
McAfee Endpoint Encryption Manager

Administration Guide
Version 5.2.5

McAfee, Inc.
3965 Freedom Circle, Santa Clara, CA 95054, USA
Tel: (+1) 888.847.8766

For more information regarding local McAfee representatives please contact your local McAfee office, or visit: www.mcafee.com

Document: Endpoint Encryption Manager Administration Guide
Last updated: Tuesday, 30 March 2010

Copyright (c) 1992-2010 McAfee, Inc., and/or its affiliates. All rights reserved. McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein are only by reference and are the sole property of their respective owners.

Contents

Preface ... 6
  About this guide ... 6
  Audience ... 6
  Conventions ... 7
  Related Documentation ... 7
  Acknowledgements ... 7
  Contacting Technical Support ... 7

Introduction ... 8
  Why Endpoint Encryption? ... 8
  Design Philosophy ... 8
  How Endpoint Encryption Solutions Work ... 8
  Objects, Entities, and Attributes explained ... 9
  The Endpoint Encryption Components ... 10

Installing Endpoint Encryption Manager ... 14
  Upgrading the Endpoint Encryption Manager ... 14

Endpoint Encryption Manager Interface ... 15
  Administration Level ... 15
  Starting Endpoint Encryption Manager ... 16
  Groups of Users, Machines and other Objects ... 16
  Audit Trails ... 18

The Endpoint Encryption Object Directory ... 19
  The Object Directory Structure ... 19
  Object locking ... 20

Creating and Configuring Users ... 21
  User Administration Functions ... 22
  User configuration Options ... 23
  Setting User Administrative Privileges ... 35
  Some Example Administration Structures ... 36

Tokens ... 38

File Groups and Management ... 40
  Setting file group functions ... 41
  Importing new files ... 41
  Exporting Files ... 41
  Deleting Files ... 41
  Setting File Properties ... 41

Auditing ... 44
  Introduction ... 44
  Common Audit Events ... 44

Managing Object Directories ... 49
  Managing Connections ... 49
  Adding a new directory connection ... 49

Endpoint Encryption Server ... 51
  Installing the Endpoint Encryption Server Program ... 51
  Creating a new Server ... 51
  Starting The Endpoint Encryption Server for the first Time ... 52
  Server Configuration ... 53
  Starting the Endpoint Encryption Server as a Service ... 53
  Using Server / Client Authentication ... 53
  Connecting to a new Endpoint Encryption Server ... 54
  Checking a Server's Status Remotely ... 54
  Using Restricted User IDs for Servers ... 54

Keys ... 56
  About Keys ... 56
  Key Administration Functions ... 56
  Key Configuration Options ... 57

Policies ... 59
  About Policies ... 59
  Policy Administration Functions ... 59
  Assigning a policy object to a user ... 60
  Assigning a policy object to a machine ... 60

Endpoint Encryption Connector Manager ... 62
  Adding and Removing Connector Instances ... 62

NT Connector (NTCon) ... 64
  Summary of connected attributes ... 64
  General Options ... 65
  Group Mappings ... 65
  User Information ... 66

LDAP Connector (LDAPCon) ... 67
  Summary of connected attributes ... 67
  General Options ... 68
  Group Mappings ... 70
  Using Binary Data Attributes ... 74
  LDAP Browser from Softerra ... 74

Active Directory Connector (ADCon) ... 76
  Summary of connected attributes ... 76
  General Options ... 77
  Group Mapping ... 80
  User Information ... 82

Endpoint Encryption webHelpdesk Server ... 86
  About Endpoint Encryption HTTP Server ... 86
  webRecovery ... 86
  Remote Password Change ... 87
  Pre-Requisites ... 87
  Password Expiration Warning ... 88

Activating Endpoint Encryption webHelpdesk ... 89
  Installing an SSL Certificate ... 89
  Configuring the webHelpdesk Server ... 90
  Configuring webRecovery ... 92

Recovering Users using webHelpdesk ... 93
  With Challenge-Response ... 93
  By Directly Changing their Password ... 95

User self recovery - webRecovery ... 96
  Registering for webRecovery ... 96
  Recovery using webRecovery ... 98

License Management ... 101

Common Criteria EAL4 Mode Operation ... 103
  Algorithm Certificate Numbers ... 104

Tuning the Object Directory ... 106
  The Name Index ... 106
  About Name Indexing ... 106
  Enabling and Configuring Name Indexing ... 106
  Enabling Directory Compression ... 107

Endpoint Encryption Configuration Files ... 109
  sbnewdb.ini ... 109
  sberrors.ini ... 109
  sbhelp.ini ... 109
  sbadmin.ini ... 109
  sbfeatur.ini ... 109
  sbfiledb.ini ... 109
  dbcfg.ini ... 109
  sdmcfg.ini ... 110
  SBServer.ini ... 111
  sbconmgr.ini ... 111
  Cmsettings.ini ... 112
  LDAPCon Manual Settings ... 112
  LDAPCon / ADCon Manual Settings ... 112
  SBHTTP.ini ... 112
  EXE Files ... 114
  DLL Files ... 114
  SYS Files ... 114
  srg files ... 114

Error Messages ... 115
  Module codes ... 115
  5501 Web Server Page Errors ... 116
  5502 Web Server User Web Recovery ... 117
  5C00 Communications Protocol ... 117
  5C02 Communications Cryptographic ... 119
  C100 Scripting Errors ... 120
  DB00 Database Errors ... 121
  DB01 Database Objects ... 124
  DB02 Database Attributes ... 125
  E000 Endpoint Encryption General ... 125
  E001 Tokens ... 125
  E012 Licences ... 127
  E013 Installer ... 127
  E014 Hashes ... 128
  E016 Administration Center ... 129

Technical Specifications and Options ... 130
  Encryption Algorithms ... 130
  Smart Card Readers ... 130
  Tokens ... 130
  Language Support ... 131
  System Requirements ... 131

Index ... 133

Preface
The team at McAfee is dedicated to providing you with the best in security for protecting data on personal computers. By applying the latest technology, deployment and management of users is simplified through structured administration controls. The Endpoint Encryption Manager and associated products are designed to protect your mobile data on PCs, PDAs and across networks. Through continued investment in technology and the inclusion of industry standards, we are confident that our goal of keeping Endpoint Encryption at the forefront of data security will be achieved.

About this guide


This document will aid corporate security administrators in the correct implementation and deployment of the Endpoint Encryption Manager. Although this guide is complete in terms of setting up and managing Endpoint Encryption systems, it does not attempt to teach the topic of "Enterprise Security" as a whole. Readers should refer to the Administration Guides for individual Endpoint Encryption products, such as the Endpoint Encryption for PC, for specific information.

Audience
This guide was designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, is required. For information about cryptography topics, readers are advised to consult the following publications:
- Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Bruce Schneier, Pub. John Wiley & Sons; ISBN: 0471128457
- Computer Security, Dieter Gollmann, Pub. John Wiley and Sons; ISBN: 0471978442
- Security in Computing, Charles P. Pfleeger, Pub. Prentice Hall PTR; 3rd edition; ISBN: 0130355488

Conventions
This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.
Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).
Italic: Emphasis or introduction of a new term; names of product manuals.
Blue: A web address (URL); a live link.
Note: Supplemental information; for example, an alternate method of executing the same command.
Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Related Documentation
The following materials are available from our web site, http://www.mcafee.com, and from your Endpoint Encryption Distributor:
- Endpoint Encryption Manager Administration Guide (this document)
- Endpoint Encryption for PC Administration Guide
- Endpoint Encryption for Files and Folders Administration Guide
- Port Control Administration Guide
- Endpoint Encryption for PC Quick Start Guide
- Endpoint Encryption for Files and Folders Quick Start Guide

Acknowledgements
Endpoint Encryption's Novell NDS Connector and LDAP Connectors make use of OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given to these organizations for their free APIs.

Contacting Technical Support


Please refer to www.mcafee.com for further information.

Introduction
Why Endpoint Encryption?
Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD worth of lost data. Is your data safely stored? Ever thought about the risks you run for your company and your clients? The Endpoint Encryption product range was developed with the understanding that often the data stored on a computer is much more valuable than the hardware itself.

Design Philosophy
The Endpoint Encryption product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a Smart Card, Fingerprint or USB Key. McAfee also has optional File and Media encryption programs (VDisk, File Encryptor and Endpoint Encryption for Files and Folders), as well as hardware VPN solutions, further enhancing the security offered. Endpoint Encryption supports all current Microsoft Operating Systems, and also common PDA platforms:
- Microsoft Windows 7
- Microsoft Windows 2000 through SP4
- Microsoft Windows XP through SP3 (32bit only)
- Microsoft Windows 2003 through SP2 (32bit only)
- Microsoft Vista 32bit and 64bit (all versions)
- Microsoft Pocket Windows 2002 and 2003
- Microsoft Windows Mobile 5.0/6.0/6.1
- Palm OS 3.5 through 5.4

All Endpoint Encryption products are centrally managed through a single system, which supports scalable implementations and rich administrator control of policies.

How Endpoint Encryption Solutions Work


Management
Every time an Endpoint Encryption protected system starts, and optionally every time the user initiates a dial-up connection or after a set period of time, Endpoint Encryption tries to contact its Object Directory. This is a central store of configuration information for both machines and users, and is managed by Endpoint Encryption Administrators. The Object Directory could be on the user's local hard disk (if the user is working completely stand-alone), or could be in some remote location and accessed over TCP/IP via a secure Endpoint Encryption Server (in the case of a centrally managed enterprise). Endpoint Encryption applications query the directory for any updates to their configuration, and if needed download and apply them. Typical updates could be a new user assigned to the machine by an administrator, a change in password policy, an upgrade to the Endpoint Encryption operating system, or a new file specified by the administrator. At the same time Endpoint Encryption uploads details such as the latest audit information, any user password changes, and security breaches to the Object Directory. In this way, transparent synchronization of the enterprise becomes possible.

Objects, Entities, and Attributes explained


The Endpoint Encryption database stores information about users, machines, servers, PDAs etc. in collections called "objects". From an internal point of view it does not matter to Endpoint Encryption what an "object" represents, only the information it contains. So an object representing a user, say "John Smith", and an object representing a machine, for example "John's Laptop", both contain information about encryption keys, account status and administration level.

Within the object are collections of configuration data called "attributes"; again, the same type of attribute may exist across many object types. To take our previous example of John and his laptop, the details of the encryption keys, user status and administration level would all be stored as separate attributes.

Entities are applications within the Endpoint Encryption system. Because of the generality of the "object" design, all Endpoint Encryption applications also have some generality about them: for instance, the entity representing the Endpoint Encryption client and the entity representing the Endpoint Encryption Server both authenticate to the Object Directory in the same way, as an "object" which could be a machine or a user; which of the two it is does not matter. This generality is mainly hidden from users and administrators, but because of this core design you will find that many Endpoint Encryption related functions and tasks are common between users, machines and entities.

The Endpoint Encryption Components


Endpoint Encryption Manager

Figure 1. Endpoint Encryption Manager

The most important component of the Endpoint Encryption enterprise is the Endpoint Encryption Manager, the administrator interface. This utility allows privileged users to manage the enterprise from any workstation that can establish a TCP/IP link or file link to the Object Directory. Typical procedures that the Endpoint Encryption Administrator handles are:
- Adding users to machines
- Configuring Endpoint Encryption protected machines
- Creating and configuring users
- Revoking users' logon privileges
- Updating file information on remote machines
- Recovering users who have forgotten their passwords
- Creating logon tokens such as smart cards for users

Endpoint Encryption Server


The Endpoint Encryption Server facilitates connections between entities such as the client, the Endpoint Encryption Manager and the central Object Directory over an IP connection (rather than the file based "local" connection). The server performs authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that "snooping" the connection cannot result in any secure key information being disclosed.

The server exposes the Object Directory via fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet / Intranet, allowing clients to connect wherever they are. As all communications between the Server and client are encrypted and authenticated, there is no security risk in exposing it in this way.

There is a unique PDA Server which provides similar services to PDAs such as Microsoft Pocket Windows and PalmOS devices. More information about this can be found in later chapters.

Endpoint Encryption Object Directory


The Endpoint Encryption Object Directory is the central configuration store for Endpoint Encryption for PC and is used as a repository of information for all the Endpoint Encryption entities. The default directory uses the operating system's file system driver to provide a high performance, scalable system which mirrors an X500 design. Alternative stores such as LDAP are possible; contact your Endpoint Encryption representative for details. The standard store has a capacity of over 4 billion users and machines. Typical information stored in the Object Directory includes:
- User configuration information
- Machine configuration information
- Client and administration file lists
- Encryption key and recovery information
- Audit trails
- Secure Server key information

Endpoint Encryption for PC Client

Figure 2. Endpoint Encryption Client

The Endpoint Encryption for PC client software is largely invisible to the end user. The only visible part is an entry in the user's tool tray (the Endpoint Encryption icon). Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator has enabled this option and a screen saver is selected). Right-clicking on the icon allows them to perform a manual synchronization with their Object Directory, or monitor the progress of any active synchronization.

Normally the Endpoint Encryption client attempts to connect to its home server or directory each time the machine boots or establishes a new dial-up connection. During this process, any configuration changes made by the Endpoint Encryption administrator are collected and implemented by the Endpoint Encryption client. In addition, information such as the latest audit logs is uploaded to the directory.

Endpoint Encryption PDA Server


The Endpoint Encryption PDA Server facilitates connections between entities such as the Endpoint Encryption client, the Management Center and the central Object Directory over an IP connection (rather than the file based "local" connection). The server performs authentication of the entity using DSA signatures and link encryption using Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that "snooping" the connection cannot result in any secure key information being disclosed.

Note: The default port for the PDA Server is 5557.

The server exposes the Object Directory via fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet / Intranet, allowing clients to connect wherever they are. As all communications between the server and client are encrypted and authenticated, there is no security risk in exposing it in this way.

Endpoint Encryption for Mobile


Endpoint Encryption for Mobile provides authentication and encryption services for mobile devices. Every time you activate it you are prompted to enter a secure, recoverable password or PIN. As with Endpoint Encryption for PCs, every time you activate or dock a PDA device protected with Endpoint Encryption, it tries to communicate with its home Endpoint Encryption PDA Server and set its security profile, which again is set from the Endpoint Encryption Manager.

Endpoint Encryption File Encryptor


By right-clicking on a file, users can elect to encrypt it using various keys. Files can be encrypted with other Endpoint Encryption users' keys and/or passwords. Once protected in this way the file can be sent elsewhere, for example via e-mail or on a floppy disk, without the risk of disclosure. When the file needs to be used, it just needs to be double-clicked: a password or login prompt will be presented for authentication, and if the credentials are correct the file will be decrypted. The File Encryptor also has an option to create an RSA key pair for recovery; if the password to a file is lost, the file can still be recovered using the correct recovery key.

Endpoint Encryption Connector Manager


The directory Endpoint Encryption uses to keep track of security information is designed so that synchronization of details between Endpoint Encryption and other systems is possible. The Connector Manager is a customizable module which enables data from systems such as X500 directories (commonly used in PKI infrastructures) to propagate to the Endpoint Encryption Object Directory. Using this mechanism, it is possible to replicate details such as a user's account status between the Endpoint Encryption Manager and other directories. Current connector options include LDAP, Active Directory, and an NT Domain Connector. For information on these components, see your Endpoint Encryption representative.

Installing Endpoint Encryption Manager


NOTE: Readers unfamiliar with Endpoint Encryption should follow the Endpoint Encryption Quick Start Guide for the product you are installing, before tackling any of the topics in this guide. The Quick Start guides provide an overview of setting up an Endpoint Encryption enterprise.

Endpoint Encryption Manager is the administration part of Endpoint Encryption and is the core tool for managing all Endpoint Encryption aware applications. If this is the first time you have installed an Endpoint Encryption application, then please read the Quick Start Guide for that application. You will find this on your Endpoint Encryption CD or in your download.

Install Endpoint Encryption Manager by running the appropriate setup.exe from the Endpoint Encryption CD. You should run this first on the machine which you want to be the master or administrator's machine. If you have a multi-language CD, select the language (for example, English) you want to install. The Endpoint Encryption Manager will now install on your machine. Follow the on-screen prompts to install the software; you may be prompted to select a language, smart card reader, and encryption algorithm. Once completed you may need to restart your system.

The Endpoint Encryption Manager suite adds some items to your start menu:
- Endpoint Encryption Manager starts the Endpoint Encryption Manager.
- Endpoint Encryption Server starts the communication server which provides encrypted links between clients and the Object Directory.
You may also have icons for the Endpoint Encryption Connector Manager.

After rebooting, run the Endpoint Encryption Manager program. A wizard will walk you through the creation of a new Endpoint Encryption directory. If you have an existing Object Directory in your network, you can connect to it by canceling the wizard and manually configuring a connection. For information on this procedure please see Managing Object Directories.

Upgrading the Endpoint Encryption Manager


1. Download the Endpoint Encryption Manager software from the McAfee download site.
2. Run the setup file and complete the upgrade.

See the Endpoint Encryption Update and Migration Guide (contained in the download) for more detail.

Endpoint Encryption Manager Interface


The Endpoint Encryption Manager allows certain classifications of user to manage and interact with the backend Object Directory. Users and machines can perform certain tasks and change certain details within the directory, depending upon their assigned "Administration Privilege", and administrative rights.

Administration Level
Each object in the directory has a certain "administration privilege", ranging from 1 (lowest) to 32 (root administrator). No object except the root administrator can change the attributes of an object of its own privilege or above, although some attributes can be read regardless. This mechanism stops low privilege users from changing their own configuration, and protects high-level administrators from the activities of lower levels. The recommended assigned privileges are:

User Classification      Administration Level
Root Administrator       32
Other Administrators     10
Normal Users             1
Normal Machines          1

NOTE: As there are no objects with a privilege above 32, all level 32 objects are treated equally and without restraint (except delete rights). This means that any top level admin can edit the properties of any other top level admin. However, a level 32 administrator with limited admin functions cannot add those restricted functions to another level 32 administrator. For this reason it is recommended that general Endpoint Encryption administrators use accounts with a privilege below 32, and the master (or root) administrator account should be used only in extreme circumstances.

In addition to this rule, extra restrictions on what administration processes an individual may use can be set when they are created; for instance, the ability to add users may be blocked, as may the ability to create install sets.



This gives the ability to create high-privilege users with no admin abilities - these users cannot be administered or recovered by lower privilege users although the lower level users may have access to the administration functions.

Starting Endpoint Encryption Manager


Endpoint Encryption Manager communicates with the Object Directory and requests a user authentication on start-up, which it uses to connect to an Object Directory. Users and administrators authenticate using their Endpoint Encryption credentials, so if they usually use a smart card to log in to Endpoint Encryption, they will need the same card to access Endpoint Encryption Manager.

NOTE: For details on setting up connections to directories, see Managing Object Directories.

There is no real limit to the number of concurrent Endpoint Encryption sessions that can be connected to each directory, either directly or via an Endpoint Encryption Server. If two administrators update an object's configuration at the same time, the last one to click Save overrides all others. The limiting factor is the hardware supplying access to the directory, i.e. the network and server speed.

Groups of Users, Machines and other Objects


Within the Endpoint Encryption Directory, objects are "grouped" in order to simplify configuration. For example, in a large corporation with many departments, the Endpoint Encryption administrator may choose to create groups of machines based on their physical location, for instance "Sales" and "Helpdesk". The configuration of these two groups would be similar, but not identical; for instance, the "Sales" group of PCs may not synchronize with the Object Directory so often, and the "Helpdesk" PCs would not be receiving some sales-related database information. To facilitate configuration at group level, two types of group can be created:

Controlled Groups
Members of configuration-controlled groups cannot have their core configuration altered on a member-by-member basis (non-core items include machine description, for instance). All changes have to be made at group level, and immediately affect all members of the group. When an object is moved into a controlled group, it immediately loses its individuality and inherits the group's properties. Controlled groups are used where it is not necessary or desirable to have many individual objects with their own configurations; for example, an administrator may choose to enforce a strict security policy which must be adhered to. In this situation there is no scope for objects to have individual configurations. Another use is where a collection of machines needs to have their configurations synchronized as one. For example, if there was a controlled group of 200 machines with the property Endpoint Encryption enabled set as false, and the option was enabled at group level, this change would affect each machine in the group. Each machine would automatically enable Endpoint Encryption the next time it synchronized with the directory.

Free Groups
Free groups have no master control; objects inherit the properties of the group when they are created, but this configuration is stored individually for the object and can be altered at any time. Existing objects moved into a free group do not inherit any group properties; they simply retain their own configurations. Changing the group configuration only affects new objects created within the group; it does not affect existing objects.

One Group for each object type is defined as the default. Unless otherwise specified, this is the group under which new Objects (machines, users etc.) appear and from which they inherit their initial attributes. This group may or may not be configuration controlled, and is displayed in bold type in the object tree. To set the default group, select it and use the right-click menu option Set as Default Group.

Finding Objects
You can search the object trees by either typing into the Find box on the tool bar of Endpoint Encryption Manager, or, by using the Filter or Find by ID options from the Objects Menu.

Finding orphaned objects using Group Scan


The Group Scan feature within the Groups drop down menu allows you to scan through any group and identify missing objects, e.g. machines, users, etc.

1. Select a group from the Users, System, Policies, or Devices tabs.
2. Click the Groups option from the menu bar.
3. Click Group Scan.
4. Select a group from the drop down list.
5. Click Ok.

This will begin a search across the selected group for orphaned objects. The report output will appear in the bottom right pane.


Audit Trails
Endpoint Encryption keeps audit trails for most types of object. To view the current audit, select the object in question and use the right-click menu option View Audit. Audit trails can be exported as comma delimited files for use in other applications. The ability for a user to view another user's audit is a function of their relative administration level, and their View Audit administration right. It is recommended that not all users are given this permission.


The Endpoint Encryption Object Directory


Endpoint Encryption stores all its configuration and security information in a central, generic data store referred to as the Object Directory. This store resembles a tree-based, modular, object-structured directory, similar in design to an X500 directory. The Endpoint Encryption Configuration Manager on the protected machine periodically checks this store via a connection manager (the Directory Manager) to see if there are any changes to apply, and delivers any updates necessary in return. The directory stores information for the configuration of users, machines etc. in logical Objects containing data blocks ("attributes").

The Object Directory Structure


The Object Directory manages three levels of information: object types, actual Objects, and attributes. This can be viewed as analogous to a file or directory system. The top level has the various object classifications: user, group, and machine. Below this level are the individual Objects; for example, in the case of the user tree, there would be Objects containing the attributes for users. For each object there are many attributes, e.g. account status, private key and password.

NOTE: Supported accessible Objects are Users, Machines, Servers, Files, Directories, and Groups. Endpoint Encryption makes no distinction between the different types of object at the management and access level. Only the Attributes stored within them differ. This independence greatly increases the speed the object store can work at.

There is no requirement for any particular type of directory, as long as the directory engine can support the minimum layout. All data sources are viable, e.g. ODBC, Access, LDAP, DAP, X500 etc. Endpoint Encryption ships with two directory drivers: a high performance file system based driver for large corporate users, and a small single-file "transport" directory driver designed for single use and disconnected deployment. For information on porting Endpoint Encryption's backend directory to an alternate system, please contact your McAfee Services representative.

A simple pictorial layout of the directory structure could be explained thus:

Root Directory
  |
  (Object Classes)
  Users-------Machines-------Groups-------Servers--------Files
  |
  (User level)
  User.0-----User.1-----User.2-----User.3-.. User.n
  |
  (Attributes containing Configuration information)
  Attrib.0----Attrib.1-----Attrib.2------Attrib.n

This structure mirrors an X500 directory, and allows fast access to attributes and modification (adding new attributes, new object classes etc) without significant effort.

Object locking
To prevent problems where two or more processes try to access the same data simultaneously, only one process can have write permission to an Object at any time. Normally an object such as a user is only locked during the actual write process; if there is a conflict in locks, one process will wait for the other to release. This usually takes only a few seconds. In the standard file managed directory, object locking is provided by the operating system itself.


Creating and Configuring Users

Figure 3. Creating New Users

New users can be created in Endpoint Encryption Manager by selecting the group they need to be in, and using the menu option Create User. You can also create users automatically using a connector to another directory, such as Active Directory, or an automated script. Please see the Endpoint Encryption Connector Manager chapter, or the Endpoint Encryption Scripting Tool User's Guide.

The new user's logon ID and recovery information about them can be entered. The user's password or token is inherited from the group, and can be set or generated at this point. The fields of information are used to identify the user in case of a helpdesk issue, such as the user forgetting their password. The helpdesk and user can see the majority of these fields, but some may be defined as "hidden from user"; in this example, the field Group Access is one of those. Hidden fields can only be seen by administrators with a higher privilege than the user, or the root administrator. This gives the helpdesk operator the ability to ask the user a question to validate their identity. For more information on recovery, see the Recovery chapters of your product administrator's guide.

Once created, the user assumes the configuration of the group they were created in. If this group is "controlled", then only a few options are available to be configured on a user-by-user basis. If the group is "Free" then although the user assumes the properties of the group on creation, the parameters can then be set individually afterwards.


User Administration Functions


Create Token
Creates a new Token for the selected user; this could be a soft (password) token, or a hard token such as a smart card or eToken.

NOTE: In the case of hard tokens, creating the token does not necessarily set the user to actually use that token. This must be accomplished separately from the user's Token properties page.

Reset Token
Resets the token authentication to the default. In the case of the soft (password) token, resets the password to 12345.

NOTE: Some hard tokens may not be able to be reset using Endpoint Encryption, for example Datakey Smart Cards. In this case contact the manufacturer of your token to determine the correct reuse procedure.

Set SSO Details


Sets the Single-Sign-On details for the user. For more information on SSO see the Endpoint Encryption for PC Administration Guide.

Force Password Change at Next Logon


Forces the user to change their password at their next logon. This policy option applies to both the Endpoint Encryption Manager and all compatible applications, such as Endpoint Encryption for PC.

View Audit
Displays the audit for the user.

Reset (All) to Group Configuration


Resets the configuration of the user, or all the users in the group, to the group's configuration.

Create Copy
Creates a new object based on the selected object.

Properties
Displays the properties of the selected object.


User Configuration Options


General

Figure 4. User Options - General

User ID
The user ID of a given user is the system-wide identifier that Endpoint Encryption uses internally to keep track of the user. This number is unique within the Object Directory and is displayed for technical support purposes. The user's recovery screens also show this number.

Auto-boot users
Special user IDs containing the tag $autoboot$ with a password of 12345 (or set by administrators) can be used to auto-boot an Endpoint Encryption for PC protected machine. This option is useful if an auto boot of a machine is needed, for example when updating software using a distribution package such as SMS or Zenworks. This ID should be used with caution though, as it effectively bypasses the security of Endpoint Encryption. You can find out more about the $autoboot$ user from the Endpoint Encryption for PC Administration Guide.

Enabled
Shows whether the user account is enabled or not. The enabled status is always user selectable. Once a machine has synchronized, it checks the user account list to ensure that the currently logged on user is still valid (because they logged on at boot time before the network and Object Directory were available). Users with disabled accounts (or users who have been removed from the user list) will find that the screen saver activates and they will be unable to log in.

NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop the user from accessing the machine), you can use the force sync option of the machine's right-click menu to force an update. For more information see the Endpoint Encryption for PC Administration Guide.

Valid From / Until
Sets the period during which this account is valid. Once the period has passed, the user will no longer be able to log on. If the user is logged on when the account expires, they will NOT be automatically logged off the system (but if they reboot, or the screen saver activates, they will not be able to log on again). Both Valid From and Valid Until settings can be made. This enables the administrator to set up accounts that self-activate sometime in the future and/or expire at some fixed point (e.g. for contracted employees with a fixed term contract starting and expiring on a given day).

Change Picture
Allows the administrator to set a picture for the user. The picture aids the helpdesk in the identification of a user when doing a challenge/response password reset. The imported picture can be any size bitmap image.

User Defined Labels (Information Fields)
When a user is created several fields of information may be set to help the helpdesk identify the user during the recovery process. For a full description of the use of these fields see Creating Users, and Recovering Users and Machines.


Password Parameters

Figure 5. User Configuration - Password Parameters

Force Change if "12345"
Ticking this option prevents users from continuing to use the Endpoint Encryption default password of "12345". If this password is ever used, for instance after recovering a user, it must be changed before Endpoint Encryption will allow the operating system to boot. The force password change mechanism is also supported in the Windows Screen Saver.

Prevent Change
Disables the Change Password option on the Endpoint Encryption boot screen, and on the directory login screen.

Enable Password History
Endpoint Encryption records previous passwords, and stops the user repeating old passwords when they are forced to change them. The maximum number of previous passwords that can be saved is limited by the user's token: typically a password token can remember 19 previous passwords, whereas a smart card token only 10. Passwords are added to the history list when the user sets them, so the default password (12345) may be used ONCE again, as it is not added to the history list when a user is created. Special smart card scripts can be made available which increase the maximum history count beyond 10, at the expense of the time needed to log in. For information on these scripts please contact your Endpoint Encryption representative.

Require Change After
Forces the user to change their password after a period of days.

Warn
Warns the user that their password will expire a set number of days in advance of their password change.

Timeout password
When logging on, the user has three attempts to present Endpoint Encryption with a correct password. If the user fails, then a "lockout" period of 60 seconds commences. The user cannot log in while this period is in force, and if they reboot the PC, the period starts again. Once the period has expired, the user is allowed further logon attempts, with the lockout period doubling after each further incorrect attempt, i.e.

1st incorrect attempt    No lockout
2nd incorrect attempt    No lockout
3rd incorrect attempt    60 seconds lockout
4th incorrect attempt    120 seconds lockout
5th incorrect attempt    4 min lockout
9th incorrect attempt    64 min lockout

64 minutes is the maximum lockout period that may be set.

Invalidate Password after
After a sequence of incorrect passwords, Endpoint Encryption can disable the user's account. To log on again once this has happened, the user will need to call their Endpoint Encryption helpdesk for a password reset. The number of incorrect passwords that have to be entered before this occurs is normally 10, but can be set as needed.


Password Template

Figure 6. User Configuration - Password Template

Password Length
Sets the expected length of the user's password between two extremes. Recommended settings are a minimum length of 5 characters, and a maximum length of 40 characters.

Enforce Password Content
Enforcing content in passwords forces the user to pick more secure passwords, but also reduces the number of possible passwords the user can select from. Content is not case sensitive. The following options can be set:

Alpha - A minimum number of characters from the range a-z and A-Z.
Alphanumeric - A minimum number of non-symbol characters from the range a-z, A-Z, and 0-9.
Numeric - Numbers only, from the range 0-9.
Symbols - !"$%^&*()_+{}~@:><,./ :;@'~#<,>.?/`[], and other non-alpha and non-numeric characters.

Content restrictions force the user to be more particular when they change their password. Depending upon the selected options, related passwords will not be accepted. The following restrictions can be set:

No Anagrams
"wordpass" is not acceptable after a password of "password".

No Palindromes
The passwords "1234321", "asdsa" etc. are unacceptable.

No Sequences
"password2" after "password1" is unacceptable, as are passwords such as aaaaaa and 111111.

No Simple Words
Allows an administrator-defined dictionary to be set containing forbidden passwords. You can create this dictionary using a Unicode text editor. Place each forbidden word on its own line in the file. Name the file TrivialPWDs.dat and place it in your client install set in the [appdir]\SBTokens\Data folder. The password "password" is excluded by default.

Can't Be User Name
Prevents users from using their user name as their password.

Windows content rules
Mirrors the standard Windows password content rule. For passwords to be accepted they must contain at least 3 of the following:
Lower case letters
Upper case letters
Numbers
Symbols and special characters
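The Password Parameters and Password Template rules above, modelled in code as an added example (not McAfee's implementation): the lockout schedule of the Timeout password option, the "12345" forced change, and the content, history and restriction checks. The PasswordTemplate fields, the function names and the rule labels returned are assumptions; only the rules themselves come from this chapter.

```python
"""Password template and timeout rules modelled on the Endpoint Encryption guide.

Added example, not McAfee code.  Only the rules come from the guide; the
PasswordTemplate fields, function names and rule labels are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_PASSWORD = "12345"            # Endpoint Encryption default password
DEFAULT_TRIVIAL_WORDS = {"password"}  # excluded by default per the guide (lower case)
MAX_LOCKOUT_SECONDS = 64 * 60         # 64 minutes is the maximum lockout


@dataclass
class PasswordTemplate:
    min_length: int = 5               # recommended minimum
    max_length: int = 40              # recommended maximum
    min_alpha: int = 0
    min_alphanumeric: int = 0
    min_numeric: int = 0
    min_symbols: int = 0
    windows_content_rules: bool = False
    enable_history: bool = True
    no_anagrams: bool = True
    no_palindromes: bool = True
    no_sequences: bool = True
    no_simple_words: bool = True
    cant_be_user_name: bool = True
    trivial_words: set = field(default_factory=lambda: set(DEFAULT_TRIVIAL_WORDS))


def lockout_seconds(incorrect_attempts: int) -> int:
    """Lockout after the Nth consecutive incorrect password (Timeout password):
    none for the first two, 60 s at the third, doubling thereafter, capped at 64 min."""
    if incorrect_attempts < 3:
        return 0
    return min(60 * 2 ** (incorrect_attempts - 3), MAX_LOCKOUT_SECONDS)


def must_change_now(current_password: str, force_change_if_default: bool = True) -> bool:
    """'Force Change if "12345"': the default password must be replaced before boot."""
    return force_change_if_default and current_password == DEFAULT_PASSWORD


def _is_sequence(new: str, previous: Optional[str]) -> bool:
    """'password2' after 'password1', or a single repeated character (aaaaaa)."""
    if len(set(new)) == 1:
        return True
    if previous is None:
        return False
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    m_old = re.fullmatch(r"(.*?)(\d+)", previous)
    return bool(m_new and m_old and m_new.group(1) == m_old.group(1)
                and int(m_new.group(2)) == int(m_old.group(2)) + 1)


def check_password(candidate: str, template: PasswordTemplate,
                   user_name: str = "", history: tuple = ()) -> list:
    """Return the labels of every template rule the candidate breaks ([] = accepted).

    `history` holds the user's previous passwords, oldest first; comparisons are
    case-insensitive because the guide says content is not case sensitive.
    """
    low = candidate.lower()
    previous = history[-1].lower() if history else None
    alpha = sum(c.isalpha() for c in candidate)
    digits = sum(c.isdigit() for c in candidate)
    symbols = len(candidate) - alpha - digits
    failed = []
    if not template.min_length <= len(candidate) <= template.max_length:
        failed.append("length")
    if alpha < template.min_alpha:
        failed.append("alpha")
    if alpha + digits < template.min_alphanumeric:
        failed.append("alphanumeric")
    if digits < template.min_numeric:
        failed.append("numeric")
    if symbols < template.min_symbols:
        failed.append("symbols")
    if template.windows_content_rules:
        classes = [any(c.islower() for c in candidate),
                   any(c.isupper() for c in candidate), digits > 0, symbols > 0]
        if sum(classes) < 3:          # Windows rule: at least 3 of the 4 classes
            failed.append("windows_content")
    if template.enable_history and low in (h.lower() for h in history):
        failed.append("history")
    if (template.no_anagrams and previous and low != previous
            and sorted(low) == sorted(previous)):
        failed.append("anagram")
    if template.no_palindromes and len(low) > 1 and low == low[::-1]:
        failed.append("palindrome")
    if template.no_sequences and _is_sequence(low, previous):
        failed.append("sequence")
    if template.no_simple_words and low in template.trivial_words:
        failed.append("simple_word")
    if template.cant_be_user_name and user_name and low == user_name.lower():
        failed.append("user_name")
    return failed
```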


Token Type

Figure 7. User Configuration - Token Selection

Sets the token for a given user / group of users. The list of available tokens is created from the token modules installed in the Object Directory. For information on particular token options, please see the Tokens chapter. Some tokens may be incompatible with other options; for instance, you cannot use the Floppy Disk token if the user's floppy disk access is disabled, set to read only, or set as Encrypted. Assigning a token to a user does not necessarily mean they will be able to log into a machine; for example, giving a user a smart card does not mean their machine has a smart card reader, or the software needed to drive such a reader.

NOTE: When you change a user's token, Endpoint Encryption automatically brings up the token creation wizard. You need to remember to create Soft Tokens even though they're just passwords.

Recovery Key
You can reset a user's password, or change their token type, using the recovery process. This involves the user reading a small challenge of 18 characters from the machine to an administrator, then typing in a larger response from the administrator. The recovery key size defines the exact length of this code exchange. The range of options of the recovery key is dependent upon the maximum key size of the algorithm in use. A key size of 0 disables the user recovery system.

Allow web-based self recovery
You can prevent a password-only user from registering for web recovery by selecting this option.

Administration Rights

Figure 8. User Configuration - Administration Rights

Administration Level
The administration level of a given user defines their Administration Scope. Users can only work with directory objects (machines, other users etc.) below their own level; thus a level 2 user can only administer users of level 1. All users are by default created at level 1, and are therefore unable to administer each other. The user who first created the directory is created at level 32, and can therefore administer any other object in the directory.

NOTE: A special case exists for the highest level of user (root users), allowing them to administer at level 32.

Administration Functions
Options in the administration functions box select what administrative options are available to a given user / group of users. When creating a new user, the administration rights of the creator are reflected to the new user. Most administration functions are obvious but the following may require more explanation:

Users/Allow Administration controls a user's right to start administration systems such as the Endpoint Encryption Manager or Connector Manager. If this option is removed for all users, the management environment will be unavailable.

Logon Hours

Figure 9. User Configuration - Logon Hours

Endpoint Encryption can prevent a user from accessing any machine during particular time periods. In the example above, the user "John Smith" can access any machine his account has been allocated to during the hours of 9am - 5pm any day. If the Force user to logoff box is not ticked, restricting the logon hours of a user does not prevent them continuing to use a machine out of hours if they were logged on when the restriction comes into force; however it does prevent them logging on after this time, for instance at a screen saver prompt.

Devices
This is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for PC Administration Guide.

Application Control
This policy is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for PC Administration Guide.


Policies

Figure 10. Policies

Endpoint Encryption can control other systems through the Policies Interface. You can define the actual parameters of a policy through its entry on the System Tree, and assign which policies are enforced for a particular user, or group of users, from the policies tab. For more information on policies see the Policies chapter.

Add / Remove
Click Add or Remove to associate a policy with a user. You can only associate one policy of each type with a user.

Bindings

Figure 11. Connector Bindings



The Endpoint Encryption Connectors use the bindings specified for a user to match their Endpoint Encryption account with their account on an alternate system. When a connector creates a new Endpoint Encryption user, it automatically fills in the binding tabs to make the association. It is possible though to connect one, or many users created in Endpoint Encryption to a connected account, by manually editing the bindings list. For information on the correct system tag to use for a given connector, please see the Endpoint Encryption Connector Manager chapter and those after it.

Local Recovery
The Local Recovery option allows the user to reset a forgotten password by answering a set of security questions. The full list of security questions is set by the administrator using the Endpoint Encryption Manager.

NOTE: Endpoint Encryption contains a generic set of questions.

When the user first sets up their local recovery feature they will be prompted to select a number of questions and provide the answers to them. These form the basis for their local self recovery feature.

Setting Local Recovery for a user name or user group


Using Endpoint Encryption Manager, the administrator assigns the local recovery option to the user's logon, or to a user group. The local recovery options are available from the user logon or group Properties screen. See below.

Figure 12. Setting the Local Recovery options

Enable Local Recovery
Selecting this check box will set Local Recovery for the specified user or user group.

Require ? questions to be answered
This option determines how many questions the user must select to perform a Local Recovery.

Allow ? logons before forcing user to set answers
This option determines how many times a user can log on without setting their Local Recovery questions and answers.

Add
The Add button will load the Local Self Recovery Question dialog box and allow you to create a new question. You can also specify the language the question should be in and the minimum number of characters the user must specify when configuring the answer to this question.

Remove
The Remove button will remove a selected question from the list.

Edit
The Edit button will allow you to edit the configuration of a selected question.

Apply
The Apply button will save any changes that have been made.

Restore
The Restore button will undo your changes and restore the Local Recovery options to the previous settings (providing you have not clicked the Apply button).

See the Endpoint Encryption for PC Administrator's Guide or the Help File for the user local recovery procedures.


Administration Groups

Figure 13. Administration Groups

The groups which an administrator can manage can be restricted. This gives the ability to create high privilege administrators who can only work with a particular population of users and machines, for instance departmental administrators. You can specify all group types for the restriction, so you can also create administrator accounts that have the ability to manage only servers, certain groups of users, or certain groups of machines. When group restrictions are in place, the user's view of the database is restricted to only the groups specified. Leaving the admin groups box empty gives the account admin capability throughout the Object Directory. When an administrator with group restrictions creates a new user, the group restrictions are reflected into the new user's properties. If the new user also inherits groups from their group membership, these too will be set.

NOTE: Do not restrict the administrative scope of the root administrator or you may not be able to make configuration changes in the future.

Setting User Administrative Privileges


Endpoint Encryption has a powerful and flexible administration structure. You can set three conditions that must be met before a user can perform an administration task:

Administration Level
This must be higher than the object you are trying to administer, or in the case of top-level objects (level 32), must also be level 32.

Groups
If there are any groups specified for administration, the object you are trying to administer must be in one of the groups.

Administration Functions
The feature or command you are trying to use must be enabled in your Admin Rights list.

If all these conditions are met then the user will be able to perform the function. Using a selection of these features enables certain administration hierarchies to be created. We advise that the minimum administration rights are given to each user, to prevent unauthorized configuration of the security. By delegating responsibility, administration can become a simple task.
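The three conditions above, the level-32 special case from Administration Rights, and the rule that a new user reflects its creator's rights and group restrictions, written out as an added example (not McAfee code). The class names, function names, the "Users/Add"-style function labels and the department group names are assumptions; the fixture is constructed to follow the Tree administration example in this chapter.

```python
"""Endpoint Encryption-style administration check: the three conditions from
"Setting User Administrative Privileges", the level-32 special case, and the
rule that a new user reflects its creator's rights and group restrictions.

Added example, not McAfee code.  Class names, function names, the
"Users/Add"-style function labels and the group names are assumptions.
"""
from dataclasses import dataclass

ROOT_LEVEL = 32           # highest administration level (root administrator)
ALL_GROUPS = frozenset()  # an empty Administration Groups box = whole directory


@dataclass(frozen=True)
class DirectoryObject:
    name: str
    level: int            # administration level, 1 (lowest) to 32
    group: str            # the group the object belongs to


@dataclass(frozen=True)
class Administrator(DirectoryObject):
    admin_groups: frozenset = ALL_GROUPS      # groups this admin may manage
    admin_functions: frozenset = frozenset()  # enabled Admin Rights


def authorize(actor: Administrator, target: DirectoryObject, function: str):
    """Return (allowed, reason).  All three conditions must hold."""
    # 1. Administration Level: strictly above the target, except that level-32
    #    objects may administer other level-32 objects.
    if not (actor.level > target.level
            or actor.level == target.level == ROOT_LEVEL):
        return False, f"level {actor.level} may not administer level {target.level}"
    # 2. Administration Groups: if any are set, the target must be in one of them.
    if actor.admin_groups and target.group not in actor.admin_groups:
        return False, f"group {target.group!r} is outside the administration scope"
    # 3. Administration Functions: the command must be enabled in Admin Rights.
    if function not in actor.admin_functions:
        return False, f"{function!r} is not enabled in the admin rights list"
    return True, "ok"


def create_user(creator: Administrator, name: str, group: str) -> Administrator:
    """New users are created at level 1 and reflect the creator's admin rights
    and group restrictions (Administration Rights / Administration Groups)."""
    if "Users/Add" not in creator.admin_functions:
        raise PermissionError("Users/Add is not enabled for the creator")
    if creator.admin_groups and group not in creator.admin_groups:
        raise PermissionError(f"group {group!r} is outside the creator's scope")
    return Administrator(name=name, level=1, group=group,
                         admin_groups=creator.admin_groups,
                         admin_functions=creator.admin_functions)


# Constructed fixture following the "Tree administration" example in this chapter.
ALL_FUNCTIONS = frozenset({"Users/Add", "Users/Reset Token", "Users/View Audit",
                           "Servers/Manage"})
ROOT = Administrator("root", ROOT_LEVEL, "Admins", ALL_GROUPS, ALL_FUNCTIONS)
SECOND_ROOT = Administrator("root2", ROOT_LEVEL, "Admins", ALL_GROUPS, ALL_FUNCTIONS)
ENTERPRISE_ADMIN = Administrator("ent-admin", 30, "Admins", ALL_GROUPS, ALL_FUNCTIONS)
DEPT_A_ADMIN = Administrator("deptA-admin", 20, "Admins",
                             frozenset({"Dept A Users", "Dept A Machines"}),
                             ALL_FUNCTIONS - {"Servers/Manage"})
ALICE = DirectoryObject("alice", 1, "Dept A Users")
BOB = DirectoryObject("bob", 1, "Dept B Users")
SERVER = DirectoryObject("ee-server", 1, "Servers")
```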

Some Example Administration Structures


Example 1. Top-down administration.
Root User - Level 32.
Master Administrator(s) - Level 30, no other restrictions.
Sub Admin(s) - Level 20, no other restrictions.
Users - Level 1, all rights removed.

In this scenario there is a simple top-down chain of administration.

Example 2. Tree administration.


Root User - Level 32.
Enterprise Administrator(s) - Level 30, no other restrictions.
Department A Administrator(s) - Level 20, restricted to user and machine groups in department A only. Rights for server management removed.
Department B Administrator(s) - Level 20, restricted to user and machine groups in department B only. Rights for server management removed.
Department A Users - Level 1, all rights removed.
Department B Users - Level 1, all rights removed.

In this scenario, the departmental administrators are prevented from managing each other's department by the group restriction. Administrators are also prevented from adding any of their users to machines in the other department by the same mechanism. Only the Enterprise Administrator(s) can start or manage Endpoint Encryption Servers.

Example 3. Function / Department Administration.


Root User - Level 32.
Enterprise Administrator - Level 30, no other restrictions.
Server Manager - Level 30, groups restricted to servers only, rights restricted to managing servers only.
Department A Administrator - Level 20, restricted to user and machine groups in department A only. Rights for server management removed.
Department B Administrator - Level 20, restricted to user and machine groups in department B only. Rights for server management removed.
Department A Users - Level 1, all rights removed.
Department B Users - Level 1, all rights removed.

In this scenario, there is an additional account for the Server Manager, a person responsible for keeping the Endpoint Encryption Server running. Their account has no ability to manage users or log on to clients. There could also be other accounts with the ability to add/remove users (for example used by the personnel department).


Tokens
The Endpoint Encryption Manager and connected applications support many different types of logon token, for example passwords, smart cards, fingerprint readers and others. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared.

Supported Smart Cards and Tokens


The link below contains the supported smart cards and tokens: https://kc.mcafee.com/corporate/index?page=content&id=pd20895

Hardware Device Support


Ensure the machine has the appropriate Windows drivers for the hardware tokens it needs to support. For example, if you intend to use Aladdin eTokens you need to install the Aladdin eToken RTE (Run Time Environment). If you intend to use smart cards, you need to ensure that an Endpoint Encryption supported smart card reader is installed along with its drivers; for example, the Mako/Infineer LT4000 PCMCIA smart card reader must be installed. In both cases, the appropriate device drivers are available either direct from the manufacturer, or from the Endpoint Encryption install CD in the Tools directory.

Endpoint Encryption Application Support


Once you have installed hardware support for the devices, you can enable software support for them. See the dedicated product administration guide for details how to enable tokens for that particular product.

Assign the token to the user and create it.


From the user's Token properties pane, select the token you want that user to log in with. Endpoint Encryption will prompt you to insert the token and will create the appropriate data files on it. If all steps are followed, when you install Endpoint Encryption, or after the machines synchronize, users will be able to log in using their new token.

Upek Fingerprint Reader


1. The Upek Protector Suite QL software must be installed and configured on the client machine. The software can be found on the McAfee Endpoint Encryption Tools download. Please consult your McAfee representative for further information.
2. From the Endpoint Encryption Manager: create a file group for the Upek token and import the token files SbTokenUpek.dll and SbTokenUpek.dlm. The Upek file group must be assigned to the machine or machine group. The fingerprint reader must be assigned to a user or a user group (see the Tokens screen of the user or user group Properties).
3. The user logs onto the client machine using the Upek token module in password mode.
4. The user will be presented with a dialog which will ask them to register their fingerprints with Endpoint Encryption; the user configures the fingerprint reader to work with one or more of their fingerprints.
5. From then on the user will need to authenticate to Endpoint Encryption with their fingerprint instead of a password.

File Groups and Management

Figure 14. Endpoint Encryption File Groups

The Endpoint Encryption Manager uses central collections of files, called Deploy Sets (file groups), to manage which versions of files are used by many Endpoint Encryption applications. For information on a particular application's support for File Groups, please see its Administration Guide. When Endpoint Encryption Manager is installed, it automatically adds all the standard Endpoint Encryption administrator files into the file groups and may also create language sets, for example "English Language". An INI file, ADMFILES.INI, determines the contents of the core groups. INI files such as these can be edited to allow custom collections of files to be quickly imported and then applied using the Import file list menu option. For more information on ADMFILES.INI see the Endpoint Encryption Configuration Files chapter. Other file sets created as standard include those to support login tokens (such as smart card readers and USB Key tokens).


Setting file group functions

Figure 15. File Group Content

You can specify the function of a file group by right-clicking it and selecting its properties. Some file selection windows, for example the file selector for machines, only display certain classes of file group (in this example, those marked as Client Files).

Importing new files


New files can be imported one by one into an existing deploy set using the Import files menu option (right-click menu). Simply select the file; Endpoint Encryption will then import it into the directory and add it to the deploy set.

Exporting Files
You can export a file group, or an individual file, back to a directory. This may be useful, for example, if you have an out-of-date administration system driver and there is an updated file in the Object Directory.

Deleting Files
You can delete individual files from a file set. With connected applications this usually results in the deletion of the file from their local directory at the next synchronization event.

Setting File Properties


To see the properties of a file, right-click on the file in question and select Properties. Two screens of information are available.


Figure 16. File Properties, File Information

The name of the file is the actual name, which will be used when deploying the file on the remote machine. The ID is the Object Directory object ID used as a reference for the file from the client PC. The version number is an incremental version of the file. When the file is updated, the version is incremented. This is used by the clients to check whether an update is needed. Other information such as the name of the user who imported the file and its size may be shown.

Figure 17. File Properties, Advanced

File Types
Set the type of the file.

File Location
Set the destination directory for the file.

Operating System
Because some files are only applicable to certain operating system(s), the target operating system(s) for the file must be selected. This is to prevent Windows NT drivers being installed on Windows 98 machines, or Windows 9x registry files being run on Windows 2000 servers.

Appid
If you are installing a file which is shared between multiple Endpoint Encryption applications, you can specify that application's ID. This prevents one application from installing files shared by another.

Update
Specify when Endpoint Encryption should update the file.
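The properties above (ID, version, Operating System, Appid, File Location) are what a client uses at synchronization to decide which files to fetch. The following is an added example, not from the guide or the product: it models that client-side check with a constructed record class and constructed sample records, so the FileRecord fields, the function name and the sample IDs and application IDs are all assumptions.

```python
"""Client-side file update check modelled on the file properties described above.

Added example, not part of the Administration Guide and not the product's code.
The FileRecord fields follow the property names above (ID, version, Operating
System, Appid, File Location); the class, the function and the sample records
are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class FileRecord:
    object_id: str              # Object Directory ID the client uses to reference the file
    name: str                   # actual file name used when deploying on the remote machine
    version: int                # incremented each time the file is updated in the directory
    location: str               # destination directory on the client
    os_targets: FrozenSet[str]  # operating systems the file applies to
    appid: Optional[str]        # owning application ID, or None when not restricted


def files_to_deploy(records: Iterable[FileRecord], installed: Dict[str, int],
                    client_os: str, client_appid: str) -> List[FileRecord]:
    """Return the records a client should fetch at synchronization.

    installed maps object_id -> version currently on the client. A record is
    skipped when it does not target the client's OS, when its Appid names a
    different application, or when the client already has that version or newer.
    """
    wanted = []
    for rec in records:
        if client_os not in rec.os_targets:
            continue                      # e.g. no Windows 9x registry file on Windows 2000
        if rec.appid is not None and rec.appid != client_appid:
            continue                      # another application owns this file
        if installed.get(rec.object_id, 0) >= rec.version:
            continue                      # already up to date
        wanted.append(rec)
    return sorted(wanted, key=lambda r: r.object_id)


# Constructed sample directory contents (not real object IDs or application IDs).
SAMPLE_RECORDS = [
    FileRecord("F001", "SbTokenUpek.dll", 3, r"C:\Program Files\EE",
               frozenset({"Windows NT", "Windows 2000"}), None),
    FileRecord("F002", "settings9x.reg", 1, r"C:\EE", frozenset({"Windows 98"}), None),
    FileRecord("F003", "pcdriver.sys", 5, r"C:\WINNT\system32\drivers",
               frozenset({"Windows 2000"}), "EEPC"),
    FileRecord("F004", "english.lng", 1, r"C:\Program Files\EE",
               frozenset({"Windows 2000"}), None),
    FileRecord("F005", "shared.dll", 2, r"C:\Program Files\EE",
               frozenset({"Windows 2000"}), None),
]

# Constructed client state: object_id -> installed version.
SAMPLE_INSTALLED = {"F001": 2, "F005": 2}


def sample_result(client_appid: str = "EEFF") -> List[str]:
    """Object IDs a Windows 2000 client of the given application would fetch."""
    return [r.object_id for r in
            files_to_deploy(SAMPLE_RECORDS, SAMPLE_INSTALLED, "Windows 2000", client_appid)]


if __name__ == "__main__":
    print(sample_result())          # F001 is outdated, F004 is missing; the rest are skipped
```

The Appid rule is what keeps a shared file from being installed twice by two applications: a client only takes records whose Appid is unset or matches its own.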

Auditing
Introduction
The Endpoint Encryption Manager audits user, machine, and server activity. By right-clicking an object in the Endpoint Encryption Object Directory, you can select the view audit function. Audit trails are uploaded to the central directory by both the Administration Center and connected Endpoint Encryption Applications such as Endpoint Encryption for PC and Endpoint Encryption for Files and Folders.

The permission to view or clear an audit log can be controlled on a user or group basis. Both the administration level and administration function rights are checked before allowing access to a log. For more information on setting these permissions see the Creating and Configuring Users chapter.

Audit trails can be exported to a CDF file by using the Audit menu option, or by right-clicking the trail and selecting Export. Also, the entire audit of the directory can be exported using the Endpoint Encryption Scripting Tool; for information on this option please contact your McAfee representative. The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely, but can be cleared en masse using SBAdmCL.

Common Audit Events


The text displayed in the audit log will depend on your localization and language settings. The following table lists the common events and their ID codes for the American English version of Endpoint Encryption. Many events can appear in multiple places; for example, the Login Successful event will be logged simultaneously both in the user account doing the login and in the machine being logged into. You can find out about product-specific events from that product's dedicated administration guide; for example, to find out about Endpoint Encryption for PC events, refer to the Endpoint Encryption for PC Administration Guide.

Information Events

Description                     Event
Audit cleared                   01000000
Boot started                    01000001
Boot complete                   01000002
Booted non-secure               01000003
Backwards Date Change           01000005
Booted from floppy              01000004
Token battery low               01000010
Power fail                      01000011
A virus was detected            01000013
Synchronization Event           01000014
Add group                       01000082
Add object                      01000083
Delete group                    01000084
Delete object                   01000085
Import object                   01000086
Export object                   01000087
Export configuration            01000088
Update object                   01000089
Import file set                 01000090
Create token                    01000091
Reset token                     01000092
Export key                      01000093
Recover                         01000094
Create database                 01000095
Reboot machine                  01000096
Move Object between groups      01000098
Rename Object                   01000099
Server started                  010000C0
Server stopped                  010000C1

Try Events

Description                     Event
Logon attempt                   02000001
Change password                 02000002
Forced password change          02000003
Recovery started                02000016
Database logon attempt          02000081

Succeed Events

Description                     Event
Logon successful                04000001
Password changed successfully   04000002
Boot once recovery              04000016
Password reset                  04000017
Password timeout                04000018
Lockout recovery                04000018
Change token recovery           04000019
Screensaver recovery            0400001A
Database logon successful       04000081

Failure Events

Description                     Event
Logon failed                    08000001
Password change failed          08000002
Password invalidated            08000005
Machine configuration expired   08000012
Recovery failed                 08000017
Database logon failed           08000081
A virus was detected            Undefined
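Because the displayed text depends on the language setting, detection logic over exported audit data should key on the numeric event IDs, whose leading byte gives the category (01 Information, 02 Try, 04 Succeed, 08 Failure) and whose remaining bytes give the event number. The following added example is not from the guide or the product: it parses event IDs from constructed export lines in an assumed `timestamp,object,event_id` layout, counts failed logons per object and flags the events a reviewer would want to see. The function names and the sample lines are assumptions.

```python
"""Classify McAfee Endpoint Encryption audit event IDs by their category byte.

Added example, not part of the Administration Guide. The event codes are the
American English IDs listed in the tables above; grouping the leading byte into
Information (01), Try (02), Succeed (04) and Failure (08) is read off those
tables. The export line layout and the sample lines are constructed.
"""
from collections import Counter

# Category is the leading byte of the 8-hex-digit event ID.
CATEGORIES = {0x01: "Information", 0x02: "Try", 0x04: "Succeed", 0x08: "Failure"}

# Subset of the event tables (American English codes) used for lookups.
EVENT_NAMES = {
    "01000000": "Audit cleared",
    "01000003": "Booted non-secure",
    "01000004": "Booted from floppy",
    "02000001": "Logon attempt",
    "04000001": "Logon successful",
    "08000001": "Logon failed",
    "08000005": "Password invalidated",
    "08000017": "Recovery failed",
    "08000081": "Database logon failed",
}


def parse_event_id(event_id):
    """Return (category, event_number) for an 8-hex-digit audit event ID.

    Raises ValueError for malformed IDs or an unknown category byte.
    """
    if len(event_id) != 8:
        raise ValueError("event ID must be 8 hex digits: %r" % event_id)
    value = int(event_id, 16)
    category = CATEGORIES.get(value >> 24)
    if category is None:
        raise ValueError("unknown category byte in %r" % event_id)
    return category, value & 0x00FFFFFF


def describe(event_id):
    """Human-readable name for a code, independent of the UI language."""
    return EVENT_NAMES.get(event_id.upper(), "Unknown event %s" % event_id)


# Constructed sample of exported audit lines: "timestamp,object,event_id".
SAMPLE_EXPORT = """\
2010-03-30 08:01:12,jsmith,02000001
2010-03-30 08:01:13,jsmith,08000001
2010-03-30 08:01:20,jsmith,02000001
2010-03-30 08:01:21,jsmith,08000001
2010-03-30 08:01:30,jsmith,02000001
2010-03-30 08:01:31,jsmith,04000001
2010-03-30 09:15:00,LAPTOP-17,01000004
2010-03-30 10:00:00,admin,01000000
"""


def failed_logons_per_object(export_text):
    """Count 'Logon failed' (08000001) per object in an export."""
    counts = Counter()
    for line in export_text.splitlines():
        _, obj, event_id = line.strip().split(",")
        category, number = parse_event_id(event_id)
        if category == "Failure" and number == 0x000001:
            counts[obj] += 1
    return dict(counts)


def notable_events(export_text):
    """(object, description) for every Failure event plus an audit clear or an
    insecure/floppy boot, which are the Information events worth a second look."""
    watch_info = {0x000000, 0x000003, 0x000004}
    flagged = []
    for line in export_text.splitlines():
        _, obj, event_id = line.strip().split(",")
        category, number = parse_event_id(event_id)
        if category == "Failure" or (category == "Information" and number in watch_info):
            flagged.append((obj, describe(event_id)))
    return flagged


if __name__ == "__main__":
    print(failed_logons_per_object(SAMPLE_EXPORT))
    for obj, desc in notable_events(SAMPLE_EXPORT):
        print(obj, desc)
```

Note that the same event number recurs across categories (logon is 000001 under Try, Succeed and Failure), so the pair (category, number) is the stable identifier, not the number alone.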

Managing Object Directories


All Endpoint Encryption Manager connected applications require a connection and logon to an Object Directory. The Endpoint Encryption logon screen provides an interface to manage these connections, whether they are direct to local directories or through Endpoint Encryption servers. The logon system automatically remembers the last token which was used, and displays that interface to the user. If you want to log on with a different token, for instance a smart card or fingerprint scan, simply cancel the login box and select a different token from the token selection list.

Managing Connections
You can add and remove directory connections by clicking Cancel on the Endpoint Encryption Manager Login box, then selecting Edit Connections on the Select Your Login Method dialog.

Figure 18. Endpoint Encryption Database Connections

The Endpoint Encryption Database Connections window lists the currently configured directory locations and types. Local directories are accessed directly; remote directories are accessed through an Endpoint Encryption server. Where authentication parameters for the directory connection have been imported, the connection appears with a tick.

Adding a new directory connection


Click Add to create a new connection. If you are going to access the directory directly (for example, in the case of the Endpoint Encryption file directory, it is stored on your local machine or on an accessible network drive), select the Local option from the connection type drop-down list. If the directory has an Endpoint Encryption server supplying its information, use the Remote option.

Remote Directories
Description
Type a description for the directory; this is used to identify the directory in the list.

Server Address
Supply the address or DNS name of the server, and the port it is running on.

Server Port
Set the port the server should communicate on. The default is 5555.

Authenticate
Server authentication prevents a malicious "rogue" server masquerading as a valid Endpoint Encryption server, by forcing DSA key checking between the server and the Endpoint Encryption application. If the key the server returns is invalid, the Endpoint Encryption application will refuse to connect to the server and inform the user of a key mismatch. When adding a new server, if you elect to create an authenticated link, you will be prompted to provide a key file (.spk file). You can obtain this key from an existing connected administrator by asking them to right-click on the server definition in the Endpoint Encryption Manager and choose Export Public Key.

NOTE: If you are authenticated to a directory, you can add alternate Endpoint Encryption server connections to this directory to the list by simply right-clicking on the server's directory entry in the system tree, and selecting Add to Directories. This process sets up the connection in advance and adds all the key information if available.

Local Directories
Local directories (accessed without an Endpoint Encryption server) need a UNC or mapped drive data path (or a file location in the case of a file directory) and a description. Endpoint Encryption servers ALWAYS use a local directory; you cannot chain one server onto another. The default driver for the Endpoint Encryption Directory is sbfiledb.dll.

Endpoint Encryption Server

Figure 19. The Endpoint Encryption Server

The Endpoint Encryption Server provides a secure communication interface between the Object Directory and other components, such as Endpoint Encryption Manager, Endpoint Encryption for PC Client, and Endpoint Encryption Directory Synchronizer, over a TCP/IP link.

Installing the Endpoint Encryption Server Program


The Endpoint Encryption Server is installed as part of the Endpoint Encryption Manager setup. You can install multiple servers attached to one directory: simply install a new copy of Endpoint Encryption Manager, and manually configure the connection to the existing directory by canceling the Object Directory creation wizard and setting up a new local or remote connection in the subsequent logon box.

Creating a new Server


Before the Endpoint Encryption Server can start, an entry for it must be created in an Endpoint Encryption Object Directory. This entry/object contains the server's public and private key set, configuration and other parameters.


Figure 20. Creating a new Endpoint Encryption Server Object

To create a new server object, you can either use the New Server option to create a new server in the System/Endpoint Encryption Servers tree using Endpoint Encryption, or you can use the "create" button on the Endpoint Encryption Server startup screen shown after authenticating to the Object Directory. Both procedures follow the same path. Creating a new Endpoint Encryption Server object automatically adds the definition to the local directories list. The next time you perform a directory logon, you will be able to choose to log on to the new Server.

Starting The Endpoint Encryption Server for the first Time


Once the object for the server has been created the program SBServer.exe may be run. The first task is to log in to the local Object Directory. For information on how to set up directory connections, see Managing Object Directories. Once the directory has been selected, and a logon id and password supplied, a prompt to select the object is displayed. From this dialog, a new server definition can be created, or an existing ID selected. The definition selected controls the startup parameters for the server, and the authentication keys it will use.

Figure 21. Selecting the Endpoint Encryption Server Object to use for configuration


Server Configuration
The Endpoint Encryption Server obtains its configuration from three places:

The local file sdmcfg.ini supplies the location and type of Object Directory the server should connect to. It also supplies the logon ID and password to use in the case of an automated start. This file is shared between all the Endpoint Encryption entities.

The server's object within the Object Directory specified in sdmcfg.ini supplies the port the server should speak on, and its public and private key information.

The local file sbserver.ini supplies the ID of the object in the local Object Directory that the server uses for its port, etc. It also specifies whether the user should be prompted to select an ID each time the server starts.

Starting the Endpoint Encryption Server as a Service


In Windows 2000 you can start the Endpoint Encryption Server as a true service. To do this, select the Start as service option from the server menu. You will need to supply a user ID and password for the server to use for subsequent starts. The Endpoint Encryption Server stores the user's authentication key in sbserver.ini for use in subsequent logons. This is not the user's password, but could give a hacker a method of attacking the Object Directory.

TIP: You can stop certain user accounts being used to start servers as services by removing their administration privilege Start Server as service.

Using Server / Client Authentication


Endpoint Encryption clients exchange highly sensitive information with their respective Servers, and rely on their server for their configuration, including details of what drives should be encrypted. One possible way around the Endpoint Encryption security would be to substitute an organization's Endpoint Encryption server and Object Directory with a "rogue" server which told Endpoint Encryption-protected machines to decrypt their hard drives. To prevent this kind of attack, the Endpoint Encryption Server generates a public/private key set on install. The public part of the key is distributed on install to the clients, who then use it to verify the private key on the server each time they communicate with it. With this mechanism, if the server is substituted by re-routing the network traffic or DNS name for instance, the clients will recognize the change and refuse to communicate.


Setting up the Endpoint Encryption Server / Endpoint Encryption authentication


Once an Endpoint Encryption server has been created and started, its public key may be exported from the Object Directory as a file. This key file can be freely distributed or placed in a publicly accessible repository, for instance on a web site. To extract a Server key from the Object Directory, simply select the server from the server tree, and use the Export public key option. The resulting .sky file can then be freely distributed. To import the information into a directory connection use the Advanced button on the login screen. For information on this process see Managing Object Directories.

NOTE: If the Object Directory selected during the creation of a deploy set already has authentication configured, then this information will be automatically included within the deploy set.
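The two sections above describe the property that matters: a client holds the server's exported public key and will only talk to a server that can prove it holds the matching private key, so re-routing traffic or DNS to a substituted server gains nothing. The following added example, not from the guide or McAfee's code, models that exchange with a self-contained DSA implementation: the client sends a fresh nonce, the server signs it, and the client verifies the signature under the pinned key. The challenge/response framing, the parameter generation and the small 64-bit parameter sizes are assumptions chosen so the whole thing runs in pure Python; a real deployment uses standard-size parameters from a vetted library.

```python
"""Server authentication by a pinned public key, modelled with DSA.

Added example, not part of the Administration Guide and not McAfee's code. It
models the behaviour described above: the client holds the server's exported
public key and refuses a server that cannot prove possession of the matching
private key. The nonce framing, the parameter generation and the 64-bit sizes
are assumptions made so the exchange runs in pure Python.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_domain_params(q_bits=64):
    """Return DSA parameters (p, q, g): q prime, p = 2*m*q + 1 prime, g of order q."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1   # odd, full width
        if is_probable_prime(q):
            break
    m = 1
    while not is_probable_prime(2 * m * q + 1):
        m += 1
    p = 2 * m * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


P, Q, G = make_domain_params()


def make_keypair():
    """Return (private x, public y)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def digest(message):
    """SHA-256 of the message reduced into the subgroup order."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def sign(x, message):
    """DSA signature (r, s); retried if r or s is zero, as the standard requires."""
    h = digest(message)
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if r and s:
            return r, s


def verify(y, message, sig):
    """DSA verification of sig over message under public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (digest(message) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


CONTEXT = b"EE-server-auth:"   # assumed label binding the signature to this exchange


def server_answer(private_x, nonce):
    """Server side: sign the client's fresh nonce with the server's private key."""
    return sign(private_x, CONTEXT + nonce)


def client_connect(pinned_y, answer):
    """Client side: challenge the server and accept only a signature that verifies
    under the pinned key; anything else is a key mismatch and the connection is refused."""
    nonce = secrets.token_bytes(16)
    return verify(pinned_y, CONTEXT + nonce, answer(nonce))


def demo():
    """Genuine server accepted; a substituted server with its own key refused."""
    x_genuine, y_genuine = make_keypair()
    x_rogue, _ = make_keypair()
    pinned = y_genuine                            # from the exported key file at install time
    return (client_connect(pinned, lambda n: server_answer(x_genuine, n)),
            client_connect(pinned, lambda n: server_answer(x_rogue, n)))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The decision is made entirely from the pinned key and the signature over a nonce the client chose, never from the server's address or name, which is why the page can say that redirecting traffic or DNS does not fool the clients.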

Connecting to a new Endpoint Encryption Server


Once a server has been created it appears in the Object Directory system tree. If this server was created by someone else in the Endpoint Encryption enterprise, you can still add this server to the local list of Endpoint Encryption servers used in the login dialog by selecting the Add to Directories option. This creates a new entry in the local list and, if necessary, downloads the server's public key information. For more information see Managing Object Directories.

Checking a Servers Status Remotely


You can check the status of an Endpoint Encryption Server listed in the Object Directory by right-clicking its object, and selecting Get Status. If the server is online and responsive, it will return its current status in the system log.

NOTE: The active connections list will always show 1 more than the current user/machine connections, due to the connection by Endpoint Encryption to get the status.

Using Restricted User ID's for Servers


Although any valid user ID can start an Endpoint Encryption server, the access yielded to it by the Object Directory is a reflection of that user's directory permissions. For instance, if a very low admin privilege user starts the Endpoint Encryption Server, then high level users and machines will not receive any configuration updates because their admin level exceeds that which can be accessed by the Endpoint Encryption Server. For this reason the Endpoint Encryption Server should usually only be started by users with very high, or the highest, level admin rights.



For practical reasons it is often not the master Endpoint Encryption administrator who starts the Endpoint Encryption Server - usually the corporate server managers have this responsibility. It would not be good security for the master accounts to be given out to any users except those directly involved with the Endpoint Encryption parameters. To overcome this conflict of interests - full access to the objects with no administrative ability - Endpoint Encryption allows you to create very high privilege users with no administrative ability - we will term these Service Accounts.

Service Accounts Parameters


Service accounts are created in the same way as normal users. We recommend they be created in their own group, Service Accounts. The following parameters can be set to yield an account that is useless for logging on to PCs. With these parameters the only use for the account is as a login to the Object Directory.

Passwords
Prevent Change set; Require Change disabled.

Admin Rights
Administration Level 30; all rights cleared except Start as Service.

Devices
No access to any devices.

Token
Password Only.

WARNING: Remember not to add any service accounts, or the group you create them in, to machines.

Keys
About Keys
Keys are general-purpose objects which other Endpoint Encryption-aware applications can use to encrypt information; for example, Endpoint Encryption for Files and Folders uses Key objects to protect files and folders on network and user hard disks.

Key Administration Functions


Create New Key
This function creates a new Key. You can select the key's name, which algorithm it will use, and enter a description of the key to aid in its identification. To create a new key:

1. Navigate to the System tab of the object tree.
2. Find the key provider.
3. Double-click it to expand its groups.
4. Either open an existing group, or create a new group by right-clicking the top node and selecting Create Key Group.
5. From the open group window, right-click and select Create New Key.
6. Enter the name for the new key, select an algorithm, and select OK.

Rename Key
This option changes the name of a key; this does not affect the association of keys to users, or the protection of data. Only the human-readable name is changed.

Delete Key
This option deletes a key from the system. To delete a key:

1. Find the key from the Keys node of the System tab within the object tree.
2. Right-click the key and select Delete.

NOTE: If you permanently delete a key, all data protected with that key will be permanently lost; however, you can restore the key if it has been backed up.


Reset to group configuration


Sets the properties of a key to be those of its group. This includes the user list assigned to the key.

Reset to group configuration (exclude users)


Sets the properties of a key to be those of its group, excluding the key's user list.

Properties
Displays the properties of a key.

Key Configuration Options


Information
Displays information about the key.

Description
A text description of the key; this can be used to identify the purpose or use of the key.

Validity
You can specify when a key is valid until, and whether it can be cached on users' local systems.

Key is Enabled
Tick to make the key accessible to users. If the key is disabled, then all requests for this key (and therefore all data protected by it) will be denied.

Expiry
You can specify a date until which the key will be valid. After this date access to the key (and therefore access to data protected by it) will be denied.

Caching

Allow keys to be cached locally
Enables local caching of the key. Normally keys are obtained on access from the network Endpoint Encryption Key Server. This means that the only way to access protected data is to have a good connection to the corporate Key Server. If you need data to be available to users offline, for example when they are working disconnected from the network, you can allow local caching of a particular key. Each time a key is requested, the user must authenticate against an Endpoint Encryption Key Server to obtain a fresh copy of the key. If the Key Server is not accessible then the user authenticates against a local key cache and queries it for a copy of the key. If the key could be obtained from the Key Server, then the local copy may be installed or updated at the same time. If the user's credentials are not correct, no keys are released.

Remove from cache after..
Causes a locally cached copy of a key to be wiped from the local key cache after a certain number of days of disconnection. This prevents users obtaining keys and then continuing to use them for extended periods of time without validating their credentials against the central Endpoint Encryption Key Server. You can use this option to ensure that if you make changes to the validity or user list of cacheable keys, these changes are enforced within a certain period of time.

Users
You can restrict access to keys to certain users by adding them to the key's user list. When the list is empty, any user who has valid Endpoint Encryption credentials can obtain the key. Once one or more users are added to the list, though, ONLY those users can obtain or administer the key. This prevents general Endpoint Encryption administrators from being able to access sensitive data.

NOTE: You can restrict which administration functions regarding keys (add key, delete key, properties, etc.) a user may perform by setting the user's administration rights. See the Administration Rights section for more information.

Restrict Access To
Defines the user list for a key. If the list is empty, then any user can access the key. If one or more users are added then ONLY they can access or administer the key.

Minimum Admin Level Required
You can specify the minimum admin level required to access a key. This parameter is enforced in ADDITION to the restricted user list. If you add a user to the user list and also set an admin level, then if the user does not match or exceed the level they will not be able to access the key. For more information on admin levels see the Administration Rights section.
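The Key Configuration Options above combine several independent rules: the enabled flag and expiry date, the restricted user list (empty means any authenticated user, non-empty means only those listed, even excluding high-level administrators), the minimum admin level enforced in addition to the list, and the local cache that is wiped after a set number of days of disconnection. The following added example, not from the guide or McAfee's code, puts those rules into one decision function so the interactions are visible; the KeyPolicy and User classes, the function names and the sample key are constructed assumptions, not the product's API.

```python
"""Worked model of the key access rules described above: Key is Enabled,
Expiry, Restrict Access To, Minimum Admin Level Required, and local caching
with Remove from cache after.

Added example, not part of the Administration Guide and not McAfee's code. The
KeyPolicy and User classes, decide_key_access and the sample values are
assumptions that model the prose rules, not the product's API.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set, Tuple


@dataclass
class KeyPolicy:
    name: str
    enabled: bool = True                       # "Key is Enabled"
    expires: Optional[date] = None             # "Expiry": valid until this date inclusive
    restrict_to: Set[str] = field(default_factory=set)  # empty = any authenticated user
    min_admin_level: int = 0                   # enforced in ADDITION to restrict_to
    cacheable: bool = False                    # "Allow keys to be cached locally"
    cache_days: Optional[int] = None           # "Remove from cache after" N days offline


@dataclass
class User:
    user_id: str
    admin_level: int


def key_available_to(key: KeyPolicy, user: User, today: date) -> Tuple[bool, str]:
    """Key Server decision: may this authenticated user obtain or administer the key?"""
    if not key.enabled:
        return False, "key is disabled"
    if key.expires is not None and today > key.expires:
        return False, "key has expired"
    if key.restrict_to and user.user_id not in key.restrict_to:
        return False, "user is not in the key's restricted user list"
    if user.admin_level < key.min_admin_level:
        return False, "admin level below the key's minimum"
    return True, "ok"


def decide_key_access(key: KeyPolicy, user: User, today: date,
                      key_server_online: bool,
                      last_validated: Optional[date] = None) -> Tuple[bool, str]:
    """Client-side flow: a fresh copy from the Key Server when it is reachable,
    otherwise the local cache, which is wiped after cache_days of disconnection.

    last_validated is the date the user last obtained this key from the Key
    Server (None = nothing cached). Returns (granted, reason).
    """
    if key_server_online:
        return key_available_to(key, user, today)
    if not key.cacheable or last_validated is None:
        return False, "Key Server unreachable and no cached copy"
    if key.cache_days is not None and today - last_validated > timedelta(days=key.cache_days):
        return False, "cached copy wiped after %d days of disconnection" % key.cache_days
    return True, "ok (from local cache)"


# Constructed sample: a payroll key restricted to one user at level 20 or above,
# cacheable for at most a week of disconnection.
PAYROLL_KEY = KeyPolicy("Payroll", expires=date(2010, 12, 31), restrict_to={"hr_admin"},
                        min_admin_level=20, cacheable=True, cache_days=7)


if __name__ == "__main__":
    hr = User("hr_admin", 20)
    print(key_available_to(PAYROLL_KEY, hr, date(2010, 6, 1)))
    print(key_available_to(PAYROLL_KEY, User("root", 32), date(2010, 6, 1)))
    print(decide_key_access(PAYROLL_KEY, hr, date(2010, 6, 20), False, date(2010, 6, 5)))
```

The second print shows the point the page makes about restricted lists: a level 32 administrator who is not on the list is refused even though their level exceeds the minimum, and the cache lifetime is what bounds how long such a change takes to reach an offline user.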

Policies
About Policies
Endpoint Encryption can manage other systems and applications from the main Administration console. Each additional application provides a Policy system which allows the parameters for the application to be defined; for example, the Endpoint Encryption for Files and Folders policy provider integrates into the Endpoint Encryption Database, and allows you to set the functions and parameters for the Endpoint Encryption for Files and Folders system. You can assign policies to most kinds of Endpoint Encryption-supported object, such as users, machines, PDAs, etc., wherever appropriate for the individual policy type. You can assign policies both to individual objects (such as users) and to groups of objects (such as groups of machines).

Policy Administration Functions


Add Policy
You can create any number of policies of each type. You should create policies to fulfill an organizational or functional need, for example a policy for a role within your organization, such as Management Team. To create a new policy:

1. Navigate to the Policies tab of the object tree.
2. Find the Policy provider you want to create a new policy for, for example Endpoint Encryption for Files and Folders Policies.
3. Double-click it to expand its groups.
4. Either open an existing group, or create a new group by right-clicking the top node and selecting Create Policy Group.
5. From the open group window, right-click and select Add.
6. Enter the name for the new policy, and select OK.

Rename Policy
Changes the name of the policy. This does not affect the association of the policy to other objects.


Delete Policy
If you delete a policy, all users of that policy will receive the Default policy instead the next time they update. To delete a policy:

1. Find the policy from the Policies tab of the object tree.
2. Right-click the policy and select Delete.

Create Installation Set


For some policy types you can create an installation set directly from the Endpoint Encryption database for that application; for example, to install Endpoint Encryption you can create an Install EXE direct from the policy object.

Reset to Group Configuration


Resets the properties in the selected policy to those of its group.

Create Copy
Creates a copy of a policy object based on the selected one.

Properties
Opens the properties of the selected group or object. For more information, see the Endpoint Encryption for Files and Folders Administration Guide.

Assigning a policy object to a user


1. Open the user's Properties window.
2. Move to the Policies properties type in the properties list.
3. Click the Add button.
4. Select the policy you want to associate with that user.
5. Click Ok.

You can normally only assign one policy of each type to any particular object, for example one Endpoint Encryption for Files and Folders policy, per user.

Assigning a policy object to a machine


1. Open the machine Properties window.
2. Move to the Policies properties type in the properties list.
3. Click the Add button.
4. Select the policy you want to associate with that machine.
5. Click Ok.

You can normally only assign one policy of each type to any particular object, for example one Asset policy per machine.

Endpoint Encryption Connector Manager


The Connector Manager is responsible for managing the correlation of information between the Endpoint Encryption Object Directory and another data source. This remote source may be another Object Directory, or may be some disparate system (for example an X500 directory over LDAP, or an NT Domain). The Connector Manager is a set of customizable routines that can be used to quickly implement the desired synchronization functions.

Figure 22. Connector Manager

The Connector Manager tools are supplied pre-configured to synchronize the Endpoint Encryption directory with alternate systems such as NT Domains, Active Directory, and Novell Netware NDS as a uni-directional process. Support for alternate data stores is implemented on a customer basis. To discuss synchronization with other data stores please contact your McAfee representative.

Adding and Removing Connector Instances


You can add connectors to the Manager Tree simply by right-clicking the root node (Endpoint Encryption Connector Manager).

Add Connector
Creates a new connector instance. You can select from the available connector types, and give the connector a unique name.



Delete Connector
Deletes the selected connector from the tree. Any connected users will become orphaned, unconnected to any alternate system.

Rename Connector
You can rename a connector to a more descriptive name.

Service Mode
The Connector Manager uses the Windows Scheduled Task Service to run individual connectors at preset times and intervals. This happens automatically; you do not need to run a special version of the connector manager. Scheduled tasks are enabled from the moment they are created.

Schedule and Log
Each connector has a schedule and log controlled through the Connector Manager. You can add periodic events to the schedule to control when each connector performs its activity. You can also set repeat intervals for the tasks. To set the schedule for a connector, or change its log settings, simply click its name in the connector tree. The activity of the connector is logged centrally to the Connector Manager. You can also specify that the log should be appended to a file as it is created.

Running Connectors Interactively
You can run a connector interactively from the Run now tab. The connector will output a progress log of its activities.

Error Messages
For information on error messages generated by the Connector Manager, or one of its connectors, please see the Error Messages chapter.

NT Connector (NTCon)
The NT connector is designed to populate the Endpoint Encryption user list from an existing NT Domain. By specifying a server to synchronize with, the connector mines the domain user list, creating Endpoint Encryption user accounts for those domain users not found. If a domain user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. The NT Connector needs to be run on either an NT4.0 Domain Server, or a Windows 2000 server / workstation, and needs access to the Endpoint Encryption Object Directory.

Summary of connected attributes


Domain user name
Used to create new Endpoint Encryption users. Also used in the Endpoint Encryption user-binding tab to maintain a connection to the domain user. If the domain user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box.

WARNING: If you delete an Endpoint Encryption user account, no files protected by only that Endpoint Encryption user ID will be recoverable. We recommend you disable users only, and delete them manually.

Domain User Status
The Endpoint Encryption user status mirrors the domain user status, either enabled or disabled.

Domain User Logon Hours
The Endpoint Encryption user logon hours are set to match the domain user's.

Password Change
The ability to change the password is reflected in the Endpoint Encryption user account.

Full name
The domain user full name field is placed in the Endpoint Encryption user's field list.

Description
The domain user description is placed in the Endpoint Encryption user's field list.

Valid until
The expiry date of the domain account is placed in the Endpoint Encryption user valid until field.

Group Membership
On creation, logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all).

General Options
NT Server
Specify the server you want to obtain the user list from. You can use the local machine, or specify a domain server. Click the Servers button to obtain a list of machines accessible from this station.

Disable Users Only
If a user is deleted from the domain, their matched Endpoint Encryption account can be either deleted or disabled.

WARNING: If you delete an Endpoint Encryption user account, no files protected by only that Endpoint Encryption user id will be recoverable. We recommend you disable users only, and delete them manually.

Use Configuration Checksum
The connector can store a checksum of the domain configuration in the domain user comment. This removes the need to read the entire configuration each time a sync on the user occurs. To use this option you need to run the connector on a primary or backup domain controller; you cannot use this option on a remote server.

Throttling
You can specify a delay between checking each user account to make the synchronization process more network-friendly.

NOTE: The domain password for a user account is not available to Endpoint Encryption, so each new user is created with the default password of 12345. Until the user's first logon forces a change, the account is protected only by that published default, so you should ensure that all Endpoint Encryption groups which receive new users from the NT Connector have the Change Password If Default attribute set.

Group Mappings
To ease the configuration of many synchronized domain users, you can map them to different Endpoint Encryption user groups based on their domain membership. As each domain account is checked, the NT Group Name fields are compared with the domain user's memberships. The first match found causes NT Connector to create the user in the specified Endpoint Encryption user group. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a domain user list into Endpoint Encryption and have minimal configuration work left. For example, if the following group mappings were specified:

NT group name      Endpoint Encryption group name
Domain Admins      NT Domain Admins
Domain Guests      NT Domain Guests
Sales              NT Domain Sales
Domain Users       NT Domain Users

A domain user with memberships of Domain Admins and Sales would be placed in the Endpoint Encryption user group NT Domain Admins. A user with memberships of Domain Users and Sales would be placed in NT Domain Sales, because Sales is listed before Domain Users; the order of the mappings therefore matters. If you clear the Add user to default group tick box, and the NT user being checked does not belong to any of the specified groups, the user is not synchronized into the Endpoint Encryption directory.

User Information
You can specify which Endpoint Encryption information fields receive information from the domain account comment and description. You can also select the default behavior when new users are created.


LDAP Connector (LDAPCon)



LDAPCon is an optional connector designed to populate the Endpoint Encryption user list from an existing directory server supporting LDAP protocol versions 1 to 3. By specifying the directory to synchronize with, the connector mines the directory, creating Endpoint Encryption user accounts for directory users who meet certain pre-defined criteria. For information on purchasing these connectors please contact your McAfee representative.

If a directory user account is deleted or disabled, the connector makes the corresponding change to the Endpoint Encryption user account for that user. You can also globally disable users based on any attribute using the Excluded Users function.

The v4.2.12 and later versions of the LDAP Connector can also use certificates stored in the directory to create users who can log on to Endpoint Encryption applications using smart cards and eTokens. These crypt-only tokens do not have to be initialized for use with Endpoint Encryption, as the PKI certificates stored on them can be used without any initialization.

LDAPCon can run on Windows 2000, XP and Vista. It requires network access to both an Endpoint Encryption Server and the directory server itself.

Summary of connected attributes


User name
Used to create new Endpoint Encryption users. Various directory attributes can be used to create the Endpoint Encryption user name. If the user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box.

WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint Encryption user's key will be recoverable. We recommend you disable users only, and delete them manually.

User Status
The Endpoint Encryption user status mirrors the directory user status: either enabled or disabled.

User Logon Hours
The Endpoint Encryption user logon hours are set to match the directory user's.

Password Change
The ability to change the password is reflected in the Endpoint Encryption user account.

Information Fields
Up to 10 fields of information from the directory can be placed in the Endpoint Encryption user's field list.

Valid until
The expiry date of the directory account is placed in the Endpoint Encryption user Valid Until field.

Group Membership
Logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all). Also, if certain changes happen to the directory user, their Endpoint Encryption group can be set to change accordingly.

General Options
Connection Details
Connection Name
A text description for this instance of the connector.

Host
The IP address or DNS name of the directory server you wish to connect to.

Port
The TCP/IP port that the target directory is publishing on. This is usually 389, or 636 for secure connections. Without a secure connection, the simple bind on port 389 sends the User DN password across the network in clear text.

Protocol Version
The LDAP protocol version your directory supports; this is usually version 3.

Use Secure Connection
Specifies an SSL/TLS-protected connection and changes the port number to 636 (this is configurable). You may need a secure connection to get full access to the directory. The Certificate... button becomes active: you can either browse and select the right certificate from the Microsoft certificate store, or point the connector to the appropriate .DER file obtained from your directory administrator. Certificates are issued to particular users; Microsoft has removed the ability to specify a separate user logon in this case, so both the encryption and the logon identity are determined by the certificate.

Anonymous Login
If your directory supports anonymous login, check this box; otherwise complete the Logon Credentials section.

User DN
Enter the full distinguished name of the administrator account the connector binds as.

Password
Enter and confirm the password for the account you specified in the User DN field.

Search Settings
Base DN
The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your directory if you need to limit the scope of the connector.

Object Filter
Enter an appropriate filter to restrict the connector's view of objects in the directory. The default filter:

    (&(objectClass=User)(!objectClass=Computer))

restricts the view to directory objects that are of class User and not of class Computer. (Strict RFC 4515 syntax writes the negation as (!(objectClass=Computer)); use that form if your directory rejects the shorter one.) If you only need to synchronize a small segment of users from your directory to Endpoint Encryption, you can specify a more detailed Object Filter; this makes the process more efficient by forcing the connector to look only at the users which interest it. For example, to restrict the connector's view to the members of one group (here CN=McAfee), you could use a query like:

    (&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))

Wherever you specify a search query, you must use the full parameters as accepted by the directory, so in the example above the memberOf value must match exactly what is shown on the user. You can use an LDAP browser to see the correct attribute details.

Timeout
Specify the connection timeout for your directory.

Entry Limit
Specify the maximum number of objects to synchronize; this setting is useful when you need to test the behavior of the connector. For production use, set it to 0 (unlimited). Some directory servers may not accept this parameter.

Referrals
If your directory uses referrals, you can enable this feature in the connector.

Search Depth
You can limit the scope of the connector by reducing the section of the directory that is searched for users.

Monitor Changes
If your directory supports change logging, you can enable monitoring to enhance the performance of the connector. This sets up an asynchronous search on the directory server which reports when entries are updated.

Search Groups
You can specify a list of DNs for group objects in your directory which contain members you wish to include in this connectors scope of operation. Search Groups takes precedence over the object filter specified in the Search Settings pane.

Attribute Types
Binary data attributes must be defined in this list before they can be used by the connector. You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant. For example, in the DN CN=McAfee,CN=COM,FN=Fred, if substring searching is enabled for DN, then CN=COM is a valid match.

Group Mappings
Group Mapping Information
To ease the configuration of many synchronized directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. As each directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per user causes LDAPCon to create or assign the user in the specified Endpoint Encryption user group. You can create new entries by double-clicking the table; by right-clicking an entry you can change its order, edit it, or delete it. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a directory user list into Endpoint Encryption and have minimal configuration work left. For example, if the following group mappings were specified:

Directory organizational unit (attribute value)   Endpoint Encryption group name   Directory service attribute
OU=R&D                                             R&D                              distinguishedName
OU=Sales                                           Sales                            distinguishedName
OU=Support                                         Techsup                          distinguishedName
OU=Management                                      MT                               distinguishedName

A directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales, as that clause comes first in the list. By specifying the No Mapping Exists behavior you can select one of four options:
1. Use a defined group.
2. Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).
3. Add the user to the default group.
4. Ignore, Remove, Disable or Recycle the user.

NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data. For information on this process, see Using Binary Data Attributes later in this chapter.

User Mapping
LDAPCon has the ability to map up to 10 fields of information from the directory into the Endpoint Encryption Directory. A typical use of this feature would be security question-and-answer sessions to aid validation of a remote user. To add a new entry, either double-click or right-click on the input table.



If the directory attributes mapped to these Endpoint Encryption fields change, the user's Endpoint Encryption account is updated accordingly.

New Users Password
When a new account is created in the Endpoint Encryption directory, the password is set to the option specified. If you set the account to a random password, the user will need to be recovered, or the account manually set to a known password, before the user can authenticate to Endpoint Encryption.

Removal Behavior
You can choose to remove users from Endpoint Encryption if their account is removed from the directory, to disable them only, or to ignore this event.

NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New Users Token
If you are using certificates, via for example Microsoft Certificate Server, you can allow your users to log in to Endpoint Encryption using their existing certificate token, for example an ActivCard, eToken, or Setec token. For information about the supported tokens please see the Tokens chapter of this guide. Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user.

Search Endpoint Encryption for User Binding
Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users is disabled, and the connector expects to find the users already present in the Endpoint Encryption directory. The connector searches for users with a binding which matches its identifier, and processes only those users. You can use the Search Endpoint Encryption option to process directories which contain a large population of uninteresting users. If you can pre-seed the Endpoint Encryption directory with the names of the users and appropriate binding information (for example using the scripting tool), you can greatly streamline the process.


User Attributes
The User Bindings tab is used to correlate the directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the directory is set up in a non-standard way.

Binding Attribute
The non-changing unique identifier for the user. This should be an item that is unique for that user, and unlikely to change for the life of the account despite changes in surname or group membership.

Endpoint Encryption User name
An attribute used to create the Endpoint Encryption user name.

NOTE: Endpoint Encryption user ids are limited to 256 characters; you should not use an attribute that is likely to exceed this length.

Change Attribute
The directory attribute containing the account change stamp.

Logon Hours
The directory attribute containing the User Logon Hours information.

Account Control
The directory attribute containing the user account disabled/enabled information.

Account Expires
The directory attribute containing the account expiry date.

Delay between each user
You can limit the bandwidth that this connector consumes by putting a delay between each user synchronization.

Excluded Users
You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process. You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users.

Revocation Check
If you are using certificates to authenticate your users, you can enable revocation checking to ensure that if certificates are revoked, the user is denied access to Endpoint Encryption. Specify the appropriate LDAP parameters for your published revocation list, and the behavior the connector should follow when revoking users.

Using Binary Data Attributes


In some circumstances you may want to use binary attributes to perform matching and group associations in LDAPCon. The values for such attributes cannot be entered directly into the connector fields; they must be entered as escaped sequences. To determine what values to add, use your LDAP browser to view the data in the directory. In a typical Active Directory schema, for example, the attributes objectGUID and objectSid are binary attributes. If you wanted to manually link an existing Endpoint Encryption user to a directory user via their objectGUID, you would need to set the binding attribute to objectGUID in the Endpoint Encryption user's User Bindings properties, add a binding to LDAPConnector.username in their Endpoint Encryption profile which matches the escaped attribute value, and also define the attribute objectGUID as a binary data type in the Attribute Types list in General Options.

Figure 1523. Connector Binding with Escaped Value

LDAP Browser from Softerra


When configuring LDAPCon, it is highly desirable to view the directory in its unadulterated, raw LDAP state. To do this we strongly recommend the free tool LDAP Browser from Softerra (http://www.ldapbrowser.com). This tool may be found on your Endpoint Encryption CD, or included on the Endpoint Encryption Enterprise CD in the Tools directory.


Connecting to your Directory using LDAP Browser


To connect LDAP Browser to your directory, you will need to know its IP address or DNS name, and have a valid administrative account to access the data with. Create a new entry in LDAP Browser for your directory server; you may not need to enter a Base DN, but you will need the full distinguished name of your administration account. Once you have successfully connected to your directory, you can start browsing the information to check the appropriate fields to use for LDAPCon.

Choosing the correct fields for Synchronization


The exact settings used in any particular installation of LDAPCon are particular to that installation; in most cases the default settings are appropriate for general use, although some customization can be performed, especially for custom user-to-group mapping and custom exclusion of users. Looking at a typical user entry in the browser, you will see multiple objectClass values; these could be used to decide the mapping to Endpoint Encryption groups (by using the Group Information fields). Any of the attributes cn, givenName or sn could be used to populate the Endpoint Encryption user name, although some of these may result in collisions with other similarly named users. Attributes such as groupMembership or securityEquals could also be used to map a user to a group, or to exclude a particular user from the synchronization process.

NOTE: The distinguishedName attribute is treated as a special case when matching values: any fragment of the value can be matched. All other attributes are matched on their entire value. This attribute may not be displayed in a browser window, but exists internally.


Active Directory Connector (ADCon)



ADCon is an optional connector designed to populate the Endpoint Encryption user list from an existing Microsoft Active Directory. By specifying an Active Directory to synchronize with, the connector mines the directory, creating Endpoint Encryption user accounts for Active Directory users who meet certain pre-defined criteria, and continuously updating their policy to match that stored in the AD. For information on purchasing ADCon please contact your McAfee representative.

If an Active Directory user account is deleted or disabled, the connector makes the corresponding change to the Endpoint Encryption user account for that user. You can also globally disable users based on any attribute using the Excluded Users function.

The v4.2.12 and later versions of the Active Directory Connector can also use certificates stored in the AD to create users who can log on to Endpoint Encryption applications using smart cards and eTokens. These crypt-only tokens do not have to be initialized for use with Endpoint Encryption, as the PKI certificates stored on them can be used without any initialization.

ADCon can run on Windows 2000, XP and Vista. It requires network access to both an Endpoint Encryption Server and the Active Directory itself.

Summary of connected attributes


Active Directory User name
Used to create new Endpoint Encryption users. Various Active Directory attributes can be used to create the Endpoint Encryption user name. If the Active Directory user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box.

WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint Encryption user's key will be recoverable. We recommend you disable users only, and delete them manually.

Active Directory User Status
The Endpoint Encryption user status mirrors the Active Directory user status: either enabled or disabled.

Active Directory User Logon Hours
The Endpoint Encryption user logon hours are set to match the Active Directory user's.

Password Change
The ability to change the password is reflected in the Endpoint Encryption user account.

Information Fields
Up to 10 fields of information from the Active Directory can be placed in the Endpoint Encryption user's field list.

Valid until
The expiry date of the Active Directory account is placed in the Endpoint Encryption user Valid Until field.

Group Membership
Logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all). Also, if certain changes happen to the Active Directory user, their Endpoint Encryption group can be set to change accordingly.

General Options
Connection Details
Connection Name
A text description for this instance of the connector.

Host
The IP address or DNS name of the Active Directory server you wish to connect to.

Port
The TCP/IP port that the target Active Directory is publishing on. This is usually 389.

Protocol Version
The LDAP protocol version your Active Directory supports; this is usually version 3.

Use Secure Connection
This option allows you to specify a secure connection. It will change the port number to 636 (this is configurable). Without it, the simple bind on port 389 sends the User DN password across the network in clear text.

Anonymous Login
If your Active Directory supports anonymous login, check this box; otherwise complete the Logon Credentials section. The account you use to authenticate to the AD must have full view access to the complete set of user attributes you want to synchronize.

User DN
Enter the full distinguished name of the AD administrator account, or of the account you intend to use the connector with. You can find this by contacting your AD administrator. You can also specify the user name in a fully qualified AD format, for example someone@somewhere.com.

Password
Enter and confirm the password for the account you specified in the User DN field.

Search Settings
Search Settings define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later in this chapter. You can also use Search Groups to define which users the connector processes; for more information, see the next section.

NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence.

Base DN
The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your Active Directory if you need to limit the scope of the connector.

Object Filter
Enter an appropriate filter to restrict the connector's view of objects in the directory. The default filter:

    (&(objectClass=User)(!objectClass=Computer))

restricts the view to directory objects that are of class User and not of class Computer. (Strict RFC 4515 syntax writes the negation as (!(objectClass=Computer)); use that form if the directory rejects the shorter one.) If you only need to synchronize a small segment of users from the AD to Endpoint Encryption, you can specify a more detailed Object Filter; this makes the process more efficient by forcing the connector to look only at the users which interest it. For example, to restrict the connector's view to the members of one group (here CN=McAfee), you could use a query like:

    (&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))

Wherever you specify a search query, you must use the full parameters as accepted by the AD, so in the example above the memberOf value must match exactly what is shown on the user. You can use an LDAP browser to see the correct attribute details.

Timeout
Specify the connection timeout for your Active Directory.

Entry Limit
Specify the maximum number of objects to synchronize; this setting is useful when you need to test the behavior of the connector. For production use, set it to 0 (unlimited). Some versions of Active Directory may not accept this parameter.

Referrals
If your Active Directory uses referrals, you can enable this feature in the connector.

Search Depth
You can limit the scope of the connector by reducing the section of the directory that is searched for users.

Monitor Changes
If your Active Directory supports change logging, you can enable monitoring to enhance the performance of the connector. This sets up an asynchronous search on the Active Directory server which reports when entries are updated. The Active Directory search monitoring cannot take account of complex Object Filters; if you need to specify more criteria than the default to prevent the monitor returning unwanted users, you can edit the Connector Manager settings file manually, adding entries in the following section:

    UserValid0.DSAttrib=objectClass
    UserValidity0.AttribVal=user
    UserValid1.DSAttrib=objectCategory
    UserValidity1.AttribVal=CN=Person
    UserValid2.DSAttrib=memberOf
    UserValidity2.AttribVal='full memberOf attribute'
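Both the LDAP and AD connectors take this Object Filter syntax, and the change monitor's UserValid entries above are a flat conjunction of attribute checks. The following Python is an added example, not part of the product or this guide: it parses the filter subset the page uses (&, !, attr=value, accepting the page's (!objectClass=Computer) form as well as strict RFC 4515 (!(objectClass=Computer))), evaluates it against a constructed in-memory set of directory entries, and applies the UserValid rules the same way. All DNs, group names and entries are invented; in a real deployment the values must be whatever the directory returns.

```python
"""Evaluate connector-style LDAP Object Filters against in-memory entries.
Added example, not code from McAfee or the Endpoint Encryption product;
every DN, group name and entry below is constructed for illustration."""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute name -> list of string values


def _norm(s: str) -> str:
    # objectClass, objectCategory and memberOf match case-insensitively.
    return " ".join(s.split()).lower()


def parse_filter(text: str):
    """Parse a subset of RFC 4515 (&, !, attr=value) into a tuple tree.
    The page's default filter writes the negation as (!objectClass=Computer);
    strict RFC 4515 requires (!(objectClass=Computer)). Both are accepted."""
    pos = 0

    def peek() -> str:
        return text[pos] if pos < len(text) else ""

    def expect(ch: str) -> None:
        nonlocal pos
        if peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def simple():
        # attr=value up to ')'; split on the FIRST '=' so DN-valued
        # attributes such as memberOf=CN=...,DC=... survive intact.
        nonlocal pos
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, val = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad filter item near offset {pos}")
        pos = end
        return ("=", attr.strip(), val)

    def node():
        nonlocal pos
        expect("(")
        op = peek()
        if op == "&":
            pos += 1
            kids = []
            while peek() == "(":
                kids.append(node())
            expect(")")
            return ("&", kids)
        if op == "!":
            pos += 1
            kid = node() if peek() == "(" else simple()
            expect(")")
            return ("!", [kid])
        item = simple()
        expect(")")
        return item

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter tree against one entry."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = [v for k, vs in entry.items() if _norm(k) == _norm(attr) for v in vs]
    return any(_norm(v) == _norm(val) for v in values)


def select(filter_text: str, entries: Dict[str, Entry]) -> List[str]:
    """Names of the entries the connector would see with this Object Filter."""
    tree = parse_filter(filter_text)
    return sorted(n for n, e in entries.items() if matches(tree, e))


def monitor_valid(entry: Entry, rules: List[Tuple[str, str]]) -> bool:
    """UserValidN.DSAttrib / UserValidityN.AttribVal pairs applied as a
    conjunction of exact checks; memberOf needs the full group DN."""
    return all(matches(("=", a, v), entry) for a, v in rules)


# Constructed sample directory. A real AD returns objectCategory as a full
# schema DN; a rule value must match whatever the directory actually returns.
SAMPLE: Dict[str, Entry] = {
    "alice": {"objectClass": ["top", "person", "user"], "objectCategory": ["CN=Person"],
              "memberOf": ["CN=McAfee,OU=Uk,DC=cbi,DC=com", "CN=Sales,OU=Uk,DC=cbi,DC=com"]},
    "bob": {"objectClass": ["top", "person", "user"], "objectCategory": ["CN=Person"]},
    # Computer accounts are also objectClass=user, hence the negated clause.
    "ws01$": {"objectClass": ["top", "user", "computer"], "objectCategory": ["CN=Computer"]},
}
DEFAULT_FILTER = "(&(objectClass=User)(!objectClass=Computer))"
STRICT_DEFAULT = "(&(objectClass=user)(!(objectClass=computer)))"
GROUP_FILTER = ("(&(objectClass=user)(!objectClass=computer)"
                "(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))")
MONITOR_RULES = [("objectClass", "user"), ("objectCategory", "CN=Person"),
                 ("memberOf", "CN=McAfee,OU=Uk,DC=cbi,DC=com")]
```

With the sample data, select(DEFAULT_FILTER, SAMPLE) returns alice and bob but not the computer account, select(GROUP_FILTER, SAMPLE) returns only alice, and the same single user passes MONITOR_RULES; if the memberOf value in a rule or filter differs from the directory's copy by even a missing component, the user silently drops out of scope, which is why the page tells you to copy it from an LDAP browser.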


Search Groups
Search Groups define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later in this chapter. You can also use Search Settings to define which users the connector processes; for more information, see the previous section.

NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence.

With Search Groups you can specify the DNs of a list of group objects from your AD. The connector will then retrieve all the members from the specified groups (and any groups nested within them), then individually process the derived user list. This method can be more efficient than the Search Settings method if the population of users to be synchronized is defined in a small number of groups. If the users can be identified through another attribute, or are all within certain OUs, Search Settings may be more appropriate.

NOTE: Search Groups can only be used with true LDAP groups (i.e. objects containing members). You cannot use this method with OUs.
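As an added illustration (not product code), the Python below derives the user list the way Search Groups is described to: it expands the members of the named group DNs, follows nested groups, guards against group cycles (which AD permits), skips dangling member references, and refuses a DN that is not a group object, such as an OU. The directory content and all DNs are constructed; a real connector would read the member attribute over LDAP.

```python
"""Derive the user list from Search Groups: expand group members, follow
nested groups, stop on cycles and reject non-group DNs.
Added example, not McAfee code; the directory content is constructed."""
from typing import Dict, Iterable, List

# Constructed directory: DN -> entry. Only group objects carry 'member'.
DIRECTORY: Dict[str, dict] = {
    "CN=Laptops,OU=Groups,DC=cbi,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Sales,OU=Groups,DC=cbi,DC=com",
                   "CN=Alice,OU=Users,DC=cbi,DC=com"]},
    "CN=Sales,OU=Groups,DC=cbi,DC=com": {
        "objectClass": ["group"],
        # Sales nests Laptops again (a cycle) and lists a DN that no longer
        # exists (a dangling reference); both occur in real directories.
        "member": ["CN=Bob,OU=Users,DC=cbi,DC=com",
                   "CN=Laptops,OU=Groups,DC=cbi,DC=com",
                   "CN=Gone,OU=Users,DC=cbi,DC=com"]},
    "CN=Alice,OU=Users,DC=cbi,DC=com": {"objectClass": ["user"]},
    "CN=Bob,OU=Users,DC=cbi,DC=com": {"objectClass": ["user"]},
    "CN=Carol,OU=Users,DC=cbi,DC=com": {"objectClass": ["user"]},
    "OU=Users,DC=cbi,DC=com": {"objectClass": ["organizationalUnit"]},
}


def is_group(entry: dict) -> bool:
    return "group" in (c.lower() for c in entry.get("objectClass", []))


def expand_search_groups(group_dns: Iterable[str],
                         directory: Dict[str, dict]) -> List[str]:
    """Return the sorted user DNs reachable from group_dns.
    Nested groups are followed; a visited set (DNs compared
    case-insensitively) stops cycles. A DN that is not a group object,
    such as an OU, raises ValueError, matching the page's note that
    Search Groups works only with true LDAP groups."""
    stack = list(group_dns)
    for dn in stack:
        ent = directory.get(dn)
        if ent is None or not is_group(ent):
            raise ValueError(f"{dn} is not an LDAP group object")
    users, seen = set(), set()
    while stack:
        dn = stack.pop()
        if dn.lower() in seen:
            continue
        seen.add(dn.lower())
        for member in directory.get(dn, {}).get("member", []):
            ent = directory.get(member)
            if ent is None:
                continue                 # dangling member reference: skip it
            if is_group(ent):
                stack.append(member)     # nested group: expand it too
            else:
                users.add(member)
    return sorted(users)
```

Starting from CN=Laptops yields Alice (direct member) and Bob (via the nested Sales group) and nothing else; Carol, who is in no listed group, is never synchronized, and passing the OU raises rather than silently returning an empty list.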

Attribute Types
Binary data attributes must be defined in this list before they can be used by the AD connector. You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant. For example, in the DN CN=McAfee,CN=COM,FN=Fred, if substring searching is enabled for DN, then CN=COM is a valid match.

Group Mapping
Group Information
To ease the configuration of many synchronized Active Directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. As each Active Directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per user causes ADCon to create or assign the user in the specified Endpoint Encryption user group. You can create new entries by double-clicking the table; by right-clicking an entry you can change its order, edit it, or delete it. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize an Active Directory user list into Endpoint Encryption and have minimal configuration work left. For example, if the following group mappings were specified:

Active Directory organizational unit (attribute value)   Endpoint Encryption group name   Directory service attribute
OU=R&D                                                    R&D                              distinguishedName
OU=Sales                                                  Sales                            distinguishedName
OU=Support                                                Techsup                          distinguishedName
OU=Management                                             MT                               distinguishedName

An Active Directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales, as that clause comes first in the list. You can use any attribute of the user to map, for example their DN or a group membership. By specifying the No Mapping Exists behavior you can select one of four options:
1. Use a defined group.
2. Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).
3. Add the user to the default group.
4. Ignore, Remove, Disable or Recycle the user.

NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data; see Using Binary Data Attributes later in this chapter.
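The first-match rule, the distinguishedName fragment matching and the No Mapping Exists behaviours are the same in the NT, LDAP and AD connector sections above. The following Python is an added example, not McAfee code, that applies a mapping table in order to constructed user entries: the page's OU table (distinguishedName matched on any fragment) and the NT connector's membership table (held here in an invented groups attribute, matched on its whole value). It also shows a pitfall of fragment matching, where OU=Sales also matches OU=SalesOps unless the match value includes the trailing comma. The Auto- prefix used for the generated group name is an assumption.

```python
"""First-match group mapping as the NT, LDAP and AD connectors apply it.
Added example, not McAfee code; users, DNs and group names are constructed."""
from typing import Dict, List, Optional, Sequence, Tuple

Entry = Dict[str, List[str]]
Rule = Tuple[str, str, str]              # (directory attribute, value, EE group)
SUBSTRING_ATTRS = {"distinguishedname"}  # DN matches on any fragment by default


def attr_matches(attr: str, wanted: str, values: Sequence[str],
                 substring_attrs=SUBSTRING_ATTRS) -> bool:
    """distinguishedName (and any attribute listed for substring search under
    Attribute Types) matches on any fragment; every other attribute must equal
    its whole value. Comparison is case-insensitive either way."""
    w = wanted.lower()
    fragment = attr.lower() in {a.lower() for a in substring_attrs}
    return any((w in v.lower()) if fragment else (v.lower() == w) for v in values)


def map_group(entry: Entry, table: Sequence[Rule], no_mapping: str = "default",
              default_group: str = "Default Users",
              name_attr: str = "distinguishedName",
              substring_attrs=SUBSTRING_ATTRS) -> Optional[str]:
    """Walk the table in order; the first matching row wins. When no row
    matches, no_mapping selects the No Mapping Exists behaviour:
    'default' adds the user to default_group, 'derive' generates a group
    name from name_attr (the Auto- prefix is an assumption), and 'ignore'
    returns None, meaning the user is not synchronised."""
    lookup = {k.lower(): v for k, v in entry.items()}
    for attr, wanted, group in table:
        if attr_matches(attr, wanted, lookup.get(attr.lower(), []), substring_attrs):
            return group
    if no_mapping == "default":
        return default_group
    if no_mapping == "derive":
        vals = lookup.get(name_attr.lower(), [])
        return f"Auto-{vals[0]}" if vals else None
    return None


# The page's LDAP/AD table, plus a variant that anchors each value on the
# trailing comma so OU=Sales cannot also match OU=SalesOps.
OU_TABLE: List[Rule] = [("distinguishedName", "OU=R&D", "R&D"),
                        ("distinguishedName", "OU=Sales", "Sales"),
                        ("distinguishedName", "OU=Support", "Techsup"),
                        ("distinguishedName", "OU=Management", "MT")]
TIGHT_TABLE: List[Rule] = [(a, v + ",", g) for a, v, g in OU_TABLE]

# The page's NT table. NT group names live in a constructed 'groups'
# attribute, which is matched on its whole value (not a substring attribute).
NT_TABLE: List[Rule] = [("groups", "Domain Admins", "NT Domain Admins"),
                        ("groups", "Domain Guests", "NT Domain Guests"),
                        ("groups", "Sales", "NT Domain Sales"),
                        ("groups", "Domain Users", "NT Domain Users")]

USERS: Dict[str, Entry] = {
    # In both the Support and Sales OUs: Sales wins because it is listed first.
    "dave": {"distinguishedName": ["CN=Dave,OU=Support,OU=Sales,DC=cbi,DC=com"]},
    # Fragment matching also hits OU=SalesOps; TIGHT_TABLE avoids that.
    "frank": {"distinguishedName": ["CN=Frank,OU=SalesOps,DC=cbi,DC=com"]},
    "erin": {"distinguishedName": ["CN=Erin,OU=Finance,DC=cbi,DC=com"]},
    "nt_admin": {"groups": ["Domain Admins", "Sales", "Domain Users"]},
    "nt_sales": {"groups": ["Domain Users", "Sales"]},
    "nt_other": {"groups": ["Domain Users", "Sales Support"]},
}
```

Because a fragment match is a plain substring test, a mapping value such as OU=Sales silently captures every OU whose name merely begins with Sales; including the delimiter that follows the component in the directory's DN form, as TIGHT_TABLE does, keeps the match on the intended OU without changing anything else in the table.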


User Information
User Mapping
ADCon has the ability to map up to 10 fields of information from the Active Directory into the Endpoint Encryption Directory. A typical use of this feature would be security question-and-answer sessions to aid validation of a remote user. To add a new entry, either double-click or right-click on the input table. If the Active Directory attributes mapped to these Endpoint Encryption fields change, the user's Endpoint Encryption account is updated accordingly.

New Users Password
When a new account is created in the Endpoint Encryption directory, the password is set to the option specified. If you set the account to a random password, the user will need to be recovered, or the account manually set to a known password, before the user can authenticate to Endpoint Encryption.

Removal Behavior
You can choose to remove users from Endpoint Encryption if their account is removed from the Active Directory, to disable them only, or to ignore this event.

NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New Users Token
If you are using certificates, via for example Microsoft Certificate Server, you can allow your users to log in to Endpoint Encryption using their existing certificate token, for example an ActivCard, eToken, or Setec token. For information about the supported tokens please see the Tokens chapter of this guide. Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user.

Search Endpoint Encryption for User Binding
Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users is disabled, and the connector expects to find the users already present in the Endpoint Encryption directory. The connector searches for users with a binding which matches its identifier, and processes only those users. You can use the Search Endpoint Encryption option to process directories which contain a large population of uninteresting users. If you can pre-seed the Endpoint Encryption directory with the names of the users and appropriate binding information (for example using the scripting tool), you can greatly streamline the process.

User Attributes
The User Bindings tab is used to correlate the Active Directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the Active Directory is set up in a non-standard way.

Binding Attribute
The non-changing unique identifier for the user. This should be an item that is unique for that user, and unlikely to change for the life of the account despite changes in surname or group membership.

Endpoint Encryption User name
An attribute used to create the Endpoint Encryption user name.

NOTE: Endpoint Encryption user ids are limited to 256 characters; you should not use an attribute that is likely to exceed this length.

Change Attribute
The Active Directory attribute containing the account change stamp.

Logon Hours
The Active Directory attribute containing the User Logon Hours information.

Account Control
The Active Directory attribute containing the user account disabled/enabled information.

Account Expires
The Active Directory attribute containing the account expiry date.

Delay between each user
You can limit the bandwidth that this connector consumes by putting a delay between each user synchronization.

Excluded Users
You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process. You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users.


Revocation Check
If you are using certificates to authenticate your users, you can enable revocation checking to ensure that if certificates are revoked, the user is denied access to Endpoint Encryption. Specify the appropriate LDAP parameters for your published revocation list, and the behaviour the connector should follow when revoking users.

Using Binary Data Attributes


In some circumstances you may want to use binary attributes to perform matching and group associations in the ADCon. The values for such attributes cannot be directly entered into the connector fields; they must be entered as escaped sequences. To determine what values to add, use your LDAP Browser to view the data in the Active Directory. In this schema, the attributes objectGUID and objectSid are binary attributes. If you wanted to manually link an existing Endpoint Encryption user to this Active Directory user via their objectGUID, you would need to: assign the binding attribute to objectGUID in the Endpoint Encryption user's User Bindings properties; add a binding to ADConnector.username in their Endpoint Encryption profile which matches the escaped attribute value; and define the attribute objectGUID as a binary data type in the Attribute Types list in general options.
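As an added illustration (not part of this guide's tooling, and not ADCon code), the following Python script produces the escaped form of binary objectGUID and objectSid values, and decodes them into the readable GUID and S-1-5-... forms an LDAP browser shows, so the two can be cross-checked before a binding is entered. The byte values are constructed samples; the SID layout follows the documented Windows SID structure, and the backslash-hex escaping follows the LDAP filter syntax (RFC 4515).

```python
"""
Escaping binary Active Directory attributes (objectGUID, objectSid) into the
form used in LDAP filters and ADCon binding values.

Added example for this guide; it is not ADCon code. The byte strings below
are constructed sample values, not real directory data.
"""
import struct
import uuid


def ldap_escape_binary(data: bytes) -> str:
    """Render raw bytes as backslash-hex escapes (RFC 4515 filter syntax),
    e.g. b'\\x01\\x05' -> r'\\01\\05'. Hex digit case is not significant."""
    return "".join("\\%02x" % b for b in data)


def ldap_unescape_binary(text: str) -> bytes:
    """Inverse of ldap_escape_binary for a string made only of \\XX groups."""
    if len(text) % 3 != 0:
        raise ValueError("escaped value must consist of \\XX groups")
    out = bytearray()
    for i in range(0, len(text), 3):
        if text[i] != "\\":
            raise ValueError("expected backslash at offset %d" % i)
        out.append(int(text[i + 1:i + 3], 16))
    return bytes(out)


def guid_to_string(data: bytes) -> str:
    """objectGUID is stored in the Windows GUID layout (first three fields
    little-endian), which uuid.UUID(bytes_le=...) understands."""
    if len(data) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=data))


def sid_to_string(data: bytes) -> str:
    """Decode a binary objectSid into the S-1-5-21-... form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes big-endian), then count x 4-byte little-endian values."""
    if len(data) < 8:
        raise ValueError("objectSid too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


# Constructed sample values (not taken from any real directory).
SAMPLE_GUID = bytes.fromhex("10325476" "98ba" "dcfe" "0123456789abcdef")
SAMPLE_SID = bytes.fromhex(
    "01"            # revision 1
    "05"            # five sub-authorities follow
    "000000000005"  # NT authority (5)
    "15000000"      # 21
    "78563412"      # 0x12345678 = 305419896
    "cdab0000"      # 0xabcd = 43981
    "00000100"      # 0x10000 = 65536
    "00020000"      # 512, the well-known Domain Admins RID
)


def binding_values(guid: bytes, sid: bytes) -> dict:
    """Escaped forms to paste into an ADCon binding, beside the readable forms
    an LDAP browser displays, so the two can be cross-checked."""
    return {
        "objectGUID": guid_to_string(guid),
        "objectGUID_escaped": ldap_escape_binary(guid),
        "objectSid": sid_to_string(sid),
        "objectSid_escaped": ldap_escape_binary(sid),
    }


if __name__ == "__main__":
    for key, value in binding_values(SAMPLE_GUID, SAMPLE_SID).items():
        print("%-20s %s" % (key, value))
```

Copy the escaped string exactly as produced; a single dropped byte changes the value and the binding will silently fail to match any user.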

LDAP Browser from Softerra


When configuring the ADCon, it is highly desirable to view the Active Directory in its unadulterated, raw, LDAP state. To do this we strongly recommend the free tool, LDAP Browser, from Softerra (http://www.ldapbrowser.com). This tool may be found on your ADCon CD, or included on the Endpoint Encryption Enterprise CD in the Tools directory.

Connecting to your Active Directory using LDAP Browser


To connect LDAP Browser to your Active Directory, you will need to know its IP address or DNS name, and have a valid administrative account to access the data with. Create a new entry in LDAP Browser; for Microsoft Active Directory, you may not need to enter a Base DN, but will need the full distinguished name for your administration account. Typical properties of an Active Directory connection are:

Once you have successfully connected to your Active Directory, you can start browsing the information to check the appropriate fields to use for the ADCon.


Choosing the correct fields for Synchronization

The exact settings used in any particular installation of ADCon are particular to each installation; in most cases the default settings are appropriate for general use, although some customization can be performed, especially when considering custom user to Endpoint Encryption group mapping, and custom exclusion of users. In the case of the user whose properties are listed above, it can be seen that there are multiple memberOf attributes; these could be used to make a decision on their mapping to Endpoint Encryption groups (by using the Group Information fields). Also, it can be seen that any of the attributes userPrincipalName, sn, sAMAccountName, name, givenName, or cn could be used to populate the Endpoint Encryption Username, although some of these may result in collisions with other similarly named users. Attributes such as memberOf or distinguishedName could also be used to map a user to a group, or to exclude a particular user from the synchronization process.

NOTE: the distinguishedName attribute is treated as a special case when matching values: any fragment of the value can be matched. All other attributes are matched on their entire value.


Endpoint Encryption webHelpdesk Server


Endpoint Encryption webHelpdesk Server allows Endpoint Encryption administrators and users to perform password reset functions (The Endpoint Encryption Challenge Response system) via a web interface.

About Endpoint Encryption HTTP Server

Figure 24. webHelpdesk/webRecovery

The normal recovery interface requires the administrator to have access to an Endpoint Encryption Manager console. In some environments this may not be practical; in this case the Endpoint Encryption webHelpdesk Server can be used to present the same recovery interface via a web browser.

webRecovery
A further enhancement available with the Endpoint Encryption webHelpdesk Server, is the ability for users to reset their own passwords - this is an optional service which allows, after pre-registering, users to drive the challenge/response system themselves simply by providing the correct answers to a selection of pre-registered questions.


Figure 25. webRecovery Registration Questions

The Endpoint Encryption webHelpdesk server is a dedicated SSL (Secure Sockets Layer) web server, customised to protect against known web server attacks. It is stand-alone and does not require Microsoft IIS, or any other web services, to be installed on the hosting computer.

Remote Password Change


As a final option, you can also change a user's password directly within the Endpoint Encryption database using the Reset Users Password option. This allows administrators to set new passwords for other administrators and users, without going through the recovery process.

Pre-Requisites
To install this component, you will need a pre-configured Endpoint Encryption Manager at version 4.2 or above. You can check the version of Endpoint Encryption you are using through Help/About/Modules. Endpoint Encryption HTTP Server is designed to function on Windows 2000/XP only and does not use any other internet services. We strongly advise that Microsoft IIS is not used on the same computer as an Endpoint Encryption Manager system or database, for security reasons.


Because Endpoint Encryption webHelpdesk Server uses HTTPS, you will need to provide it with a suitable SSL certificate. You can purchase one of these from Endpoint Encryption, or from other certificate vendors.

Password Expiration Warning


The Web Helpdesk administration and support passwords will not expire without a prior warning. The time of this warning can be set in the User Properties Passwords screen of the Endpoint Encryption Manager.


Activating Endpoint Encryption webHelpdesk

Once installed you can start the Endpoint Encryption webHelpdesk server from the services manager, or with the following command at a command prompt:

sbhttp -startservice

The service can be correspondingly stopped either using the system service manager, or with:

sbhttp -stopservice

The service will not start correctly until you have installed an SSL certificate.

Installing a SSL Certificate


You must install an SSL certificate before the server will run correctly. To do this use Microsoft's MMC console: Start > Run > MMC, and add a Certificates plugin for the Endpoint Encryption HTTP Server service on Local Computer. Import a Server Authentication certificate into the Personal certificate store for the service. If you are using an Endpoint Encryption certificate, you can also import the Endpoint Encryption root CA cert into the Trusted Root Certification Authorities store, either for the Endpoint Encryption service, Local Computer, or Local User.

1. Open the MMC Console: Start > Run > MMC.
2. Click File and then Add/Remove Snap-in.
3. Click Add from the Standalone tab.
4. Select Certificates from the Add Standalone Snap-in dialog. This will add the Certificates option to the Console. See screenshot overleaf.
5. Click the Endpoint Encryption HttpServer\Personal option and then select the Certificates folder inside it.
6. Right-click in the right hand pane and select All Tasks followed by Import.
7. Browse until you find the certificate files (*.cer, *.crt, *.pfx).
8. Click the Place all certificates in the following store option (Endpoint Encryption HttpServer\Personal).
9. Click Next followed by Finish to add the certificate.
10. Follow the same procedure for other certificates.


If the certificate you are using is allocated to the same machine name that you are running the server on, once you have installed it you can restart the service using one of the following commands or the system service manager:

net start "Endpoint Encryption HTTP Server"
sbhttp -startservice

If the certificate has a different name then the server will not start and will log a Certificate Not Found error. You can edit the section

[Configuration]
Server.Ssl.CertName=Name of the cert

in the file SBHTTP.ini to point to the machine name registered in the cert. Endpoint Encryption ships with an evaluation server certificate with the name 127.0.0.1.pfx and password 12345, which can be found in the Tools directory of your Endpoint Encryption CD. You can purchase a full cert from CBI, or use one from a third party certificate provider.

NOTE: if you use a mismatched site/machine/cert name, then users and administrators will be warned that the certificate is invalid every time they access the recovery web site.

Configuring the webHelpdesk Server


Once you have installed the program, added a certificate, and restarted the service, you can log on to the webHelpdesk server and configure it to talk to an Endpoint Encryption Object Directory, or edit SBHTTP.ini directly. The address is https://127.0.0.1 or https://<server DNS name>.

The server uses the same connection details as the Endpoint Encryption administrator; any connection type specified in the login box for Endpoint Encryption can be used. To configure the connection, click the Administrators section link and then click Configure Endpoint Encryption HTTP Server. You will need to login with a user id which has Endpoint Encryption Start Server as Service rights.


Figure 26. Configuring the Endpoint Encryption HTTP Server

Server Name
A logical name used to identify the server.

Port
The port the server should expose the interface on (usually 443).

Server Certificate Name
The machine name specified in the SSL certificate.

Log File
A path/name for the server diagnostic log.

Logon Timeout
A time (in minutes) to keep inactive Administrator connections authenticated for (usually 5 minutes).

WARNING: when you configure the webHelp server you will need to close the browser and restart the webRecovery server for the changes to take effect.


Configuring webRecovery

Figure 27. Configuring webRecovery

You configure the user webRecovery server via its web interface. You can specify a number of questions (1-10) to be registered, and the number to be answered to authenticate the user for self recovery. The questions can be changed by editing the SBWebRec.ini file. The user name and password you log in with to configure webRecovery are stored in sbwebrec.ini and used for future sessions.

NOTE: You must log in to webRecovery at least once to set up its initial parameters; if you do not, users will not be able to reset their password and will receive db010010 Object Not Found messages.

WARNING: when you configure the webHelp server you will need to close the browser and restart the webRecovery server for the changes to take effect.

Questions and Answers are stored as pairs in the user's Endpoint Encryption profile so you can safely change the questions at any time. This will not prevent users with out of date questions from recovering their password.


Recovering Users using webHelpdesk

Warning: webHelpdesk cannot be used for resetting or changing the PIN codes of smart cards.

With Challenge-Response
After navigating in to the helpdesk operators section of the web helpdesk, choosing either to reset an Endpoint Encryption, or a pocket Endpoint Encryption system, and logging in using their Endpoint Encryption id and password, the operator is presented with the webHelpDesk User Challenge screen.

Figure 28. webHelpdesk Challenge Screen

The helpdesk operator enters the challenge from the user's screen (the user reads it to the helpdesk operator over the telephone), and selects the action they want to perform, for example Reset Users Password, followed by the Next button.

Reset Users Password
Selecting this action will reset a user's forgotten password.

Unlock User
This option will unlock a user whose account has become locked.

Change Token
This option allows you to change the authentication token for the user. Choose from the drop down list.

4.2 SP1 + Create Token
This action allows you to create a token for version 4.2 of Endpoint Encryption (SafeBoot).

Boot Machine Once
This option will reboot the machine.

Cancel Screen Saver
This action will cancel the Endpoint Encryption screen saver.

Bypass Preboot Authentication
This action will skip the authentication option and log the user into Windows. The user can then change their Windows password and allow the synchronization and single-sign-on processes to follow through.

Figure 29. webHelpdesk response screen

If the challenge was entered correctly, a response page is displayed which gives the operator the correct recovery code to read out to the user, which will perform the selected operation (in this case, reset their password to 12345). The page also displays user information which can be used to check the authenticity of the user: the helpdesk operator can ask the user, e.g. "What is your mother's maiden name?", and then check the answer. Various Endpoint Encryption applications, such as Endpoint Encryption for Files and Folders, Endpoint Encryption for PC, etc. can be recovered using this system.

By Directly Changing their Password


From the main page, select the Reset Users Password button. You will then be forced to authenticate using your normal Endpoint Encryption administrator ID and Password. You will next be presented with a simple form which allows you to specify a user id, and their new password (and password confirmation). As long as the administrator performing the change has greater admin rights than the user being reset, the new password will be applied.

Figure 30. webRecovery Reset Password

User self recovery - webRecovery

Figure 31. webRecovery main screen

The webRecovery interface allows users to reset their own forgotten passwords for Endpoint Encryption on PCs once they have pre-registered with the service. Users register a variable number of answers to pre-set questions; they are required to recall the correct answers to authenticate themselves to get their password reset. It is not as secure as the helpdesk driven recovery service, as it is quite possible for users to enter simple or trivial information for their recovery questions, but it has the advantage that it can operate 24x7 without human interaction.

Registering for webRecovery


Before users can reset their own passwords, they must register a number of questions and answers that they use to prove their identity to the system using the recovery interface. They must also have the Allow webRecovery option ticked in their Token properties. See the Creating and Configuring Users chapter. After clicking the Register button, users need to log in with their current Endpoint Encryption ID and Password.


Figure 32. webRecovery Registration

NOTE: If users do not know their password at this time, they will have to call their Endpoint Encryption helpdesk and get their password reset using one of the helpdesk driven mechanisms.


Figure 33. webRecovery registration questions

Once they have registered their preferred questions and answers, they are free to use the recovery service if they forget their password.

Recovery using webRecovery


To use the webRecovery service, the user who has forgotten their password simply accesses the HTTP Server via a web terminal, perhaps in an internet café, and clicks the Reset Password button. They then enter the challenge that is displayed on their Endpoint Encryption screen.


Figure 34. webRecovery challenge screen

If the challenge is correct, they will be asked to enter the correct answers for a selection of their registered questions, and if these are correct, the user is presented with the response to type back into their Endpoint Encryption boot screen.

Figure 35. webRecovery answers screen


Figure 36. webRecovery Response Screen

License Management

The Endpoint Encryption directory is licensed in terms of number of allowed users, number of allowed machines, and license file expiry dates. You can view the current license status of your directory by using the File > License Information option. The summary boxes at the bottom of the screen indicate the current active license count. Any expired or invalid licenses are not included, although they may still be shown in the license list.

Figure 37. License information

Multiple license files can be added to the list using the Add button, but each file can only be added once.

License Restrictions
License files can have many restrictions built in:

Number of Users
Restricts the maximum number of users that can be managed.

Number of Machines
Restricts the maximum number of machines that can be managed.

Number of PDA Devices
Restricts the maximum number of CE Machines that can be managed.

Directory locked
Some license files can be locked to only work on a particular directory. If you re-create your directory, you will need to obtain a new license file.

Expires
Some license files expire after a certain time period.

Exclusive
License files marked as exclusive do not co-exist with other license files. Only one exclusive license file can be used at any time. If you import two exclusive license files, only the first one will be effective.

Addons
Extra components such as SBAdmCL, Connectors, and other utilities may require additional license code. The names of the additional components licensed will be displayed in this field.

You may have received an extra license file with your copy of Endpoint Encryption; if so you can import it into the directory using the Add button. If you need more licenses, you can save the current information out of your directory using the Save button; this creates a text file which you can fax or e-mail to your McAfee representative. They can obtain all the details required to create new extended licenses from this information. You may also want to save the license file information to help you order replacement files in the event of a drive crash.


Common Criteria EAL4 Mode Operation

CESG in the United Kingdom has certified the following products to EAL4:

- Endpoint Encryption for PC

To apply this standard to your implementation of Endpoint Encryption, you need to ensure the following criteria are met.

Administrator Guidance

- Endpoint Encryption must be installed using the Endpoint Encryption AES (FIPS) 256-bit Algorithm.
- Administrators must enforce the following Policy Settings: a minimum password length of 5 characters or more, and disabling of accounts after 10 or fewer invalid password attempts.
- All data and operating system partitions on the machines where the Endpoint Encryption client has been installed MUST be fully encrypted. You can check conformance with this requirement by viewing the Endpoint Encryption client status window; if any drives are highlighted in red then they are not fully encrypted.
- Administrators must enforce use of the Endpoint Encryption Secure Screen Saver Mode.
- Use of Autoboot Mode is prohibited.
- Machine and User recovery key sizes must be non-zero (Machine/Encryption properties and User/Token properties).

To comply with CC regulations, these policy settings must be applied before installing any clients.

- There must be a system in place for maintaining secure backups that are separately encrypted or physically protected to ensure data security is not compromised through theft of or unauthorised access to backup information.
- Backups should be regular and complete to enable system recovery in the event of loss or damage to data as a result of the actions of a threat agent, and to avoid vulnerability through being forced to use less secure systems.
- Users (including administrators) must protect all access credentials, such as passwords or other authentication information, in a manner that maintains IT security objectives.
- Customers implementing an Endpoint Encryption enterprise must ensure that they have in place a database of authorized TOE users along with user-specific authentication data, for the purpose of enabling administrative personnel to verify the identity of a user over a voice-only telephone line before providing them with support or initiating recovery. Endpoint Encryption provides the means to display personal information such as the user's ID number as part of the User Information Fields, but any other appropriate system is acceptable.
- Administrators should ensure their users are fully trained in the use of the Endpoint Encryption for PC Client software as described in the chapter Client Software of the Endpoint Encryption for PC Administration Guide, and should remind them of the security procedures detailed in the User Guidance below.

User Guidance

- Users must maintain the confidentiality of their logon credentials, such as passwords and tokens.
- Users must not leave an Endpoint Encryption protected PC unattended in a logged on state, unless it is protected by the secure screen saver.
- Users must be informed of the process that they need to go through in order that they may contact their administrator in the event of needing to recover their PC if they forget their password or their user account becomes disabled.

Common Criteria EAL4 Certificate


You can find the official recognition of this certification on CESG's website: http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=152&id=336

Algorithm Certificate Numbers


AES
Cert 21 and 170: ECB(e/d; 256); CBC(e/d; 256); CFB8(e/d; 256)
http://csrc.nist.gov/cryptval/aes/aesval.html

SHA1
Cert 71 and 254
http://csrc.nist.gov/cryptval/shs/shaval.htm

DSA/DSS
DSS cert 53 and 112: Sig(ver) Mod(all)
http://csrc.nist.gov/cryptval/dss/dsaval.htm

RNG
Cert 15: AES, DSA, SHA, RNG on AMD Athlon XP, Windows XP SP1; Pentium III, Windows 2000
http://csrc.nist.gov/cryptval/rng/rngval.html

DES
Cert 145: CBC(e/d); CFB(8 bits; e/d)
http://csrc.nist.gov/cryptval/des/desval.html


Tuning the Object Directory


The Name Index
To improve object name-to-id lookup and license validation, Endpoint Encryption contains an extra "Name Index" capability which can be enabled to improve performance on object directories with large numbers of users (>3000) or high levels of synchronous activity (more than 10 simultaneous administration connections). If your Endpoint Encryption object directory server is showing high or constant hard disk access with low CPU usage, you may also benefit from enabling name caching.

About Name Indexing


Most lookup events in the Endpoint Encryption object directory are performed by object id; for instance, when a machine synchronizes, it navigates directly to its attributes via a unique object id. This mechanism holds true for the majority of activity over the directory. When a user logs in through, for instance, the file encryptor or the Administration console, the directory infrastructure performs a name-to-id lookup; this involves trawling the object directory to find the user object with a name attribute which matches the one requested. Also, when a new object is created, a trawl of the entire database is initiated to check that the new user/machine etc. is unique. The Name Index creates a "shortcut" for name-to-id lookup by periodically creating indexes of the name/id attributes of all objects in the directory. Once created, all lookups pass through the cache for resolution; as the cache is much smaller than the directory this leads to dramatic increases in performance, mainly through better use of the operating system file cache. As a side-effect, the name index also speeds up counting objects in the database (part of license validation).

Enabling and Configuring Name Indexing:


The Name Index is controlled through the file dbcfg.ini stored in the root of the object directory (normally the sbdata directory). The index files are stored in the root of each object type. The following section should be in dbcfg.ini:

[NameIndex]
Enabled=Yes

More details about the dbcfg.ini file, and further tuning options, can be found in the Endpoint Encryption Configuration Files chapter.


Performance Tests:
These tests are approximate indications of the benefits of the Name Index running on a 5000 user database. They were performed using a login id which was at the end of the database (worst case scenario).

Improvement with Name Index Enabled, by number of buckets (HashCount):

Task          1 Bucket    16 Buckets    64 Buckets    256 Buckets
Create User   +455%       +460%         +500%         +400%

As you can see from the table above, enabling the Name Index drastically improves the performance of the enumeration functions. The exact parameters to use for any particular database / server combination depend largely upon the memory and cache functions of the server itself. As a rough guide, CBI consultants have found that tuning the bucket number to give cache files not exceeding 64KB has proved optimal. If you require performance tuning for your object database, please consider a consultancy visit, as tinkering with the Endpoint Encryption object database can result in loss of users and machines.
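To make the bucket and LifeTime behaviour concrete, here is an added Python model of a name index (not the Endpoint Encryption implementation; its hashing, layout and case-insensitive name matching are assumptions of the model, and the 5000-user directory is constructed). It shows the trawl a lookup costs without an index, the single bucket read with one, the stale window before a rebuild, and a helper that applies the 64KB-per-bucket rule of thumb to choose HashCount from the object count and MinEntrySize.

```python
"""
Model of a Name Index: name-to-id lookup through hash buckets that are
rebuilt once LifeTime seconds have passed.

Added example for this guide; it is not the Endpoint Encryption index code.
The hash function, bucket layout and case-insensitive matching are
assumptions of the model, and the directory contents are constructed.
"""
import hashlib
import time

# The guide's rule of thumb: keep each index (bucket) file under 64KB.
BUCKET_FILE_LIMIT = 64 * 1024


def suggested_hash_count(object_count, entry_size):
    """Smallest power-of-two bucket count that keeps an evenly filled bucket
    under BUCKET_FILE_LIMIT, at entry_size bytes per name (MinEntrySize)."""
    count = 1
    while object_count * entry_size / count > BUCKET_FILE_LIMIT:
        count *= 2
    return count


class NameIndex:
    """Name-to-id cache over an object directory modelled as {id: name}."""

    def __init__(self, directory, hash_count=16, life_time=1800, clock=time.time):
        self.directory = directory
        self.hash_count = hash_count    # dbcfg.ini HashCount
        self.life_time = life_time      # dbcfg.ini LifeTime (seconds; 0 = never expires)
        self.clock = clock              # injectable so expiry can be tested
        self.buckets = None
        self.built_at = None
        self.rebuilds = 0

    def bucket_of(self, name):
        # Model assumption: names are compared case-insensitively.
        digest = hashlib.sha256(name.lower().encode("utf-8")).digest()
        return int.from_bytes(digest[:4], "big") % self.hash_count

    def rebuild(self):
        """Trawl the directory once and file every name into its bucket."""
        self.buckets = [{} for _ in range(self.hash_count)]
        for obj_id, name in self.directory.items():
            self.buckets[self.bucket_of(name)][name.lower()] = obj_id
        self.built_at = self.clock()
        self.rebuilds += 1

    def expired(self):
        if self.buckets is None:
            return True
        return self.life_time > 0 and self.clock() - self.built_at >= self.life_time

    def lookup(self, name):
        """Return (object id or None, entries read from the index to answer)."""
        if self.expired():
            self.rebuild()
        bucket = self.buckets[self.bucket_of(name)]
        return bucket.get(name.lower()), len(bucket)

    def lookup_by_trawl(self, name):
        """The un-indexed path: read objects until the name matches."""
        read = 0
        for obj_id, candidate in self.directory.items():
            read += 1
            if candidate.lower() == name.lower():
                return obj_id, read
        return None, read

    def largest_bucket(self):
        if self.buckets is None:
            self.rebuild()
        return max(len(bucket) for bucket in self.buckets)


def constructed_directory(size):
    """{id: name} for a directory of `size` users, e.g. 1 -> 'user00001'."""
    return {i: "user%05d" % i for i in range(1, size + 1)}


if __name__ == "__main__":
    index = NameIndex(constructed_directory(5000), hash_count=64)
    print("trawl read %d objects" % index.lookup_by_trawl("user05000")[1])
    print("index read %d entries" % index.lookup("user05000")[1])
    print("suggested HashCount for 5000 x 16 bytes:", suggested_hash_count(5000, 16))
```

The stale window is the point to notice: an object created after the last rebuild is not found by name until LifeTime has elapsed, which is why the real product rebuilds periodically rather than only once; a LifeTime of zero never rebuilds at all.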

Enabling Directory Compression


To reduce the number of files stored in an Object Directory, a special mode can be enabled which uses a single attribute file instead of the numerous files created within a standard sbfiledb structure. Using a single file has the following advantages and disadvantages:

Advantages
- The OD uses less disk space because there is a reduced number of files, therefore the cluster size overhead is reduced. A reduction in disk space of a factor of 10 can be expected.
- Entire objects are cached, not just the most recently opened attribute files, leading to a theoretical increase in performance if frequent large updates take place.
- The reduced number of files makes handling the OD for backups and replication easier, and faster.

Disadvantages
- The size of the actual data in the OD increases due to header overheads in the attribute files.
- Resilience to corruption is reduced as all the object attributes are in one file, whereas before resilience was gained by splitting them up into multiple files.
- Name to id resolution time is increased unless the Name Index mode (UK4005) is also enabled.
- If frequent small updates take place, or infrequent updates, overall database performance will drop.

Migrating to a compressed directory


All local connections to a compressed object database must go through an sbfiledb.dll which has the compression code; you cannot mix connections, as the previous drivers do not understand the compressed attributes. You can enable compression on an existing database in such a way that either only new objects will be created compressed, or, in self-compress mode, each object gets compressed as it is written to. CBI can provide a tool to entirely compress an Object Directory, or compress only a branch of it.

Enabling and Configuring Directory Compression


The dbcfg.ini file in the root of the object directory needs the following section added:

[Attribs]
; If this option is set to "yes" then all new objects created will use the
; compressed format
SingleFile=Yes
; If this option is set to "yes" then all existing uncompressed objects which are updated
; will be converted to the new compressed format at that time.
AutoConvert=Yes

Performance Notes
No performance change has been noted between identical compressed and uncompressed databases up to 5000 users. There may be some benefit on servers with exceptionally high amounts of memory. With large (>10000) databases, performance may well drop when using the compressed directory mode.


Endpoint Encryption Configuration Files


Endpoint Encryption uses many .ini files to maintain information about the configuration of various components. Some of the more important files are listed here.

sbnewdb.ini
Used to customize the creation of Endpoint Encryption Object Directories. The sbnewdb file contains instructions for creating custom groups, setting the default user id and password, and other instructions related to the location of the directory.

sberrors.ini
Used to increase the detail available in on-screen error messages. You can add further descriptions to errors by amending this file. In 5.1 and beyond, you can substitute the Unicode file SBErrors.XML in place of SBErrors.ini to give localized translations of the error messages.

sbhelp.ini
Used to match on-screen windows to their help file sections.

sbadmin.ini
This file controls the tree layout and behavior of SBAdmin.exe - you can modify it to display certain nodes of the database on tabs other than the defaults.

sbfeatur.ini
Controls the feature set available to Endpoint Encryption. This file is digitally signed by the Endpoint Encryption team and must not be modified.

sbfiledb.ini
SBFileDB controls the locking behavior of locally running database connections.

[LockOptions]
; time to wait for a lock, in 100ths of a second
Timeout=3000
; time to sleep between lock retries, in 1000ths of a second
Sleep=10

dbcfg.ini
This file controls the global database behavior; for this reason it is stored not in the application directory, but in the root of the file database. For more information on dbcfg.ini, see the Tuning the Object Directory chapter.

[NameIndex]
Enabled=No
; the time we wait for the lock on the index file to become available
; in 100ths of a second (default is 30 seconds).
LockTimeout=3000
; the time we wait before re-trying locking of the index file
; in 1000th of a second.
LockSleep=10
; the number of "buckets" into which the hash of the name is split
HashCount=16
; the minimum space to allocate per object name
MinEntrySize=16
; the time (in seconds) for which the index will be used before it is
; automatically re-created (default is 30 minutes). A value of zero means
; that it never expires.
LifeTime=1800
[Attribs]
; if set to "Yes", all the attributes will be stored in a single TLV file
; rather than individual ones.
SingleFile=No
; if this is set to "Yes", then when objects are opened for writing all the
; attributes are automatically converted to a single file. Otherwise only
; new objects will use the single file.
AutoConvert=No
[Tracking]
; if set to "Yes", then all changes to attributes will be recorded e.g. for
; possible use with a replication system.
AttributeChanges=No
; if set to "Yes", then whenever an object is modified, that fact is recorded
; in a single file. This file could then be used to determine which objects
; have changed since a certain time by reading only a single file.
ObjectChanges=No
[idassignment]
;firstid= hex number starting point for ALL objects
;lastid= hex number

sdmcfg.ini
Used by the Endpoint Encryption Client to control the connection to the Object Directory. There may be many connections listed in the file; the multi-connection behavior is controlled through scm.ini.

[Databases]
Database1=192.168.20.57

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=
ExtraInfo=

The value of Database1 is the IP address of the remote server; it can also be a DNS name. ServerKey holds the public key of the remote server and is what stops an attacker putting a rogue server in place and intercepting the traffic; ExtraInfo is padding for the server key. A remote connection whose ServerKey is blank, or whose Authenticate setting is not Yes, gives the client nothing to check the server's identity against, so review both fields when auditing a deployment.
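The check described above, as an added example that is not part of McAfee's product: a small audit that reads an sdmcfg.ini, walks every connection listed under [Databases] and reports remote connections that either do not authenticate the server or have no ServerKey pinned. The sample file is constructed for the example (Database1 mirrors the fragment above, Database2 is a hypothetical weak entry, and the ServerKey value is a placeholder, not a real key).

```python
import configparser

# Constructed sample sdmcfg.ini for this example. Database1 follows the
# guide's fragment; Database2 is a hypothetical misconfigured entry; the
# ServerKey hex is a placeholder, not a real server key.
SAMPLE_SDMCFG = """\
[Databases]
Database1=192.168.20.57
Database2=eem-backup.example.internal

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=0102030405060708090A0B0C0D0E0F10
ExtraInfo=

[Database2]
Description=Backup Object Directory
IsLocal=No
Authenticate=No
Port=5555
ServerKey=
ExtraInfo=
"""

NO_AUTH = "Authenticate is not Yes: the client will not verify the server's identity"
NO_KEY = "ServerKey is empty: no public key is pinned for the server"
NO_SECTION = "connection listed under [Databases] has no matching section"


def load_sdmcfg(text):
    """Parse sdmcfg.ini text; key case is preserved so Database1 maps to [Database1]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def audit_connections(text):
    """Return (connection name, finding) pairs for every remote connection
    that cannot authenticate the Object Directory server it talks to."""
    cfg = load_sdmcfg(text)
    findings = []
    for name, _host in cfg.items("Databases"):
        if not cfg.has_section(name):
            findings.append((name, NO_SECTION))
            continue
        section = cfg[name]
        if section.get("IsLocal", "No").strip().lower() == "yes":
            continue  # local database: no network hop to protect
        if section.get("Authenticate", "No").strip().lower() != "yes":
            findings.append((name, NO_AUTH))
        if not section.get("ServerKey", "").strip():
            findings.append((name, NO_KEY))
    return findings


if __name__ == "__main__":
    for conn, finding in audit_connections(SAMPLE_SDMCFG):
        print(f"{conn}: {finding}")
```

Run it against a real client's sdmcfg.ini by reading the file into `audit_connections`; an empty result means every remote connection both authenticates the server and has a key pinned.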

SBServer.ini
SBServer.ini is used to store the credentials used by the server in service mode. You can also adjust the maximum number of connections the Endpoint Encryption server will accept and its behavior when that maximum is reached. By default the maximum is 200 connections. When the limit has been reached the server can behave in one of two ways: it either stops accepting connections, or it accepts connections and then immediately closes them. Because Windows maintains a queue of 5 pending connections, the first 5 connections after the maximum is reached are held in that queue until the number of connections has dropped below the maximum. Thus, in the default AcceptAtMax=No mode, those 5 clients do not time out at their end and appear to hang until a connection becomes free. In AcceptAtMax=Yes mode, the client fails immediately with a communications error.

[Connections]
Max=200
AcceptAtMax=No
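The two behaviors described above, as an added example that is not McAfee's code: a plain Python socket server stands in for the Endpoint Encryption server, listens with a backlog of 5 as the text says Windows does, and is filled to Max with one client. A second client then connects and the example reports what it experiences in each mode. The Max value of 1 and the one second read timeout are choices made for the example.

```python
import socket
import threading
import time

BACKLOG = 5  # the pending-connection queue size the text attributes to Windows


def _serve(listener, max_conn, accept_at_max, held, stop):
    """Stand-in server loop. `held` collects accepted connections that count
    against Max; `accept_at_max` selects the AcceptAtMax=Yes/No behavior."""
    listener.settimeout(0.05)
    while not stop.is_set():
        if len(held) >= max_conn and not accept_at_max:
            # AcceptAtMax=No: stop calling accept(). New clients complete the
            # TCP handshake into the kernel backlog and simply wait there.
            time.sleep(0.02)
            continue
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        if len(held) >= max_conn:
            # AcceptAtMax=Yes: accept and immediately close, so the client sees
            # end of stream (or a reset) instead of hanging.
            conn.close()
        else:
            held.append(conn)


def probe_client(addr, timeout=1.0):
    """Connect as a client and report what happens to the first read:
    'queued' = connected but never serviced, 'closed' = server dropped us."""
    sock = socket.create_connection(addr, timeout=timeout)
    try:
        data = sock.recv(1)
    except socket.timeout:
        return "queued"
    except ConnectionResetError:
        return "closed"
    finally:
        sock.close()
    return "closed" if data == b"" else "data"


def run_demo(accept_at_max, max_conn=1):
    """Fill the server to Max with one client, then probe with a second one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(BACKLOG)
    addr = listener.getsockname()
    held, stop = [], threading.Event()
    worker = threading.Thread(
        target=_serve, args=(listener, max_conn, accept_at_max, held, stop), daemon=True
    )
    worker.start()
    first = socket.create_connection(addr)
    deadline = time.time() + 2.0
    while len(held) < max_conn and time.time() < deadline:
        time.sleep(0.01)  # wait until the first client occupies the only slot
    try:
        return probe_client(addr)
    finally:
        stop.set()
        worker.join()
        first.close()
        for conn in held:
            conn.close()
        listener.close()


if __name__ == "__main__":
    print("AcceptAtMax=No :", run_demo(False))  # queued: the client hangs until a slot frees
    print("AcceptAtMax=Yes:", run_demo(True))   # closed: the client gets a communications error
```

The difference matters when you read client-side error reports: a hang with no error points at a saturated server in the default mode, while a burst of communications errors at the same moment points at AcceptAtMax=Yes.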

sbconmgr.ini
Used to define the active connectors displayed in the Connector Manager, for example:

[Connectors]
SBNTCON=SBNTCON.DLL

[Authentication]
DatabaseId=1
ObjectType=0x00000001
ObjectId=0x00000001
Key=000000000000000000000000000000000000000000000000000000000000000006557FB28C5A226BB8BF634A68EE75DE2C4010DD1E143D9BC29808C5E5C3A729838DD1D1E0B032D6C2A015BD8B1AAF5DC2D1E3F58D37A41F29AF5DC108EB03D4418D95316CCC84EE2881DCBE0012C6F705F6A6D5063C2D0BEB87897C2A9AC318D659C712E99D515DB18E567218CC2B1520EBD6119095674C9C215BA329521CFE2000000000000000000000000000000000000000A6

[Manager]
LastFile=G:\Program Files\SBAdmin\CmSettings.ini
;the check interval (ms) defines how often the connector manager looks for an updated cmsettings.ini file.
CheckInterval=500

Because the [Authentication] section names the object the Connector Manager authenticates as and carries the key it uses to do so, restrict read access to this file to the account that runs the Connector Manager.

Cmsettings.ini
Used to define the parameters associated with each individual connector. The settings contained in this file are usually maintained by the Connector Manager application. Only manual settings are documented below.

LDAPCon Manual Settings
SearchAttribs=objectClass,uid,cn,givenName
    Limits the attributes that a directory search returns. Normally all attributes are returned, which can affect the performance of the directory server if many of them are not wanted.

LDAPCon / ADCon Manual Settings
CaseSensitive=0 / 1
    Switches case-sensitive attribute searches on and off. The default value is 1 (searches are case sensitive).

SBHTTP.ini
Configuration for the main web server.

[Configuration]
; The port on which the server listens for connections. The default is 443
; which is the standard HTTPS port.
Server.Port=443
; Optional log file to record server activity. If no name is specified here,
; then no logging will occur (the default).
Server.Log.FileName=
; Flags that control what is logged if logging is enabled. This is a 32-bit
; hex number. The following bits are used:
;
; Bit 0 (value=1) = Log request headers
; Bit 1 (value=2) = Log request data (e.g. form results)
; Bit 2 (value=4) = Log response headers
;
; The default is a value of "5" which logs request and response headers, but
; no request data.
; Server.Log.Flags=00000005
; Specifies the name of the Subject field of the certificate the server
; should use for SSL connections. The certificate must reside in the server's
; private store (SbHttpServer service store). If this is not specified, the
; network name of the computer is used.
;Server.Ssl.CertName=
;
; Specifies the period of inactivity (in minutes) after which a logged on user is
; automatically logged off.
Server.Logon.Timeout=5

[Strings]
;
; These are strings that the server can display. Use the "|" character to
; specify a new line.
;
Server.String.1=Web Server
Server.String.2=The challenge you entered was not correct. Please try again.
Server.String.3=The recovery action you selected was not valid. Please try again.
Server.String.4=The requested URL "%s" was not found.

[Page.Handlers]
;
; This section lists all the optional page handlers that will get loaded
; by the web server. The left side should start with "Handler." and the right
; side is the name of the DLL to load.
;
Handler.CeRecovery=SBCEDEV.DLL
Handler.WebRecovery=SBWEBREC.DLL

Note that bit 1 of Server.Log.Flags writes submitted form data to the log file. On the web recovery pages that data includes the challenge and answer values users type in, so leave the bit clear on production servers, or protect the log file as carefully as the database.

SBwebRec.ini
Configuration for web recovery.

[Configuration]
Register.Questions.Required=5
Recover.Questions.Asked=3
Database.User.Id=00000001
Database.User.Key=
Recover.Attempts.Max=3
Recover.Attempts.Timeout=3600

[Strings]
String.1=The challenge you entered was not correct. Please try again.
String.2=Some of your answers were not correct. Please try again.

[Questions]
Question1=What is your favorite color?
Question2=What is your pet's name?
Question3=Who is your favorite musician?
Question4=What is a memorable date?
Question5=What is your date of birth?
Question6=What is your favorite place?
Question7=Who is your favorite actor?
Question8=What is your favorite film?
Question9=What is your favorite song?
Question10=What is your favorite food?

The questions used can be changed at any time without affecting currently registered users. Questions such as a favorite color or a date of birth have few plausible answers or are easily looked up, so the Recover.Attempts.Max and Recover.Attempts.Timeout limits are what keep the recovery path from being guessed; do not relax them without also replacing the weakest questions.

Endpoint Encryption Manager Program and Driver Files

EXE Files
SBAdmin.exe
Main Endpoint Encryption Manager Executable

DLL Files
sbalgxx
Utility Encryption algorithm module.

SYS Files
SBALG.SYS
Endpoint Encryption's device driver crypto algorithm module.

srg files
Endpoint Encryption registry files
These are standard regedit files which are processed into the registry by Endpoint Encryption itself, without using the Windows regedit utility.

Error Messages
Please see the file sberrors.ini for more details of these error messages. You can also find more information on error messages on our web site, www.mcafee.com.

Please note that many of these error codes are not designed to ever be shown; they are listed for completeness. This kind of error is termed an Assertion: a place in our software where we check that a number of conditions are true before continuing, even though the design does not allow for any case in which they could be false. Because the code and design do not expect such errors to be generated, resolving one means working through the context of the issue; without the steps required to reproduce the error it is not possible to conclude how the system arrived at the error state.

Module codes
The following codes can be used to identify from which Endpoint Encryption module an error message was generated. The first four hex digits of an eight digit error code are the module code; the remaining four identify the error within that module.

Error code   Module
1c00         IPC
5501         SBHTTP Page Errors
5502         SBHTTP User Web Recovery
5c00         SBCOM Protocol
5c02         SBCOM Crypto
a100         ALG
c100         Scripting
db00         Database Misc
db01         Database Objects
db02         Database Attributes
e000         Endpoint Encryption General
e001         Endpoint Encryption Tokens
e002         Endpoint Encryption Disk
e003         Endpoint Encryption SBFS
e004         Endpoint Encryption Boot Code
e005         Endpoint Encryption Client
e006         Endpoint Encryption Algorithms
e007         Endpoint Encryption Users
e010         Endpoint Encryption Keys
e011         Endpoint Encryption File
e012         Endpoint Encryption Licenses
e013         Endpoint Encryption Installer
e014         Endpoint Encryption Hashes
e015         Endpoint Encryption App Control
e016         Endpoint Encryption Admin

5501 Web Server Page Errors

Code        Message and Description
[55010000]  URL not found
[55010001]  Invalid parameter encoding
[55010002]  Invalid parameter
[55010003]  Missing parameter
[55010004]  Not logged on
[55010005]  No user challenge has been provided
[55010006]  Unable to get configuration
[55010007]  Unable to set configuration
[55010008]  Incorrect user challenge
[55010009]  Invalid recovery action
[5501000a]  Reparse required

5502 Web Server User Web Recovery

Code        Message and Description
[55020000]  Permission to use web recovery is denied

5C00 Communications Protocol

Code        Message and Description
[5c000000]  Unsupported version
            The server and client are not talking the same communications protocol version.
[5c000005]  Out of memory
[5c000008]  A corrupt or unexpected message was received
[5c000009]  Unable to load the Windows TCP/IP library (WSOCK32.DLL)
            Check that the TCP/IP protocol is installed.
[5c00000a]  Communications library not initialised
            This is an internal programmatic error.
[5c00000c]  Unable to create TCP/IP socket
[5c00000d]  Failed while listening on a TCP/IP socket
[5c00000e]  Unable to convert a host name to an IP address
            Check the hosts file or the DNS settings.
[5c00000f]  Failed to connect to the remote computer
            The computer may not be listening or it is too busy to accept connections.
[5c000010]  Failed while accepting a new TCP/IP connection
[5c000011]  Failed while receiving communications data
            The remote computer may have reset the connection.
[5c000012]  Failed while sending communications data
[5c000013]  Invalid communications configuration
[5c000014]  Invalid context handle
[5c000015]  A connection has already been established
[5c000016]  No connection has been established
[5c000017]  Request for an unknown function has been received
[5c000018]  Unsupported or corrupt compressed data received
[5c000019]  Data block is too big
[5c00001a]  Data of an unexpected length has been received
[5c00001b]  Message too big to be received
            This may occur if an attempt is made to import large amounts of data into the database (e.g. a file).
[5c00001c]  Unable to create thread mutex
[5c00001d]  Message too big to be sent
            This may occur if an attempt is made to import large amounts of data into the database (e.g. a file).
[5c00001e]  Wrong Endpoint Encryption Communications Protocol Version
            You are most likely trying to connect to a v4 Endpoint Encryption Server using a v5 Server definition with server authentication enabled. Check that you do not have both v4 and v5 servers running (perhaps as a service) at the same time.

5C02 Communications Cryptographic

Code        Message and Description
[5c020000]  The Diffie-Hellman data is invalid or corrupt
[5c020001]  An unsupported encryption algorithm has been requested
[5c020002]  An unsupported authentication algorithm has been requested
[5c020003]  Unable to sign data
[5c020004]  Authentication signature is not valid
[5c020005]  Authentication parameters are invalid or corrupt
[5c020006]  Failed while generating DSA parameters
[5c020007]  No session key has been generated
[5c020008]  Unable to authenticate user
[5c020009]  Session key too big

A100 Algorithm Errors

Code        Message and Description
[a1000000]  Not enough memory
[a1000001]  Unknown or unsupported function
[a1000002]  Invalid handle
[a1000003]  Encryption key is too big
[a1000004]  Encryption key is too small
[a1000005]  Unsupported encryption mode
[a1000006]  Invalid memory address
[a1000007]  Invalid key data

C100 Scripting Errors

Code        Message and Description
[c1000001]  Invalid Argument
[c1000002]  Missing Parameter
            There is a required parameter missing.
[c1000003]  Missing Value
[c1000004]  Machine Already In Group
[c1000005]  Database Not Found
[c1000006]  User Already In Group
[c1000007]  Wrong Group Type
[c1000009]  Wrong Database Capabilities
            Usually only returned when the database does not have ID assignment support. The standard Endpoint Encryption database includes this feature.
[c1000009]  Parameter Needed
            You must enter one of the required parameters, for example user or group name.
[c100000a]  Parameter Positive
            You must specify a positive value for this parameter.
[c100000b]  Unsupported Connection Type
[c100000c]  No Admin Name Specified
[c100000d]  No Admin Password Specified
[c100000e]  Unknown Authentication Type
[c100000f]  No Connection Reference
[c1000010]  Unknown Connection
[c1000011]  Mutex Creation Failed
            Caused when there are insufficient system resources in the host OS to create another mutex.
[c1000012]  Command Skipped
[c1000013]  No Command Specified
[c1000014]  Unknown Command
[c1000015]  No User ID specified
[c1000016]  No User Key Found
[c1000017]  No Key File
            No key file was specified.
[c1000018]  Key File Not Found
            The authentication key file specified as User ID Key File was not found.

DB00 Database Errors

Code        Message and Description
[db000000]  Out of memory
[db000001]  More data is available
[db000002]  The database has not been created or initialised yet
            Check the database path or create a new database. To force the new database wizard to be run, delete the SDMCFG.INI file and restart the administration program.
[db000003]  Invalid context handle
[db000004]  The name was not found in the database
[db000005]  Authentication was not successful
            Check that you have the correct token for this database.
[db000006]  Unknown database
[db000007]  Invalid database type
[db000008]  The database could not be found
            Check the database path settings.
[db000009]  Database already exists
            Choose a different database path.
[db00000a]  Unable to create the database
            Check the path settings and make sure you have write access to the directory.
[db00000b]  Invalid database handle
[db00000c]  The database is currently in use by another entity
            You cannot delete a database while someone is using it.
[db00000d]  Unable to initialise the database
[db00000e]  User aborted
[db00000f]  Memory access violation
[db000010]  Invalid string
[db000011]  No default group has been defined
[db000012]  The group could not be found
[db000013]  File not found
[db000014]  Unable to read file
[db000015]  Unable to create file
[db000016]  Unable to write to file
[db000017]  File corrupt
[db000018]  Invalid function
[db000019]  Unable to create mutex
[db00001a]  Invalid license
            The license has been modified so that the signature is now invalid.
[db00001b]  License has expired
[db00001c]  The license is not for this database
            Check the database ID and ensure it is the same as the one specified in the license. Each time you create a new database, a different ID is generated. There is no way to change the ID of a database.
[db00001d]  You do not have permission to access the object
[db00001e]  Endpoint Encryption is currently busy with another task. Please wait for it to complete and try again.
            This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint Encryption status from the right-click menu of the Endpoint Encryption task bar icon.
[db00001f]  Endpoint Encryption is still installed on this machine
[db000020]  Buffer too small
[db000021]  The requested function is not supported
[db000022]  Unable to update the boot sector
            The disk may be in use by another application or Explorer itself. The disk may be protected by an antivirus program.

DB01 Database Objects

Code        Message and Description
[db010000]  The object is locked
            Someone else is currently updating the same object.
[db010001]  Unable to get the object ID
[db010002]  Unable to change the object's access mode
            Someone else may be accessing the object at the same time. If you are trying to write to the object while someone else has the object open for reading, you will not be able to change to write mode.
[db010003]  Object is in wrong access mode
[db010004]  Unable to create the object in the database
            The disk may be full or write protected.
[db010005]  Operation not allowed on the object type
[db010006]  Insufficient privilege level
            You do not have the access rights required to access the object.
[db010007]  The object status is disabled
            This is usually associated with User objects. Disabling the user's object prevents them logging on until their account is re-enabled.
[db010008]  The object already exists
[db01000f]  The object is in use
[db010010]  Object not found
            The object has been deleted from the database.
[db010011]  License has been exceeded for this object type
            Check that your licenses are still valid and, if not, obtain further licenses as necessary.

DB02 Database Attributes

Code        Message and Description
[db020000]  Attribute not found
[db020001]  Unable to update attribute
[db020002]  Unable to get attribute data
[db020003]  Invalid offset into attribute data
[db020004]  Unable to delete attribute
[db020005]  Incorrect attribute length
[db020006]  Attribute data required

E000 Endpoint Encryption General

Code        Message and Description
[e0000000]  User aborted
[e0000001]  Insufficient memory
[e0000002]  Invalid date/time
[e0000010]  Invalid date/time. Clock is reporting a time before 1992 or after 2038.

E001 Tokens

Code        Message and Description
[e0010000]  General token error
[e0010001]  Token not logged on
[e0010002]  Token authentication parameters are incorrect
[e0010003]  Unsupported token type
[e0010004]  Token is corrupt
[e0010005]  The token is invalidated due to too many invalid logon attempts
[e0010006]  Too many incorrect authentication attempts
[e0010007]  Token recovery key incorrect
[e0010010]  The password is too small
[e0010011]  The password is too large
[e0010012]  The password has already been used before. Please choose a new one.
[e0010013]  The password content is invalid
[e0010014]  The password has expired
[e0010015]  The password is the default and must be changed.
[e0010016]  Password change is disabled
[e0010017]  Password entry is disabled
[e0010020]  Unknown user
[e0010021]  Incorrect user key
[e0010022]  The token is not the correct one for the user
[e0010023]  Unsupported user configuration item
[e0010024]  The user has been invalidated
[e0010025]  The user is not active
[e0010026]  The user is disabled
[e0010027]  Logon for this user is not allowed at this time
[e0010028]  No recovery key is available for the user
[e0010030]  The algorithm required for the token is not available
[e0010040]  Unknown token type
[e0010041]  Unable to open token module
[e0010042]  Unable to read token module
[e0010043]  Unable to write token module
[e0010044]  Token file not found
[e0010045]  Token type not present
[e0010046]  Token system class is not available
[e0018000]  Sony Puppy requires fingerprint
[e0018001]  Sony Puppy requires password
[e0018002]  Sony Puppy not trained

E012 Licences

Code        Message and Description
[e0120001]  License invalid
[e0120002]  License expired
[e0120003]  License is not for this database
[e0120004]  License count exceeded

E013 Installer

Code        Message and Description
[e0130002]  No installer executable stub found
[e0130003]  Unable to read installer executable stub
[e0130004]  Unable to create file
[e0130005]  Error writing file
[e0130006]  Error opening file
[e0130007]  Error reading file
[e0130008]  Installer file invalid
[e0130009]  No more files to install
[e013000a]  Install archive block data too large
[e013000b]  Install archive data not found
[e013000c]  Install archive decompression failed
[e013000d]  Unsupported installer archive compression type
[e013000e]  Installation error
[e013000f]  Unable to create temporary directory
[e0130010]  Error registering module

E014 Hashes

Code        Message and Description
[e0140001]  Insufficient memory
[e0140002]  Error opening hashes file
[e0140003]  Error reading hashes file
[e0140004]  Hashes file invalid
[e0140005]  Unable to create hashes file
[e0140006]  Error writing hashes file
[e0140007]  Hashes file is not open
[e0140008]  Hashes file data invalid
[e0140009]  Hashes file data too big
[e014000a]  User aborted

E016 Administration Center

Code        Message and Description
[e0160001]  Invalid plugin information

Technical Specifications and Options


The following options are available from Endpoint Encryption but may not be included on your install CD, or be appropriate for your version of the Endpoint Encryption Manager. Please contact your McAfee representative for information if you wish to use one of these optional components.

Encryption Algorithms
Endpoint Encryption supports a number of algorithms, but only one algorithm can be used in an Endpoint Encryption Enterprise.

RC5-12
CBC mode, 1024 bit key, 12 rounds, 64 bit blocks. The RC5-12 algorithm is compatible with the Endpoint Encryption 3.x algorithm.

RC5-18
CBC mode, 1024 bit key, 18 rounds, 64 bit blocks. The 18 round RC5 variant is designed to prevent the theoretical known-plaintext attack.

AES-FIPS (FIPS 140-1 Approved) - RECOMMENDED
CBC mode, 256 bit key, 128 bit blocks. This algorithm is approved for FIPS 140-1 use. Beyond the FIPS approval, its 128 bit block avoids the limit that a 64 bit block cipher in CBC mode places on how much data can safely be encrypted under a single key, so choose AES-FIPS for new deployments unless compatibility with 3.x data is required.

Smart Card Readers
The following smart card readers are supported:
- Any Windows supported smart card reader
- All PC/SC smart card readers

Tokens
Smart Cards
For the latest list of authentication methods using smart cards, tokens and fingerprint readers, please consult your McAfee representative.


Language Support
Endpoint Encryption Manager
Czech, Dutch, English (United States), English (United Kingdom), French, Japanese, Korean, Portuguese (Brazil)

System Requirements
Implementation documentation discussing appropriate hardware for typical installations of Endpoint Encryption is available from your representative. The following specifications should be considered appropriate for evaluation deployments only.

Endpoint Encryption Database Server
- Windows NT 4.0 SP6a, 2000, XP, 2003, Vista 32-bit (all versions), Vista 64-bit (all versions)
- 256 MB or OS minimum RAM; 1024 MB recommended
- 200 MB free hard disk space
- Pentium compatible processor; multi-way (up to 32 processors), Hyperthreading, Dual Core and AMD processors are supported
- For remote administration, a TCP/IP network connection with a static DNS name / IP address is required
This configuration is considered appropriate for evaluation systems only. For production systems, please contact your McAfee representative for enterprise implementation documentation.

Administration
- Windows NT 4.0 SP6a, 2000, XP, 2003, Vista 32-bit (all versions), Vista 64-bit (all versions)
- 256 MB or OS minimum RAM
- 40 MB free hard disk space
- Pentium compatible processor; multi-way (up to 32 processors), Hyperthreading, Dual Core and AMD processors are supported
- For remote administration, a TCP/IP network connection is required


SFDBBack
All versions of Windows (IE 4.0 with the Offline Browsing Pack is required for Windows 95 and NT 4.0 SP6a).

Active Directory Connector
Windows NT 4 SP6a, Windows 2000, Windows XP, Windows 2003, Vista 32-bit and Vista 64-bit. Requires read/write access to a v3+ Active Directory.

Novell Netware / LDAP Connector
Windows NT 4 SP6a, Windows 2000, Windows XP, Windows 2003, Vista 32-bit and Vista 64-bit. Novell eDirectory 8.6.x with Novell Server 7.x. Future versions of Novell are expected to function.

NT Connector
Windows NT 4.0 SP6a, Windows 2000, Windows XP, Windows 2003, Vista 32-bit, Vista 64-bit. Domain account access for Windows 2000+.

NOTE: The NT connector must be installed on a PDC or BDC on Windows NT 4.0.

Index
A
Account Validity, 24, 65, 68, 77
Active Directory, 13, 62, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 132
  Organizational Units, 71, 81
ADCon, 67, 71, 74, 75, 76, 81, 82, 84, 85
admin rights, 15, 54
Administration
  level, 15
  privilege, 15
  privileges, 35
  rights, 15
Administration Function, 36
Administration Level, 30, 35, 55
algorithm, 11, 14, 29, 104, 114, 130
  maximum key size, 29
Attributes
  explained, 9
Audit Trails
  viewing, 18
Auditing, 44
authentication, 11, 13, 16, 49, 50, 52, 53, 54
Authentication
  client/server, 53
Autoboot users
  autoboot user, 23

B
backup, 65
Base DN, 69, 75, 78, 84

C
cache, 107
CE Server, 11, 13
chipdrive. See Towitoko
Client
  overview of, 12
compressed
  Object Directory, 108
connecting to databases, 49
connecting to NT Domains, 64
Connector
  Bindings, 32, 33, 73, 74, 83, 84
Connector Manager, 62
  overview of, 13
  user bindings to, 33
Controlled Groups. See groups
cryptography, 6
Cryptography
  encryption, 13

D
DAP, 19
Databases
  adding a new connection, 49
  managing, 49
decrypt, 53
Default Password, 22, 23, 25, 65, 90, 94
deploy, 41, 54
disable, 26, 64, 65, 67, 72, 73, 76, 82, 83
disabling users. See Users
distinguished name(s), 69, 78
distinguished name, 69, 75, 78, 84
DNS, 50, 53, 110, 131
DNS Name, 68, 77
DSA, 11, 50

E
enabling users. See Users
Encryption
  algorithms, 130
Encryption Algorithm, 11, 14, 29, 114, 130
Encryption Algorithms
  RC5, 130
Endpoint Encryption CE Server, 11, 13
Endpoint Encryption Components
  File Encryptor, 8
  VDisk, 8
Endpoint Encryption Server
  connecting to a new, 54
  overview of, 10
  restricting user ids for, 54
Entities
  explained, 9
error codes, 109, 115
error messages, 115
excluded users, 67, 73, 76, 83

F
File Encryption
  overview of, 13
File Encryptor, 8
file group management, 40
Files
  deleting and exporting, 41
  importing new, 41
  ini files, 109
  program and driver files, 114
  properties, 41
force sync, 24

G
Group mappings, 65, 70, 80
groups, 16, 17, 22, 35, 36, 37, 40, 46, 65, 66, 70, 71, 75, 80, 81, 85, 109
Groups
  administration of, 35
  controlled vs free, 16
  free, 17
  of users and machines, 16

H
hidden fields. See Users
hours. See Users

I
IP Address, 9, 10, 11, 51, 68, 75, 77, 84, 131

L
language support, 131
LDAP, 11, 13, 19, 62
  Base DN, 69, 75, 78, 84
  Object Filter, 69, 78, 79
  Protocol Version, 68, 77
  Referrals, 70, 79
  User DN, 69, 78
LDAP Browser, 74, 75, 84
Licence Files
  adding, 101
  expiry of, 102
  restrictions, 101
local databases, 50
logon hours, 31, 64, 67, 76

M
mapping groups. See Group mappings
Microsoft, 76, 84, 87, 89
Microsoft Active Directory, 67, 76

N
Name Index, 106
Network Name, 68, 77
NT Domain, 13
NT Domains, connecting to, 64

O
object change log, 70, 79
object directory, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19, 23, 29, 35, 41, 42, 44, 49, 51, 52, 53, 54, 55, 62, 64, 90, 106, 107, 108, 110
Objects
  explained, 9
  locking of, 20
Offline Browsing Pack, 132

P
Password
  Default, 22, 23, 25, 65, 90, 94
passwords, 10, 13, 25, 26, 27, 28, 29
  Reset, 24, 26, 86, 96, 97
Passwords, 25
  history, 25
Pentium, 131
performance, 11, 19
Performance
  Object Directory, 107
Pocket Endpoint Encryption, 93
Pocket Windows 2002, 11
privileges, 10, 15
public/private keys, 53

Q
quick start guide, 7

R
RC5, 130
recovery, 11, 13, 21, 23, 24, 29
referrals, 70, 79
registry, 43, 114
RSA, 11, 13

S
SafeBoot Server
  overview of, 12
SBAdmCL, 44, 102
schedule, 63
scheduling synchronisations, 63
Server
  configuration of, 53
  creating a, 51
  Endpoint Encryption CE Server, 13
  starting a, 52
  starting as a service, 53
service, 53, 55, 63, 71, 81, 86, 89, 90, 96, 98, 113
Service Accounts, 55
SFDBBack, 132
Smarty, 130
system requirements, 131

T
TCP/IP, 9, 10, 11, 51, 131
towitoko chipdrive, 130

U
user dn, 69, 78
user status, 9, 64, 67, 76
Users
  administration level, 30
  creating new, 21
  disable, 64, 65, 67, 76
  Disabling, 64, 65, 67, 76
  enabling and disabling, 23
  Excluding, 67, 73, 76, 83
  hidden fields, 21
  logon hours, 31
  logon id, 21
  password parameters, 25

W
Windows 2000, 43, 64
Windows CE, 11

X
X500, 11, 13, 19, 20, 62
