarantees that SafeGuard Easy runs in accordance with FIPS 140-2 Level 1 (see ’

Administration tools

You do not need to install all the product features on an administrator workstation that will only be used to administer SafeGuard Easy clients. Usually you only need the administration tools (warning: SafeGuard Easy Administration is not installed with administration tools). The administration tools include

FIPS 140-2 (Level 1) certification’).

Central

Secure Automatic Logon

ñÅ

 SafeGuard Easy Logging (Auditing)

Used for auditing security related log events triggered by installed SafeGuard products. In addition to pure logging this feature also includes a filter mechanism that supports the administrator in selecting the relevant events (see ’

 Configuration File Wizard

Generates files that update the current configuration of a client once they have been run, for example by adding a new user (see

’

Configuration File Wizard’).

 Response Code Wizard

Used to permit users to perform specific actions (for example, set new password), even if the administrator is not present (see

’

Remote maintenance (Challenge/Response)’).

Auditing’).

 Administration Token Support

Permits token-based logon to SafeGuard administration tools, including Administration (see ’

You will find more detailed information about the installation options in the relevant chapters.

5. If "Server Connection" was selected, enter the name of the SafeGuard Easy Server.

Secure Automatic Logon (SAL)’).

6. Next, select the encryption mode for the hard disks on your PC. You

will find a detailed description of this under

’Encryption mode’.

ñÅ

7. In the next step you make the specific configuration settings. You will find a detailed description of the settings in the relevant chapters in the manual.

NOTE:

The "with token only" setting (see General / Authentication / Logon) means that SafeGuard Easy requires token-based logon for all SafeGuard Easy users on a workstation.

If the "with token only" method is selected, a user can only log on in PBA if the token already contains valid SafeGuard Easy data. If the token is blank you cannot log on in PBA.

8. In the next step you are prompted to enter passwords for the predefined SafeGuard Easy user profiles SYSTEM and user. These passwords must correspond to the SafeGuard Easy password rules.

NOTE:

Please remember the passwords that are entered here. If the "Password at system start" (= Pre-Boot authentication) option in the General folder is enabled, you can only log on to your workstation with these user names and passwords!

9. The installation is now finished.

10. Reboot the PC.

PKNKN= bеЕкуйнбзе=гзЗЙ=

Encryption mode must be specified if SafeGuard Easy is installed interactively or within a configuration file that has the "Install" attribute.

ñÅ

 Partitioned

In this mode, SafeGuard Easy only applies the encryption to individual partitions. You should select this setting if your hard disk drive(s) has/have several partitions and you do not want to encrypt all of them. In the Encryption settings you decide which partitions you want to encrypt.

 Full disk encryption

All hard disks connected to your workstation are completely encrypted. SafeGuard Easy automatically recognizes whether your computer has one or more hard disk drives. The program can be installed under Windows on systems with up to four physical hard disk drives. If more than four hard disks are identified, SafeGuard Easy discontinues the installation procedure. Up to eight logical partitions can be present on each of these hard disks.

 Boot Protection

Boot protection ensures is that no-one without the appropriate authorization can boot the computer from a system floppy disk/CD/ DVD to access the computer’s hard disk. Boot protection is only effective when combined with activated Pre-Boot Authentication (see ’

Switching on password at system start (PBA)’).

Boot Protection completely encrypts partitions that are not formatted or that it cannot identify. In the case of FAT and FAT32 the system areas are encrypted. In the case of NTFS, the partition is encrypted from the start of the partition to the end of the MFT (Master File Table).

 Twinboot (available with two primary partitions only)

If you select this option, two partitions are generated. One is encrypted, and one is unencrypted. Both must be bootable primary partitions. If the PC is booted from the encrypted partition, there is no way of accessing the unencrypted partition, and vice versa. In this way private data can be kept quite separate from commercial data.

If the PC is booted from the encrypted partition, the user must enter the SafeGuard Easy password for PBA. There is no SafeGuard Easy password protection for the unencrypted partition.

You will find details about the Twinboot procedure in chapter

’

Twinboot/Boot Manager’.

PKO ^ÑíÉê=áåëí~ää~íáçå

Reboot the workstation

After the installing (or removing) SafeGuard Easy, the workstation must be shut down and restarted. Any applications open at this point in time are also closed without being saved. To avoid losing your data, we strongly recommend that you close all active applications before installation/ deinstallation.

PBA appears after the second reboot

After the first reboot, PBA is inactive. At this time a Windows user only has *AUTOUSER rights. As soon as a Windows user logs on and shuts down the workstation, the PBA logon screen appears (if PBA is switched on) and a SafeGuard Easy user can log on to the system.

System start from floppy

If the system has not yet finished encrypting the hard disk when a session is ended, the computer ALWAYS reboots directly from the hard disk, i.e. it is not possible to boot from a system floppy disk. This also applies for the first restart after encryption has completed.

Do not change the partitioning on the hard disk

If the first hard disk drive (or a partition) was encrypted, do not add or remove partitions! To reorganize the first hard disk drive, uninstall SafeGuard Easy (=decrypt the first hard disk drive), create/remove partitions and re-install SafeGuard Easy again.

Do not interrupt the initial encryption of "Hot-Pluggable" drives

"Hot-pluggable" is the term used to describe USB devices that can be connected and disconnected without the need to reboot the computer. You must not interrupt the initial encryption of hot-pluggable hard disks.

Initial encryption

Allow between 20 and 30 minutes for SG Easy to perform initial encryption on 10 GB of data, with AES-256, on a modern notebook.

ñÅ

If, for any reason the initial encryption fails and the computer cannot be booted anymore, please contact Utimaco’s support team.

PKP aблйд~убеЦ=ЙеЕкуйнбзе=йкзЦкЙлл

If hard disk or partition encryption was activated during installation, the Encryption Status screen is displayed: it shows the encryption progress.

Encryption progress of a drive

Encryption progress of all drives

Encryption speed

The encryption procedure runs entirely in the background, i.e. the user can continue working at their computer throughout the encryption process. If very small partitions are being encrypted, or only the system area, the screen may not be displayed.

PKPKN= pпбнЕЬбеЦ=зСС=нЬЙ=лн~нмл=лЕкЙЙе

SafeGuard Easy can suppress the encryption status screen. To do so, you must enter a new registry key [DWORD]:

HKEY_LOCAL_MACHINE SOFTWARE Utimaco SGEasy

ShowECView"=0

PKPKO= aЙСбебеЦ=ЙеЕкуйнбзе=лйЙЙЗ

The default setting for the encryption speed is 100%, but you can use the regulator to adjust this. The higher the selected percentage, the faster encryption takes place.

percentage regulator

If you use the regulator to reduce the encryption speed, SafeGuard Easy does not save the reduced encryption speed. After the workstation is rebooted, encryption starts again at full speed (100%).

pЙннбеЦ=~=ЗЙС~мдн=ЙеЕкуйнбзе=лйЙЙЗ=о~дмЙ=

The speed value for the encryption process can be adjusted. Every time the system boots, the encryption speed is set to that value. To do this, enter a new registry key [DWORD]:

HKEY_LOCAL_MACHINE SOFTWARE Utimaco SGEasy

"DefaultCPUUsage"=<percentage>

If the registry key is present, the encryption process resumes after a restart with the percentage value you specified. However, you can use the regulator to increase or decrease this percentage value.

ñÅ

pЙннбеЦ=~=г~сбгмг=ЙеЕкуйнбзе=лйЙЙЗ=о~дмЙ

The default maximum encryption speed (100%) can be reduced. To do this, enter a new registry key [DWORD] and enter a percentage value (for example "75"):

HKEY_LOCAL_MACHINE SOFTWARE Utimaco SGEasy

“MaxCPUUsage”=<percentage>

aЙ~Енбо~нбеЦ=нЬЙ=кЙЦмд~нзк

To prevent users from changing or affecting the speed of the encryption process, you can also deactivate the regulator by generating the [DWORD] registry key

HKEY_LOCAL_MACHINE SOFTWARE Utimaco SgEasy

"ChangeCPUUsage"

and setting the value to "0".

The regulator then appears grayed out.

`Ь~еЦбеЦ=ЙеЕкуйнбзе=лйЙЙЗ=лЙ ннбеЦл=бе=нЬЙ=~Згбеблнк~нбоЙ=

нЙгйд~нЙ

The CPU settings can also be switched on or off via a policy in Utimaco’s administrative template (

SafeGuard Easy’s administrative template’).

’Changing frequently-used Registry settings with

You will find this policy in

Computer configuration

\Administrative templates \SafeGuard \SGEasy

On the Properties tab of the "SGEasy" policy the "Default CPU usage for encryption" and "CPU usage for encryption changeable" options are provided for this purpose.

ñÅ

PKQ `Ь~еЦбеЦ=нЬЙ=Д~ЕвЦкзмеЗ=

Дбнг~й=бе=нЬЙ= tбеЗзпл=дзЦзе=Зб~дзЦ

You can choose a different bitmap for the system to display when the user enters their SafeGuard Easy user data. This allows customers to modify the background displayed for SafeGuard Easy to meet their company’s own requirements.

The default background bitmap displayed is called SgeLogo.bmp and is stored in the selected SafeGuard Easy folder.

To swap the title bitmap, simply replace the default bitmap with a modified bitmap with the same name and size.

If you do not want ANY background bitmap to be displayed, set the

HKEY_LOCAL_MACHINE SOFTWARE Utimaco SgEasy SgeLogoBackGnd

registry key to "0"

The size of the title bitmap is 640x480 pixels and it has a maximum color depth of 8 bits.

You can also switch off the background bitmap via Utimaco’s administrative template. You will find the policy in

Computer configuration

\Administrative Templates \SafeGuard \Sgeasy

On the "SGEasy" property page deselect the "Show background image on Winlogon Desktop" option and the SafeGuard Easy bitmap will no longer appear.

ñÅ

PKR fелн~ддбеЦ=p~СЙdм~кЗ=b~лу=зе=~=m`=

пбнЬ=гмднбйдЙ=зйЙк~нбеЦ=лулнЙгл=

SafeGuard Easy can be installed on a computer to protect the data on it, even if several operating systems are installed in separate partitions on the computer. To ensure that the operating systems can also be booted correctly after SafeGuard Easy has been installed, you must perform a full installation of SafeGuard Easy on one of the operating systems and, on each of the other operating systems, install what is known as the "runtime system".

You run the Runtime System MSI package, Runtime.msi, from the \RUNTIME folder on the CD. A runtime system also installs SGECRYPT, the program for toggling floppy disk drive and device encryption.

How to install SafeGuard Easy on a PC with multiple operating systems:

1. Select one Windows installation as the primary installation.

2. Now boot all non-primary Windows installations, in sequence, and install the runtime system on each of them. For each installation, select a different folder.

3. Finally, boot your primary Windows installation and then install SafeGuard Easy.

4. After encryption is complete you can then also boot all the non-primary Windows installations.

Q =`Éåíê~ä=áåëí~ää~íáçå=

Administrators can set up the entire configuration for user PCs as part of central software distribution.

To do so, an Administrator creates a file on their PC that contains the all necessary SafeGuard Easy settings for the user PCs. SafeGuard Easy calls this file a "configuration file". This configuration file is used to install SafeGuard Easy on the user PCs. You can always make changes to the SafeGuard Easy configuration later via other configuration files.

SafeGuard Easy can be installed in an environment in which Active Directory is also installed, or not.

ñÅ

QKN `кЙ~нбеЦ=нЬЙ=ЕзеСбЦмк~нбзе=СбдЙ

How to create a configuration file:

1. Call the Configuration File Wizard via Programs/Utimaco/SafeGuard Easy/Configuration file wizard.

2. To install SafeGuard Easy, select the "Install" property for the configuration file. The configuration file is generated once all the required settings and entries have been made in the individual admin pages in the configuration program.

3. When the configuration file is generated, a file is created, which is

Install.cfg by default in the case of an installation.

called

This .cfg file contains all the details of the required configuration on the target computer. It is encrypted and contains the keys (for the hard disks/ floppy disk drives/removable media) and the passwords for the users.

For more details see ’Configuration File Wizard’.

NOTE:

Configuration files must be protected from unauthorized access. Regular users must not access configurations files.

QKO fелн~дд~нбзе=пбнЬ=^ЕнбоЙ=aбкЙЕнзку

You install SafeGuard Easy on clients in an Active Directory environment by adding a (modified) MSI package ( distribution function of a group policy object (GPO).

To modify the MSI file you need an editor that can edit MSI files (for example, ORCA or NetInstall). ORCA is provided in the Microsoft Windows Installer Software Development Kit (SDK).

QKOKN= mкЙкЙимблбнЙл

 You must ensure that either Windows 2000 or Windows XP is

running on the user PCs.

 All the devices on which installation is to be performed must first

have been added to the organizational unit for which the configured GPO (group policy object) is used.

 Client PCs are assigned to the directory domain for central

software distribution, and a computer account has been set up and is active for each PC.

SGEasy.msi) to the software

ñÅ

 There is enough disk space available on the system partition.

QKOKO= rлбеЦ=~е=ЙЗбнзк=нз=гзЗбСу=jpf=СбдЙл=

If, for example, you are working with ORCA, you must specify which SafeGuard Easy "Features" are to be installed. To do this, change the value in the "Level" column.

3 = Feature will be installed. 4 = Feature will not be installed.

You will find a detailed description of all the features at ’SafeGuard Easy

features’.

NOTE:

If you want to install a feature you must also install its “Feature Parent”.

The "Property" table section lists the SafeGuard Easy parameters. In the SafeGuard Easy "CFGFILE" parameter, for example, you enter the location of the configuration file.

ñÅ

You will find a detailed description of all parameters in ’SafeGuard Easy

setup parameters’.

Please refer to the appropriate Microsoft documentation to learn more about modifying msi files with ORCA.

QKOKP= aЙйдзубеЦ=jpf=СбдЙл

To do this:

1. Share a local drive on the Administrator’s PC (remove the writeprotection) and copy all the required .msi files to this drive. Ensure that the clients can access the shared drive!

2. In Windows, click Start/Settings/Control Panel/Administrative Tools. There, select Active Directory users and computers.

3. Right-click a domain or organizational unit and select Properties.

4. Select the Group Policy tab in the Properties dialog.

5. Create a new group policy object (e.g. "GPO installation") by clicking the [New] button.

6. Click the [Edit] button.

7. Windows displays the "GPO installation" group policy.

8. Select Computer Configuration/Software Settings/Software Installation. In the Software Installation’s context menu, create a link

to the file server that will deploy the software packages.

NOTE:

Only add msi packages to the Software installation of the Computer Configuration. Installations via User Configuration are not supported.

9. Right-click Software installation and then select New and Package.

10. Select one (or more) .msi files from the shared directory. Load the files from the real network path (UNC path)!

11. When you have confirmed all the prompts, Windows adds the .msi file to the group policy object’s installation routine.

12. Close the dialog.

13. If you want the operating system language to be ignored on the client side, open the context menu of the installed Msi package and select Properties/Deployment/Advanced/Ignore language when deploying that package.

ñÅ

The "GPO installation" group policy object will now be used on all computers/users present within the domains of an organizational unit. The next time these workstations are rebooted, the packages will be installed there unattended.

Before rebooting the connected PCs, please check, if

 the PCs designated for installation have also been added to the

organizational unit for which the GPO is configured.

 the clients are attached to the folder domain to perform central

software distribution. In addition, an active computer account for the client PCs must be created on the domain.

 there is enough space available on the system partition.

QKP fелн~дд~нбзе=пбнЬзмн=^ЕнбоЙ=

aбкЙЕнзку

To install SafeGuard Easy without an Active Directory environment you need software distribution programs from third-party suppliers.

In this case, create an installation package that contains

 the SafeGuard Easy program files

 a script with the command line for the preconfigured installation

Distribute the installation package to the clients.

QKPKN= `çãã~åÇ=äáåÉ=ëóåí~ñ=Ñçê=

ме~ннЙеЗЙЗ=белн~дд~нбзе

If you to install SafeGuard Easy without Active Directory, use the MSIEXEC program. MSIEXEC comes as standard with Windows 2000 and Windows XP. If the system administrator creates configuration files, this installation program is used to run them automatically. In this program the system administrator can specify both the source and target for installation, so that a uniform installation can be performed on a number of PCs.

`çãã~åÇ=äáåÉ=ëóåí~ñ

msiexec /i <path+msi Package Name> /qn ADDLOCAL=ALL |

The command line syntax contains the following information:

 parameters used by Windows Installer that, for example, log

warnings and error messages in a file during installation.

ñÅ

 SafeGuard Easy features that are to be installed with a

SafeGuard Easy packet (for example, Response Code Wizard).

 SafeGuard Easy’s own parameters, used, for example, to

specify which configuration files are to be used.

 a configuration file, for an installation with the "Install" property.

Example:

msiexec /i F:\Sgeasy.msi /qn /L* I:\Temp\SGE.log ADDLOCAL=Sgeasy,Encryption,SGSAL Installdir=C:\SGE CFGFILE=F:\Install.cfg

SafeGuard Easy is installed with SAL in the installation folder, C:\SGE, and the log file SGE.log is created in the I:\Temp folder (which must already be present). The preconfigured settings for SafeGuard Easy are stored in the

List the individual features, separated only by a comma, with no additional blank spaces. Ensure you spell the names of individual features using the correct upper and lower case letters.

If you select a feature you must also add all the parent features to the command line!

Install.cfg configuration file.

QKPKO= pЙдЙЕнЙЗ=зйнбзел=млЙЗ=Ду=

tбеЗзпл=fелн~ддЙк=

NOTE:

Run msiexec.exe from the Windows command prompt. The system then displays all available Windows Installer options.

Shows that an installation is involved.

/qn

Installs without user interaction and does not display a user interface.

ADDLOCAL=

Lists the features that are to be installed. If this parameter is not specified, all the features that form part of a Full disk encryption installation are installed.

ñÅ

ALL

Installs all available features.

REBOOT=Forcerestart | NORESTART

Forces or prevents restart after installation. If you do not specify a value, restart is forced after installation (default = Force).

/L* <path + file name> Logs all warnings and error messages in the specified log file. To only log error messages, enter the parameter

Installdir= <folder>

Specifies the folder in which SafeGuard Easy is installed. If you do not specify a value, the default installation folder is used: <SYSTEM>:\Program Files\UTIMACO.

/Le <path + file name>.

QKQ p~СЙdм~кЗ=b~лу=СЙ~нмкЙл=~еЗ=

й~к~гЙнЙкл

To perform a central installation you must make a few advance preparations. You must specify which SafeGuard Easy features/ parameters are to be installed on the clients. To install SafeGuard Easy in an Active Directory environment you can, for example, use the ORCA tool to modify the MSI file. Without Active Directory, the features must be listed in the command line.

QKQKN= p~СЙdм~кЗ=b~лу=СЙ~нмкЙл

The following tables show all the SafeGuard Easy features that can be installed automatically with one of SafeGuard Easy’s .msi files. They are exactly the same as the features that can be selected during an interactive installation.

In the example, you see all the Sgeasy.msi features that can be selected during a Custom interactive installation.

cЙ~нмкЙл=нЬ~н=Е~е=ДЙ=белн~ддЙЗ=пбнЬ=pdb~луKглб

Feature Feature Parent Description

Sgeasy --- Installs all the files required for using

SafeGuard Easy. No features are active after an automatic restart. They can be activated at any time without user interaction (or manually via Control Panel/Add/Remove Programs).

Encryption Sgeasy Installs a working SafeGuard Easy

(incl. SafeGuard GINA).

SGSAL Encryption Installs the SAL

ServerCon Encryption Installs the Server connection (network

agent) for Central Administration

ñÅ

SCSAL Encryption Installs the SAL with Smartcard

FIPS Encryption Installs FIPS mode

AdmTools Sgeasy Installs the administration tools

(e.g.Configuration File Wizard, Response Code Wizard)

No features are active after an automatic restart, but they can be activated at any time either without user interaction (or manually via Control Panel/Add/Remove Programs).

cЙ~нмкЙл=нЬ~н=Е~е=ДЙ=белн~ддЙЗ=пбнЬ=pdb~луKглб

Auditing AdmTools Installs SafeGuard Easy Logging.

CfgWiz AdmTools Installs the Configuration File Wizard.

RcWiz AdmTools Installs the Response Code Wizard.

TokenSup AdmTools Installs token-based logon to the

administration tools.

SGAuth_UVM SGSAL Extends the Windows Logon

Procedure by supporting the ThinkVantage Client Security Integration Features.

SGAuth_Machine Binding

Encryption Extends the Windows Logon

Procedure by supporting TPM Machine Binding Features.

cЙ~нмкЙл=нЬ~н=Е~е=ДЙ=белн~ддЙЗ=пбнЬ=oменбгЙKглб

Feature Feature Parent Description

RuntimeSys --- Installs a runtime system.

cЙ~нмкЙл=нЬ~н=Е~е=ДЙ=белн~ддЙЗ=пбнЬ=pЙкоЙкKглб=

Feature Feature Parent Description

Server --- Installs the SafeGuard Easy Server

including Auditing.

SgeServer Server Installs the SGE Server.

RemAdmSupport Server Installs support for Remote

Administration.

AdmConsole Server Installs the Administration Console.

QKQKO= p~СЙdм~кЗ=b~лу=лЙнмй=й~к~гЙнЙкл

NOTE:

You must use upper case letters to enter all the parameters in the command line syntax.

AUTOBACKUP=0|1

Specifies whether the Emergency Disk Wizard is to run automatically, to generate a system kernel backup, after a successful installation. By default it runs automatically (AUTOBACKUP=1).

CFGFILE=<configuration/migration file>

This parameter specifies the complete name of a SafeGuard Easy configuration file for an installation/migration.

ñÅ

KERNELDRV=<Name of the drive (C,D, etc.)>

Specifies the disk drive to which the SafeGuard Easy system kernel is to be saved. By default this is the Windows boot drive. It is a good idea to specify the disk drive to which the SafeGuard Easy system kernel is to be saved, for example, if you want to recover the Windows system partition with tools such as Ghost. Otherwise the restore would delete the SafeGuard Easy system kernel because the default setting is for it to be stored in the system partition

The target drive must be on the first hard disk!

NOACTIVATION=0|1

If NoActivation=1 although SafeGuard Easy files are copied to only one PC, the program itself is not activated. Not activated means that the mas ter boot record is not exchanged and the SafeGuard Easy system kernel is not installed. SafeGuard Easy is activated afterwards from a configura tion file with the "execcfg" command (e.g. execcfg /f:C:\SGE\Install.cfg). The default setting is for SafeGuard Easy to be active (NoActivation=0).

PARTCHECK=0|1

Specifies whether the partition types present support known file systems (FAT, FAT32, NTFS, etc.). If the partition type is unknown, the installation is cancelled. By default the check is active (PARTCHECK=1).

SERVER=<Server name>

Specifies the name of the workstation on which the SafeGuard Easy Server is installed. You can only use this parameter if the "Server connection" feature (which supports Central Administration on a client) has been selected for this installation.

GROUPS=<group name1,group name2, etc.>

Specifies the (SafeGuard Easy) groups to which the workstation is assigned in central administration, when they register on the SafeGuard Easy Server. You can only use this parameter if the "Server connection" feature (which supports Central Administration on a client) has been selected for this installation.

GINASYS=0|1

Specifies whether the SafeGuard GINA System is to be installed to control Windows logon. The default setting is that SafeGuard GINA is installed (GINASYS=1).

WARNING:

We recommend that you always implement the Utimaco GINA. The Utimaco GINA system is an important element of SafeGuard Easy. The GINA system will gain even more importance in the future, as we plan to implement new functionality. If the GINA is not installed, some functionality will not be available for migration to the new version. A missing GINA can even impair future migrations.

If you do not install the Utimaco GINA, some SafeGuard Easy functions will not be available after installation:

 The dialog for encryption/decryption (ECVIEW) will not be

displayed if the user is not logged on.

 SAL logon and automatic smartcard logon do not work.

 Windows logon cannot be blocked with active Wake-On-LAN.

 Password synchronization between Windows and SafeGuard

Easy does not work.

ñÅ

R =réÇ~íÉ

If an earlier version of SafeGuard Easy is already installed on your workstation, you will find it easy to upgrade. If you do, any settings you have already made (user name, user password etc.) are reused.

You can update to the current version of SafeGuard Easy from all SafeGuard Easy versions >=4.11 (build no.

You can either initiate migration during installation, or automatically, with the help of a preconfigured migration file. In both cases you use the Migration Wizard.

4.11.0.138).

ñÅ

RKN içÅ~ä=ìéÇ~íÉ

How to run a local update:

1. On the SafeGuard Easy program CD select the \Client folder and run

Setup.exe.

2. SafeGuard Easy discovers that an older version is already installed on a workstation and displays a dialog to tell you.

3. A program checks the system kernel.

4. If there are no problems in the system kernel, the update runs smoothly and the welcome screen appears.

If the system kernel is corrupt, it must be repaired.

5. Then, accept the terms of the licence agreement, specify the SafeGuard Easy installation directory and select the features (SAL, Server Connection etc.) you require.

6. The update starts.

7. The "SafeGuard Easy Administrator" dialog appears.

Only the "SYSTEM" SafeGuard Easy user can perform a migration on a workstation. Enter the appropriate SafeGuard Easy password for authentication.

ñÅ

8. The "Token usage for login" dialog appears.

Versions of SafeGuard Easy before 4.0 did not support tokens. You can now "retrofit" this additional functionality during the update.

 Use token for login

Specifies if token-based logon is supported or not.

NOTE: If you want to enable token-based logon after an update, you will have to reinstall SafeGuard Easy.

 Token for logon required

Specifies whether all SafeGuard Easy users must log on with a token, or only selected users.

- Mandatory: Defines if token logon is required for all SafeGuard Easy users. If the token is lost, the Challenge/Response procedure cannot be used to provide remote help.

- User-dependent: This rule gives users increased flexibility, because the right to use a token can be granted or denied to them even after SafeGuard Easy has been installed.

 Token issue mode in PBA

Specifies who is entitled to write SafeGuard Easy data to a token.

- Issue always allowed: SafeGuard Easy user is allowed to issue the token.

- External permission required: The Helpdesk is involved in the issuing process (using the Challenge/Response procedure).

- Issue is not allowed: SafeGuard Easy user is not allowed to issue the token: it is issued centrally with Token Administration.

You will find more detailed information in the Token Support chapter.

9. The "Target directory" dialog appears.

Specify the path on which you want to save the SGEMig.cfg migration file. The migration file contains the SYSTEM password and the settings for token support.

The program recognizes the folder in which the previous version of SafeGuard Easy was stored and displays this path as the default. Click the [Browse] button to select which disk drive and folder the file is stored in.

Click [Next] to create the migration file and start migration.

ñÅ

RKO rе~ннЙеЗЙЗ=мйЗ~нЙ=пбнЬ=

ãáÖê~íáçå=ÑáäÉ

An automated update of SafeGuard Easy requires an migration file, which must be created with the Migration Wizard in the latest/new version of SafeGuard Easy. Then, to update SafeGuard Easy automatically, simply run the msiexec command line.

`êÉ~íáåÖ=~=ãáÖê~íáçå=ÑáäÉ=

How to create a migration file

1. Install SafeGuard Easy’s Configuration File Wizard on your Administrator PC. After this, the Migration Wizard is also installed.

2. Start the Migration Wizard with the WIZLDR.exe command in the SafeGuard Easy folder.

3. Enter all required data in the Migration Wizard’s dialogs (see ’Local

update’).

4. The SGEMig.cfg file is created in the selected directory.

`çãã~åÇ=äáåÉ=Ebñ~ãéäÉF

msiexec /i D:\Sgeasy.msi CFGFILE=D:\SGEmig.cfg /qn

Special case: Central Administration

If you want a SafeGuard Easy Client to be administered centrally with SafeGuard Easy tools after it has been updated, you must add the corresponding feature (ServerCon) and parameter (SERVER) in the command line, e.g.

msiexec /i D:\Sgeasy.msi ADDLOCAL=Sgeasy,Encryption,ServerCon CFGFILE=D:\SGEmig.cfg SERVER=Server01 /qn

NOTE:

If you want to add Central Administration (Server Connection) to a SafeGuard Easy client Easy.

^ÑíÉê=íÜÉ=ìéÇ~íÉ

After the update the client restarts and migration is complete.

after an update, you must re-install SafeGuard

ñÅ

RKP pулнЙг=вЙкеЙд=ЕЬЙЕв=пЬЙе=нЬЙкЙ=

áë=~å=ìéÇ~íÉ

For an update to be successful, the SafeGuard Easy system kernel must be intact. From Version 4.20.1 SafeGuard Easy will check this before each update, and display a message for the user in the Setup dialog ("Your file system is being analyzed, please wait...").

If the system kernel is OK, the update will run without any problems.

If the system kernel is not OK, the system displays an error message

that indicates possible problems and recommends that you run a repair program (SGEInteg) before the update.

RKPKN= tЬ~н=Ь~ййЙел=бС=нЬЙ=лулнЙг=вЙкеЙд=

áë=åçí=lh\

1. Run SafeGuard Easy Update.

2. The SGEInteg repair program runs in the background, analyzes the system kernel and discovers that it is not OK.

3. It displays a dialog message ("SGEInteg: File system is inconsistent. The SafeGuard Easy migration failed. Please check the SafeGuard Easy user manual to execute SGEInteg /R.”).

The setup stops at this point. During an automatic installation the error number “2006” is written to the Windows Installer log file (logging must be switched on).

4. Run "SGEInteg /R" on the command line. You will find the SGEInteg program in the \Tools folder on the SafeGuard Easy CD.

5. SGEInteg repairs files and the file system in two steps: First it repairs all file errors that do not require a restart. Then, if it finds file errors that require a restart, SGEInteg triggers the checking of the hard disk (chkdsk). If the user agree that the computer should be restarted, chkdsk runs.

ñÅ

RKPKO= ^Дзмн=нЬЙ=кЙй~бк=йкзЦк~г

The repair program runs automatically when you trigger an update to the current version of SafeGuard Easy. A user/administrator can also run it manually (for example, with an additional parameter) from the Tools folder on the CD.

When it is run with the parameter /R, SGEInteg repairs the file system. SGEInteg reports both repairable and fatal errors. If a repair is performed, it may also then be necessary to run the chkdsk program to check the hard disk. Usually, the computer then reboots.

RKPKP= m~к~гЙнЙкл=Сзк=нЬЙ=кЙй~бк=йкзЦк~г

SGEInteg can be called with these parameters:

SGEINTEG [/?] [/c] [/r] [/p] [/d] [/len] [/v] [/y]

/? Help

Displays all parameters.

/c Starts the analysis of the file system.

/r Activates Repair mode

Any file system errors it identifies will be repaired. If you call "SGEInteg /R", the system also runs the ’/P’ parameter and performs a file system analysis. However this may result in a reboot.

/p Corrects the SafeGuard Easy path details in

HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion Run

Older versions of SafeGuard Easy enter path details in this registry entry without quotation marks. This may mean that these programs cannot be run in newer versions of Windows. SGEInteg uses this parameter to correct the path details. You must then reboot the computer.

If you call ’SGEInteg’ without parameter, the system corrects the path details and performs a file system analysis.

ñÅ

/d Restores the CRAREA Registry entry.

Older versions of SafeGuard Easy had difficulties generating this Registry entry during installation. If the Registry entry is not present this can cause problems during uninstall and updates to new versions.

SGEInteg /d restores the entry in HKEY_LOCAL_MACHINE SOFTWARE Utimaco SGEasy CRAREA

/len Fixes a problem involving Rescue and Recovery (RnR)

When an update is performed to the current version of SafeGuard Easy, the following problem can occur if RnR is installed:

The ’SGEDemon.exe’ program is displayed after each restart and then stops running. As SGEDemon.exe is only needed once after the update, it can be switched off without any negative consequences.

SGEInteg /len removes SGEDemon.exe from HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion Run

/v Activates Verbose mode

Verbose mode displays more detailed status/error messages on screen.

/y Activates unattended mode

All dialogs are automatically confirmed with YES.

/V Activates verbose mode

Verbose mode displays more detailed status and error messages on screen.

/R Activates repair mode.

In this mode, the system repairs identified file system errors.

If ’SGEInteg /R’ is run, the path details (parameter /P) and a file system analysis are run, unattended, in the background. The system may be rebooted.

/Y Activates unmonitored mode

In this mode, all dialogs are automatically confirmed with yes.

ñÅ

/P Corrects the SafeGuard Easy path details in

HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion Run

Older versions of SafeGuard Easy insert path details in this registry key without quotation marks. In newer versions of Windows, in some circumstances, this can prevent these programs from being executed. When this parameter is used, SGEInteg corrects the path details. You should then reboot the computer afterwards.

If ’SGEInteg’ is run without any parameter, the system corrects the path details and runs a file system analysis.

S =rебелн~дд~нбзе

The uninstallation of SafeGuard Easy has the following effects:

 All formerly encrypted areas of the hard disk(s) are decrypted.

 Pre-Boot Authentication is removed, if installed.

 The original Windows logon appears again if SAL was installed.

 All SafeGuard Easy files are deleted.

 All SafeGuard Easy registry entries are removed.

By default, SafeGuard Easy can only be uninstalled by the SYSTEM user. If another person has been granted the uninstall right, this person can also carry out an uninstall.

Do not attempt to remove SafeGuard Easy by simply deleting the files. If SafeGuard Easy is not uninstalled correctly, its registry entries will remain. This may prevent SafeGuard Easy from being re-installed. In this case you must re-install your operating system.

ñÅ

SKN iзЕ~д=мебелн~дд~нбзе

Select Start/Settings/Control Panel/Add/Remove Programs and then "SafeGuard Easy" (or also SafeGuard Easy features such as Server or Runtime).

If you select [Remove] and click [Next], in the welcome screen, you access the Logon to SafeGuard Easy dialog.

The user who wants to uninstall the program is prompted to enter their SafeGuard Easy user name and password. This user must have the right to remove SafeGuard Easy. After entering the correct user data, click [Next] and confirm the security check. SafeGuard Easy will be removed automatically.

SKO rебелн~дд=пбнЬ=`Ь~ддЙеЦЙL

oЙлйзелЙ=

If a SafeGuard Easy user is not authorized to uninstall SafeGuard Easy, according to their user profile, the Administrator can assign them this right by using the Challenge/Response procedure. To do this, the user and the administrator exchange a challenge code and response code.

The person generating the response code (Administrator) must know a SafeGuard Easy user profile on the user PC that is permitted to uninstall SafeGuard Easy. This user profile must also always have at least the same rights as the user, on the user’s computer.

How to uninstall SafeGuard Easy with Challenge/Response:

1. The user initiates the uninstall procedure (see ’Local uninstallation’) and reaches the Logon to SafeGuard Easy dialog.

2. In Logon to SafeGuard Easy dialog, they enter their SafeGuard Easy data, request the challenge code and use the telephone, SMS or e-mail to pass it to the administrator.

1. Enter SGE data

3. Pass on to administrator

2. Request challenge code

4. Enter response code administrator

from

ñÅ

3. The administrator uses the Response Code Wizard to generate a response code containing the SafeGuard Easy access data of the user (in the example above, user "emiller"). The response code is assigned the right to uninstall SafeGuard Easy.

4. SafeGuard Easy is uninstalled once the challenge code and response code have been exchanged.

SKP rе~ннЙеЗЙЗ=мебелн~дд

пбнЬ=ЕзеСбЦмк~нбзе=СбдЙ

Uninstalling SafeGuard Easy can be automated if the MSIEXEC command is used to run a configuration file with the property "uninstall".

`çãã~åÇ=äáåÉ=ëóåí~ñ

msiexec /x D:\SGEasy\Sgeasy.msi CFGFILE=D:\Uninstall.cfg /qn

ñÅ

Sophos SAFEGUARD Data protection

Specifications and Main Features

Frequently Asked Questions

User Manual