McAfee® Endpoint Encryption Manager
Administration Guide
Version 5.2.5
McAfee, Inc.
McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA
Tel: (+1) 888.847.8766
For more information regarding local McAfee representatives please contact your local McAfee office, or visit:
www.mcafee.com
Document: Endpoint Encryption Manager Administration Guide Last updated: Tuesday, 30 March 2010
Copyright (c) 1992‐2010 McAfee, Inc., and/or its affiliates. All rights reserved.
McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non‐McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners.
Contents
Preface .... 6
  About this guide .... 6
    Audience .... 6
    Conventions .... 7
    Related Documentation .... 7
    Acknowledgements .... 7
    Contacting Technical Support .... 7
Introduction .... 8
  Why Endpoint Encryption? .... 8
  Design Philosophy .... 8
  How Endpoint Encryption Solutions Work .... 8
  Objects, Entities, and Attributes explained .... 9
  The Endpoint Encryption Components .... 10
Installing Endpoint Encryption Manager .... 14
  Upgrading the Endpoint Encryption Manager .... 14
Endpoint Encryption Manager Interface .... 15
  Administration Level .... 15
  Starting Endpoint Encryption Manager .... 16
  Groups of Users, Machines and other Objects .... 16
  Audit Trails .... 18
The Endpoint Encryption Object Directory .... 19
  The Object Directory Structure .... 19
  Object locking .... 20
Creating and Configuring Users .... 21
  User Administration Functions .... 22
  User configuration Options .... 23
  Setting User Administrative Privileges .... 35
  Some Example Administration Structures .... 36
Tokens .... 38
File Groups and Management .... 40
  Setting file group functions .... 41
  Importing new files .... 41
  Exporting Files .... 41
  Deleting Files .... 41
  Setting File Properties .... 41
Auditing .... 44
  Introduction .... 44
  Common Audit Events .... 44
Managing Object Directories .... 49
  Managing Connections .... 49
  Adding a new directory connection .... 49
Endpoint Encryption Server .... 51
  Installing the Endpoint Encryption Server Program .... 51
  Creating a new Server .... 51
  Starting The Endpoint Encryption Server for the first Time .... 52
  Server Configuration .... 53
  Starting the Endpoint Encryption Server as a Service .... 53
  Using Server / Client Authentication .... 53
  Connecting to a new Endpoint Encryption Server .... 54
  Checking a Server's Status Remotely .... 54
  Using Restricted User ID's for Servers .... 54
Keys .... 56
  About Keys .... 56
  Key Administration Functions .... 56
  Key Configuration Options .... 57
Policies .... 59
  About Policies .... 59
  Policy Administration Functions .... 59
  Assigning a policy object to a user .... 60
  Assigning a policy object to a machine .... 60
Endpoint Encryption Connector Manager .... 62
  Adding and Removing Connector Instances .... 62
NT Connector (NTCon) .... 64
  Summary of connected attributes .... 64
  General Options .... 65
  Group Mappings .... 65
  User Information .... 66
LDAP Connector (LDAPCon) .... 67
  Summary of connected attributes .... 67
  General Options .... 68
  Group Mappings .... 70
  Using Binary Data Attributes .... 74
  LDAP Browser from Softerra .... 74
Active Directory Connector (ADCon) .... 76
  Summary of connected attributes .... 76
  General Options .... 77
  Group Mapping .... 80
  User Information .... 82
Endpoint Encryption webHelpdesk Server .... 86
  About Endpoint Encryption HTTP Server .... 86
  webRecovery .... 86
  Remote Password Change .... 87
  Pre-Requisites .... 87
  Password Expiration Warning .... 88
Activating Endpoint Encryption webHelpdesk .... 89
  Installing a SSL Certificate .... 89
  Configuring the webHelpdesk Server .... 90
  Configuring webRecovery .... 92
Recovering Users using webHelpdesk .... 93
  With Challenge-Response .... 93
  By Directly Changing their Password .... 95
User self recovery - webRecovery .... 96
  Registering for webRecovery .... 96
  Recovery using webRecovery .... 98
License Management .... 101
Common Criteria EAL4 Mode Operation .... 103
  Algorithm Certificate Numbers .... 104
Tuning the Object Directory .... 106
  The Name Index .... 106
  About Name Indexing .... 106
  Enabling and Configuring Name Indexing .... 106
  Enabling Directory Compression .... 107
Endpoint Encryption Configuration Files .... 109
  sbnewdb.ini .... 109
  sberrors.ini .... 109
  sbhelp.ini .... 109
  sbadmin.ini .... 109
  sbfeatur.ini .... 109
  sbfiledb.ini .... 109
  dbcfg.ini .... 109
  sdmcfg.ini .... 110
  SBServer.ini .... 111
  sbconmgr.ini .... 111
  Cmsettings.ini .... 112
  LDAPCon Manual Settings .... 112
  LDAPCon / ADCon Manual Settings .... 112
  SBHTTP.ini .... 112
  EXE Files .... 114
  DLL Files .... 114
  SYS Files .... 114
  srg files .... 114
Error Messages .... 115
  Module codes .... 115
  5501 Web Server Page Errors .... 116
  5502 Web Server User Web Recovery .... 117
  5C00 Communications Protocol .... 117
  5C02 Communications Cryptographic .... 119
  C100 Scripting Errors .... 120
  DB00 Database Errors .... 121
  DB01 Database Objects .... 124
  DB02 Database Attributes .... 125
  E000 Endpoint Encryption General .... 125
  E001 Tokens .... 125
  E012 Licences .... 127
  E013 Installer .... 127
  E014 Hashes .... 128
  E016 Administration Center .... 129
Technical Specifications and Options .... 130
  Encryption Algorithms .... 130
  Smart Card Readers .... 130
  Tokens .... 130
  Language Support .... 131
  System Requirements .... 131
Index .... 133
Preface

The team at McAfee is dedicated to providing you with the best in security for
protecting data on personal computers. Applying the latest technology, deployment
and management of users is enhanced using simple and structured administration
controls.
The Endpoint Encryption Manager and associated products are designed to protect
your mobile data on PCs, PDAs and across networks.
Through the continued investment in technology and the inclusions of industry
standards we are confident that our goal of keeping Endpoint Encryption at the
forefront of data security will be achieved.
About this guide

This document will aid corporate security administrators in the correct implementation
and deployment of the Endpoint Encryption Manager. Although this guide is complete
in terms of setting up and managing Endpoint Encryption systems, it does not attempt
to teach the topic of "Enterprise Security" as a whole.
Readers should refer to the Administration Guides for individual Endpoint Encryption
products, such as the Endpoint Encryption for PC, for specific information.
Audience

This guide was designed to be used by qualified system administrators and security
managers. Knowledge of basic networking and routing concepts, and a general
understanding of the aims of centrally managed security is required.
For information about cryptography topics, readers are advised to consult the following
publications:
Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Bruce
Schneier, Pub. John Wiley & Sons; ISBN: 0471128457
Computer Security, Dieter Gollmann, Pub. John Wiley and Sons; ISBN: 0471978442
Security in Computing, Charles P. Pfleeger, Pub. Prentice Hall PTR; 3rd edition; ISBN:
0130355488
Conventions

This guide uses the following conventions:
Bold Condensed All words from the interface, including options, menus, buttons, and dialog box names.
Courier The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).
Italic Emphasis or introduction of a new term; names of product manuals.
Blue A web address (URL); a live link.
Note Supplemental information; for example, an alternate method of executing the same command.
Caution Important advice to protect your computer system, enterprise, software installation, or data.
Related Documentation

The following materials are available from our web site, http://www.mcafee.com, and
from your Endpoint Encryption Distributor:
• Endpoint Encryption Manager Administration Guide (this document)
• Endpoint Encryption for PC Administration Guide
• Endpoint Encryption for Files and Folders Administration Guide
• Port Control Administration Guide
• Endpoint Encryption for PC Quick Start Guide
• Endpoint Encryption for Files and Folders Quick Start Guide
Acknowledgements

Endpoint Encryption's Novell NDS Connector and LDAP Connectors make use of
OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given
to these organizations for their free APIs.
Contacting Technical Support

Please refer to www.mcafee.com for further information.
Introduction

Why Endpoint Encryption?

Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD
worth of lost data. Is your data safely stored? Ever thought about the risks you run for
your company and your clients? The Endpoint Encryption product range was developed
with the understanding that often the data stored on a computer is much more
valuable than the hardware itself.
Design Philosophy

The Endpoint Encryption product range enhances the security of devices by providing
data encryption and a token-based logon procedure using, for example a Smart Card,
Fingerprint or USB Key. McAfee also has optional File and Media encryption programs
(VDisk, File Encryptor and Endpoint Encryption for Files and Folders), as well as
hardware VPN solutions further enhancing the security offered. Endpoint Encryption
supports all current Microsoft Operating Systems, and also common PDA platforms:
• Microsoft Windows 7
• Microsoft Windows 2000 through SP4
• Microsoft Windows XP through SP3 (32bit only)
• Microsoft Windows 2003 through SP2 (32bit only)
• Microsoft Windows Vista 32bit and 64bit (all versions)
• Microsoft Pocket Windows 2002 and 2003
• Microsoft Windows Mobile 5.0/6.0/6.1
• Palm OS 3.5 through 5.4
All Endpoint Encryption products are centrally managed through a single system,
which supports scalable implementations and rich administrator control of policies.
How Endpoint Encryption Solutions Work
Management
Every time an Endpoint Encryption protected system starts, and optionally every time
the user initiates a dial-up connection or after a set period of time, Endpoint
Encryption tries to contact its Object Directory. This is a central store of configuration
information for both machines and users, and is managed by Endpoint Encryption
Administrators. The Object Directory could be on the user’s local hard disk (if the user
is working completely stand-alone), or could be in some remote location and accessed
over TCP/IP via a secure Endpoint Encryption Server (in the case of a centrally
managed enterprise).
Endpoint Encryption applications query the directory for any updates to their
configuration, and if needed download and apply them. Typical updates could be a new
user assigned to the machine by an administrator, a change in password policy, or an
upgrade to the Endpoint Encryption operating system or a new file specified by the
administrator. At the same time Endpoint Encryption uploads details like the latest
audit information, any user password changes, and security breaches to the Object
Directory. In this way, transparent synchronization of the enterprise becomes possible.
Objects, Entities, and Attributes explained

The Endpoint Encryption database stores information about users, machines, servers,
PDAs, etc. in collections called "objects". From an internal point of view it does not
matter to Endpoint Encryption what an "object" represents, only the information it
contains. So an object representing a user, say "John Smith", and an object
representing a machine, for example "Johns Laptop" both contain information about
encryption keys, account status and administration level.
Within the object are collections of configuration data called "attributes", again the
same type of attribute may exist across many object types. To take our previous
example of John and his laptop, the details of the encryption keys, user status and
administration level would all be stored as separate attributes.
Entities are applications within the Endpoint Encryption system. Because of the
generality of the "object" design, all Endpoint Encryption applications also have some
generality about them, for instance the entity representing the Endpoint Encryption
client, and the entity representing the Endpoint Encryption Server, both authenticate
to the Object Directory in the same way - as an "object" which could be a machine or
user; which of the two it is does not matter. This generality is mainly hidden from users and
administrators, but because of this core design, you will find that many Endpoint
Encryption related functions and tasks are common between users, machines and
entities.
The Endpoint Encryption Components
Endpoint Encryption Manager
Figure 1. Endpoint Encryption Manager
The most important component of the Endpoint Encryption enterprise is the Endpoint
Encryption Manager, the administrator interface. This utility allows privileged users to
manage the enterprise from any workstation that can establish a TCP/IP link or file link
to the Object Directory. Typical procedures that the Endpoint Encryption Administrator
handles are: -
• Adding users to machines
• Configuring Endpoint Encryption protected machines
• Creating and configuring users
• Revoking users logon privileges
• Updating file information on remote machines
• Recovering users who have forgotten their passwords
• Creating logon tokens such as smart cards for users
Endpoint Encryption Server
The Endpoint Encryption Server facilitates connections between entities such as the
client, the Endpoint Encryption Manager and the central Object Directory over an IP
connection (rather than the file based "local" connection). The server performs
authentication of the entity using DSA signatures, and link encryption using a
Diffie-Hellman key exchange followed by a bulk (symmetric) cipher on the line. This
ensures that "snooping" the connection cannot result in any secure key information
being disclosed.
The server exposes the Object Directory via fully routed TCP/IP, meaning that access
to the Object Directory can be exposed to the Internet / Intranet, allowing clients to
connect wherever they are. As all communications between the Server and client are
encrypted and authenticated, exposing it in this way does not put key material or
directory contents at risk on the wire; the server host itself should still be
firewalled, patched and monitored like any other Internet-facing service.
There is a unique PDA Server which provides similar services to PDAs such as
Microsoft Pocket Windows and PalmOS devices. More information about this can be
found in later chapters.
Endpoint Encryption Object Directory
The Endpoint Encryption Object Directory is the central configuration store for
Endpoint Encryption for PC and is used as a repository of information for all the
Endpoint Encryption entities. The default directory uses the operating system's file
system driver to provide a high-performance, scalable store which mirrors an X.500
design. Alternative stores such as LDAP are possible; contact your Endpoint
Encryption representative for details. The standard store has a capacity of over 4
billion users and machines.
Typical information stored in the Object Directory includes:
• User Configuration information
• Machine Configuration information
• Client and administration file lists
• Encryption key and recovery information
• Audit trails
• Secure Server Key information
Endpoint Encryption for PC Client
Figure 2. Endpoint Encryption Client
The Endpoint Encryption for PC client software is largely invisible to the end user. The
only visible part is an entry in the user's tool tray (the Endpoint Encryption icon).
Clicking on this icon allows the user to lock the PC with the screen saver (if the
administrator has enabled this option and a screen saver is selected). Right-clicking on
the icon allows them to perform a manual synchronization with their Object Directory, or
monitor the progress of any active synchronization.
Normally the Endpoint Encryption client attempts to connect to its home server or
directory each time the machine boots, or, establishes a new dial-up connection.
During this process, any configuration changes made by the Endpoint Encryption
administrator are collected and implemented by the Endpoint Encryption client. In
addition, information such as the last audit logs are uploaded to the directory.
Endpoint Encryption PDA Server
The Endpoint Encryption PDA Server facilitates connections between entities such as
the Endpoint Encryption client, the Endpoint Encryption Manager and the central Object
Directory over an IP connection (rather than the file based "local" connection). The
server performs authentication of the entity using DSA signatures and link encryption
using a Diffie-Hellman key exchange followed by a bulk (symmetric) cipher on the line.
This ensures that "snooping" the connection cannot result in any secure key information
being disclosed.
Note: The default port for PDA Server is 5557.
The server exposes the Object Directory via fully routed TCP/IP, meaning that access
to the Object Directory can be exposed to the Internet / Intranet, allowing clients to
connect wherever they are. As all communications between the server and client are
encrypted and authenticated, exposing it in this way does not put key material or
directory contents at risk on the wire; the server host itself should still be
firewalled, patched and monitored like any other Internet-facing service.
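The link protection described for both the Endpoint Encryption Server and the PDA Server above (DSA-signed Diffie-Hellman, then a bulk cipher keyed from the shared secret) is shown below as an added worked example. It is not McAfee code and not the product's actual wire format: the message layout, the entity names, the toy-sized DSA/DH parameters generated at run time and the HMAC keystream standing in for the bulk algorithm are all assumptions made for illustration. The point it demonstrates is why the DH values must be signed: a passive snooper sees only g^a and g^b, and an active attacker who substitutes its own value cannot produce a valid signature under the peer's long-term key, so the link is refused before any key is derived.

```python
import hashlib, hmac, secrets
PLAINTEXT = b"policy update: require smart card at logon"  # constructed sample payload

def is_probable_prime(n, rounds=24):  # Miller-Rabin; a toy helper, not for production
    if n < 2 or any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(qbits=48, pbits=96):  # (p, q, g) with q | p-1 and g of order q; tiny on purpose
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4096):
            m = 2 * (secrets.randbits(pbits - qbits - 1) | (1 << (pbits - qbits - 2)))
            p = q * m + 1
            if is_probable_prime(p) and pow(2, m, p) != 1:
                return p, q, pow(2, m, p)

def hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def dsa_keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1  # long-term private key
    return x, pow(g, x, p)

def dsa_sign(params, x, msg):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh nonce per signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hash_int(msg) + x * r) % q
        if r and s:
            return r, s

def dsa_verify(params, y, msg, sig):
    (p, q, g), (r, s) = params, sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_int(msg) * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r

class Entity:  # a client or server object: long-term DSA key, peer public key pre-registered
    def __init__(self, params, name):
        self.params, self.name = params, name
        self.priv, self.pub = dsa_keygen(params)
        self.peer_pub = self.eph = None

    def offer(self):
        """First message: name | ephemeral DH value, with a DSA signature over both."""
        p, q, g = self.params
        self.eph = secrets.randbelow(q - 1) + 1
        msg = self.name.encode() + b"|" + pow(g, self.eph, p).to_bytes(16, "big")
        return msg, dsa_sign(self.params, self.priv, msg)

    def accept(self, offer):
        """Verify the peer's signature first; only then derive the link key from the DH secret."""
        msg, sig = offer
        if not dsa_verify(self.params, self.peer_pub, msg, sig):
            raise ValueError("peer signature invalid: link refused")
        peer_value = int.from_bytes(msg.split(b"|", 1)[1], "big")
        shared = pow(peer_value, self.eph, self.params[0])
        return hashlib.sha256(b"EEM-link|" + shared.to_bytes(16, "big")).digest()

def stream_xor(key, data):
    """HMAC-SHA256 keystream XOR: a stand-in for the product's bulk line cipher."""
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), "sha256").digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def run_link(mitm=False):
    """Whole exchange; mitm=True substitutes an attacker's DH value under the server's old signature."""
    params = gen_params()
    client, server = Entity(params, "laptop-0042"), Entity(params, "eem-server")
    client.peer_pub, server.peer_pub = server.pub, client.pub  # as learned from the Object Directory
    client_offer, server_offer = client.offer(), server.offer()
    if mitm:
        server_offer = (b"eem-server|" + pow(params[2], 12345, params[0]).to_bytes(16, "big"),
                        server_offer[1])
    try:
        k_client = client.accept(server_offer)
    except ValueError:
        return "rejected", None
    k_server = server.accept(client_offer)
    ciphertext = stream_xor(k_client, PLAINTEXT)
    return "established", (k_client == k_server, stream_xor(k_server, ciphertext))
```

Calling `run_link()` yields an established link with both sides holding the same key and the payload round-tripping; `run_link(mitm=True)` is rejected at signature verification. A real deployment uses standard-sized parameters, an authenticated bulk cipher, and peer public keys taken from the Object Directory rather than assigned in code.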
Endpoint Encryption for Mobile
Endpoint Encryption for Mobile provides authentication and encryption services for mobile
devices. Every time you activate it you are prompted to enter a secure, recoverable
password or PIN.
As with Endpoint Encryption for PCs, every time you activate, or dock a PDA device
protected with Endpoint Encryption it tries to communicate with its home Endpoint
Encryption PDA Server and set its security profile - again, set from the Endpoint
Encryption Manager.
Endpoint Encryption File Encryptor
By right clicking on a file, users can elect to encrypt it using various keys. Files can be
encrypted with other Endpoint Encryption users’ keys, and/or passwords.
Once protected in this way the file can be sent elsewhere, for example via e-mail, or
on a floppy disk, without the risk of disclosure.
When the file needs to be used, double-click it; a password or login prompt is presented
for authentication, and if the credentials are correct the file is decrypted.
The File Encryptor also has an option to create an RSA key pair for recovery – if the
password to a file is lost, then the file can still be recovered using the correct recovery
key.
Endpoint Encryption Connector Manager
Endpoint Encryption’s directory used to keep track of security information is designed
so that synchronization of details between Endpoint Encryption and other systems is
possible. The Connector Manager is a customizable module which enables data from
systems such as X.500 directories (commonly used in PKI infrastructures) to propagate
to the Endpoint Encryption Object Directory. Using this mechanism, it's possible to
replicate details such as a user's account status between the Endpoint Encryption
Manager and other directories. Current connector options include LDAP, Active
Directory, and an NT Domain Connector. For information on these components, see
your Endpoint Encryption representative.
Installing Endpoint Encryption Manager
NOTE: Readers unfamiliar with Endpoint Encryption should follow the Endpoint Encryption Quick Start
Guide for the product you are installing, before tackling any of the topics in this guide. The Quick Start
guides provide an overview of setting up an Endpoint Encryption enterprise.
Endpoint Encryption Manager is the administration part of Endpoint Encryption and is
the core tool for managing all Endpoint Encryption aware applications. If this is the
first time you have installed an Endpoint Encryption application, then please read the
Quick Start Guide for that application. You will find this on your Endpoint
Encryption CD or in your Endpoint Encryption download.
Install Endpoint Encryption Manager by running the appropriate setup.exe from the
Endpoint Encryption CD. You should run this first on the machine which you want to be
the “master” or administrators machine. If you have a multi-language CD, select the
language (for example, English) you want to install.
The Endpoint Encryption Manager will now install on your machine. Follow the
on-screen prompts to install the software; you may be prompted to select a language,
smart card reader, and encryption algorithm. Once completed you may need to restart
your system.
The Endpoint Encryption Manager suite adds some items to your start menu:
Endpoint Encryption Manager starts the Endpoint Encryption Manager; Endpoint
Encryption Server starts the communication server which provides encrypted links
between clients and the Object Directory. You may also have an icon for the Endpoint
Encryption Connector Manager.
After rebooting, run the Endpoint Encryption Manager program. A wizard will walk you
through the creation of a new Endpoint Encryption directory. If you have an existing
Object Directory in your network, you can connect to it by canceling the wizard and
manually configuring a connection. For information on this procedure please see
Managing Object Directories.
Upgrading the Endpoint Encryption Manager

1. Download the Endpoint Encryption Manager software from the McAfee
download site.
2. Run the setup file and complete the upgrade. See the Endpoint Encryption
Update and Migration Guide (contained in the download) for more detail.
Endpoint Encryption Manager Interface
The Endpoint Encryption Manager allows certain classifications of user to manage and
interact with the backend Object Directory. Users and machines can perform certain
tasks and change certain details within the directory, depending upon their assigned
"Administration Privilege", and administrative rights.
Administration Level

Each object in the directory has an "administration privilege" ranging from 1 (lowest)
to 32 (root administrator). No object except the root administrator can change the
attributes of an object at its own privilege level or above, although some attributes
can be read regardless. This mechanism stops low-privilege users from changing their
own configuration, and protects high-level administrators from the activities of lower
levels.
The recommended assigned privileges are:
User Classification       Administration Level
Root Administrator        32
Other Administrators      10
Normal Users              1
Normal Machines           1
NOTE: As there are no objects with a privilege above 32, all level 32 objects are treated equally and
without restraint (except delete rights). This means that any top‐level admin can edit the properties of any
other top‐level admin. However, a level 32 administrator with limited admin functions cannot add those
restricted functions to another level 32 administrator. For this reason it is recommended that general
Endpoint Encryption administrators use accounts with a privilege below 32, and the master (or root)
administrator account should be used only in extreme circumstances.
In addition to this rule, extra restrictions on what administration processes an
individual may use can be set when they are created, for instance the ability to add
users may be blocked, as may be the ability to create install sets.
This makes it possible to create high-privilege users with no admin abilities. Such
users cannot be administered or recovered by lower-privilege users, even though those
lower-level users may have access to the administration functions.
Starting Endpoint Encryption Manager
Endpoint Encryption Manager communicates with the Object Directory and requests
user authentication on start-up, which it uses to connect to an Object Directory. Users
and administrators authenticate using their Endpoint Encryption credentials, so if they
usually use a smart card to log in to Endpoint Encryption, they will need the same card
to access Endpoint Encryption Manager.
NOTE: for details on setting up connections to directories, see Managing Object Directories.
There is no real limit to the number of concurrent Endpoint Encryption sessions that
can be connected to each directory, either directly or via an Endpoint Encryption
Server. If two administrators update an object's configuration at the same time, the
last one to click Save overrides all others. The limiting factor is the hardware
supplying access to the directory, i.e. the network and server speed.
Groups of Users, Machines and other Objects
Within the Endpoint Encryption Directory, objects are "grouped" in order to simplify
configuration. For example, in a large corporation with many departments, the Endpoint
Encryption administrator may choose to create groups of machines based on their
physical location - for instance "Sales" and "Helpdesk". The configuration of these two
groups would be similar, but not identical - for instance, the "Sales" group of PCs may
not synchronize with the Object Directory so often, and the "Helpdesk" PCs would not
be receiving some sales-related database information.
To facilitate configuration at group level, two types of group can be created:
Controlled Groups
Members of configuration-controlled groups cannot have their core configuration
altered on a member-by-member basis (non-core items include machine description
for instance). All changes have to be made at group level, and immediately affect all
members of the group. When an object is moved into a controlled group, it
immediately loses its individuality and inherits the group’s properties.
Controlled groups are used where it is not necessary or desirable to have many
individual objects with their own configurations; for example, an administrator may
choose to enforce a strict security policy which must be adhered to, in which case
there is no scope for objects to have individual configurations. Another use is
where a collection of machines needs to have their configurations synchronized as
one. For example, if a controlled group of 200 machines had the property Endpoint
Encryption enabled set to false, and the option was then enabled at group level, the
change would affect every machine in the group. Each machine would automatically
enable Endpoint Encryption the next time it synchronized with the directory.
Free Groups
Free groups have no master control; objects inherit the properties of the group when
they are created, but this configuration is stored individually for the object and can be
altered at any time. Existing objects moved into a free group do not inherit any group
properties; they simply retain their own configurations. Changing the group
configuration only affects new objects created within the group; it does not affect
existing objects.
One group for each object type is defined as the default. Unless otherwise specified,
this is the group under which new Objects (machines, users, etc.) appear and from
which they inherit their initial attributes. This group may or may not be configuration
controlled, and is displayed in bold type in the object tree. To set the default group,
select it and use the right-click menu option Set as Default Group.
Finding Objects
You can search the object trees by either typing into the Find box on the tool bar of
Endpoint Encryption Manager, or, by using the Filter or Find by ID options from the
Objects Menu.
Finding orphaned objects using Group Scan
The Group Scan feature within the Groups drop down menu allows you to scan
through any group and identify missing objects, e.g. machines, users, etc.
1. Select a group from the Users, System, Policies, or Devices tabs.
2. Click the Groups option from the menu bar.
3. Click Group Scan.
4. Select a group from the drop down list.
5. Click Ok. This will begin a search across the selected group for orphaned
objects. The report output will appear in the bottom right pane.
Audit Trails
Endpoint Encryption keeps audit trails for most types of object. To view the current
audit, select the object in question and use the right-click menu option View Audit.
Audit trails can be exported as comma-delimited files for use in other applications.
Whether a user can view another user's audit depends on their relative administration
levels and on their View Audit administration right. It is recommended that not all
users are given this permission.
The Endpoint Encryption Object Directory
Endpoint Encryption stores all its configuration and security information in a central,
generic data store referred to as the Object Directory. This store resembles a tree-
based, modular, object-structured directory, similar in design to an X500 directory. The
Endpoint Encryption Configuration Manager on the protected machine periodically
checks this store via a connection manager (the Directory Manager) to see if there are
any changes to apply, and delivers any updates necessary in return. The directory
stores the configuration information for users, machines, etc. in logical Objects
containing data blocks ("attributes").
The Object Directory Structure
The Object Directory manages three levels of information: object type, the actual
Objects, and attributes. This can be compared to a file and directory system. The top
level holds the various object classifications: user, group, and machine. Below this
level are the individual Objects; for example, in the case of the user tree, there would
be Objects containing the attributes for users. Each object has many attributes, e.g.
account status, private key and password.
NOTE ‐ Supported accessible Objects are Users, Machines, Servers, Files, Directories, and Groups. Endpoint
Encryption makes no distinction between the different types of object at the management and access level.
Only the Attributes stored within them differ. This independence greatly increases the speed at which the
object store can work.
There is no requirement for any particular type of directory, as long as the directory
engine can support the minimum layout. All data sources are viable, e.g. ODBC,
Access, LDAP, DAP, X500, etc.
Endpoint Encryption ships with two directory drivers: a high-performance file-system-
based driver for large corporate users, and a small single-file "transport" directory
driver designed for single use and disconnected deployment. For information on
porting Endpoint Encryption's backend directory to an alternate system, please contact
your McAfee Services representative.
A simple pictorial layout of the directory structure could be explained thus:
Root Directory
|
Users-------Machines-------Groups-------Servers--------Files (Object Classes)
|
User.0-----User.1-----User.2-----User.3-.. User.n (User level)
|
Attrib.0----Attrib.1-----Attrib.2------Attrib.n (Attributes containing
Configuration information)
This structure mirrors an X500 directory, and allows fast access to attributes and
modification (adding new attributes, new object classes etc) without significant effort.
Object locking
To prevent problems where two or more processes try to access the same data
simultaneously, only one process can have write permission to an Object at any time.
Normally an object such as a user is only locked during the actual write process; if
there is a conflict in locks, one process will wait for the other to release. This usually
takes only a few seconds. In the standard file-managed directory, object locking is
provided by the operating system itself.
Creating and Configuring Users
Figure 3. Creating New Users
New users can be created in Endpoint Encryption Manager by selecting the group they
need to be in, and using the menu option Create User. You can also create users
automatically using a connector to another directory, such as Active Directory, or an
automated script. Please see the Endpoint Encryption Connector Manager chapter or
the Endpoint Encryption Scripting Tool Users Guide.
The new user’s logon id and recovery information about them can be entered. The
user’s password or token is inherited from the group, and can be set or generated at
this point.
The fields of information are used to identify the user in case of a helpdesk issue, such
as the user forgetting their password. The helpdesk and user can see the majority of
these fields, but some may be defined as "hidden from user" - in this example, the
field Group Access is one of those. Hidden fields can only be seen by administrators
with a higher privilege than the user, or the root administrator.
This gives the helpdesk operator the ability to ask the user a question to validate their
identity. For more information on recovery, see the Recovery chapters of your product
administrators’ guide.
Once created, the user assumes the configuration of the group they were created in. If
this group is "controlled", then only a few options are available to be configured on a
user-by-user basis. If the group is "Free" then although the user assumes the
properties of the group on creation, the parameters can then be set individually
afterwards.
User Administration Functions
Create Token
Creates a new Token for the selected user - this could be a soft (password) token, or a
hard token such as a smart card or eToken.
NOTE: In the case of hard tokens, creating the token does not necessarily set the user to actually use that
token. This must be accomplished separately from the user’s Token properties page.
Reset Token
Resets the token authentication to the default. In the case of the soft (password)
token, this resets the password to 12345.
NOTE: Some hard tokens may not be able to be reset using Endpoint Encryption ‐ for example Datakey
Smart Cards. In this case contact the manufacturer of your token to determine the correct re‐use
procedure.
Set SSO Details
Sets the Single-Sign-On details for the user. For more information on SSO see the
Endpoint Encryption for PC Administration Guide.
Force Password Change at Next Logon
Forces the user to change their password at their next logon. This policy option applies
to both the Endpoint Encryption Manager and all compatible applications, such as
Endpoint Encryption for PC.
View Audit
Displays the audit for the user.
Reset (All) to Group Configuration
Resets the configuration of the user, or of all the users in the group, to the group's
configuration.
Create Copy
Creates a new object based on the selected object.
Properties
Displays the properties of the selected object.
User configuration Options
General
Figure 4. User Options ‐ General
User ID
The user ID of a given user is the system-wide identifier that Endpoint Encryption uses
internally to keep track of the user. This number is unique within the Object Directory
and is displayed for technical support purposes. The user’s recovery screens also show
this number.
Auto-boot users
Special user ids containing the tag “$autoboot$” with a password of “12345” (or set by
administrators) can be used to auto-boot an Endpoint Encryption for PC protected
machine. This option is useful if an auto boot of a machine is needed, for example
when updating software using a distribution package such as SMS or Zenworks. This
ID should be used with caution though, as it effectively bypasses the security of
Endpoint Encryption.
You can find out more about the “$autoboot$” user from the Endpoint Encryption for
PC Administration Guide.
Enabled
Shows whether the user account is enabled or not. The enabled status is always user
selectable.
Once a machine has synchronized, it checks the user account list to ensure that the
currently logged-on user is still valid (because they logged on at boot time, before the
network and Object Directory were available). Users with disabled accounts (or users
who have been removed from the user list) will find the screen saver will activate and
they will be unable to log in.
NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop the
user from accessing the machine), you can use the force sync option of the machine's right‐click menu to
force an update. For more information see the Endpoint Encryption for PC Administration Guide.
Valid From / Until
Sets the period during which this account is valid. Once the period has passed, the
user will no longer be able to log on. If the user is logged on when the account expires,
they will NOT be automatically logged off the system (but if they reboot, or the screen
saver activates, they will not be able to log on again).
Both Valid From and Valid Until settings can be made. This enables the
administrator to set up accounts that self-activate sometime in the future and/or
expire at some fixed point (e.g. for contracted employees with a fixed term contract
starting and expiring on a given day).
Change Picture
Allows the administrator to set a picture for the user. The picture aids the helpdesk in
the identification of a user when doing a challenge/response password reset. The
imported picture can be any size bitmap image.
User Defined Labels (Information Fields)
When a user is created, several fields of information may be set to help the helpdesk
identify the user during the recovery process. For a full description of the use of these
fields see Creating Users, and Recovering Users and Machines.
Password Parameters
Figure 5. User Configuration ‐ Password Parameters
Force Change if "12345"
Ticking this option prevents users from continuing to use the Endpoint Encryption
default password of "12345". If this password is ever used, for instance after
recovering a user, it must be changed before Endpoint Encryption will allow the
operating system to boot. The force password change mechanism is also supported in
the Windows Screen Saver.
Prevent Change
Disables the Change Password option on the Endpoint Encryption boot screen, and
on the directory login screen.
Enable Password History
Endpoint Encryption records previous passwords, and stops the user repeating old
passwords when they are forced to change them.
The maximum number of previous passwords that can be saved is limited by the
user’s token: typically a password token can remember 19 previous passwords,
whereas a smart card token can remember only 10. Passwords are added to the history
list when the user sets them, so the default password (“12345”) may be used ONCE
again, as it is not added to the history list when a user is created.
Special smart card scripts can be made available which increase the maximum history
count beyond 10, at the expense of the time needed to log in. For information on
these scripts please contact your Endpoint Encryption representative.
Require Change After
Forces the user to change their password after a period of days.
Warn
Warns the user that their password will expire a set number of days in advance of
their password change.
Timeout password
When logging on, the user has three attempts to present Endpoint Encryption with a
correct password. If the user fails, a "lockout" period of 60 seconds commences.
The user cannot log in while this period is in force, and if they reboot the PC, the
period starts again.
Once the period has expired, the user is allowed further logon attempts, with the
lockout period doubling after each further incorrect attempt, i.e.
• 1st incorrect attempt: no lockout
• 2nd incorrect attempt: no lockout
• 3rd incorrect attempt: 60 seconds lockout
• 4th incorrect attempt: 120 seconds lockout
• 5th incorrect attempt: 4 min lockout
• 9th incorrect attempt: 64 min lockout
64 minutes is the maximum lockout period that may be set.
Invalidate Password after
After a sequence of incorrect passwords, Endpoint Encryption can disable the user’s
account. To log on again once this has happened, the user will need to call their
Endpoint Encryption helpdesk for a password reset. The number of incorrect
passwords that have to be entered before this occurs is normally 10, but can be set as
needed.
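The lockout schedule and the account invalidation described in the two sections above, modelled as an added Python example (not McAfee's code). The LogonGuard class, its caller-supplied clock and the invalidate_after parameter are constructed for this example; the schedule values are the guide's.

```python
LOCKOUT_BASE_SECONDS = 60
LOCKOUT_MAX_SECONDS = 64 * 60   # "64 minutes is the maximum lockout period"
FREE_ATTEMPTS = 2               # 1st and 2nd incorrect attempts: no lockout


def lockout_seconds(failed_attempts):
    """Lockout imposed after the n-th consecutive incorrect password:
    none for the first two, 60 s for the third, then doubling, capped."""
    if failed_attempts <= FREE_ATTEMPTS:
        return 0
    exponent = failed_attempts - FREE_ATTEMPTS - 1
    return min(LOCKOUT_BASE_SECONDS * 2 ** exponent, LOCKOUT_MAX_SECONDS)


class LogonGuard:
    """Consecutive-failure tracking for one user. `now` values are seconds
    on a clock supplied by the caller, so the behaviour is deterministic."""

    def __init__(self, invalidate_after=10):
        self.invalidate_after = invalidate_after  # "normally 10"
        self.failures = 0
        self.locked_until = 0.0
        self.invalidated = False   # set when a helpdesk reset is required

    def can_attempt(self, now):
        return not self.invalidated and now >= self.locked_until

    def attempt(self, now, password_ok):
        """Record one logon attempt; returns True only on a successful logon."""
        if not self.can_attempt(now):
            return False
        if password_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.invalidate_after:
            self.invalidated = True   # account disabled until password reset
        self.locked_until = now + lockout_seconds(self.failures)
        return False

    def reboot(self, now):
        """Rebooting does not clear a lockout: the current period restarts."""
        if now < self.locked_until:
            self.locked_until = now + lockout_seconds(self.failures)
```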
Password Template
Figure 6. User Configuration ‐ Password Template
Password Length
Sets the expected length of the user’s password between two extremes.
Recommended settings are a minimum length of 5 characters, and a maximum length
of 40 characters.
Enforce Password Content
Enforcing password content forces the user to pick more secure passwords, but also
reduces the number of possible passwords the user can select from. Content is not
case sensitive. The following options can be set:
Alpha
A minimum number of characters from the range a-z and A-Z.
Alphanumeric
A minimum number of non-symbol chars from the range a-z, A-Z, and 0-9.
Numeric
Numbers only, from the range 0-9.
Symbols
!"£$%^&*()_+{}~@:><,./ :;@'~#<,>.?/¬¦`[], and other non alpha and non
numeric characters.
Content restrictions force the user to be more particular when they change their
password. Depending upon the selected options, passwords that are related to the
previous password will not be accepted. The following restrictions can be set:
No Anagrams
"wordpass" is not acceptable after a password of "password".
No palindromes
The passwords "1234321", "asdsa" etc are unacceptable.
No Sequences
"password2" after "password1" is unacceptable, as are passwords such as “aaaaaa”
and “111111”.
No Simple Words
Allows an administrator-defined dictionary to be set containing forbidden passwords.
You can create this dictionary using a unicode text editor. Place each forbidden word
on its own line in the file. Name the file TrivialPWDs.dat and place it in your client
install set in the [appdir]\SBTokens\Data folder. The password “password” is
excluded by default.
Can’t Be User Name
Prevents users from using their user name as their password.
Windows content rules
Mirrors the standard Windows password content rule. For passwords to be accepted
they must contain at least 3 of the following:
• Lower case letters
• Upper case letters
• Numbers
• Symbols and special characters
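The password template rules above (length, content, the restrictions and the Windows content rules), together with the password history from the Password Parameters section, modelled as an added Python example that is not McAfee's code. Rule names follow the guide, but the exact matching logic (for instance how a "sequence" is recognised) is this example's own interpretation, and TRIVIAL_WORDS stands in for the administrator's TrivialPWDs.dat file.

```python
import re

# Constructed stand-in for the administrator's TrivialPWDs.dat dictionary.
# The guide says "password" is excluded by default; the rest are sample
# entries added for this example.
TRIVIAL_WORDS = {"password", "letmein", "qwerty"}

# Trailing-number split used by the "No Sequences" check:
# "password1" -> stem "password", number "1".
_NUMBERED = re.compile(r"^(.*?)(\d+)$")


class PasswordTemplate:
    """The Password Template and Password History options of a user/group."""

    def __init__(self, min_length=5, max_length=40, min_alpha=0,
                 min_alphanumeric=0, min_numeric=0, min_symbols=0,
                 windows_content_rules=False, no_anagrams=True,
                 no_palindromes=True, no_sequences=True, no_simple_words=True,
                 cant_be_username=True, history_size=19):
        self.min_length, self.max_length = min_length, max_length
        self.min_alpha, self.min_alphanumeric = min_alpha, min_alphanumeric
        self.min_numeric, self.min_symbols = min_numeric, min_symbols
        self.windows_content_rules = windows_content_rules
        self.no_anagrams, self.no_palindromes = no_anagrams, no_palindromes
        self.no_sequences, self.no_simple_words = no_sequences, no_simple_words
        self.cant_be_username = cant_be_username
        # 19 for a password token, 10 for a smart card token; 0 disables.
        self.history_size = history_size

    def check(self, pw, username, history):
        """Return the names of the rules `pw` violates; [] means accepted.

        `history` lists previous passwords oldest first, so history[-1] is
        the password being replaced. As the guide notes, the creation-time
        default "12345" is not in the history until the user sets it."""
        violations = []
        letters = sum(c.isalpha() for c in pw)
        digits = sum(c.isdigit() for c in pw)
        symbols = sum(not c.isalnum() for c in pw)
        if not self.min_length <= len(pw) <= self.max_length:
            violations.append("Password Length")
        if letters < self.min_alpha:
            violations.append("Alpha")
        if letters + digits < self.min_alphanumeric:
            violations.append("Alphanumeric")
        if digits < self.min_numeric:
            violations.append("Numeric")
        if symbols < self.min_symbols:
            violations.append("Symbols")
        if self.windows_content_rules:
            classes = [any(c.islower() for c in pw),
                       any(c.isupper() for c in pw), digits > 0, symbols > 0]
            if sum(classes) < 3:            # at least 3 of the 4 classes
                violations.append("Windows content rules")
        previous = history[-1] if history else None
        if (self.no_anagrams and previous and pw.lower() != previous.lower()
                and sorted(pw.lower()) == sorted(previous.lower())):
            violations.append("No Anagrams")
        if (self.no_palindromes and len(pw) > 1
                and pw.lower() == pw.lower()[::-1]):
            violations.append("No Palindromes")
        if self.no_sequences and self._is_sequence(pw, previous):
            violations.append("No Sequences")
        if self.no_simple_words and pw.lower() in TRIVIAL_WORDS:
            violations.append("No Simple Words")
        if self.cant_be_username and pw.lower() == username.lower():
            violations.append("Can't Be User Name")
        if self.history_size and pw in history[-self.history_size:]:
            violations.append("Password History")
        return violations

    @staticmethod
    def _is_sequence(pw, previous):
        # "aaaaaa" / "111111": one character repeated.
        if len(set(pw)) == 1:
            return True
        # "password2" after "password1": same stem, only the number changed.
        if previous:
            new, old = _NUMBERED.match(pw), _NUMBERED.match(previous)
            if new and old and new.group(1).lower() == old.group(1).lower():
                return True
        return False
```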
Token Type
Figure 7. User Configuration ‐ Token Selection
Sets the token for a given user / group of users. The list of available tokens is created
from the token modules installed in the Object Directory. For information on particular
token options, please see the Tokens chapter.
Some tokens may be incompatible with other options - for instance, you cannot use
the Floppy Disk token if the user's floppy disk access is disabled, set to read only, or
set as Encrypted.
Assigning a token to a user does not necessarily mean they will be able to log into a
machine – for example giving a user a smart card does not mean their machine has a
smart card reader, or the software needed to drive such a reader.
NOTE: When you change a user’s token, Endpoint Encryption automatically brings up the token creation
wizard. You need to remember to create Soft Tokens even though they’re just passwords.
Recovery Key
You can reset a user’s password, or change their token type using the recovery
process – this involves the user reading a small “challenge” of 18 characters from the
machine to an administrator, then typing in a larger “response” from the
administrator.
The recovery key size defines the exact length of this code exchange. The range of
options for the recovery key is dependent upon the maximum key size of the
algorithm in use. A key size of “0” disables the user recovery system.
Allow web-based self recovery
You can prevent a password-only user from registering for web recovery by selecting
this option.
Administration Rights
Figure 8. User Configuration ‐ Administration Rights
Administration Level
The administration level of a given user defines their Administration Scope. Users can
only work with directory objects (machines, other users etc) below their own level,
thus a level 2 user can only administer users of level 1. All users are by default
created at level 1, and are therefore unable to administer each other. The user who
first created the directory is created at level 32, and can therefore administer any
other object in the directory.
NOTE: A special case exists for the highest level of user (“root users”), allowing them to administer at level
32.
Administration Functions
Options in the administration functions box select what administrative options are
available to a given user / group of users.
When creating a new user, the administration rights of the creator are copied to the
new user.
Most administration functions are obvious but the following may require more
explanation:
• Users/Allow Administration – controls a user’s right to start administration
systems such as the Endpoint Encryption Manager or Connector Manager. If
this option is removed for all users, the management environment will be
unavailable.
Logon Hours
Figure 9. User Configuration ‐ Logon Hours
Endpoint Encryption can prevent a user from accessing any machine during particular
time periods. In the example above, the user "John Smith" can access any machine
his account has been allocated to during the hours of 9am - 5pm any day. If the
Force user to logoff box is not ticked, restricting the logon hours of a user does not
prevent them continuing to use a machine out of hours if they were logged on when
the restriction comes into force, however it does prevent them logging on after this
time, for instance at a screen saver prompt.
Devices
This is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for
PC Administration Guide.
Application Control
This policy is used by Endpoint Encryption for PC only. Please see the Endpoint
Encryption for PC Administration Guide.
Policies
Figure 10. Policies
Endpoint Encryption can control other systems through the Policies Interface. You can
define the actual parameters of a policy through its entry on the System Tree, and
assign which policies are enforced for a particular user, or group of users, from the
policies tab. For more information on policies see the Policies chapter.
Add / Remove
Click Add or Remove to associate a policy with a user. You can only associate one
policy of each type with a user.
Bindings
Figure 11. Connector Bindings
The Endpoint Encryption Connectors use the bindings specified for a user to match
their Endpoint Encryption account with their account on an alternate system. When a
connector creates a new Endpoint Encryption user, it automatically fills in the binding
tabs to make the association. It is possible, though, to connect one or many users
created in Endpoint Encryption to a connected account by manually editing the
bindings list.
For information on the correct system tag to use for a given connector, please see the
Endpoint Encryption Connector Manager chapter and those after it.
Local Recovery
The Local Recovery option allows the user to reset a forgotten password by answering
a set of security questions.
The full list of security questions is set by the administrator using the Endpoint
Encryption Manager. Note: Endpoint Encryption contains a generic set of questions.
When the user first sets up their local recovery feature they will be prompted to select
a number of questions and provide the answers to them. These form the basis for
their local self recovery feature.
Setting Local Recovery for a user name or user group
Using Endpoint Encryption Manager, the administrator assigns the local recovery
option to the user’s logon, or, to a user group. The local recovery options are available
from the user logon or group Properties screen. See below.
Figure 12 ‐ Setting the Local Recovery options
Enable Local Recovery
Selecting this check box will set Local Recovery for the specified user or user group.
Require ? questions to be answered
This option determines how many questions the user must select to perform a Local
Recovery.
Allow ? logons before forcing user to set answers
This option determines how many times a user can logon without setting their Local
Recovery questions and answers.
Add
The Add button will load the Local Self Recovery Question dialog box and allow you
to create a new question. You can also specify the language that question should be in
and the minimum number of characters the user must specify when configuring the
answer to this question.
Remove
The Remove button will remove a selected question from the list.
Edit
The Edit button will allow you to edit the configuration of a selected question.
Apply
The Apply button will save any changes that have been made.
Restore
The Restore button will undo your changes and restore the Local Recovery options to
the previous settings (providing you have not clicked the Apply button).
See the Endpoint Encryption for PC Administrators Guide or the Help File for the user
local recovery procedures.
Administration Groups
Figure 13 ‐ Administration Groups
The groups which an administrator can manage can be restricted – this gives the
ability to create high-privilege administrators who can only work with a particular
population of users and machines – for instance departmental administrators. You can
specify all group types for the restriction, so you can also create administrator
accounts that have the ability to manage only servers, certain groups of users, or
certain groups of machines.
When group restrictions are in place, the users’ view of the database is restricted to
only the groups specified.
Leaving the admin groups box empty gives the account admin capability throughout
the Object Directory.
When an administrator with group restrictions creates a new user, the group
restrictions are reflected into the new user's properties. If the new user also inherits
groups from their group membership, these too will be set.
NOTE: Do not restrict the administrative scope of the root administrator or you may not be able to make
configuration changes in the future.
Setting User Administrative Privileges
Endpoint Encryption has a powerful and flexible administration structure. You can set
three conditions that must be met before a user can perform an administration task:
Administration Level
This must be higher than the object you are trying to administer, or in the case of top-
level objects (level 32), must also be level 32.
Groups
If there are any groups specified for administration, the object you are trying to
administer must be in one of the groups.
Administration Functions
The feature or command you are trying to use must be enabled in your Admin Rights
list.
If all these conditions are met then the user will be able to perform the function. Using
a selection of these features enables certain administration hierarchies to be created.
We advise that the minimum administration rights are given to each user, to prevent
unauthorized configuration of the security. By delegating responsibility, administration
can become a simple task.
Some Example Administration Structures
Example 1. Top-down administration.
• Root User – level 32.
• Master Administrator(s) – Level 30, no other restrictions.
• Sub Admin(s) – Level 20, no other restrictions.
• Users – Level 1, all rights removed.
In this scenario there is a simple top-down chain of administration.
Example 2. Tree administration.
• Root User – Level 32
• Enterprise Administrator(s) – Level 30, no other restrictions.
• Department A Administrator(s) – Level 20, restricted to user and machine
groups in department A only. Rights for server management removed.
• Department B Administrator(s) – Level 20, restricted to user and machine
groups in department B only. Rights for server management removed.
• Department A Users – Level 1, all rights removed.
• Department B Users – Level 1, all rights removed.
In this scenario, the departmental administrators are prevented from managing each
other’s department by the group restriction. Administrators are also prevented from
adding any of their users to machines in the other department by the same
mechanism. Only the Enterprise Administrator(s) can start or manage Endpoint
Encryption Servers.
Example 3. Function / Department Administration.
• Root User – Level 32
• Enterprise Administrator – Level 30, no other restrictions.
• Server Manager – Level 30, groups restricted to servers only, Rights
restricted to managing servers only.
• Department A Administrator – Level 20, restricted to user and machine
groups in department A only. Rights for server management removed.
• Department B Administrator – Level 20, restricted to user and machine
groups in department B only. Rights for server management removed.
• Department A Users – Level 1, all rights removed.
• Department B Users – Level 1, all rights removed.
In this scenario, there are additional accounts for the Server Manager – a person
responsible for keeping the Endpoint Encryption Server running. Their account has no
ability to manage users or log on to clients. There could also be other accounts with the
ability to add/remove users (for example used by the personnel department).
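The three conditions set out under Setting User Administrative Privileges, together with the Example 2 tree structure, as an added Python example (not McAfee's code). Object names, and all Administration Function names other than Users/Allow Administration, are constructed for the example; the delete-rights exception for level-32 accounts is not modelled.

```python
from dataclasses import dataclass

ROOT_LEVEL = 32

# Administration Functions used in this example. "Users/Allow Administration"
# is named in the guide; the other function names are constructed here.
ALL_FUNCTIONS = frozenset({
    "Users/Allow Administration", "Users/Create User", "Users/Reset Token",
    "Machines/Add User", "Servers/Manage Server",
})


@dataclass(frozen=True)
class DirectoryObject:
    name: str
    kind: str      # "user", "machine" or "server"
    level: int     # administration privilege: 1 (lowest) to 32 (root)
    group: str     # the group the object sits in


@dataclass(frozen=True)
class Administrator(DirectoryObject):
    functions: frozenset = frozenset()     # enabled Administration Functions
    admin_groups: frozenset = frozenset()  # empty = whole Object Directory


def level_permits(admin, target):
    """Condition 1: a higher level than the target, or both at level 32."""
    return admin.level > target.level or (
        admin.level == ROOT_LEVEL and target.level == ROOT_LEVEL)


def group_permits(admin, target):
    """Condition 2: if admin groups are set, the target must be in one."""
    return not admin.admin_groups or target.group in admin.admin_groups


def function_permits(admin, function):
    """Condition 3: the function must be enabled in the Admin Rights list."""
    return function in admin.functions


def can_perform(admin, function, target):
    """All three conditions must be met before the task is allowed."""
    return (level_permits(admin, target) and group_permits(admin, target)
            and function_permits(admin, function))


def create_user(creator, name, group):
    """New users start at level 1 and receive the creator's administration
    rights and group restrictions; rights are then removed as required."""
    if not function_permits(creator, "Users/Create User"):
        raise PermissionError(f"{creator.name} may not create users")
    if creator.admin_groups and group not in creator.admin_groups:
        raise PermissionError(f"{creator.name} may not create users in {group}")
    return Administrator(name, "user", 1, group,
                         functions=creator.functions,
                         admin_groups=creator.admin_groups)


def grant_function(admin, target, function):
    """Return a copy of target with `function` enabled. An administrator
    cannot hand out a function they do not hold themselves, which is why a
    limited level-32 account cannot extend another level-32 account."""
    if not (function_permits(admin, function) and level_permits(admin, target)
            and group_permits(admin, target)):
        raise PermissionError(
            f"{admin.name} may not grant {function} to {target.name}")
    return Administrator(target.name, target.kind, target.level, target.group,
                         functions=target.functions | {function},
                         admin_groups=target.admin_groups)


# Example 2 from the guide ("Tree administration"), with constructed names.
ROOT = Administrator("root", "user", 32, "Administrators", ALL_FUNCTIONS)
ENTERPRISE = Administrator("ent-admin", "user", 30, "Administrators",
                           ALL_FUNCTIONS)
DEPT_A_ADMIN = Administrator(
    "deptA-admin", "user", 20, "Administrators",
    functions=ALL_FUNCTIONS - {"Servers/Manage Server"},
    admin_groups=frozenset({"Users A", "Machines A"}))
USER_A = Administrator("alice", "user", 1, "Users A")   # all rights removed
USER_B = Administrator("bob", "user", 1, "Users B")
MACHINE_B = DirectoryObject("pc-b-01", "machine", 1, "Machines B")
SERVER = DirectoryObject("eem-server", "server", 1, "Servers")
```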
Tokens
The Endpoint Encryption Manager and connected applications support many different
types of logon token, for example passwords, smart cards, fingerprint readers and
others. Before a user can use a non-password token, you must ensure any machine
they are going to use has been suitably prepared.
Supported Smart Cards and Tokens
The link below contains the supported smart cards and tokens:
https://kc.mcafee.com/corporate/index?page=content&id=pd20895
Hardware Device Support
Ensure the machine has the appropriate Windows drivers for the hardware tokens it
needs to support, for example, if you intend to use Aladdin eTokens you need to install
the Aladdin eToken RTE (Run Time Environment).
If you intend to use smart cards, you need to ensure that an Endpoint Encryption
supported smart card reader is installed, along with its drivers – for example the
Mako/Infineer LT4000 PCMCIA smart card reader.
In both cases, the appropriate device drivers are available either direct from the
manufacturer, or from the Endpoint Encryption install CD in the Tools directory.
Endpoint Encryption Application Support
Once you have installed hardware support for the devices, you can enable software
support for them. See the dedicated product administration guide for details how to
enable tokens for that particular product.
Assign the token to the user and create it.
From the user’s Token properties pane, select the token you want that user to log in
with. Endpoint Encryption will prompt you to insert the token and will create the
appropriate data files on it.
If all steps are followed, when you install Endpoint Encryption, or after the machines
synchronize, users will be able to log in using their new token.
Upek Fingerprint Reader
1. The Upek Protector Suite QL software must be installed and configured on the
client machine. The software can be found on the McAfee Endpoint Encryption
Tools download. Please consult your McAfee representative for further
information.
2. From the Endpoint Encryption Manager:
• Create a file group for the Upek token and import the token files:
SbTokenUpek.dll and SbTokenUpek.dlm.
• The Upek file group must be assigned to the machine or machine group.
• The fingerprint reader must be assigned to a user or a user group. See the
user or user group Properties Tokens screen.
3. The user logs onto the client machine using the Upek token module in
password mode.
4. The user will be presented with a dialog which will ask them to register their
fingerprints with Endpoint Encryption; the user configures the fingerprint
reader to work with one or more of their fingerprints.
5. From then on the user will need to authenticate to Endpoint Encryption with
their fingerprint instead of a password.
File Groups and Management
Figure 14. Endpoint Encryption File Groups
The Endpoint Encryption Manager uses central collections of files, called Deploy Sets,
to manage which versions of files are used by the many Endpoint Encryption
applications. For information on a particular application's support for File Groups,
please see that application's Administration Guide.
When Endpoint Encryption Manager is installed, it automatically adds all the
standard Endpoint Encryption administrator files into the file groups and may also
create language sets, for example "English Language". An INI file, ADMFILES.INI,
determines the contents of the core groups. INI files such as these can be edited to
allow custom collections of files to be quickly imported and then applied using the
Import file list menu option. For more information on ADMFILES.ini see the Endpoint
Encryption Configuration Files chapter.
Other file sets created as standard include those to support login tokens (such as
smart card readers, and USB Key tokens).
Setting file group functions
Figure 15. File Group Content
You can specify the function of a file group by right-clicking it and selecting its
properties. Some file selection windows, for example, the file selector for machines,
only display certain classes of file group (in this example, those marked as Client
Files).
Importing new files
New files can be imported one by one into an existing deploy set using the Import
files menu option (right-click menu). Simply select the file; Endpoint Encryption will
then import it into the directory and add it to the deploy set.
Exporting Files
You can export a file group, or an individual file, back to a directory. This may be
useful, for example, if you have an out-of-date administration system driver and there
is an updated file in the Object Directory.
Deleting Files
You can delete individual files from a file set. With connected applications this usually
results in the deletion of the file from their local directory at the next synchronization
event.
Setting File Properties
To see the properties of a file, right-click on the file in question and select Properties.
Two screens of information are available.
Figure 16. File Properties, File Information
The name of the file is the actual name, which will be used when deploying the file on
the remote machine. The ID is the Object Directory object ID used as a reference for
the file from the client PC. The version number is an incremental version of the file.
When the file is updated, the version is incremented. This is used by the clients to
check whether an update is needed. Other information such as the name of the user
who imported the file and its size may be shown.
Figure 17. File Properties, Advanced
File Types
Set the type of the file.
File Location
Set the destination directory for the file.
Operating System
Because some files are only applicable to certain operating system(s), the target
operating system(s) for the file must be selected. This prevents Windows NT
drivers being installed on Windows 98 machines, or Windows 9x registry files being run
on Windows 2000 servers.
Appid
If you are installing a file that is shared between multiple Endpoint Encryption
applications, you can specify this application's ID. This prevents one application from
installing files shared by another.
Update
Specify when Endpoint Encryption should update the file.
Auditing
Introduction
The Endpoint Encryption Manager audits user, machine, and server activity. By
right-clicking an object in the Endpoint Encryption Object Directory, you can select the
View Audit function.
Audit trails are uploaded to the central directory by both the Administration Center
and connected Endpoint Encryption Applications such as Endpoint Encryption for PC
and Endpoint Encryption for Files and Folders.
The permission to view or clear an audit log can be controlled on a user or group
basis. Both the administration level and administration function rights are checked
before allowing access to a log. For more information on setting these permissions see
the Creating and Configuring Users chapter.
Audit trails can be exported to a CDF file by using the Audit menu option, or by right-
clicking the trail and selecting Export. Also, the entire audit of the directory can be
exported using the Endpoint Encryption Scripting Tool – for information on this option
please contact your McAfee representative.
The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely,
but can be cleared en masse using SBAdmCL.
Common Audit Events
The text displayed in the audit log will depend on your localization and language
settings. The following tables list the common events and their ID codes for the
American English version of Endpoint Encryption. Many events can appear in multiple
places; for example, the Login Successful event will be logged simultaneously against
both the user account doing the login and the machine being logged into.
You can find out about product specific events from its dedicated administration guide
– for example to find out about Endpoint Encryption for PC events, refer to the
Endpoint Encryption for PC Administration Guide.
Information Events
Description                      Event
Audit cleared                    01000000
Boot started                     01000001
Boot complete                    01000002
Booted non-secure                01000003
Backwards Date Change            01000005
Booted from floppy               01000004
Token battery low                01000010
Power fail                       01000011
A virus was detected             01000013
Synchronization Event            01000014
Add group                        01000082
Add object                       01000083
Delete group                     01000084
Delete object                    01000085
Import object                    01000086
Export object                    01000087
Export configuration             01000088
Update object                    01000089
Import file set                  01000090
Create token                     01000091
Reset token                      01000092
Export key                       01000093
Recover                          01000094
Create database                  01000095
Reboot machine                   01000096
Move Object between groups       01000098
Rename Object                    01000099
Server started                   010000C0
Server stopped                   010000C1

Try Events
Description                      Event
Logon attempt                    02000001
Change password                  02000002
Forced password change           02000003
Recovery started                 02000016
Database logon attempt           02000081

Succeed Events
Description                      Event
Logon successful                 04000001
Password changed successfully    04000002
Boot once recovery               04000016
Password reset                   04000017
Password timeout                 04000018
Lockout recovery                 04000018
Change token recovery            04000019
Screen saver recovery            0400001A
Database logon successful        04000081

Failure Events
Description                      Event
Logon failed                     08000001
Password change failed           08000002
Password invalidated             08000005
Machine configuration expired    08000012
Recovery failed                  08000017
Database logon failed            08000081
A virus was detected             Undefined
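The tables above show that the high byte of each event ID names its category (01 information, 02 try, 04 succeed, 08 failure), which makes an exported trail straightforward to decode and sift mechanically: repeated Logon failed entries against one object, or an Audit cleared entry, are the kind of thing an administrator reviewing exports wants surfaced. The following Python is an added example and is not part of this guide or of the product. The export layout it parses (one comma-separated line of timestamp, object, event ID) is a constructed stand-in, because the guide does not describe the CDF format, and the sample entries are constructed.

```python
import re
from collections import Counter

# Event IDs from the tables above (a subset). The tables show that the high byte
# of the ID distinguishes the category: 01 information, 02 try, 04 succeed, 08 failure.
CATEGORY_BY_HIGH_BYTE = {
    0x01: "information",
    0x02: "try",
    0x04: "succeed",
    0x08: "failure",
}

EVENT_NAMES = {
    0x01000000: "Audit cleared",
    0x01000014: "Synchronization Event",
    0x01000093: "Export key",
    0x01000094: "Recover",
    0x010000C0: "Server started",
    0x010000C1: "Server stopped",
    0x02000001: "Logon attempt",
    0x02000081: "Database logon attempt",
    0x04000001: "Logon successful",
    0x0400001A: "Screen saver recovery",
    0x04000081: "Database logon successful",
    0x08000001: "Logon failed",
    0x08000005: "Password invalidated",
    0x08000012: "Machine configuration expired",
    0x08000081: "Database logon failed",
}

EVENT_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def decode_event(event_id):
    """Return (category, description) for an 8-hex-digit event ID."""
    if not EVENT_ID_RE.match(event_id):
        raise ValueError(f"malformed event id: {event_id!r}")
    code = int(event_id, 16)
    category = CATEGORY_BY_HIGH_BYTE.get(code >> 24, "unknown")
    return category, EVENT_NAMES.get(code, "unknown event")


# Constructed sample export. This is NOT the product's CDF layout, which the guide
# does not describe; each line is: timestamp, object the entry was logged against, event ID.
SAMPLE_EXPORT = """\
2010-03-30 08:01:12,jsmith,02000001
2010-03-30 08:01:15,jsmith,04000001
2010-03-30 08:05:40,rdoe,02000001
2010-03-30 08:05:43,rdoe,08000001
2010-03-30 08:05:51,rdoe,02000001
2010-03-30 08:05:55,rdoe,08000001
2010-03-30 08:06:02,rdoe,02000001
2010-03-30 08:06:05,rdoe,08000001
2010-03-30 08:07:10,rdoe,01000000
2010-03-30 09:00:00,WKS-0142,01000014
"""


def parse_export(text):
    """Turn the constructed export into a list of decoded entries."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, obj, event_id = (part.strip() for part in line.split(","))
        category, name = decode_event(event_id)
        rows.append({"time": timestamp, "object": obj, "id": event_id.upper(),
                     "category": category, "name": name})
    return rows


def failed_logons_by_object(rows, threshold=3):
    """Objects with at least `threshold` 'Logon failed' entries."""
    counts = Counter(r["object"] for r in rows if r["id"] == "08000001")
    return {obj: n for obj, n in counts.items() if n >= threshold}


def audit_cleared_on(rows):
    """Objects whose trail contains 'Audit cleared'; clearing hides history, so review who did it."""
    return sorted({r["object"] for r in rows if r["id"] == "01000000"})


def category_counts(rows):
    return dict(Counter(r["category"] for r in rows))


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    print(category_counts(entries))
    print(failed_logons_by_object(entries))
    print(audit_cleared_on(entries))
```

Because the permission to clear an audit log is itself an administration right (see above), an Audit cleared entry against an ordinary user account is worth correlating with that account's rights before accepting it as routine.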
Managing Object Directories
All Endpoint Encryption Manager connected applications require a connection and
logon to an Object Directory. The Endpoint Encryption logon screen provides an
interface to manage these connections, whether they are direct to local directories or
through Endpoint Encryption servers.
The logon system automatically remembers the last token which was used, and
displays that interface to the user – if you want to log on with a different token, for
instance a smart card, or fingerprint scan, simply cancel the login box and select a
different token from the token selection list.
Managing Connections
You can add and remove directory connections by clicking Cancel on the Endpoint
Encryption Manager Login box, then selecting Edit Connections on the Select Your
Login Method dialog.
Figure 18. Endpoint Encryption Database Connections
The Endpoint Encryption Database Connections window lists the currently
configured directory locations and types. Local directories are accessed directly;
remote directories are accessed through an Endpoint Encryption server. Where
authentication parameters for the directory connection have been imported, the
connection appears with a tick.
Adding a new directory connection
Click Add to create a new connection. If you are going to access the directory directly,
for example in the case of the Endpoint Encryption file directory, which is stored on your
local machine or on an accessible network drive, select the Local option from the
connection type dropdown list. If the directory has an Endpoint Encryption server
supplying its information, use the Remote option.
Remote Directories
Description
Type a description for the directory - this is used to identify the directory in the list.
Server Address
Supply the address or DNS name of the server, and the port it is running on.
Server Port
Set the port the server should communicate on. The default is 5555.
Authenticate
Server authentication prevents a malicious "rogue" server masquerading as a valid
Endpoint Encryption server, by forcing DSA key checking between the server and
Endpoint Encryption application. If the key the server returns is invalid, the Endpoint
Encryption application will refuse to connect to the server and inform the user of a key
mismatch.
When adding a new server, if you elect to create an authenticated link, you will be
prompted to provide a key file (.spk file). You can obtain this key from an existing
connected administrator by asking them to right-click on the server definition in the
Endpoint Encryption Manager and choose Export Public Key.
NOTE: If you are authenticated to a directory, you can add alternate Endpoint Encryption server
connections to this directory to the list by right-clicking the server's directory entry in the system
tree and selecting Add to Directories. This process sets up the connection in advance and adds all the key
information if available.
Local Directories
Local directories (accessed without an Endpoint Encryption server) need a UNC or
mapped drive data path (or a file location in the case of a file directory) and a
description. Endpoint Encryption servers ALWAYS use a local directory - you cannot
chain one server onto another.
The default driver for Endpoint Encryption’s Directory is sbfiledb.dll.
Endpoint Encryption Server
Figure 19. The Endpoint Encryption Server
The Endpoint Encryption Server provides a secure communication interface between
the Object Directory and other components, such as Endpoint Encryption Manager,
Endpoint Encryption for PC Client, and Endpoint Encryption Directory Synchronizer,
over a TCP/IP link.
Installing the Endpoint Encryption Server Program
The Endpoint Encryption Server is installed as part of the Endpoint Encryption Manager
setup. To install multiple servers attached to one directory, simply install a new
copy of Endpoint Encryption Manager and manually configure the connection to the
existing directory by canceling the Object Directory creation wizard and setting up a
new local or remote connection in the subsequent logon box.
Creating a new Server
Before the Endpoint Encryption Server can start, an entry for it must be created in an
Endpoint Encryption Object Directory. This entry/object contains the server's public
and private key set, configuration and other parameters.
Figure 20. Creating a new Endpoint Encryption Server Object
To create a new server object, you can either use the New Server option to create a
new server in the System/Endpoint Encryption Servers tree using Endpoint Encryption,
or you can use the "create" button on the Endpoint Encryption Server startup screen
shown after authenticating to the Object Directory. Both procedures follow the same
path.
Creating a new Endpoint Encryption Server object, automatically adds the definition to
the local directories list. The next time you perform a directory logon, you will be able
to choose to log on to the new Server.
Starting the Endpoint Encryption Server for the First Time
Once the object for the server has been created the program SBServer.exe may be
run. The first task is to log in to the local Object Directory. For information on how to
set up directory connections, see Managing Object Directories. Once the directory has
been selected, and a logon id and password supplied, a prompt to select the object is
displayed. From this dialog, a new server definition can be created, or an existing ID
selected. The definition selected controls the startup parameters for the server, and
the authentication keys it will use.
Figure 21. Selecting the Endpoint Encryption Server Object to use for configuration
Server Configuration
The Endpoint Encryption Server obtains its configuration from three places.
The local file sdmcfg.ini supplies the location and type of Object Directory the server
should connect to. It also supplies the logon ID and password to use in case of an
automated start. This file is shared between all the Endpoint Encryption entities.
The server's object within the Object Directory specified in sdmcfg.ini supplies the port
the server should speak on, and its public and private key information.
The local file sbserver.ini supplies the id of the object in the local Object Directory that
the server uses for its port, etc. It also specifies whether the user should be prompted
to select an id each time the server starts.
Starting the Endpoint Encryption Server as a Service
In Windows 2000 you can start the Endpoint Encryption Server as a true service. To
do this, select the Start as service option from the server menu. You will need to
supply a user ID and password for the server to use for subsequent starts.
The Endpoint Encryption Server stores the user’s authentication key in sbserver.ini for
use in subsequent logons. This is not the user’s password, but could give a hacker a
method of attacking the Object Directory.
TIP: You can stop certain user accounts being used to start servers as services by removing their
administration privilege Start Server as service.
Using Server / Client Authentication
Endpoint Encryption clients exchange highly sensitive information with their respective
Servers, and rely on their server for their configuration, including details of what
drives should be encrypted.
One possible way around the Endpoint Encryption security would be to substitute an
organization’s Endpoint Encryption server and Object Directory, with a "Rogue" server
which told Endpoint Encryption protected machines to decrypt their hard drives.
To prevent this kind of attack, the Endpoint Encryption Server generates a public-
private key set on install. The public part of the key is distributed on install to the
clients, who then use it to verify the private key on the server each time they
communicate with it.
With this mechanism if the server is substituted by re-routing the network traffic or
DNS name for instance, the clients will recognize the change and refuse to
communicate.
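The check described above, as an added example that is not the product's own code: a client that has pinned the server's exported public key refuses any server that presents a different key, and also refuses a server that presents the genuine key but cannot produce a valid signature over a fresh challenge with the matching private key. Real deployments use DSA keys of proper size; the small Schnorr-style group used here (P, Q, G) is constructed for illustration only, and the Server and Client classes, the nonce exchange and the result strings are assumptions about how such a check is arranged, not the product's protocol.

```python
import hashlib
import secrets

# Toy prime-order group, constructed for illustration only; the product uses
# DSA keys of real size. P = 2*Q + 1, and G = 4 generates the subgroup of order Q.
P = 2039
Q = 1019
G = 4


def generate_keypair(private_key=None):
    """Return (private, public). A fixed private key may be passed for reproducible demos."""
    x = private_key if private_key is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge_hash(r, message):
    data = r.to_bytes(4, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(private_key, message):
    """Schnorr-style signature (e, s) over `message`; stands in for the product's DSA signing."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _challenge_hash(r, message)
    s = (k - private_key * e) % Q
    return e, s


def verify(public_key, message, signature):
    e, s = signature
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    # g^s * y^e equals g^k exactly when the signer knew the private key behind y.
    r = (pow(G, s, P) * pow(public_key, e, P)) % P
    return _challenge_hash(r, message) == e


class Server:
    """Answers a client challenge with the key it claims and a signature over the nonce."""

    def __init__(self, private_key, claimed_public_key):
        self.private_key = private_key
        self.claimed_public_key = claimed_public_key

    def respond(self, nonce):
        return self.claimed_public_key, sign(self.private_key, nonce)


class Client:
    """Holds the public key imported from the exported key file and refuses any other."""

    def __init__(self, pinned_public_key):
        self.pinned_public_key = pinned_public_key

    def connect(self, server):
        nonce = secrets.token_bytes(16)          # fresh per connection, so a recorded answer cannot be replayed
        presented_key, signature = server.respond(nonce)
        if presented_key != self.pinned_public_key:
            return "refused: key mismatch"       # traffic re-routed to a server with its own key
        if not verify(presented_key, nonce, signature):
            return "refused: bad signature"      # genuine key claimed without its private half
        return "connected"


if __name__ == "__main__":
    genuine_priv, genuine_pub = generate_keypair(123)
    rogue_priv, rogue_pub = generate_keypair(456)
    client = Client(pinned_public_key=genuine_pub)
    print(client.connect(Server(genuine_priv, genuine_pub)))   # connected
    print(client.connect(Server(rogue_priv, rogue_pub)))       # refused: key mismatch
    print(client.connect(Server(rogue_priv, genuine_pub)))     # refused: bad signature
```

The pinned key is the only thing that makes the comparison meaningful, which is why the guide has the key file obtained from an already-connected administrator rather than from the server being connected to. With a group this small a forged signature could pass by chance in roughly one attempt in Q; real key sizes make that negligible.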
Setting up the Endpoint Encryption Server / Endpoint Encryption authentication
Once an Endpoint Encryption server has been created and started, its public key may
be exported from the Object Directory as a file. This key file can be freely distributed
or placed in a publicly accessible repository - for instance on a web site.
To extract a Server key from the Object Directory, simply select the server from the
server tree, and use the Export public key option. The resulting .sky file can then be
freely distributed. To import the information into a directory connection use the
Advanced button on the login screen. For information on this process see Managing
Object Directories.
NOTE: If the Object Directory selected during the creation of a deploy set already has authentication
configured, then this information will be automatically included within the deploy set.
Connecting to a new Endpoint Encryption Server
Once a server has been created it appears in the Object Directory system tree. If this
server was created by someone else in the Endpoint Encryption enterprise, you can
still add this server to the local list of Endpoint Encryption servers used in the login
dialog by selecting the Add to Directories option. This creates a new entry in the
local list, and if necessary downloads the server’s public key information. For more
information see Managing Object Directories.
Checking a Server's Status Remotely
You can check the status of an Endpoint Encryption Server listed in the Object
Directory by right-clicking its object, and selecting Get Status. If the server is online
and responsive, it will return its current status in the system log.
NOTE: The active connections list will always show one more than the current user / machine connections, due
to the connection made by Endpoint Encryption to get the status.
Using Restricted User IDs for Servers
Although any valid user ID can start an Endpoint Encryption server, the access yielded
to it by the Object Directory is a reflection of that user's directory permissions.
For instance, if a very low admin privilege user starts the Endpoint Encryption Server,
then high level users and machines will not receive any configuration updates because
their admin level exceeds that which can be accessed by the Endpoint Encryption
Server. For this reason the Endpoint Encryption Server should usually only be started
by users with very high, or the highest, level admin rights.
For practical reasons it is often not the master Endpoint Encryption administrator who
starts the Endpoint Encryption Server - usually the corporate server managers have
this responsibility. It would not be good security for the master accounts to be given
out to any users except those directly involved with the Endpoint Encryption
parameters.
To overcome this conflict of interests - full access to the objects with no administrative
ability - Endpoint Encryption allows you to create very high privilege users with no
administrative ability - we will term these Service Accounts.
Service Accounts Parameters
Service accounts are created in the same way as normal users. We recommend they
be created in their own group Service Accounts.
The following parameters can be set to yield an account that cannot be used to log on
to PCs. With these parameters the only use for the account is as a login to the Object
Directory.
Passwords
    Prevent Change: set
    Require Change: disabled
Admin Rights
    Administration Level: 30
    All rights cleared except Start as Service
Devices
    No access to any devices
Token
    Password Only
WARNING – Remember not to add any “service accounts” or the group you create them in to machines.
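To make the level, group and rights rules in this chapter concrete, here is an added model (not the product's own authorization code) that checks which objects an account can manage, which objects a server started under that account can still reach, and whether an account matches the service-account profile listed above. The comparison operators (strictly lower level to manage an object, lower-or-equal level for the server to serve it) are assumptions drawn from the worked examples; the role names follow Example 3 in the Creating and Configuring Users chapter and the directory contents are constructed.

```python
from dataclasses import dataclass

# Constructed model of administration levels, group restrictions and rights.
# The operators in can_manage and server_can_serve are assumptions drawn from
# the worked examples; this is not the product's own authorization code.


@dataclass(frozen=True)
class Account:
    name: str
    level: int                              # administration level (1..32 in the examples)
    groups: frozenset = frozenset()         # groups the account may administer; empty = unrestricted
    rights: frozenset = frozenset()         # administration function rights held


@dataclass(frozen=True)
class DirectoryObject:
    name: str
    level: int
    group: str


def can_manage(admin, target, right="Manage users"):
    """Assumed rule: the right must be held, the target must be of strictly lower level,
    and it must sit in one of the admin's permitted groups (if any are set)."""
    if right not in admin.rights:
        return False
    if target.level >= admin.level:
        return False
    return not admin.groups or target.group in admin.groups


def server_can_serve(server_account, target):
    """A server reaches only objects whose level does not exceed that of the account that started it."""
    return target.level <= server_account.level


def unserved_objects(server_account, objects):
    """Objects that would silently stop receiving configuration updates from this server."""
    return [o.name for o in objects if not server_can_serve(server_account, o)]


SERVICE_RIGHT = "Start Server as service"


def service_account_problems(account):
    """Reasons an account does not match the service-account profile listed above."""
    problems = []
    if account.level < 30:
        problems.append("administration level below 30")
    if SERVICE_RIGHT not in account.rights:
        problems.append(f"missing right: {SERVICE_RIGHT}")
    extra = account.rights - {SERVICE_RIGHT}
    if extra:
        problems.append("extra rights: " + ", ".join(sorted(extra)))
    return problems


# Constructed directory following the roles of Example 3.
ENTERPRISE_ADMIN = Account("Enterprise Administrator", 30,
                           rights=frozenset({"Manage users", "Manage servers", SERVICE_RIGHT}))
DEPT_A_ADMIN = Account("Department A Administrator", 20,
                       groups=frozenset({"Department A Users", "Department A Machines"}),
                       rights=frozenset({"Manage users"}))
SERVICE_ACCOUNT = Account("svc-ee-server", 30, rights=frozenset({SERVICE_RIGHT}))

OBJECTS = [
    DirectoryObject("alice", 1, "Department A Users"),
    DirectoryObject("bob", 1, "Department B Users"),
    DirectoryObject("Department B Administrator", 20, "Administrators"),
    DirectoryObject("Enterprise Administrator", 30, "Administrators"),
]

if __name__ == "__main__":
    print(unserved_objects(DEPT_A_ADMIN, OBJECTS))      # ['Enterprise Administrator']
    print(unserved_objects(SERVICE_ACCOUNT, OBJECTS))   # []
    print(service_account_problems(DEPT_A_ADMIN))
```

The point of the service account falls out of the two checks together: its level 30 lets a server it starts reach every object, while its empty rights set means the same credential, if it leaked from sbserver.ini, could not be used to administer anyone.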
Keys
About Keys
Keys are general-purpose objects that other Endpoint Encryption-aware applications
can use to encrypt information, for example, Endpoint Encryption for Files and Folders
uses Key objects to protect files and folders on network and user hard disks.
Key Administration Functions
Create New Key
This function creates a new Key. You can select the key's name, which algorithm it will
use, and enter a description of the key to aid in its identification.
To create a new key:
1. Navigate to the System tab of the object tree.
2. Find the key provider.
3. Double-click it to expand its groups.
4. Either open an existing group, or create a new group by right-clicking the top
node and selecting Create Key Group.
5. From the open group window, right-click and select Create New Key.
6. Enter the name for the new key, select an algorithm, and select OK.
Rename Key
This option changes the name of a key – this does not affect the association of keys to
users, or the protection of data. Only the human-readable name is changed.
Delete Key
This option deletes a key from the system.
To delete a key:
1. Find the key from the Keys node of the System tab within the object tree.
2. Right-click the key and select Delete.
NOTE: If you permanently delete a key, all data protected with that key will be permanently lost; however,
you can restore the key if it has been backed up.
Reset to group configuration
Sets the properties of a key to be those of its group. This includes the user list
assigned to the key.
Reset to group configuration (exclude users)
Sets the properties of a key to be those of its group excluding the key’s user list.
Properties
Displays the properties of a key.
Key Configuration Options
Information
Displays information about the key
Description
A text description of the key, this can be used to identify the purpose or use of the
key.
Validity
You can specify until when a key is valid, and whether it can be cached on users' local
systems.
Key is Enabled
Tick to make the key accessible to users – if the key is disabled, then all requests for
this key (and therefore all data protected by it) will be denied.
Expiry
You can specify a date where the key will be valid until. After this date access to the
key (and therefore access to data protected by it) will be denied.
Caching
Allow keys to be cached locally
Enables local caching of the key. Normally keys are obtained on access from the
network Endpoint Encryption Key Server. This means that the only way to access
protected data is to have a good connection to the corporate Key Server.
If you need data to be available to users offline, for example when they are working
disconnected from the network, you can allow local caching of a particular key.
Each time a key is requested, the user must authenticate against an Endpoint
Encryption Key Server to obtain a fresh copy of the key. If the Key Server is not
accessible then the user authenticates against a local key cache and queries it for a
copy of the key. If the key could be obtained from the Key Server, then the local copy
may be installed, or updated at the same time. If the user's credentials are not
correct, no keys are released.
Remove from cache after..
Causes a local cached copy of a key to be wiped from the local key cache after a
certain number of days of disconnection. This prevents users obtaining keys, then
continuing to use them for extended periods of time without validating their
credentials against the central Endpoint Encryption Key Server. You can use this
option to ensure that if you make changes to the validity or user list of cacheable
keys, that these changes are enforced within a certain period of time.
Users
You can restrict access to keys to certain users by adding them to the keys user list.
When the list is empty, any user who has valid Endpoint Encryption credentials can
obtain the key. Once one or more users are added to the list though, ONLY those
users can obtain, or administer the key. This prevents general Endpoint Encryption
administrators from being able to access sensitive data.
NOTE: You can restrict which key administration functions (add key, delete key, properties etc) a user can
perform by setting that user's administration rights. See the Administration Rights section for more information.
Restrict Access To
Defines the user list for a key. If the list is empty, then any user can access the key. If
one or more users are added then ONLY they can access or administer the key.
Minimum Admin Level Required
You can specify the minimum admin level required to access a key. This parameter is
enforced in ADDITION to the restricted user lists. If you add a user to the user list,
and also set an admin level, then if the user does not match or exceed the level they
will not be able to access the key. For more information on admin levels see the
Administration Rights section.
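The validity, user-list, minimum-admin-level and caching options above combine into a single access decision, which the following added Python example models; it is not the product's code. The central Key Server decision, the offline fall-back to a local cache that re-checks the user's credentials, and the "Remove from cache after" wipe are modelled as the text describes; the PBKDF2 credential hash, the function names, and the sample user, dates and key material are assumptions constructed for the demonstration.

```python
import hashlib
import os
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model of the key options described above (enabled, expiry, user
# list, minimum admin level, caching, remove-from-cache-after); not the product's code.


@dataclass
class KeyPolicy:
    name: str
    enabled: bool = True
    expiry: Optional[date] = None                  # key valid until this date (inclusive)
    restrict_access_to: frozenset = frozenset()    # empty = any user with valid credentials
    minimum_admin_level: int = 0                   # enforced in addition to the user list
    allow_caching: bool = False
    remove_from_cache_after_days: Optional[int] = None


def key_server_decision(policy, user, admin_level, today):
    """Decision the central Key Server makes for an online request: (allowed, reason)."""
    if not policy.enabled:
        return False, "key is disabled"
    if policy.expiry is not None and today > policy.expiry:
        return False, "key has expired"
    if policy.restrict_access_to and user not in policy.restrict_access_to:
        return False, "user not in the key's user list"
    if admin_level < policy.minimum_admin_level:
        return False, "admin level below the minimum required"
    return True, "released by Key Server"


class LocalKeyCache:
    """Offline cache: key material with a salted hash of the credential that fetched it."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def store(self, user, password, key_name, material, today):
        salt = os.urandom(16)
        self._entries[(user, key_name)] = (salt, self._digest(password, salt), material, today)

    def fetch(self, user, password, key_name, policy, today):
        entry = self._entries.get((user, key_name))
        if entry is None:
            return None, "no cached copy"
        salt, digest, material, validated_on = entry
        limit = policy.remove_from_cache_after_days
        if limit is not None and (today - validated_on).days > limit:
            del self._entries[(user, key_name)]          # wiped: too long without central validation
            return None, "cached copy removed: too long since last validation"
        if self._digest(password, salt) != digest:
            return None, "credentials rejected by local cache"
        return material, "released from local cache"


def obtain_key(policy, user, password, admin_level, today, server_online, cache,
               server_material=b"constructed-key-bytes"):
    """Try the Key Server first; fall back to the local cache only when it is unreachable."""
    if server_online:
        allowed, reason = key_server_decision(policy, user, admin_level, today)
        if not allowed:
            return None, reason
        if policy.allow_caching:
            cache.store(user, password, policy.name, server_material, today)   # install/refresh copy
        return server_material, reason
    if not policy.allow_caching:
        return None, "Key Server unreachable and key is not cacheable"
    return cache.fetch(user, password, policy.name, policy, today)


def run_scenario():
    """One user through online, offline, wrong-credential, stale-cache and expired requests."""
    policy = KeyPolicy("Finance", expiry=date(2010, 12, 31),
                       restrict_access_to=frozenset({"alice"}),
                       allow_caching=True, remove_from_cache_after_days=7)
    cache = LocalKeyCache()
    steps = [
        ("alice", "pw", date(2010, 3, 30), True),     # online, in list: released and cached
        ("bob", "pw", date(2010, 3, 30), True),       # online, not in list
        ("alice", "pw", date(2010, 4, 2), False),     # offline 3 days later: cache serves it
        ("alice", "wrong", date(2010, 4, 2), False),  # offline, bad credential
        ("alice", "pw", date(2010, 4, 9), False),     # offline 10 days later: copy wiped
        ("alice", "pw", date(2011, 1, 1), True),      # online after the expiry date
    ]
    return [obtain_key(policy, u, p, 1, d, online, cache)[1] for u, p, d, online in steps]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The ordering inside obtain_key is the security-relevant part: the cache is consulted only when the Key Server is unreachable, so a change to the user list or expiry takes effect at the next successful online request, and the wipe after the configured number of days bounds how long a stale copy can outlive that change.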
Policies
About Policies
Endpoint Encryption can manage other systems and applications from the main
Administration console. Each additional application provides a Policy system which
allows the parameters for the application to be defined – for example the Endpoint
Encryption for Files and Folders policy provider integrates into the Endpoint Encryption
Database, and allows you to set the functions and parameters for the Endpoint
Encryption for Files and Folders system.
You can assign policies to most kinds of Endpoint Encryption supported object, such as
users, machines, PDAs etc – wherever appropriate for the individual policy type. You
can assign policies to both individual objects (such as users), and also to groups of
objects (such as groups of machines).
Policy Administration Functions
Add Policy
You can create any number of policies of each type. You should create policies to fulfill
an organizational or functional need – for example a policy for a role within your
organization, such as Management Team, for example.
To create a new policy:
1. Navigate to the Policies tab of the object tree.
2. Find the Policy provider you want to create a new policy for – for example
Endpoint Encryption for Files and Folders Policies.
3. Double-click it to expand its groups.
4. Either open an existing group, or create a new group by right-clicking the top
node and selecting Create Policy Group.
5. From the open group window, right-click and select Add.
6. Enter the name for the new policy, and select OK.
Rename Policy
Changes the name of the policy. This does not affect the association of the policy to
other objects.
Delete Policy
If you delete a policy, all users of that policy will receive the “Default” policy instead
the next time they update.
To delete a policy:
1. Find the policy from the Policies tab of the object tree.
2. Right-click the policy and select Delete.
Create Installation Set
To install a policy object, some types allow you to create an installation set directly
from the Endpoint Encryption database for that application – for example, to install
Endpoint Encryption you can create an Install EXE direct from the policy object.
Reset to Group Configuration
Resets the properties in the selected policy to those of its group.
Create Copy
Creates a copy of a policy object based on the selected one.
Properties
Opens the properties of the selected group or object.
For more information about Endpoint Encryption for Files and Folders, see the Endpoint
Encryption for Files and Folders Administration Guide.
Assigning a policy object to a user
1. Open the user's Properties window.
2. Move to the Policies properties type in the properties list.
3. Click the Add button.
4. Select the policy you want to associate with that user.
5. Click Ok.
You can normally only assign one policy of each type to any particular object, for
example one Endpoint Encryption for Files and Folders policy, per user.
Assigning a policy object to a machine
1. Open the machine Properties window.
2. Move to the Policies properties type in the properties list.
3. Click the Add button.
4. Select the policy you want to associate with that machine.
5. Click Ok.
You can normally only assign one policy of each type to any particular object, for
example one Asset policy per machine.
Endpoint Encryption Connector Manager
The Connector Manager is responsible for managing the correlation of information
between the Endpoint Encryption Object Directory and another data source. This
remote source may be another Object Directory, or may be some disparate system
(for example an X500 directory over LDAP, or an NT Domain). The Connector Manager
is a set of customizable routines that can be used to quickly implement the desired
synchronization functions.
Figure 22. Connector Manager
The Connector Manager tools are supplied pre-configured to synchronize the Endpoint
Encryption directory with alternate systems such as NT Domains, Active Directory, and
Novell Netware NDS as a uni-directional process.
Support for alternate data stores is implemented on a customer basis. To discuss
synchronization with other data stores please contact your McAfee representative.
Adding and Removing Connector Instances
You can add connectors to the Manager Tree simply by right-clicking the root node
(Endpoint Encryption Connector Manager).
Add Connector
Creates a new connector instance. You can select from the available connector types,
and give the connector a unique name.
Delete Connector
Deletes the selected connector from the tree. Any connected users will become
“orphaned”, unconnected to any alternate system.
Rename Connector
You can rename a connector to a more descriptive name.
Service Mode
The Connector Manager uses the Windows Scheduled Task Service to run individual
connectors at preset times and intervals. This happens automatically – you do not
need to run a special version of the connector manager.
Scheduled tasks are enabled from the moment they are created.
Schedule and Log
Each connector has a schedule and log controlled through the Connector Manager. You
can add periodic events to the schedule to control when each connector performs its
activity. You can also set repeat intervals for the tasks.
To set the schedule for a connector, or change its log settings, simply click its name in
the connector tree.
The activity of the connector is logged centrally to the Connector Manager. You can
also specify that the log should be appended to a file as it is created.
Running Connectors Interactively
You can run a connector interactively from the run now tab. The connector will output
a progress log of its activities.
Error Messages
For information on error messages generated by the Connector Manager, or one of its
connectors – please see the Error Messages chapter.
NT Connector (NTCon)
The NT connector is designed to populate the Endpoint Encryption user list from an
existing NT Domain. By specifying a server to synchronize with, the connector mines
the domain user list, creating Endpoint Encryption user accounts for those domain
users not found.
If a domain user account is deleted or disabled, the connector makes the appropriate
change to the Endpoint Encryption user account for that user.
The NT Connector needs to be run on either an NT4.0 Domain Server, or a Windows
2000 server / workstation, and needs access to the Endpoint Encryption Object
Directory.
Summary of connected attributes
Domain user name
Used to create new Endpoint Encryption users. Also used in the Endpoint Encryption
user-binding tab to maintain a connection to the domain user. If the domain user is
deleted, the Endpoint Encryption user is either deleted or disabled depending upon the
state of the Disable Users Only box.
WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint
Encryption user ID will be recoverable. We recommend you disable users only, and delete them manually.
Domain User Status
The Endpoint Encryption user status mirrors the domain user status. Either enabled or
disabled.
Domain User Logon Hours
The Endpoint Encryption user logon hours are set to match the domain users.
Password Change
The ability to change the password is reflected in the Endpoint Encryption user
account.
Full name
The domain user full name field is placed in the Endpoint Encryption user’s field list.
Description
The domain user description is placed in the Endpoint Encryption user’s field list.
Valid until
The expiry date of the domain account is placed in the Endpoint Encryption user valid
until field.
Group Membership
On creation, logic can be applied to determine which group the new Endpoint
Encryption user is created in (if at all).
General Options
NT Server
Specify the server you want to obtain the user list from. You can use the local
machine, or specify a domain server. Click the Servers button to obtain a list of
machines accessible from this station.
Disable Users Only
If a user is deleted from the domain, their matched Endpoint Encryption account can
be either deleted or disabled.
WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint
Encryption user ID will be recoverable. We recommend you disable users only, and delete them manually.
Use Configuration Checksum
The connector can store a checksum of the domain configuration in the domain user
comment. This negates the need to read the entire configuration each time a sync on
the user occurs.
To use this option you need to run the connector on a primary or backup domain
controller – you cannot use this option on a remote server.
Throttling
You can specify a delay between checking each user account to make the
synchronization process more network-friendly.
NOTE: The domain password for a user account is not available to Endpoint Encryption, so each new user is
created with the default password of “12345”. Ensure that all Endpoint Encryption groups which receive new
users from the NT Connector have the Change password if default attribute set, so that the user is forced to
replace the well-known default at first logon.
Group Mappings
To ease the configuration of many synchronized domain users, you can map them to
different Endpoint Encryption user groups based on their domain membership. As each
domain account is checked, the NT Group Name fields are compared with the domain
users’ memberships. The first match found causes NT Connector to create the user in
the specified Endpoint Encryption user group.
By pre-creating Endpoint Encryption user groups with specific machine access and
attributes, you can effectively synchronize a domain user list into Endpoint Encryption
and have minimal configuration work left.
For example, if the following group mappings were specified:
NT group name      Endpoint Encryption group name
Domain Admins      NT Domain Admins
Domain Guests      NT Domain Guests
Sales              NT Domain Sales
Domain Users       NT Domain Users
A domain user with memberships of Domain Admins and Sales would be placed in the
Endpoint Encryption user group NT Domain Admins. A user with membership to
Domain Users and Sales would be placed in NT Domain Sales as it is listed first.
If you clear the Add user to default group tick box, and the NT user being checked
does not belong to any of the specified groups, they will not be synchronized into the
Endpoint Encryption directory.
User Information
You can specify which Endpoint Encryption information fields receive information from
the domain account comment and description. You can also select the default behavior
when new users are created.
LDAP Connector (LDAPCon)
LDAPCon is an optional connector designed to populate the Endpoint Encryption user
list from an existing LDAP Protocol 1-3 Directory server. By specifying the directory to
synchronize with, the connector mines the directory, creating Endpoint Encryption user
accounts for directory users who meet certain pre-defined criteria. For information on
purchasing these connectors please contact your McAfee representative.
If a directory user account is deleted or disabled, the connector makes the appropriate
change to the Endpoint Encryption user account for that user. You can also make
decisions to globally disable users based on any attribute using the excluded users
function.
The v4.2.12+ versions of the LDAP Connector can also use certificates stored in the
AD to create users who can logon to Endpoint Encryption applications using Smart
Cards and eTokens. These “crypt-only” tokens do not have to be initialized for use
with Endpoint Encryption, as the PKI certificates stored on them can be used without
any initialization.
LDAPCon can run on Windows 2000, XP and Vista. It requires network access to both
an Endpoint Encryption Server, and the directory server itself.
Summary of connected attributes
User name
Used to create new Endpoint Encryption users. Various directory attributes can be
used to create the Endpoint Encryption user name. If the user is deleted, the Endpoint
Encryption user is either deleted or disabled depending upon the state of the Disable
Users Only box.
WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint
Encryption users’ key will be recoverable. We recommend you disable users only, and delete them
manually.
User Status
The Endpoint Encryption user status mirrors the directory user status. Either enabled
or disabled.
User Logon Hours
The Endpoint Encryption user logon hours are set to match the directory users.
Password Change
The ability to change the password is reflected in the Endpoint Encryption user
account.
Information Fields
Up to 10 fields of information from the directory can be placed in the Endpoint
Encryption user’s field list.
Valid until
The expiry date of the directory account is placed in the Endpoint Encryption user valid
until field.
Group Membership
Logic can be applied to determine which group the new Endpoint Encryption user is
created in (if at all). Also, if certain changes happen to the directory user, their
Endpoint Encryption group can be set to change accordingly.
General Options
Connection Details
Connection Name
A text description for this instance of the connector.
Host
The IP address, or DNS Name of the directory server you wish to connect to.
Port
The TCP/IP port that the target directory is publishing on. This is usually 389, or
636 for LDAP over SSL/TLS (LDAPS) connections.
Protocol Version
The LDAP Protocol version your directory supports – this is usually Version 3.
Use Secure Connection
This option selects an SSL/TLS-protected (LDAPS) connection and changes the port
number to 636 (note: this is configurable). Use it whenever the connector binds with
a User DN and password: a simple bind over a plain port 389 connection sends that
password across the network in clear text. You may have to obtain a certificate from
your directory manager. The Certificate... button becomes active and lets you either
point the connector to the appropriate .DER file or browse and select the right
certificate from the Microsoft Certificate store.
Certificates are issued to particular users. When a client certificate is used, you
cannot additionally specify a user logon; both the encryption and the logon identity
are determined by the certificate.
Anonymous Login
If your directory supports anonymous login, check this box, otherwise complete the
Logon Credentials section.
User DN
Enter the full distinguished name of the account the connector binds with. This does
not have to be a directory administrator: an account with read access to the users
and attributes being synchronized is sufficient, and limits the damage if the stored
password is ever exposed.
Password
Enter and confirm the password for the account you specified in the User DN field.
Search Settings
Base DN
The base distinguished name for the section of the directory this instance of the
connector is to work with. You can set the Base DN to a sub-branch of your directory if
you need to limit the scope of the connector.
Object Filter
Enter an appropriate filter to restrict the connectors view of objects in the directory.
The default filter:
(&(objectClass=User)(!objectClass=Computer))
Restricts the view to directory objects that are of a class User and not of a class
Computer.
If you only need to synchronize a small segment of users from your directory to
Endpoint Encryption, you can specify a detailed Object Filter – this will make the
process more efficient by forcing the connector only to look at the users which are
“interesting” to it. For example, to restrict the connectors view to users of the group
Endpoint Encryption only, you could use a query like:-
(&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))
Wherever you specify a search query, you must use the full parameters as accepted
by the directory, so in the example above the memberOf parameter must match
exactly that shown in the user. You can use an LDAP browser to see the correct
attribute details.
Timeout
Specify the connection timeout for your directory.
Entry Limit
Specify the maximum number of objects to synchronize – this setting is useful when
you need to test the behavior of the connector. For production use, set it to 0
(unlimited). Some directory servers may not accept this parameter.
Referrals
If your directory uses referrals, you can enable this feature in the connector.
Search Depth
You can limit the scope of the connector by reducing the section of the directory that
is searched for users.
Monitor Changes
If your directory supports change logging, you can enable monitoring to enhance the
performance of the connector. This sets up an asynchronous search on the directory
server which reports when leaf entries are updated.
Search Groups
You can specify a list of DNs for group objects in your directory which contain
members you wish to include in this connector's scope of operation. Search Groups
takes precedence over the object filter specified in the Search Settings pane.
Attribute Types
Binary data attributes must be defined in this list before they can be used by the
connector.
You can also specify which attributes to substring search. By default, the entire
value of an attribute is considered significant; by specifying it for substring
search you allow sub-values to be significant.
For example, in the DN “CN=McAfee,CN=COM,FN=Fred”, if substring searching is enabled
for DN, then “CN=COM” is a valid match.
Group Mappings
Group Mapping Information
To ease the configuration of many synchronized directory users, you can map them to
different Endpoint Encryption user groups based on some attribute in their directory
object. As each directory account is checked, the specified attributes are compared
with the table set in the Group Mapping tab. The first match found per user causes
the LDAPCon to create or assign the user in the specified Endpoint Encryption user
group.
You can create new entries by double-clicking the table, by right-clicking an entry you
can change its order, edit, or delete it.
By pre-creating Endpoint Encryption user groups with specific machine access and
attributes, you can effectively synchronize a directory user list into Endpoint
Encryption and have minimal configuration work left.
For example, if the following group mappings were specified:
Directory Organizational Unit (attribute value)   Endpoint Encryption group name   Directory service attribute
OU=R&D                                            R&D                              distinguishedName
OU=Sales                                          Sales                            distinguishedName
OU=Support                                        Techsup                          distinguishedName
OU=Management                                     MT                               distinguishedName
A directory user whose distinguishedName matches both the Sales and Support entries
would be placed in the Endpoint Encryption user group Sales, as that clause comes
first in the list.
By specifying the No Mapping Exists behavior you can select one of four options:
1. Use a defined group
2. Create a new group based on an existing Endpoint Encryption group,
generating the name from an attribute of the user (such as their DN).
3. Add the user to the default group
4. Ignore, Remove, Disable or Recycle the user
NOTE: If you map based on the value of a binary data type attribute, you need to properly define and
escape the data. For information on this process, see Using Binary Data Attributes later in this chapter.
User Mapping
The LDAPCon has the ability to map up to 10 fields of information from the directory
into the Endpoint Encryption Directory. A typical use of this feature would be security
question-answer sessions to aid validation of a remote user. To add a new entry either
double click, or right click on the input table.
If the directory attributes mapped to these Endpoint Encryption fields change, then the
users’ Endpoint Encryption account will be updated accordingly.
New Users Password
When a new account is created in the Endpoint Encryption directory, the password will
be set to the option specified. If you set the account to a random password, the user
will need to be “recovered” or the account manually set to a known password before
the user will be able to authenticate to Endpoint Encryption.
Removal Behavior
You can choose to either:
• Remove users from Endpoint Encryption if their account is removed from the
directory.
• Disable them only.
• Ignore this event.
NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their
personal Endpoint Encryption key will be retrievable.
New Users Token
If you are using certificates, via for example Microsoft Certificate Server, you can allow
your users to login to Endpoint Encryption using their existing Certificate Token, for
example an Activcard, eToken, or Setec token. For information about the supported
tokens please see the Tokens chapter of this guide.
Select from the list of installed tokens which one to create for the user. You can also
decide the behavior if there is no valid certificate for the user.
Search Endpoint Encryption for User Binding
Traditionally the connector searches the directory for all users which match the set
criteria. By selecting this option the search for users will be disabled, and the
connector will expect to find the users pre-existing in the Endpoint Encryption
directory. The connector will search for users with a binding which matches its
identifier, and will only process those users.
You can use the Search Endpoint Encryption option to process directories which
contain a large population of “uninteresting users”. If you can pre-seed the Endpoint
Encryption directory with the names of the users, and appropriate binding information
(for example using the scripting tool) you can greatly streamline the process.
User Attributes
The User Bindings tab is used to correlate the directory attributes to the Endpoint
Encryption Directory. The attributes specified on this tab should not need changing
unless the directory is set up in a non-standard way.
Binding Attribute
The non-changing unique identifier for the user. This should be an item that is unique
for that user, and unlikely to change for the existence of this account despite changes
in surname or group membership.
Endpoint Encryption User name
An attribute used to create the Endpoint Encryption user name
NOTE – Endpoint Encryption user IDs are limited to 256 characters; you should not use an attribute that is
likely to exceed this length.
Change Attribute
The directory attribute containing the account change stamp.
Logon Hours
The directory attribute containing the User Logon Hours information.
Account Control
The directory attribute containing the user account disabled/enabled information.
Account Expires
The directory attribute containing the account expiry date.
Delay between each user
You can limit the bandwidth that this connector consumes by putting a delay between
each user synchronization.
Excluded Users
You can specify a selection of attributes to check to globally exclude a series of users
from the synchronization process.
You can also optionally disable existing Endpoint Encryption users that are bound to
the excluded users.
Revocation Check
If you are using certificates to authenticate your users, you can enable revocation
checking to ensure that if certificates are revoked, the user is denied access to
Endpoint Encryption. Specify the appropriate LDAP parameters for your published
revocation list, and the behavior the connector should follow when revoking users.
Using Binary Data Attributes
In some circumstances you may want to use binary attributes to perform matching
and group associations in the LDAPCon. The values for such attributes cannot be
directly entered into the connector fields; they must be entered as escaped
sequences.
To determine what values to add, use your LDAP Browser to view the data in the
directory. In an Active Directory schema, for example, the attributes objectGUID and
objectSid are binary attributes. If you
wanted to manually link an existing Endpoint Encryption user to this directory user
connecting via their objectGUID, you would need to assign the binding attribute to
objectGUID in the Endpoint Encryption user’s User Bindings properties, and add a
binding to LDAPConnector.username in their Endpoint Encryption profile which
matched the escaped attribute value, and also define the attribute objectGUID as a
binary data type in the Attribute Types list in general options.
Figure 15‐23. Connector Binding with Escaped Value
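The escaping that the Object Filter and the binding example above depend on can be checked with a short script. The following Python is an added example, not part of this guide or of the LDAPCon/ADCon products: it builds the connector's default Object Filter in strict RFC 4515 form (the guide writes the `!` term without its inner parentheses; the RFC requires them, and the strict form is accepted by any conforming server), escapes a memberOf DN so that a parenthesis or asterisk inside a group name cannot break or widen the filter, and converts the GUID string an LDAP browser shows for objectGUID into the `\xx` byte escapes an LDAP filter expects. Whether the connector's own binding field uses exactly this `\xx` form is an assumption to verify in the User Bindings dialog; the group DNs and the GUID below are constructed sample values.

```python
"""Build LDAP search filters for the connector's Object Filter, escaping
values per RFC 4515 so DN fragments and binary attribute values such as
objectGUID cannot break the filter.  Added example, not the product's code."""
import uuid

# Bytes RFC 4515 requires to be escaped inside a filter assertion value.
_SPECIAL = {0x00, 0x28, 0x29, 0x2A, 0x5C}   # NUL ( ) * \


def escape_value(value) -> str:
    """Escape one filter assertion value.

    str   -> UTF-8 encoded; only NUL, '(', ')', '*', '\\' and non-ASCII bytes
             become \\xx escapes, so a plain DN such as
             CN=McAfee,OU=Uk,DC=cbi,DC=com passes through unchanged.
    bytes -> a binary attribute value; every byte is escaped.
    """
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return "".join(
            f"\\{b:02x}" if b in _SPECIAL or b >= 0x80 else chr(b) for b in raw
        )
    return "".join(f"\\{b:02x}" for b in value)


def guid_to_bytes(guid_text: str) -> bytes:
    """Turn the GUID string an LDAP browser displays for objectGUID into the
    16 raw bytes stored in the directory.  Active Directory stores the first
    three GUID fields little-endian, which uuid.bytes_le reproduces."""
    return uuid.UUID(guid_text.strip("{}")).bytes_le


def equality(attribute: str, value) -> str:
    """One (attribute=value) clause with the value escaped."""
    return f"({attribute}={escape_value(value)})"


def user_filter(*extra_clauses: str) -> str:
    """The guide's default filter (users that are not computers) in strict
    RFC 4515 form, AND-ed with any extra clauses."""
    base = ["(objectClass=user)", "(!(objectClass=computer))"]
    return "(&" + "".join(base + list(extra_clauses)) + ")"


def member_of_filter(group_dn: str) -> str:
    """Restrict the view to members of one group, as in the guide's example."""
    return user_filter(equality("memberOf", group_dn))


def guid_filter(guid_text: str) -> str:
    """Locate a single user by its binary objectGUID."""
    return user_filter(equality("objectGUID", guid_to_bytes(guid_text)))


if __name__ == "__main__":
    # Constructed sample DNs and GUID; the second DN shows why escaping matters.
    print(member_of_filter("CN=McAfee,OU=Uk,DC=cbi,DC=com"))
    print(member_of_filter("CN=Sales (UK),OU=Uk,DC=cbi,DC=com"))
    print(guid_filter("{3F2504E0-4F89-11D3-9A0C-0305E82C3301}"))
```

The memberOf value in the guide's own example contains only commas and equals signs and so is emitted verbatim, which is why hand-typed filters usually work; a group named "Sales (UK)" is where an unescaped filter silently changes meaning or is rejected by the server.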
LDAP Browser from Softerra
When configuring the LDAPCon, it is highly desirable to view the directory (NetWare
NDS, for example) in its unadulterated, raw, LDAP state. To do this we strongly
recommend the free tool LDAP Browser from Softerra (http://www.ldapbrowser.com). This
tool may be found on your Endpoint Encryption CD, or included on the Endpoint
Encryption Enterprise CD in the Tools directory.
Connecting to your Directory using LDAP Browser
To connect LDAP Browser to your directory, you will need to know its IP or DNS name,
and have a valid administrative account to access the data with.
Create a new entry in LDAP Browser, for your directory server, you may not need to
enter a Base DN, but will need the full distinguished name for your administration
account.
Once you have successfully connected to your directory, you can start browsing the
information to check the appropriate fields to use for the LDAPCon.
Choosing the correct fields for Synchronization
The exact settings used in any particular installation of LDAPCon are particular to each
installation; in most cases the default settings are appropriate for general use,
although some customization can be performed, especially when considering custom
user to Endpoint Encryption group mapping, and custom exclusion of users.
In the case of the user whose properties are listed above, it can be seen that there are
multiple objectClass attributes – these could be used to make a decision on their
mapping to Endpoint Encryption groups (by using the Group Information fields).
Also, it can be seen that any of the attributes cn, givenName, sn could be used to
populate the Endpoint Encryption Username, although some of these may result in
collisions with other similarly named users.
Attributes such as groupMembership or securityEquals could also be used to map
a user to a group, or to exclude a particular user from the synchronization process.
NOTE: the distinguishedName attribute is treated as a special case when matching values – any fragment of
the value can be matched. All other attributes are matched on their entire value. This attribute may not be
displayed in a browser window, but exists internally.
Active Directory Connector (ADCon)
ADCon is an optional connector designed to populate the Endpoint Encryption user list
from an existing Microsoft Active Directory. By specifying an Active Directory to
synchronize with, the connector mines the directory, creating Endpoint Encryption user
accounts for Active Directory users who meet certain pre-defined criteria, and
continuously updating their policy to match that stored in the AD. For information on
purchasing ADCon please contact your McAfee representative.
If an Active Directory user account is deleted or disabled, the connector makes the
appropriate change to the Endpoint Encryption user account for that user. You can also
make decisions to globally disable users based on any attribute using the excluded
users function.
The v4.2.12+ versions of the Active Directory Connector can also use certificates
stored in the AD to create users who can logon to Endpoint Encryption applications
using Smart Cards and eTokens. These “crypt-only” tokens do not have to be
initialized for use with Endpoint Encryption, as the PKI certificates stored on them can
be used without any initialization.
ADCon can run on Windows 2000, XP and Vista. It requires network access to both an
Endpoint Encryption Server, and the Active Directory itself.
Summary of connected attributes Active Directory User name
Used to create new Endpoint Encryption users. Various Active Directory attributes can
be used to create the Endpoint Encryption user name. If the Active Directory user is
deleted, the Endpoint Encryption user is either deleted or disabled depending upon the
state of the Disable Users Only box.
WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint
Encryption user's key will be recoverable. We recommend you disable users only, and delete them
manually.
Active Directory User Status
The Endpoint Encryption user status mirrors the Active Directory user status. Either
enabled or disabled.
Active Directory User Logon Hours
The Endpoint Encryption user logon hours are set to match the Active Directory users'.
Password Change
The ability to change the password is reflected in the Endpoint Encryption user
account.
Information Fields
Up to 10 fields of information from the Active Directory can be placed in the Endpoint
Encryption user’s field list.
Valid until
The expiry date of the Active Directory account is placed in the Endpoint Encryption
user valid until field.
Group Membership
Logic can be applied to determine which group the new Endpoint Encryption user is
created in (if at all). Also, if certain changes happen to the Active Directory user, their
Endpoint Encryption group can be set to change accordingly.
General Options
Connection Details
Connection Name
A text description for this instance of the connector.
Host
The IP address, or DNS Name of the Active Directory Server you wish to connect to.
Port
The TCP/IP port that the target Active Directory is publishing on. This is usually
389, or 636 for LDAP over SSL/TLS (LDAPS).
Protocol Version
The LDAP Protocol version your Active Directory supports – this is usually Version 3.
Use Secure Connection
This option allows you to specify an SSL/TLS-protected (LDAPS) connection. It will
change the port number to 636 (note: this is configurable). Use it whenever the
connector binds with a User DN and password; otherwise the simple bind sends that
password across the network in clear text.
Anonymous Login
If your Active Directory supports anonymous login, check this box, otherwise complete
the Logon Credentials section. The account name you use to authenticate to the AD
must have read access to the full set of user attributes you want to synchronize
with.
User DN
Enter the full distinguished name of the account you intend to use the connector
with. An AD administrator's account is not required; a read-only account that can
see the synchronized attributes is sufficient and safer to store. Your AD
Administrator can tell you the DN. You can also specify the user name in
userPrincipalName format (user@domain).
Password
Enter and confirm the password for the account you specified in the User DN field.
Search Settings
Search Settings define which AD users are visible to the connector, decisions as to
whether to process these users are made in Group Settings described later on in this
chapter.
You can also use Search Groups to define which users the connector processes, for
more information, see the next section.
NOTE: Either Search Settings, or Search Groups can be used, they cannot be used together. Search Groups
takes precedence.
Base DN
The base distinguished name for the section of the directory this instance of the
connector is to work with. You can set the Base DN to a sub-branch of your Active
Directory if you need to limit the scope of the connector.
Object Filter
Enter an appropriate filter to restrict the connectors view of objects in the directory.
The default filter:
(&(objectClass=User)(!objectClass=Computer))
Restricts the view to directory objects that are of a class User and not of a class
Computer.
If you only need to synchronize a small segment of users from the AD to Endpoint
Encryption, you can specify a detailed Object Filter – this will make the process more
efficient by forcing the connector only to look at the users which are “interesting” to it.
For example, to restrict the connectors view to users of the group Endpoint
Encryption only, you could use a query like:-
(&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))
Wherever you specify a search query, you must use the full parameters as accepted
by the AD, so in the example above the memberOf parameter must match exactly that
shown in the user. You can use an LDAP browser to see the correct attribute details.
Timeout
Specify the connection timeout for your Active Directory.
Entry Limit
Specify the maximum number of objects to synchronize – this setting is useful when
you need to test the behavior of the connector. For production use, set it to 0
(unlimited). Some versions of Active Directory may not accept this parameter.
Referrals
If your Active Directory uses referrals, you can enable this feature in the connector.
Search Depth
You can limit the scope of the connector by reducing the section of the directory that
is searched for users.
Monitor Changes
If your Active Directory supports change logging, you can enable monitoring to
enhance the performance of the connector. This sets up an asynchronous search on
the Active Directory server which reports when leaf entries are updated. The Active Directory
search monitoring cannot take account of complex Object Filters, if you need to
specify more criteria than the default to prevent the monitor returning unwanted
users, you can edit the Connector Manager Settings file manually, adding entries in
the following section:
UserValid0.DSAttrib=objectClass
UserValidity0.AttribVal=user
UserValid1.DSAttrib=objectCategory
UserValidity1.AttribVal=CN=Person
UserValid2.DSAttrib=memberOf
UserValidity2.AttribVal='full memberOf attribute'
Search Groups
Search Groups define which AD users are visible to the connector, decisions as to
whether to process these users are made in Group Settings described later on in this
chapter.
You can also use Search Settings to define which users the connector processes, for
more information, see the previous section.
NOTE: Either Search Settings, or Search Groups can be used, they cannot be used together. Search Groups
takes precedence.
With Search Groups you can specify the DN’s of a list of group objects from your AD.
The connector will then retrieve all the members from the specified groups (and any
groups contained within), then individually process the derived user list.
This method can be more efficient than the Search Settings method if the population
of users that needs to be synchronized is defined in a small number of groups. If
the users can be identified through another attribute, or are all within certain
OUs, Search Settings may be more appropriate.
NOTE: Search Groups can only be used with true LDAP Groups (i.e. objects containing “members”). You
cannot use this method with OUs.
Attribute Types
Binary data attributes must be defined in this list before they can be used by the AD
connector.
You can also specify which attributes to substring search. By default, the entire value
of an attribute is considered significant; by specifying it for substring search you can
allow sub-values to be significant.
For example, in the DN CN=McAfee,CN=COM,FN=Fred, if substring searching is
enabled for DN, then CN=COM is a valid match.
Group Mapping
Group Information
To ease the configuration of many synchronized Active Directory users, you can map
them to different Endpoint Encryption user groups based on some attribute in their
directory object. As each Active Directory account is checked, the specified attributes
are compared with the table set in the Group Mapping tab. The first match found per
user causes the ADCon to create or assign the user in the specified Endpoint
Encryption user group.
You can create new entries by double-clicking the table, by right-clicking an entry you
can change its order, edit, or delete it.
By pre-creating Endpoint Encryption user groups with specific machine access and
attributes, you can effectively synchronize an Active Directory user list into Endpoint
Encryption and have minimal configuration work left.
For example, if the following group mappings were specified:
Active Directory Organizational Unit (attribute value)   Endpoint Encryption group name   Directory service attribute
OU=R&D                                                   R&D                              distinguishedName
OU=Sales                                                 Sales                            distinguishedName
OU=Support                                               Techsup                          distinguishedName
OU=Management                                            MT                               distinguishedName
An Active Directory user whose distinguishedName matches both the Sales and Support
entries would be placed in the Endpoint Encryption user group Sales, as that clause
comes first in the list.
You can use any attribute of the user to map, for example their DN, or a group
membership.
By specifying the No Mapping Exists behavior you can select one of four options:
• Use a defined group
• Create a new group based on an existing Endpoint Encryption group,
generating the name from an attribute of the user (such as their DN).
• Add the user to the default group
• Ignore, Remove, Disable or Recycle the user
NOTE: If you map based on the value of a binary data type attribute, you need to properly define and
escape the data.
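The first-match rule described in the NT Connector, LDAPCon and ADCon group mapping sections is easy to get wrong in the one place the guide flags only in passing: distinguishedName is matched on any fragment. The following Python is an added example, not code from this guide or from the connectors. It models that algorithm with the guide's two sample tables (NT group names, and OU fragments of the DN) and the No Mapping Exists behaviours. The user records are constructed; that comparisons are case-insensitive and that only distinguishedName is substring-matched follows the text but is an assumption not verified against the product.

```python
"""First-match group mapping as the NT, LDAP and AD connector chapters describe
it: walk the mapping table in order, assign the first Endpoint Encryption group
whose rule matches, otherwise apply the No Mapping Exists behaviour.
Added example; not the connectors' own code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Union

Attrs = Dict[str, Union[str, List[str]]]   # one user's directory attributes


@dataclass(frozen=True)
class Rule:
    attribute: str   # directory attribute inspected (memberOf, distinguishedName, ...)
    value: str       # whole value, or DN fragment, to look for
    ee_group: str    # Endpoint Encryption group assigned on a match


# Assumption: distinguishedName matches on any fragment (as the guide states),
# every other attribute on its whole value; comparison is case-insensitive.
SUBSTRING_ATTRS = frozenset({"distinguishedname"})


def _values(user: Attrs, attribute: str) -> List[str]:
    raw = user.get(attribute, [])
    return [raw] if isinstance(raw, str) else list(raw)


def rule_matches(rule: Rule, user: Attrs) -> bool:
    wanted = rule.value.lower()
    substring = rule.attribute.lower() in SUBSTRING_ATTRS
    for actual in _values(user, rule.attribute):
        actual = actual.lower()
        hit = wanted in actual if substring else actual == wanted
        if hit:
            return True
    return False


def map_user(user: Attrs, rules: Sequence[Rule], no_mapping: str = "ignore",
             default_group: str = "Default", defined_group: str = "Unmapped",
             derive_from: str = "distinguishedName") -> Optional[str]:
    """Return the Endpoint Encryption group for the user, or None when the
    connector should not process the user (the Ignore behaviour)."""
    for rule in rules:                 # table order decides precedence
        if rule_matches(rule, user):
            return rule.ee_group
    if no_mapping == "defined":        # 1. Use a defined group
        return defined_group
    if no_mapping == "derive":         # 2. Name a new group from an attribute
        derived = _values(user, derive_from)
        return derived[0] if derived else default_group
    if no_mapping == "default":        # 3. Add the user to the default group
        return default_group
    return None                        # 4. Ignore the user


# Constructed sample tables, taken from the guide's two worked examples.
NT_RULES = [
    Rule("memberOf", "Domain Admins", "NT Domain Admins"),
    Rule("memberOf", "Domain Guests", "NT Domain Guests"),
    Rule("memberOf", "Sales", "NT Domain Sales"),
    Rule("memberOf", "Domain Users", "NT Domain Users"),
]
OU_RULES = [
    Rule("distinguishedName", "OU=R&D", "R&D"),
    Rule("distinguishedName", "OU=Sales", "Sales"),
    Rule("distinguishedName", "OU=Support", "Techsup"),
    Rule("distinguishedName", "OU=Management", "MT"),
]
# The same table with each fragment anchored on its trailing comma, so that
# "OU=Sales," can no longer match an OU named "Salesforce Admins".
ANCHORED_OU_RULES = [Rule(r.attribute, r.value + ",", r.ee_group) for r in OU_RULES]

if __name__ == "__main__":
    print(map_user({"memberOf": ["Domain Users", "Sales"]}, NT_RULES))
    print(map_user({"distinguishedName": "CN=Fred,OU=Support,OU=Sales,DC=cbi,DC=com"}, OU_RULES))
    risky = {"distinguishedName": "CN=Bob,OU=Salesforce Admins,DC=cbi,DC=com"}
    print(map_user(risky, OU_RULES), map_user(risky, ANCHORED_OU_RULES))
```

The last line of the script is the check worth running against your own table: with the guide's fragments as written, a user in "OU=Salesforce Admins" lands in the Sales group and inherits that group's machine access; anchoring each fragment on the comma that ends the RDN removes the accidental match.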
User Information
User Mapping
The ADCon has the ability to map up to 10 fields of information from the Active
Directory into the Endpoint Encryption Directory. A typical use of this feature would be
security question-answer sessions to aid validation of a remote user. To add a new
entry either double click, or right click on the input table.
If the Active Directory attributes mapped to these Endpoint Encryption fields change,
then the users’ Endpoint Encryption account will be updated accordingly.
New Users Password
When a new account is created in the Endpoint Encryption directory, its password is
set to the option specified here. If you select a random password, the user cannot
authenticate to Endpoint Encryption until the account has been recovered or an
administrator has set it to a known password.
Removal Behavior
You can choose to remove users from Endpoint Encryption if their account is removed
from the Active Directory, disable them only, or ignore this event.
NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their
personal Endpoint Encryption key will be retrievable.
New Users Token
If you are using certificates, for example issued by Microsoft Certificate Server, you
can allow your users to log in to Endpoint Encryption with their existing certificate
token, for example an ActivCard, eToken, or Setec token. For information about the
supported tokens, see the Tokens chapter of this guide.
Select from the list of installed tokens which one to create for the user. You can also
decide the behavior if there is no valid certificate for the user.
Search Endpoint Encryption for User Binding
Traditionally the connector searches the directory for all users which match the set
criteria. By selecting this option the search for users will be disabled, and the
connector will expect to find the users pre-existing in the Endpoint Encryption
directory. The connector will search for users with a binding which matches its
identifier, and will only process those users.
You can use the Search Endpoint Encryption option to process directories which
contain a large population of “uninteresting users”. If you can pre-seed the Endpoint
Encryption directory with the names of the users and appropriate binding information
(for example using the scripting tool), you can greatly streamline the process.
User Attributes
The User Bindings tab is used to correlate the Active Directory attributes to the
Endpoint Encryption Directory. The attributes specified on this tab should not need
changing unless the Active Directory is set up in a non-standard way.
Binding Attribute
The non-changing unique identifier for the user. This should be an attribute that is
unique to the user and unlikely to change for the lifetime of the account, despite
changes in surname or group membership.
Endpoint Encryption User name
An attribute used to create the Endpoint Encryption user name
NOTE: Endpoint Encryption user IDs are limited to 256 characters; do not use an attribute that is likely
to exceed this length.
Change Attribute
The Active Directory attribute containing the account change stamp.
Logon Hours
The Active Directory attribute containing the User Logon Hours information.
Account Control
The Active Directory attribute containing the user account disabled/enabled
information.
Account Expires
The Active Directory attribute containing the account expiry date.
Delay between each user
You can throttle the bandwidth that this connector consumes by putting a delay between
each user synchronization.
Excluded Users
You can specify a selection of attributes to check to globally exclude a series of users
from the synchronization process.
You can also optionally disable existing Endpoint Encryption users that are bound to
the excluded users.
Revocation Check
If you are using certificates to authenticate your users, you can enable revocation
checking to ensure that if certificates are revoked, the user is denied access to
Endpoint Encryption. Specify the appropriate LDAP parameters for your published
revocation list, and the behaviour the connector should follow when revoking users.
Using Binary Data Attributes
In some circumstances you may want to use binary attributes to perform matching
and group associations in the ADCon. The values for such attributes cannot be directly
entered into the connector fields; they must be entered as “escaped” sequences.
To determine what values to add, use your LDAP Browser to view the data in the
Active Directory.
In this schema, the attributes objectGUID and objectSid are binary attributes. If you
wanted to manually link an existing Endpoint Encryption user to this Active Directory
user connecting via their objectGUID, you would need to assign the binding attribute
to objectGUID in the Endpoint Encryption user’s User Bindings properties, and add
a binding to ADConnector.username in their Endpoint Encryption profile which
matched the escaped attribute value, and also define the attribute objectGUID as a
binary data type in the Attribute Types list in general options.
LDAP Browser from Softerra
When configuring the ADCon, it is highly desirable to view the Active Directory in its
raw LDAP state. To do this we strongly recommend the free tool LDAP Browser from
Softerra (http://www.ldapbrowser.com). This tool may be found on your ADCon CD, or in
the Tools directory of the Endpoint Encryption Enterprise CD.
Connecting to your Active Directory using LDAP Browser
To connect LDAP Browser to your Active Directory, you will need to know its IP address
or DNS name, and have a valid administrative account with which to access the data.
Create a new entry in LDAP Browser. For Microsoft Active Directory you may not need
to enter a Base DN, but you will need the full distinguished name of your
administration account.
Typical properties of an Active Directory connection are:
Once you have successfully connected to your Active Directory, you can start browsing
the information to check the appropriate fields to use for the ADCon.
Choosing the correct fields for Synchronization
The exact settings used in any particular installation of ADCon are specific to that
installation. In most cases the default settings are appropriate for general use,
although some customization can be performed, especially for custom mapping of users
to Endpoint Encryption groups and custom exclusion of users.
In the case of the user whose properties are listed above, it can be seen that there are
multiple memberOf attributes – these could be used to make a decision on their
mapping to Endpoint Encryption groups (by using the Group Information fields).
Also, it can be seen that any of the attributes userPrincipalName, sn,
sAMAccountName, name, givenName, or cn could be used to populate the
Endpoint Encryption Username, although some of these may result in “collisions”
with other similarly named users.
Attributes such as memberOf or distinguishedName could also be used to map a
user to a group, or to exclude a particular user from the synchronization process.
NOTE: the distinguishedName attribute is treated as a special case when matching values – any fragment
of the value can be matched. All other attributes are matched on their entire value.
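The following is an added example, not code from the McAfee product or this guide. It models the ADCon rules described in this chapter in Python so that you can test a mapping table against exported directory records before enabling the connector: ordered first-match group mapping, the distinguishedName fragment-match special case versus whole-value matching for every other attribute, escaping of binary attribute values such as objectGUID, and a check for user-name collisions between directory users. The rule tuple format, function names and sample records are assumptions made for illustration; the \XX hex-pair escaping is the RFC 4515 form an LDAP browser displays and is assumed to be what the connector fields expect.

```python
"""Added example (not McAfee code): model of the ADCon mapping rules.
Rule format, function names and the sample records are assumptions."""
import uuid
from collections import defaultdict


def escape_binary(value: bytes) -> str:
    """Render raw bytes as \\XX hex pairs (RFC 4515 filter escaping), the
    form an LDAP browser shows for binary values. Assumption: this is the
    'escaped sequence' the connector fields expect."""
    return "".join(f"\\{b:02x}" for b in value)


def objectguid_escaped(guid_text: str) -> str:
    """AD stores objectGUID in Windows GUID byte order, which is what
    uuid.UUID.bytes_le returns (not the byte order of the dashed text)."""
    return escape_binary(uuid.UUID(guid_text).bytes_le)


def attribute_matches(attr: str, actual, wanted: str) -> bool:
    """distinguishedName matches on any fragment of the value; every other
    attribute only on its entire value. Multi-valued attributes such as
    memberOf match if any one value matches. Comparison is case-insensitive."""
    values = actual if isinstance(actual, list) else [actual]
    if attr.lower() == "distinguishedname":
        return any(wanted.lower() in v.lower() for v in values)
    return any(v.lower() == wanted.lower() for v in values)


def map_user_to_group(user: dict, rules: list, default_group: str) -> str:
    """rules: (attribute, value, endpoint_encryption_group) tuples evaluated
    in order; the first match wins, like the ordered mapping table. A user
    matching no rule falls through to the default group."""
    for attr, wanted, group in rules:
        if attr in user and attribute_matches(attr, user[attr], wanted):
            return group
    return default_group


def find_username_collisions(users: dict, attr: str) -> dict:
    """Return {value: [record ids]} for values of `attr` shared by more than
    one directory user; such an attribute is unsafe as the EE user name."""
    seen = defaultdict(list)
    for rid, rec in users.items():
        seen[rec[attr]].append(rid)
    return {name: ids for name, ids in seen.items() if len(ids) > 1}


# The mapping table from this chapter, plus one whole-value memberOf rule.
RULES = [
    ("distinguishedName", "OU=R&D", "R&D"),
    ("distinguishedName", "OU=Sales", "Sales"),
    ("distinguishedName", "OU=Support", "Techsup"),
    ("distinguishedName", "OU=Management", "MT"),
    ("memberOf", "CN=Laptops,OU=Groups,DC=example,DC=com", "Laptops"),
]

# Constructed sample records (not real directory data).
SAMPLE_USERS = {
    "jdoe": {"cn": "Jane Doe", "sAMAccountName": "jdoe",
             "distinguishedName": "CN=Jane Doe,OU=Support,OU=Sales,DC=example,DC=com",
             "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com",
                          "CN=Support,OU=Groups,DC=example,DC=com"]},
    "bsmith": {"cn": "Bob Smith", "sAMAccountName": "bsmith",
               "distinguishedName": "CN=Bob Smith,OU=R&D,DC=example,DC=com",
               "memberOf": []},
    "jdoe2": {"cn": "Jane Doe", "sAMAccountName": "jdoe2",
              "distinguishedName": "CN=Jane Doe,OU=Management,DC=example,DC=com",
              "memberOf": []},
    "ext01": {"cn": "External One", "sAMAccountName": "ext01",
              "distinguishedName": "CN=External One,OU=External,DC=example,DC=com",
              "memberOf": ["CN=Laptops,OU=Groups,DC=example,DC=com"]},
}


def map_all(users: dict = SAMPLE_USERS, rules: list = RULES,
            default_group: str = "Default") -> dict:
    return {rid: map_user_to_group(rec, rules, default_group)
            for rid, rec in users.items()}


if __name__ == "__main__":
    for rid, group in map_all().items():
        print(f"{rid:8} -> {group}")
    print("cn collisions:", find_username_collisions(SAMPLE_USERS, "cn"))
    print("objectGUID:", objectguid_escaped("00112233-4455-6677-8899-aabbccddeeff"))
```

Run against the sample, jdoe lands in Sales even though the Support OU is nearer the start of the DN, because the Sales rule is higher in the table; ext01 is mapped only because the memberOf value is given in full, a fragment such as CN=Laptops would not match a non-DN attribute. The collision check shows why cn is a poor choice for the Endpoint Encryption user name when sAMAccountName is available.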
Endpoint Encryption webHelpdesk Server
Endpoint Encryption webHelpdesk Server allows Endpoint Encryption administrators
and users to perform password reset functions (The Endpoint Encryption Challenge
Response system) via a web interface.
About Endpoint Encryption HTTP Server
Figure 24. webHelpdesk / webRecovery
The normal recovery interface requires the administrator to have access to an Endpoint
Encryption Manager console. In some environments this may not be practical; in this
case the Endpoint Encryption webHelpdesk Server can be used to present the same
recovery interface via a web browser.
webRecovery
A further enhancement available with the Endpoint Encryption webHelpdesk Server is
the ability for users to reset their own passwords. This is an optional service which
allows users, after pre-registering, to drive the challenge/response system themselves
simply by providing the correct answers to a selection of pre-registered questions.
Figure 25. webRecovery Registration Questions
The Endpoint Encryption webHelpdesk server is a dedicated SSL (Secure Sockets
Layer) web server, hardened against known web-server attacks. It is stand-alone and
does not require Microsoft IIS or any other web service to be installed on the hosting
computer.
Remote Password Change
As a final option, you can also change a user’s password directly within the Endpoint
Encryption database using the Reset User’s Password option. This allows
administrators to set new passwords for other administrators and users without going
through the recovery process.
Pre-Requisites
To install this component, you will need a pre-configured Endpoint Encryption Manager
at version 4.2 or above. You can check the version of Endpoint Encryption you are
using through Help → About → Modules.
Endpoint Encryption HTTP Server is designed to run on Windows 2000/XP only and does
not use any other Internet services. For security reasons, we strongly advise against
running Microsoft IIS on the same computer as an Endpoint Encryption Manager system or
database.
Because Endpoint Encryption webHelpdesk Server uses HTTPS, you will need to provide it
with a suitable SSL certificate. You can purchase one from Endpoint Encryption or from
another certificate vendor.
Password Expiration Warning
The Web Helpdesk administration and support passwords will not expire without a
prior warning. The time of this warning can be set in the User → Properties →
Passwords screen of the Endpoint Encryption Manager.
Activating Endpoint Encryption webHelpdesk
Once installed you can start the Endpoint Encryption webHelpdesk server with the
following command prompt command or from the services manager:
sbhttp -startservice
The service can be correspondingly stopped either using the system service manager,
or
sbhttp -stopservice
The service will not start correctly until you have installed an SSL certificate.
Installing an SSL Certificate
You must install an SSL certificate before the server will run correctly. To do this, use
Microsoft’s MMC console: Start → Run → MMC and add a Certificates snap-in for the
Endpoint Encryption HTTP Server service on Local Computer. Import a Server
Authentication certificate into the Personal certificate store for the service. If you
are using an Endpoint Encryption certificate, you can also import the Endpoint
Encryption root CA certificate into the Trusted Root Certification Authorities store,
either for the Endpoint Encryption service, Local Computer, or Local User.
1. Open the MMC Console: Start → Run → MMC.
2. Click File and then Add/Remove Snap-in…
3. Click Add from the Standalone tab.
4. Select Certificates from the Add Standalone Snap-in dialog. This will add
the Certificates option to the Console. See screenshot overleaf.
5. Click the Endpoint Encryption HttpServer\Personal option and then select
the Certificates folder inside it.
6. Right-click in the right hand pane and select All Tasks followed by Import.
7. Browse until you find the certificate files (*.cer, *.crt, *.pfx).
8. Click the Place all certificates in the following store option
(EndpointEncryptionHttpServer\Personal).
9. Click Next followed by Finish to add the certificate.
10. Follow the same procedure for other certificates.
If the certificate you are using is issued to the same machine name as the server you
are running it on, once you have installed it you can restart the service using one
of the following commands, or the system service manager:
net start “Endpoint Encryption HTTP Server”
sbhttp -startservice
If the certificate is issued to a different name, the server will not start and will log a
Certificate Not Found error. You can edit the section
[Configuration]
Server.Ssl.CertName=Name of the cert
in the file SBHTTP.ini to point to the machine name registered in the certificate.
Endpoint Encryption ships with an evaluation server certificate named “127.0.0.1.pfx”
with the password “12345”, which can be found in the Tools directory of your Endpoint
Encryption CD. Because this certificate and its password ship with every copy of the
product, it gives users no assurance that they are talking to your server and is suitable
for evaluation only; for production use, purchase a full certificate from CBI or use one
from a third-party certificate provider.
NOTE: if the site, machine and certificate names do not match, users and administrators will be
warned that the certificate is invalid every time they access the recovery web site.
Configuring the webHelpdesk Server
Once you have installed the program, added a certificate, and restarted the service,
you can log on to the webHelpdesk server and configure it to talk to an Endpoint
Encryption Object Directory, or edit SBHTTP.ini directly. The address is
https://127.0.0.1 or https://<server DNS name>.
The server uses the same connection details as the Endpoint Encryption Manager; any
connection type that can be specified in the Endpoint Encryption login box can be used.
To configure the connection, click the Administrators section link and then click
Configure Endpoint Encryption HTTP Server. You will need to login with a user id
which has Endpoint Encryption Start Server as Service rights.
Figure 26. Configuring the Endpoint Encryption HTTP Server
Server Name
A logical name used to identify the server
Port
The port the server should expose the interface on (usually 443)
Server Certificate Name
The machine name specified in the SSL certificate.
Log File
A path/name for the server diagnostic log.
Logon Timeout
A time (in minutes) to keep inactive Administrator connections authenticated for
(usually 5 minutes).
WARNING: after you configure the webHelpdesk server you will need to close the browser and restart the
webRecovery server for the changes to take effect.
Configuring webRecovery
Figure 27. Configuring webRecovery
You configure the user webRecovery server via its web interface. You can specify the
number of questions (1-10) to be registered, and the number that must be answered to
authenticate the user for self-recovery. The questions can be changed by editing the
SBWebRec.ini file. The user name and password you log in with to configure webRecovery
are stored in sbwebrec.ini and used for future sessions.
NOTE: You must log in to webRecovery at least once to set up its initial parameters; if you do not, users will
not be able to reset their password and will receive db010010 Object Not Found messages.
WARNING: after you configure the webHelpdesk server you will need to close the browser and restart the
webRecovery server for the changes to take effect.
Questions and answers are stored as pairs in the user’s Endpoint Encryption profile, so
you can safely change the questions at any time. This will not prevent users with
out-of-date questions from recovering their password.
Recovering Users using webHelpdesk
Warning: webHelpdesk cannot be used for resetting or changing the PIN codes of smart cards.
With Challenge-Response
After navigating to the helpdesk operators section of the web helpdesk, choosing
either to reset an Endpoint Encryption or a pocket Endpoint Encryption system, and
logging in using their Endpoint Encryption ID and password, the operator is presented
with the webHelpDesk User Challenge screen.
Figure 28. webHelpdesk Challenge Screen
The helpdesk operator enters the challenge from the users screen (the user reads it to
the helpdesk operator over the telephone), and selects the action they want to
perform, for example Reset User’s Password followed by the Next button.
Reset User’s Password
Selecting this action will reset a user’s forgotten password.
Unlock User
This option will unlock a user whose account has become locked.
Change Token
This option allows you to change the authentication token for the user. Choose
from the drop down list.
4.2 SP1 + Create Token
This action allows you to create a token for version 4.2 of Endpoint Encryption
(SafeBoot).
Boot Machine Once
This option will reboot the machine.
Cancel Screen Saver
This action will cancel the Endpoint Encryption screen saver.
Bypass Preboot Authentication
This action will skip the authentication option and log the user into Windows.
The user can then change their Windows password and allow the
synchronization and single-sign-on processes to follow through.
Figure 29. webHelpdesk response screen
If the challenge was entered correctly, a response page is displayed which gives the
operator the correct recovery code to read out to the user; this code performs the
selected operation (in this case, resetting their password to “12345”). The page also
displays user information which can be used to check the authenticity of the user: the
helpdesk operator can ask the user, e.g. What is your mother’s maiden name? and
then check the answer.
Various Endpoint Encryption applications, such as Endpoint Encryption for Files and
Folders, Endpoint Encryption for PC etc can be recovered using this system.
By Directly Changing their Password
From the main page, select the Reset User’s Password button. You will then be
required to authenticate using your normal Endpoint Encryption administrator ID and
password.
You will next be presented with a simple form which allows you to specify a user id,
and their new password (and password confirmation). As long as the administrator
performing the change has greater admin rights than the user being reset, the new
password will be applied.
Figure 30. webRecovery Reset Password
User self recovery - webRecovery
Figure 31. webRecovery main screen
The webRecovery interface allows users to reset their own forgotten passwords for
Endpoint Encryption on PCs once they have pre-registered with the service. Users
register a configurable number of answers to pre-set questions, and must later recall
the correct answers to authenticate themselves and get their password reset. It is not
as secure as the helpdesk-driven recovery service, because users can choose simple or
trivial answers to their recovery questions, but it has the advantage that it can operate
24x7 without human interaction.
Registering for webRecovery
Before users can reset their own passwords, they must register a number of questions
and answers that they use to prove their identity to the system using the recovery
interface. They must also have the Allow webRecovery option ticked in their Token
properties. See the Creating and Configuring Users chapter.
After clicking the Register button, users need to log in with their current Endpoint
Encryption ID and password.
Figure 32. webRecovery Registration
NOTE: If Users do not know their password at this time, they will have to call their Endpoint Encryption
helpdesk and get their password reset using one of the helpdesk driven mechanisms.
Figure 33. webRecovery registration questions
Once they have registered their preferred questions and answers, they are free to use
the recovery service if they forget their password.
Recovery using webRecovery
To use the webRecovery service, the user who has forgotten their password simply
accesses the HTTP Server via a web terminal, perhaps in an Internet café, and clicks the
Reset Password button. They then enter the challenge that is displayed on their
Endpoint Encryption screen.
Figure 34. webRecovery challenge screen
If the challenge is correct, they will be asked to enter the correct answers for a
selection of their registered questions, and if these are correct, the user is presented
with the response to type back into their Endpoint Encryption boot screen.
Figure 35. webRecovery answers screen
Figure 36. webRecovery Response Screen
License Management
The Endpoint Encryption directory is licensed in terms of the number of allowed users,
the number of allowed machines, and license file expiry dates. You can view the current
license status of your directory using the File → License Information option. The
summary boxes at the bottom of the screen indicate the current active license count.
Expired or invalid licenses are not included in the count, although they may still be
shown in the license list.
Figure 37. License information
Multiple license files can be added to the list using the Add button, but each file can
only be added once.
License Restrictions
License files can have many restrictions built in:
Number of Users
Restricts the maximum number of users that can be managed.
Number of Machines
Restricts the maximum number of machines that can be managed.
Number of PDA Devices
Restricts the maximum number of CE Machines that can be managed.
Directory locked
Some license files can be locked to only work on a particular directory. If you re-create
your directory, you will need to obtain a new license file.
Expires
Some license files expire after a certain time period.
Exclusive
License files marked as exclusive do not co-exist with other license files. Only one
exclusive license file can be used at any time. If you import two exclusive license files,
only the first one will be effective.
Addons
Extra components such as SBAdmCL, Connectors, and other utilities may require
additional license code. The names of the additional components licensed will be
displayed in this field.
You may have received an extra license file with your copy of Endpoint Encryption – if
so you can import it into the directory using the Add button.
If you need more licenses, you can save the current information out of your directory
using the Save button – this creates a text file which you can fax or e-mail to your
McAfee representative. They can obtain all the details required to create new extended
licenses from this information.
You may also want to save the license file information to help you order replacement
files in the event of a drive crash.
Common Criteria EAL4 Mode Operation
CESG in the United Kingdom has certified the following products to EAL4:
• Endpoint Encryption for PC
To apply this standard to your implementation of Endpoint Encryption, you need to
ensure the following criteria are met:-
Administrator Guidance
• Endpoint Encryption must be installed using the Endpoint Encryption AES
(FIPS) 256-bit algorithm.
• Administrators must enforce the following Policy Settings.
- A minimum password length of 5 characters or more.
- Disabling of accounts after 10 or less invalid password attempts.
- All data and operating system partitions on the machines where Endpoint
Encryption client has been installed MUST be fully encrypted. You can
check the conformance to this issue by viewing the Endpoint Encryption
client status window – if any drives are highlighted in red then they are
not fully encrypted.
- Administrators must enforce use of the Endpoint Encryption Secure Screen
Saver Mode.
- Use of Autoboot Mode is prohibited.
- Machine and User recovery key sizes must be non-zero
(Machine/Encryption properties and User/Token properties).
• To comply with CC regulations, these policy settings must be applied before
installing any clients.
• There must be a system in place for maintaining secure backups that are
separately encrypted or physically protected to ensure data security is not
compromised through theft of or unauthorised access to backup information.
• Backups should be regular and complete to enable system recovery in the
event of loss or damage to data as a result of the actions of a threat agent and
to avoid vulnerability through being forced to use less secure systems.
• Users (including administrators) must protect all access credentials, such as
passwords or other authentication information in a manner that maintains IT
security objectives.
• Customers implementing an Endpoint Encryption enterprise must ensure that
they have in place a database of authorized TOE users along with user-specific
authentication data, so that administrative personnel can verify the identity of
a user over a voice-only telephone line before providing them with support or
initiating recovery. Endpoint Encryption provides the means to display personal
information such as the user’s ID number as part of the User Information
Fields, but any other appropriate system is acceptable.
• Administrators should ensure their users are fully trained in the use of the
Endpoint Encryption for PC Client software as described in the chapter Client
Software of the Endpoint Encryption for PC Administration Guide, and should
remind them of the security procedures detailed in the User Guidance Below.
User Guidance
• Users must maintain the confidentiality of their logon credentials, such as
passwords and tokens.
• Users must not leave an Endpoint Encryption protected PC unattended in a
logged on state, unless it is protected by the secure screen saver.
• Users must be informed of the process that they need to go through in order
that they may contact their administrator in the event of needing to recover
their PC if they forget their password or their user account becomes disabled.
Common Criteria EAL4 Certificate
You can find the official recognition of this certification on CESG’s website:
http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=152&id=336
Algorithm Certificate Numbers
AES
Cert 21 and 170 ECB(e/d; 256); CBC(e/d; 256); CFB8(e/d; 256)
http://csrc.nist.gov/cryptval/aes/aesval.html
SHA1
Cert 71 and 254
http://csrc.nist.gov/cryptval/shs/shaval.htm
DSA/DSS
DSS cert 53 and 112 Sig(ver) Mod(all)
http://csrc.nist.gov/cryptval/dss/dsaval.htm
RNG
Cert 15 AES, DSA, SHA, RNG on AMD Athlon XP, Windows XP SP1; Pentium III,
Windows 2000
http://csrc.nist.gov/cryptval/rng/rngval.html
DES
Cert 145 CBC(e/d); CFB( 8 bits;e/d)
http://csrc.nist.gov/cryptval/des/desval.html
Tuning the Object Directory
The Name Index
To improve object name-to-id lookup and license validation, Endpoint Encryption
contains an extra "Name Index" facility which can be enabled to improve performance
on object directories with large numbers of users (>3000) or high levels of
simultaneous activity (more than 10 concurrent administration connections).
If your Endpoint Encryption object directory server is showing high or constant hard
disk access with low CPU usage, you may also benefit from enabling name caching.
About Name Indexing
Most lookup events in the Endpoint Encryption object directory are performed by
object id; for instance, when a machine synchronizes it navigates directly to its
attributes via a unique object id. This holds true for the majority of activity
over the directory.
When a user logs in through, for instance, the file encryptor or the Administration
console, the directory infrastructure performs a name-to-id lookup. This involves
trawling the object directory to find the user object with a name attribute which
matches the one requested. Likewise, when a new object is created, a trawl of the
entire database is initiated to check that the new user, machine, etc. is unique.
The Name Index creates a "shortcut" to name-to-id lookup by periodically creating
indexes of the name/id attributes of all objects in the directory. Once created, all
lookups pass through the cache for resolution - as the Cache is much smaller than the
directory this leads to dramatic increases of performance, mainly through better use of
the operating system file cache. As a side-effect, the name index also speeds up
counting objects in the database (part of license validation).
Enabling and Configuring Name Indexing
The Name Index is controlled through the file dbcfg.ini stored in the root of the
object directory (normally the sbdata directory). The index files are stored in the root
of each object type.
The following sections should be in dbcfg.ini:
[NameIndex]
Enabled=Yes
More details about the dbcfg.ini file, and further tuning options can be found in the
Endpoint Encryption Configuration Files chapter.
Performance Tests
These tests are approximate indications of the benefits of the Name Index running on
a 5000-user database. They were performed using a login id which was at the end of
the database (worst-case scenario).

  Name Index Enabled
  Task          1 Bucket   16 Buckets   64 Buckets   256 Buckets
  Create User   +455%      +460%        +500%        +400%
As you can see from the table above, enabling the Name Index drastically improves
the performance of the enumeration functions. The exact parameters to use for any
particular database / server combination depend largely upon the memory and cache
functions of the server itself. As a rough guide, CBI consultants have found that tuning
the bucket number to give cache files not exceeding 64KB has proved optimal.
If you require performance tuning for your object database, please consider a
consultancy visit as “tinkering” with the Endpoint Encryption object database can
result in loss of users and machines.
Enabling Directory Compression
To reduce the number of files stored in an Object Directory, a special mode can be
enabled which uses a single attribute file instead of the numerous files created within
a standard sbfiledb structure. Using a single file has the following advantages and
disadvantages:
Advantages
• The OD uses less disk space because there is a reduced number of files, so the
cluster size overhead is reduced. A reduction in disk space by a factor of 10 can
be expected.
• Entire objects are cached, not just the most recently opened attribute files,
leading to a theoretical increase in performance if frequent large updates take
place.
• The reduced number of files makes handling the OD for backups and replication
easier, and faster.
Disadvantages
• The size of the actual data in the OD increases due to header overheads in the
attribute files.
• Resilience to corruption is reduced, as all the object attributes are in one file,
whereas before resilience was gained by splitting them up into multiple files.
• Name-to-id resolution time is increased unless the Name Index mode (UK4005) is
also enabled.
• If frequent small updates take place, or infrequent updates, overall database
performance will drop.
Migrating to a compressed directory
All local connections to a compressed object database must go through an sbfiledb.dll
which has the compression code. You cannot mix connections, as the previous drivers
do not understand the compressed attributes.
You can enable compression on an existing database in one of two ways: either only new
objects are created compressed, or, in self-compress mode, each existing object is
compressed when it is next written to. CBI can provide a tool to compress an entire
Object Directory, or only a branch of it.
Enabling and Configuring Directory Compression
The dbcfg.ini file in the root of the object directory needs the following section added:
[Attribs]
; If this option is set to "yes" then all new objects created will use the
; compressed format
Singlefile=Yes
; If this option is set to "yes" then all existing uncompressed objects which are
; updated will be converted to the new compressed format at that time.
AutoConvert=yes
Performance Notes
No performance change has been noted between identical compressed and
uncompressed databases up to 5000 users. There may be some benefit on servers
with exceptionally high amounts of memory. With large (>10000) databases,
performance may well drop when using the compressed directory mode.
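The following is an added example, not code from the McAfee product or this guide; it applies to both the Name Index and the Directory Compression sections above. It parses a dbcfg.ini in Python and flags the combinations this chapter warns about: compression enabled without the Name Index (slower name-to-id resolution), AutoConvert set without SingleFile, a large directory running without the index, and a HashCount that leaves index bucket files over the 64KB rule of thumb. The setting names come from the guide; the checks, the embedded sample file and the helper names are my own, and the bucket-size estimate (MinEntrySize bytes per name) is an assumption, since the on-disk index format is not documented.

```python
"""Added example (not McAfee code): sanity checks for dbcfg.ini settings
described in the Tuning the Object Directory chapter. Check list, sample
file and per-entry size estimate are assumptions for illustration."""
import configparser

MAX_BUCKET_BYTES = 64 * 1024   # the chapter's rule of thumb for index files

# Constructed sample: compression switched on, Name Index left off.
SAMPLE_DBCFG = """\
[NameIndex]
Enabled=No
; 100ths of a second
LockTimeout=3000
LockSleep=10
HashCount=16
MinEntrySize=16
LifeTime=1800

[Attribs]
Singlefile=Yes
AutoConvert=No
"""


def parse_dbcfg(text: str) -> configparser.ConfigParser:
    # ';' comments are recognised; keys are matched case-insensitively, so
    # "Singlefile" (as written in the guide) and "SingleFile" are the same key.
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    return cp


def _yes(cp: configparser.ConfigParser, section: str, key: str,
         default: str = "No") -> bool:
    return cp.get(section, key, fallback=default).strip().lower() == "yes"


def recommend_hash_count(user_count: int, min_entry_size: int,
                         max_bucket_bytes: int = MAX_BUCKET_BYTES) -> int:
    """Smallest HashCount keeping each bucket file at or under the limit,
    assuming MinEntrySize bytes per name (a lower bound: long names need more)."""
    total = user_count * min_entry_size
    return max(1, (total + max_bucket_bytes - 1) // max_bucket_bytes)


def check_dbcfg(text: str, user_count: int) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    cp = parse_dbcfg(text)
    findings = []
    name_index = _yes(cp, "NameIndex", "Enabled")
    single_file = _yes(cp, "Attribs", "SingleFile")
    auto_convert = _yes(cp, "Attribs", "AutoConvert")
    hash_count = cp.getint("NameIndex", "HashCount", fallback=16)
    min_entry = cp.getint("NameIndex", "MinEntrySize", fallback=16)

    if single_file and not name_index:
        findings.append("Attribs.SingleFile=Yes without NameIndex.Enabled=Yes: "
                        "name-to-id resolution time increases")
    if auto_convert and not single_file:
        findings.append("Attribs.AutoConvert=Yes has no effect while "
                        "Attribs.SingleFile=No")
    if not name_index and user_count > 3000:
        findings.append(f"{user_count} users without the Name Index: the guide "
                        "recommends enabling it above 3000 users")
    if name_index:
        per_bucket = user_count * min_entry // max(1, hash_count)
        if per_bucket > MAX_BUCKET_BYTES:
            findings.append(f"HashCount={hash_count} gives ~{per_bucket} bytes per "
                            f"bucket; consider HashCount="
                            f"{recommend_hash_count(user_count, min_entry)}")
    return findings


if __name__ == "__main__":
    for finding in check_dbcfg(SAMPLE_DBCFG, 5000):
        print("WARN:", finding)
```

Point it at the real dbcfg.ini in the sbdata root (read the file and pass the contents with your current user count) before changing anything, and keep the chapter's caution in mind: the checks only read the file, and any change to the object database settings should be tested on a backup copy first.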
Endpoint Encryption Configuration Files
Endpoint Encryption uses many .ini files to maintain information about the
configuration of various components. Some of the more important files are listed here.
sbnewdb.ini Used to customize the creation of Endpoint Encryption Object Directories. The
sbnewdb file contains instructions as to creating custom groups, setting the default
user id and password, and other instructions related to the location of the directory.
sberrors.ini Used to increase the detail available in on-screen error messages. You can add further
descriptions to errors by amending this file.
In 5.1 and beyond, you can substitute the Unicode file SBErrors.XML in place of
SBErrors.ini to give localized translations of the error messages.
sbhelp.ini Used to match on-screen windows to their help file sections.
sbadmin.ini This file controls the tree layout and behavior of SBAdmin.exe - you can modify it to
display certain nodes of the database on tabs other than the defaults.
sbfeatur.ini Controls the feature set available to Endpoint Encryption. This file is digitally signed by
the Endpoint Encryption team and must not be modified.
sbfiledb.ini SBFileDB controls the locking behavior of local running database connections.
[LockOptions]
Timeout=3000 ; time in 100ths of a second (default 3000)
Sleep=10 ; time in 1000ths of a second (default 10)
dbcfg.ini This file controls the global database behavior - for this reason it is stored not in the
application directory, but in the root of the file database. For more information on
dbcfg.ini, see the Tuning the Object Directory chapter.
[NameIndex]
Enabled=No
; the time we wait for the lock on the index file to become available
; in 100ths of a second (default is 30 seconds).
LockTimeout=3000
; the time we wait before re-trying locking of the index file
; in 1000ths of a second.
LockSleep=10
; the number of "buckets" into which the hash of the name is split
HashCount=16
; the minimum space to allocate per object name
MinEntrySize=16
; the time (in seconds) for which the index will be used before it is
; automatically re-created (default is 30 minutes). A value of zero means
; that it never expires.
LifeTime=1800
[Attribs]
; if set to "Yes", all the attributes will be stored in a single TLV file
; rather than individual ones.
SingleFile=No
; if this is set to "Yes", then when objects are opened for writing all the
; attributes are automatically converted to a single file. Otherwise only
; new objects will use the single file.
AutoConvert=No
[Tracking]
; if set to "Yes", then all changes to attributes will be recorded e.g. for
; possible use with a replication system.
AttributeChanges=No
; if set to "Yes", then whenever an object is modified, that fact is recorded
; in a single file. This file could then be used to determine which objects
; have changed since a certain time by reading only a single file.
ObjectChanges=No
[idassignment]
;firstid= hex number starting point for ALL objects
;lastid= hex number
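As an added example (not McAfee code and not part of this guide), the following Python checker reads a dbcfg.ini and applies the two rules stated in this chapter: SingleFile=Yes slows name-to-id resolution unless the Name Index is enabled, and AutoConvert only has an effect alongside SingleFile. The sample dbcfg.ini text is constructed; the unit conversion of the [NameIndex] lock settings follows the comments in the listing above.

```python
"""Check a dbcfg.ini for the compressed (single-file) Object Directory settings.

Added example, not McAfee code. It reads the [NameIndex] and [Attribs]
sections shown in this chapter and reports combinations the text warns about.
"""
import configparser

# Constructed sample: compression switched on, Name Index left disabled.
SAMPLE_DBCFG = """\
[NameIndex]
Enabled=No
; in 100ths of a second
LockTimeout=3000
; in 1000ths of a second
LockSleep=10
HashCount=16
MinEntrySize=16
LifeTime=1800
[Attribs]
; all new objects use the compressed (single TLV file) format
Singlefile=Yes
AutoConvert=yes
[Tracking]
AttributeChanges=No
ObjectChanges=No
"""


def load_dbcfg(text):
    """Parse dbcfg.ini text. Option names are matched case-insensitively
    (Singlefile / SingleFile) and ';' comments are ignored, as in the listings."""
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    return cp


def flag(cp, section, key):
    """True when the option is present and set to Yes (any letter case)."""
    return cp.has_option(section, key) and cp.get(section, key).strip().lower() == "yes"


def name_index_timing(cp):
    """Return (lock timeout, retry sleep, index lifetime) in seconds, applying the
    units given in the listing: LockTimeout is in 1/100 s, LockSleep in 1/1000 s,
    LifeTime already in seconds. Missing keys fall back to the listing's values."""
    timeout = cp.getint("NameIndex", "LockTimeout", fallback=3000) / 100
    sleep = cp.getint("NameIndex", "LockSleep", fallback=10) / 1000
    lifetime = cp.getint("NameIndex", "LifeTime", fallback=1800)
    return timeout, sleep, lifetime


def lint_dbcfg(text):
    """Return a list of findings about the compression-related settings."""
    cp = load_dbcfg(text)
    single_file = flag(cp, "Attribs", "SingleFile")
    auto_convert = flag(cp, "Attribs", "AutoConvert")
    name_index = flag(cp, "NameIndex", "Enabled")
    findings = []
    if single_file and not name_index:
        findings.append("SingleFile=Yes but [NameIndex] Enabled=No: "
                        "name-to-id resolution will be slower")
    if auto_convert and not single_file:
        findings.append("AutoConvert=Yes has no effect while SingleFile=No")
    if single_file:
        # the migration note above: every local connection needs the newer driver
        findings.append("SingleFile=Yes: all local connections must use the "
                        "sbfiledb.dll build that understands compressed attributes")
    return findings
```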
sdmcfg.ini Used by the Endpoint Encryption Client to control the connection to the Object
Directory. There may be many connections listed in the file; the multi-connection
behavior is controlled through scm.ini.
[Databases]
Database1=192.168.20.57
The IP address of the remote server. This can be a DNS name.
[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=…
The public key of the remote server. This is used to stop a hacker putting a rogue server in place and intercepting the traffic.
ExtraInfo=…
Padding for the ServerKey.
SBServer.ini This file stores the credentials used by the server in service mode. You
can adjust the maximum number of connections the Endpoint Encryption server will
accept and the behavior when the maximum is reached.
By default, the maximum is 200 connections. When the limit has been reached, the server
can behave in one of two ways: either it simply stops accepting connections, or it accepts
connections and then immediately closes them. Because Windows maintains a queue
of 5 pending connections, the first 5 connections after the maximum is reached will be
held in the queue until the number of connections has dropped below the maximum.
Thus, in the default AcceptAtMax=No mode, those 5 will not time out at the
client end, and the client will appear to hang until a connection becomes free. In
AcceptAtMax=Yes mode, the client will fail with a communications error.
[Connections]
Max=200
AcceptAtMax=No
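As an added example (not McAfee code), this small Python model reproduces the connection-limit behavior described above so the two AcceptAtMax modes can be compared without a server: Max connections are served, a further 5 are held in the listen queue (the client appears to hang) when AcceptAtMax=No, and every attempt beyond Max fails at once with a communications error when AcceptAtMax=Yes. What happens to a client once the 5-entry queue is also full is not stated on the page and is marked as an assumption in the code.

```python
"""Model of the SBServer.ini connection limit (Max / AcceptAtMax) described above.

Added example, not McAfee code. It reproduces the behaviour the text describes
so the two modes can be compared without a server.
"""
from collections import deque

LISTEN_BACKLOG = 5  # Windows keeps a queue of 5 pending connections (from the text)


class ServerConnections:
    def __init__(self, max_connections=200, accept_at_max=False):
        # [Connections] Max=... and AcceptAtMax=... from SBServer.ini
        self.max_connections = max_connections
        self.accept_at_max = accept_at_max
        self.active = set()        # clients currently holding a connection
        self.pending = deque()     # clients held in the OS listen queue

    def connect(self, client):
        """Outcome of one new connection attempt by `client`."""
        if len(self.active) < self.max_connections:
            self.active.add(client)
            return "served"
        if self.accept_at_max:
            # AcceptAtMax=Yes: accepted and closed at once, so the client fails
            # promptly with a communications error
            return "comms-error"
        if len(self.pending) < LISTEN_BACKLOG:
            # AcceptAtMax=No: the OS queues the connection; the client does not
            # time out and appears to hang until a connection becomes free
            self.pending.append(client)
            return "hang"
        # Assumption (not from the page): with the backlog full, further attempts
        # are dropped by the OS and the client eventually times out.
        return "timeout"

    def disconnect(self, client):
        """Free a connection; the oldest queued client (if any) is served next.
        Returns the promoted client, or None."""
        self.active.discard(client)
        if self.pending and len(self.active) < self.max_connections:
            promoted = self.pending.popleft()
            self.active.add(promoted)
            return promoted
        return None


def simulate(max_connections, accept_at_max, attempts):
    """Run a burst of connection attempts and return {client: outcome}."""
    server = ServerConnections(max_connections, accept_at_max)
    return {client: server.connect(client) for client in attempts}
```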
sbconmgr.ini Used to define the active connectors displayed in the Connector Manager, for example:
[Connectors]
SBNTCON=SBNTCON.DLL
[Authentication]
DatabaseId=1
ObjectType=0x00000001
ObjectId=0x00000001
Key=000000000000000000000000000000000000000000000000000000000000000006557FB28C5A226BB8BF634A68EE75DE2C4010DD1E143D9BC29808C5E5C3A729838DD1D1E0B032D6C2A015BD8B1AAF5DC2D1E3F58D37A41F29AF5DC108EB03D4418D95316CCC84EE2881DCBE0012C6F705F6A6D5063C2D0BEB87897C2A9AC318D659C712E99D515DB18E567218CC2B1520EBD6119095674C9C215BA329521CFE2000000000000000000000000000000000000000A6
[Manager]
LastFile=G:\Program Files\SBAdmin\CmSettings.ini
; the check interval (ms) defines how often the connector manager looks for an updated cmsettings.ini file.
CheckInterval=500
Cmsettings.ini Used to define the parameters associated with each individual connector.
The settings contained in this file are usually maintained by the Connector Manager
application. Only manual settings are documented below.
LDAPCon manual settings
SearchAttribs=objectClass,uid,cn,givenName
Limits the attributes that a directory search returns. Normally all attributes are
returned, which can affect the performance of the directory server if many of them are
not wanted.
LDAPCon / ADCon manual settings
CaseSensitive=0 / 1
Switches case-sensitive attribute searches on and off. The default value is 1 (searches
are case sensitive).
SBHTTP.ini Configuration for the main web server
[Configuration]
; The port on which the server listens for connections. The default is 443
; which is the standard HTTPS port.
Server.Port=443
; Optional log file to record server activity. If no name is specified here,
; then no logging will occur (the default).
Server.Log.FileName=
; Flags that control what is logged if logging is enabled. This is a 32-bit
; hex number. The following bits are used:
;
; Bit 0 (value=1) = Log request headers
; Bit 1 (value=2) = Log request data (e.g. form results)
; Bit 2 (value=4) = Log response headers
;
; The default is a value of "5" which logs request and response headers, but
; no request data.
;
Server.Log.Flags=00000005
; Specifies the name of the Subject field of the certificate the server
; should use for SSL connections. The certificate must reside in the server's
; private store (SbHttpServer service store). If this is not specified, the
; network name of the computer is used.
;Server.Ssl.CertName=
;
; Specifies the period of inactivity (in minutes) after which a logged on user is
; automatically logged off.
Server.Logon.Timeout=5
[Strings]
;
; These are strings that the server can display. Use the "|" character to
; specify a new line.
;
Server.String.1=Web Server
Server.String.2=The challenge you entered was not correct. Please try again.
Server.String.3=The recovery action you selected was not valid. Please try again.
Server.String.4=The requested URL "%s" was not found.
[Page.Handlers]
;
; This section lists all the optional page handlers that will get loaded
; by the web server. The left side should start with "Handler." and the right
; side is the name of the DLL to load.
;
Handler.CeRecovery=SBCEDEV.DLL
Handler.WebRecovery=SBWEBREC.DLL
SBwebRec.ini Configuration for web recovery
[Configuration]
Register.Questions.Required=5
Recover.Questions.Asked=3
Database.User.Id=00000001
Database.User.Key=…
Recover.Attempts.Max=3
Recover.Attempts.Timeout=3600
[Strings]
String.1=The challenge you entered was not correct. Please try again.
String.2=Some of your answers were not correct. Please try again.
[Questions]
Question1=What is your favorite color?
Question2=What is your pet's name?
Question3=Who is your favorite musician?
Question4=What is a memorable date?
Question5=What is your date of birth?
Question6=What is your favorite place?
Question7=Who is your favorite actor?
Question8=What is your favorite film?
Question9=What is your favorite song?
Question10=What is your favorite food?
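As an added example (not McAfee or SBWEBREC.DLL code), the following Python model applies the keys listed above to a user's recovery flow: registration needs Register.Questions.Required answers, a recovery session asks Recover.Questions.Asked of them, and Recover.Attempts.Max failures within Recover.Attempts.Timeout seconds lock the user out. How the real handler counts attempts and normalises answers is not described on the page; the sliding window and the case-insensitive, whitespace-collapsing comparison here are assumptions, and the String.2 text is the one from the [Strings] section.

```python
"""Model of the web-recovery limits configured in SBwebRec.ini.

Added example, not McAfee code. The sliding failure window and the answer
normalisation are assumptions; the configuration values are the ones listed
on this page.
"""
import hmac
import secrets
import time

# Constructed subset of the [Configuration] and [Strings] sections shown above
CONFIG = {
    "Register.Questions.Required": 5,
    "Recover.Questions.Asked": 3,
    "Recover.Attempts.Max": 3,
    "Recover.Attempts.Timeout": 3600,   # seconds
}
STRING_2 = "Some of your answers were not correct. Please try again."


def normalise(answer):
    """Assumption: answers compare case-insensitively with whitespace collapsed."""
    return " ".join(answer.strip().casefold().split())


def register(cfg, answers):
    """Store a user's question/answer pairs; at least
    Register.Questions.Required of them must be supplied."""
    if len(answers) < cfg["Register.Questions.Required"]:
        raise ValueError("not enough questions answered to register")
    return {question: normalise(answer) for question, answer in answers.items()}


def pick_questions(cfg, registered, rng=secrets.SystemRandom()):
    """Choose Recover.Questions.Asked of the user's registered questions at random."""
    return rng.sample(sorted(registered), cfg["Recover.Questions.Asked"])


class RecoveryGate:
    """Tracks failed recovery attempts per user within a sliding time window."""

    def __init__(self, cfg, clock=time.time):
        self.max_attempts = cfg["Recover.Attempts.Max"]
        self.window = cfg["Recover.Attempts.Timeout"]
        self.clock = clock           # injectable for deterministic tests
        self.failures = {}           # user -> list of failure timestamps

    def _recent(self, user, now):
        return [t for t in self.failures.get(user, []) if now - t < self.window]

    def is_locked(self, user):
        return len(self._recent(user, self.clock())) >= self.max_attempts

    def attempt(self, user, registered, asked, given):
        """Check the answers to the asked questions. Returns 'locked', 'ok',
        or the String.2 message on a wrong answer (which counts as a failure)."""
        now = self.clock()
        if len(self._recent(user, now)) >= self.max_attempts:
            return "locked"
        # evaluate every answer (no early exit) and compare in constant time
        results = [
            hmac.compare_digest(registered[q].encode("utf-8"),
                                normalise(given.get(q, "")).encode("utf-8"))
            for q in asked
        ]
        if all(results):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self._recent(user, now) + [now]
        return STRING_2
```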
The questions used can be changed at any time without affecting currently registered users.
Endpoint Encryption Manager Program and Driver Files
EXE Files
SBAdmin.exe
Main Endpoint Encryption Manager Executable
DLL Files
sbalgxx
Utility Encryption algorithm module.
SYS Files
SBALG.SYS
Endpoint Encryption’s device driver crypto algorithm module.
srg files
Endpoint Encryption registry files
These are standard regedit files which Endpoint Encryption processes into the registry
itself, without using the Windows regedit utility.
Error Messages
Please see the file sberrors.ini for more details of these error messages. You can also
find more information on error messages on our web site, www.mcafee.com.
Please note that many of these error codes are not designed to ever be shown – they
are mentioned for completeness. This kind of error is termed an “Assertion” - a place
in our software where we ensure a number of conditions are true before continuing,
even though the design does not allow for a specific case where the conditions could
not be true.
As the code and design do not expect such errors to be generated, resolving them
involves working through the context of the issue – without knowing the steps
required to reproduce the error, it is not possible to conclude how the system
arrived at the error state.
Module codes
The following codes can be used to identify from which Endpoint Encryption module
the error message was generated.
Error Code Module
1c00 IPC
5501 SBHTTP Page Errors
5502 SBHTTP User Web Recovery
5c00 SBCOM Protocol
5c02 SBCOM Crypto
a100 ALG
c100 Scripting
db00 Database Misc
db01 Database Objects
db02 Database Attributes
e000 Endpoint Encryption General
e001 Endpoint Encryption Tokens
e002 Endpoint Encryption Disk
e003 Endpoint Encryption SBFS
e004 Endpoint Encryption BootCode
e005 Endpoint Encryption Client
e006 Endpoint Encryption Algorithms
e007 Endpoint Encryption Users
e010 Endpoint Encryption Keys
e011 Endpoint Encryption File
e012 Endpoint Encryption Licenses
e013 Endpoint Encryption Installer
e014 Endpoint Encryption Hashes
e015 Endpoint Encryption App Control
e016 Endpoint Encryption Admin
5501 Web Server Page Errors
Code Message and Description
[55010000] URL not found
[55010001] Invalid parameter encoding
[55010002] Invalid parameter
[55010003] Missing parameter
[55010004] Not logged on
[55010005] No user challenge has been provided
[55010006] Unable to get configuration
[55010007] Unable to set configuration
[55010008] Incorrect user challenge
[55010009] Invalid recovery action
[5501000a] Reparse required
5502 Web Server User Web Recovery
Code Message and Description
[55020000] Permission to use web recovery is denied
5C00 Communications Protocol
Code Message and Description
[5c000000] Unsupported version
The server and client are not talking the same communications protocol version
[5c000005] Out of memory
[5c000008] A corrupt or unexpected message was received
[5c000009] Unable to load the Windows TCP/IP library (WSOCK32.DLL)
Check that the TCP/IP protocol is installed
[5c00000a] Communications library not initialised
This is an internal programmatic error
[5c00000c] Unable to create TCP/IP socket
[5c00000d] Failed while listening on a TCP/IP socket
[5c00000e] Unable to convert a host name to an IP address
Check the host file or the DNS settings
[5c00000f] Failed to connect to the remote computer
The computer may not be listening or it is too busy to accept connections
[5c000010] Failed while accepting a new TCP/IP connection
[5c000011] Failed while receiving communications data
The remote computer may have reset the connection
[5c000012] Failed while sending communications data
[5c000013] Invalid communications configuration
[5c000014] Invalid context handle
[5c000015] A connection has already been established
[5c000016] No connection has been established
[5c000017] Request for an unknown function has been received
[5c000018] Unsupported or corrupt compressed data received
[5c000019] Data block is too big
[5c00001a] Data of an unexpected length has been received
[5c00001b] Message too big to be received
This may occur if an attempt is made to import large amounts of data into the database (e.g. a file)
[5c00001c] Unable to create thread mute
[5c00001d] Message too big to be sent
This may occur if an attempt is made to import large amounts of data into the database (e.g. a file)
[5c00001e] Wrong Endpoint Encryption Communications Protocol Version
You are most likely trying to connect to a v4 Endpoint Encryption Server using a v5 Server definition with server authentication enabled.
Check that you do not have both v4 and v5 servers running (perhaps as a service) at the same time.
5C02 Communications Cryptographic
Code Message and Description
[5c020000] The Diffie-Hellman data is invalid or corrupt
[5c020001] An unsupported encryption algorithm has been requested
[5c020002] An unsupported authentication algorithm has been requested
[5c020003] Unable to sign data
[5c020004] Authentication signature is not valid
[5c020005] Authentication parameters are invalid or corrupt
[5c020006] Failed while generating DSA parameters
[5c020007] No session key has been generated
[5c020008] Unable to authenticate user
[5c020009] Session key too big
A100 Algorithm Errors
Code Message and Description
[a1000000] Not enough memory
[a1000001] Unknown or unsupported function
[a1000002] Invalid handle
[a1000003] Encryption key is too big
[a1000004] Encryption key is too small
[a1000005] Unsupported encryption mode
[a1000006] Invalid memory address
[a1000007] Invalid key data
C100 Scripting Errors
Code Message and Description
[c1000001] Invalid Argument
[c1000002] Missing Parameter
There is a required parameter missing
[c1000003] Missing Value
[c1000004] Machine Already In Group
[c1000005] Database Not Found
[c1000006] User Already In Group
[c1000007] Wrong Group Type
[c1000008] Wrong Database Capabilities
Usually only returned when the database does not have ID assignment support. The standard Endpoint Encryption database includes this feature.
[c1000009] Parameter Needed
You must enter one of the required parameters, for example user or group name.
[c100000a] Parameter Positive
You must specify a positive value for this parameter.
[c100000b] Unsupported Connection Type
[c100000c] No Admin Name Specified
[c100000d] No Admin Password Specified
[c100000e] Unknown Authentication Type
[c100000f] No Connection Reference
[c1000010] Unknown Connection
[c1000011] Mutex Creation Failed
Caused when there are insufficient system resources in the host OS to create another mutex
[c1000012] Command Skipped
[c1000013] No Command Specified
[c1000014] Unknown Command
[c1000015] No User ID specified
[c1000016] No User Key Found
[c1000017] No Key File
No key file was specified
[c1000018] Key File Not Found
The authentication key file specified as UserIDKeyFile was not found
DB00 Database Errors
Code Message and Description
[db000000] Out of memory
[db000001] More data is available
[db000002] The database has not been created or initialised yet
Check the database path or create a new database. To force the new database wizard to be run, delete the SDMCFG.INI file and restart the administration program.
[db000003] Invalid context handle
[db000004] The name was not found in the database
[db000005] Authentication was not successful.
Check that you have the correct token for this database
[db000006] Unknown database
[db000007] Invalid database type
[db000008] The database could not be found. Check the database path settings
[db000009] Database already exists.
Choose a different database path
[db00000a] Unable to create the database
Check the path settings and make sure you have write access to the directory
[db00000b] Invalid database handle
[db00000c] The database is currently in use by another entity
You cannot delete a database while someone is using it
[db00000d] Unable to initialise the database
[db00000e] User aborted
[db00000f] Memory access violation
[db000010] Invalid string
[db000011] No default group has been defined
[db000012] The group could not be found
[db000013] File not found
[db000014] Unable to read file
[db000015] Unable to create file
[db000016] Unable to write to file
[db000017] File corrupt
[db000018] Invalid function
[db000019] Unable to create mutex
[db00001a] Invalid license
The license has been modified so that the signature is now invalid
[db00001b] License has expired
[db00001c] The license is not for this database
Check the database ID and ensure it is the same as the one specified in the license. Each time you create a new database, a different ID is generated. There is no way to change the ID of a database.
[db00001d] You do not have permission to access the object
[db00001e] Endpoint Encryption is currently busy with another task. Please wait for it to complete and try again.
This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint Encryption status from the right‐click menu of the Endpoint Encryption task bar icon.
[db00001f] Endpoint Encryption is still installed on this machine
[db000020] Buffer too small
[db000021] The requested function is not supported
[db000022] Unable to update the boot sector
The disk may be in use by another application or Explorer itself. The disk may be protected by an anti‐virus program.
DB01 Database Objects
Code Message and Description
[db010000] The object is locked
Someone else is currently updating the same object
[db010001] Unable to get the object ID
[db010002] Unable to change the object's access mode
Someone else may by accessing the object at the same time. If you are trying to write to the object while someone else has the object open for reading, you will not be able to change to write mode.
[db010003] Object is in wrong access mode
[db010004] Unable to create the object in the database
The disk may be full or write protected
[db010005] Operation not allowed on the object type
[db010006] Insufficient privilege level
You do not have the access rights required to access the object.
[db010007] The object status is disabled
This is usually associated with User objects. Disabling the user's object prevents them logging on until their account is re‐enabled.
[db010008] The object already exists
[db01000f] The object is in use
[db010010] Object not found
The object has been deleted from the database
[db010011] License has been exceeded for this object type
Check that your licenses are still valid and if not obtain further licenses if necessary
DB02 Database Attributes
Code Message and Description
[db020000] Attribute not found
[db020001] Unable to update attribute
[db020002] Unable to get attribute data
[db020003] Invalid offset into attribute data
[db020004] Unable to delete attribute
[db020005] Incorrect attribute length
[db020006] Attribute data required
E000 Endpoint Encryption General
Code Message and Description
[e0000000] User aborted
[e0000001] Insufficient memory
[e0000002] Invalid date/time
[e0000010] Invalid date/time. Clock is reporting a time before 1992 or after 2038.
E001 Tokens
Code Message and Description
[e0010000] General token error
[e0010001] Token not logged on
[e0010002] Token authentication parameters are incorrect
[e0010003] Unsupported token type
[e0010004] Token is corrupt
[e0010005] The token is invalidated due to too many invalid logon attempts
[e0010006] Too many incorrect authentication attempts
[e0010007] Token recovery key incorrect
[e0010010] The password is too small
[e0010011] The password is too large
[e0010012] The password has already been used before. Please choose a new one.
[e0010013] The password content is invalid
[e0010014] The password has expired
[e0010015] The password is the default and must be changed.
[e0010016] Password change is disabled
[e0010017] Password entry is disabled
[e0010020] Unknown user
[e0010021] Incorrect user key
[e0010022] The token is not the correct one for the user
[e0010023] Unsupported user configuration item
[e0010024] The user has been invalidated
[e0010025] The user is not active
[e0010026] The user is disabled
[e0010027] Logon for this user is not allowed at this time
[e0010028] No recovery key is available for the user
[e0010030] The algorithm required for the token is not available
[e0010040] Unknown token type
[e0010041] Unable to open token module
[e0010042] Unable to read token module
[e0010043] Unable to write token module
[e0010044] Token file not found
[e0010045] Token type not present
[e0010046] Token system class is not available
[e0018000] Sony Puppy requires fingerprint
[e0018001] Sony Puppy requires password
[e0018002] Sony Puppy not trained
E012 Licences
Code Message and Description
[e0120001] License invalid
[e0120002] License expired
[e0120003] License is not for this database
[e0120004] License count exceeded
E013 Installer
Code Message and Description
[e0130002] No installer executable stub found
[e0130003] Unable to read installer executable stub
[e0130004] Unable to create file
[e0130005] Error writing file
[e0130006] Error opening file
[e0130007] Error reading file
[e0130008] Installer file invalid
[e0130009] No more files to install
[e013000a] Install archive block data too large
[e013000b] Install archive data not found
[e013000c] Install archive decompression failed
[e013000d] Unsupported installer archive compression type
[e013000e] Installation error
[e013000f] Unable to create temporary directory
[e0130010] Error registering module
E014 Hashes
Code Message and Description
[e0140001] Insufficient memory
[e0140002] Error opening hashes file
[e0140003] Error reading hashes file
[e0140004] Hashes file invalid
[e0140005] Unable to create hashes file
[e0140006] Error writing hashes file
[e0140007] Hashes file is not open
[e0140008] Hashes file data invalid
[e0140009] Hashes file data too big
[e014000a] User aborted
E016 Administration Center
Code Message and Description
[e0160001] Invalid plugin information
Technical Specifications and Options
The following options are available from Endpoint Encryption but may not be included
on your install CD, or be appropriate for your version of the Endpoint Encryption
Manager. Please contact your McAfee representative for information if you wish to use
one of these optional components.
Encryption Algorithms
Endpoint Encryption supports many custom algorithms. Only one algorithm can be
used in an Endpoint Encryption Enterprise.
RC5-12
CBC Mode, 1024 bit key, 12 rounds, 64 bit blocks
The RC5-12 algorithm is compatible with the Endpoint Encryption 3.x algorithm.
RC5-18
CBC Mode, 1024 bit key, 18 rounds, 64 bit blocks
The 18 round RC5 variant is designed to prevent the theoretical “Known Plaintext”
attack.
AES-FIPS (FIPS 140-1 Approved) - RECOMMENDED
CBC Mode, 256 bit key, 128 bit blocks
This algorithm is approved for FIPS 140-1 use.
Smart Card Readers
The following smart card readers are supported.
• Any Windows supported smart card reader
• All PC/SC Smart Card Readers
Tokens
Smart Cards
For the latest list of authentication methods using smart cards, tokens, fingerprint
readers please consult your McAfee representative.
Language Support
Endpoint Encryption Manager
Czech, Dutch, English (United States), English (United Kingdom), French, Japanese,
Korean, Portuguese (Brazil)
System Requirements
Implementation documentation discussing appropriate hardware for typical
installations of Endpoint Encryption is available from your representative. The
following specifications should be considered appropriate for evaluation deployments
only.
Endpoint Encryption Database Server
• Windows NT4.0sp6a, 2000, XP, 2003, Vista 32bit (all versions), Vista 64bit (all
versions)
• 256MB or OS minimum RAM, 1024MB recommended.
• 200MB Free hard disk space
• Pentium compatible processor, multi-way (up to 32 processors),
Hyperthreading, Dual Core and AMD processors are supported.
• For remote administration a TCP/IP network connection with a static DNS
name / ip address is required.
• This configuration is considered appropriate for evaluation systems only. For
production systems, please contact your McAfee representative for enterprise
implementation documentation.
Administration
• Windows NT4.0sp6a, 2000, XP, 2003, Vista 32bit (all versions), Vista 64bit (all
versions)
• 256MB or OS Minimum RAM
• 40MB free hard disk space
• Pentium compatible processor, multi-way (up to 32 processors),
Hyperthreading, Dual Core and AMD processors are supported.
• For remote administration, a TCP/IP network connection is required.
SFDBBack
• All versions of Windows (IE4.0 with Offline Browsing Pack required for
Windows 95 and NT4.0sp6a)
Active Directory Connector
• Windows NT4sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit
and Vista 64bit.
• Requires read/write access to v3+ Active Directory.
Novell Netware / LDAP Connector
• Windows NT4sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit
and Vista 64bit
• Novell eDirectory 8.6.x with Novell Server 7.x.
• Future versions of Novell are expected to function.
NT Connector
• Windows NT4.0sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit,
Vista 64bit.
• Domain account access for Windows 2000+.
NOTE: The NT connector must be installed on a PDC or BDC on Windows NT4.0.
Index
A
Account Validity, 24, 65, 68, 77 Active Directory, 13, 62, 67, 68, 69, 70, 71, 72, 73, 74, 75,
76, 77, 78, 79, 80, 81, 82, 83, 84, 132 Organizational Units, 71, 81
ADCon, 67, 71, 74, 75, 76, 81, 82, 84, 85 admin rights, 15, 54 Administration
level, 15 privilege, 15 privileges, 35 rights, 15
Administration Function, 36 Administration Level, 30, 35, 55 algorithm, 11, 14, 29, 104, 114, 130
maximum key size, 29 Attributes
explained, 9 Audit Trails
viewing, 18 Auditing, 44 authentication, 11, 13, 16, 49, 50, 52, 53, 54 Authentication
client/server, 53 Auto‐boot users
autoboot user, 23
B
backup, 65 Base DN, 69, 75, 78, 84
C
cache, 107 CE Server, 11, 13 chipdrive. See Towitoko Client
overview of, 12 compressed
Object Directory, 108 connecting to databases, 49 connecting to NT Domains, 64 Connector
Bindings, 32, 33, 73, 74, 83, 84
Connector Manager, 62 overview of, 13 user bindings to, 33
Controlled Groups. See groups cryptography, 6 Cryptography
encryption, 13
D
DAP, 19 Databases
adding a new connection, 49 managing, 49
decrypt, 53 Default Password, 22, 23, 25, 65, 90, 94 deploy, 41, 54 disable, 26, 64, 65, 67, 72, 73, 76, 82, 83 disabling users. See Users distinguished name(s), 69, 78 distinguished name, 69, 75, 78, 84 DNS, 50, 53, 110, 131 DNS Name, 68, 77 DSA, 11, 50
E
enabling users. See Users Encryption
algorithms, 130 Encryption Algorithm, 11, 14, 29, 114, 130 Encryption Algorithms
RC5, 130 Endpoint Encryption CE Server, 11, 13 Endpoint Encryption Components
File Encryptor, 8 VDisk, 8
Endpoint Encryption Server connecting to a new, 54 overview of, 10 restricting user id's for, 54
Entities explained, 9
error codes, 109, 115 error messages, 115 excluded users, 67, 73, 76, 83
F
File Encryption overview of, 13
File Encryptor, 8 file group management, 40 Files
deleting and exporting, 41 importing new, 41 ini files, 109 program and driver files, 114 properties, 41
force sync, 24
G
Group mappings, 65, 70, 80 groups, 16, 17, 22, 35, 36, 37, 40, 46, 65, 66, 70, 71, 75, 80,
81, 85, 109 Groups
administration of, 35 controlled vs free, 16 free, 17 of users and machines, 16
H
hidden fields. See Users hours. See Users
I
IP Address, 9, 10, 11, 51, 68, 75, 77, 84, 131
L
language support, 131 LDAP, 11, 13, 19, 62
Base DN, 69, 75, 78, 84 Object Filter, 69, 78, 79 Protocol Version, 68, 77 Referrals, 70, 79 User DN, 69, 78
LDAP Browser, 74, 75, 84 Licence Files
adding, 101 expiry of, 102 restrictions, 101
local databases, 50 logon hours, 31, 64, 67, 76
M
mapping groups. See Group mappings
Microsoft, 76, 84, 87, 89 Microsoft Active Directory, 67, 76
N
Name Index, 106 Network Name, 68, 77 NT Domain, 13 NT Domains ‐ connecting to, 64
O
object change log, 70, 79 object directory, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19, 23, 29,
35, 41, 42, 44, 49, 51, 52, 53, 54, 55, 62, 64, 90, 106, 107, 108, 110
Objects explained, 9 locking of, 20
Offline Browsing Pack, 132
P
Password Default, 22, 23, 25, 65, 90, 94
passwords, 10, 13, 25, 26, 27, 28, 29 Reset, 24, 26, 86, 96, 97
Passwords, 25 history, 25
Pentium, 131 performance, 11, 19 Performance
Object Directory, 107 Pocket Endpoint Encryption, 93 Pocket Windows
2002, 11 privileges, 10, 15 public / private keys, 53
Q
quick start guide, 7
R
RC5, 130 recovery, 11, 13, 21, 23, 24, 29 referrals, 70, 79
registry, 43, 114 RSA, 11, 13
S
SafeBoot Server overview of, 12
SBAdmCL, 44, 102 schedule, 63 scheduling synchronisations, 63 Server
creating a, 51 Server
Endpoint Encryption CE Server, 13 Server
starting a, 52 Server
configuration of, 53 Server
starting as a service, 53 service, 53, 55, 63, 71, 81, 86, 89, 90, 96, 98, 113 Service Accounts, 55 SFDBBack, 132 Smarty, 130 system requirements, 131
T
TCP/IP, 9, 10, 11, 51, 131
towitoko chipdrive, 130
U
user dn, 69, 78 user status, 9, 64, 67, 76 Users
administration level, 30 creating new, 21 disable, 64, 65, 67, 76 Disabling, 64, 65, 67, 76 enabling and disabling, 23 Excluding, 67, 73, 76, 83 hidden fields, 21 logon hours, 31 logon id, 21 password parameters, 25
W
Windows 2000, 43, 64 Windows CE, 11
X
X500, 11, 13, 19, 20, 62