Endpoint Encryption Manager Administration Guide
Version 5.2.5
McAfee, Inc.

McAfee, Inc., 3965 Freedom Circle, Santa Clara, CA 95054, USA. Tel: (+1) 888.847.8766. For more information regarding local McAfee representatives please contact your local McAfee office, or visit: www.mcafee.com

Document: Endpoint Encryption Manager Administration Guide
Last updated: Tuesday, 30 March 2010

Copyright (c) 1992-2010 McAfee, Inc., and/or its affiliates. All rights reserved. McAfee and/or other noted McAfee-related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee-brand products. Any other non-McAfee-related products, registered and/or unregistered trademarks contained herein are only by reference and are the sole property of their respective owners.
Contents

Preface ... 6
    About this guide ... 6
    Audience ... 6
    Conventions ... 7
    Related Documentation ... 7
    Acknowledgements ... 7
    Contacting Technical Support ... 7
Introduction ... 8
    Why Endpoint Encryption? ... 8
    Design Philosophy ... 8
    How Endpoint Encryption Solutions Work ... 8
    Objects, Entities, and Attributes explained ... 9
    The Endpoint Encryption Components ... 10
Auditing ... 44
    Introduction ... 44
    Common Audit Events ... 44
Server Configuration ... 53
    Starting the Endpoint Encryption Server as a Service ... 53
    Using Server / Client Authentication ... 53
    Connecting to a new Endpoint Encryption Server ... 54
    Checking a Server's Status Remotely ... 54
    Using Restricted User IDs for Servers ... 54
Keys ... 56
    About Keys ... 56
    Key Administration Functions ... 56
    Key Configuration Options ... 57
Policies ... 59
    About Policies ... 59
    Policy Administration Functions ... 59
    Assigning a policy object to a user ... 60
    Assigning a policy object to a machine ... 60
License Management ... 101
Common Criteria EAL4 Mode Operation ... 103
Preface

The team at McAfee is dedicated to providing you with the best in security for protecting data on personal computers. By applying the latest technology, deployment and management of users is made easier through simple and structured administration controls. The Endpoint Encryption Manager and associated products are designed to protect your mobile data on PCs, PDAs and across networks. Through continued investment in technology and the inclusion of industry standards, we are confident that our goal of keeping Endpoint Encryption at the forefront of data security will be achieved.
Audience

This guide was designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, is required. For information about cryptography topics, readers are advised to consult the following publications:

Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Bruce Schneier, Pub. John Wiley & Sons; ISBN 0471128457
Computer Security, Dieter Gollmann, Pub. John Wiley and Sons; ISBN 0471978442
Security in Computing, Charles P. Pfleeger, Pub. Prentice Hall PTR; 3rd edition; ISBN 0130355488
Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.
Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).
Italic: Emphasis or introduction of a new term; names of product manuals.
Blue: A web address (URL); a live link.
Note: Supplemental information; for example, an alternate method of executing the same command.
Caution: Important advice to protect your computer system, enterprise, software installation, or data.
Related Documentation

The following materials are available from our web site, http://www.mcafee.com, and from your Endpoint Encryption distributor:

Endpoint Encryption Manager Administration Guide (this document)
Endpoint Encryption for PC Administration Guide
Endpoint Encryption for Files and Folders Administration Guide
Port Control Administration Guide
Endpoint Encryption for PC Quick Start Guide
Endpoint Encryption for Files and Folders Quick Start Guide
Acknowledgements

Endpoint Encryption's Novell NDS Connector and LDAP Connector make use of OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given
Introduction
Why Endpoint Encryption?
Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD worth of lost data. Is your data safely stored? Ever thought about the risks you run for your company and your clients? The Endpoint Encryption product range was developed with the understanding that often the data stored on a computer is much more valuable than the hardware itself.
Design Philosophy

The Endpoint Encryption product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a smart card, fingerprint or USB key. McAfee also has optional file and media encryption programs (VDisk, File Encryptor and Endpoint Encryption for Files and Folders), as well as hardware VPN solutions, further enhancing the security offered. Endpoint Encryption supports all current Microsoft operating systems, and also common PDA platforms:

Microsoft Windows 7
Microsoft Windows 2000 through SP4
Microsoft Windows XP through SP3 (32-bit only)
Microsoft Windows 2003 through SP2 (32-bit only)
Microsoft Windows Vista 32-bit and 64-bit (all versions)
Microsoft Pocket Windows 2002 and 2003
Microsoft Windows Mobile 5.0/6.0/6.1
Palm OS 3.5 through 5.4
All Endpoint Encryption products are centrally managed through a single system, which supports scalable implementations and rich administrator control of policies.
over TCP/IP via a secure Endpoint Encryption Server (in the case of a centrally managed enterprise). Endpoint Encryption applications query the directory for any updates to their configuration, and if needed download and apply them. Typical updates could be a new user assigned to the machine by an administrator, a change in password policy, or an upgrade to the Endpoint Encryption operating system or a new file specified by the administrator. At the same time Endpoint Encryption uploads details like the latest audit information, any user password changes, and security breaches to the Object Directory. In this way, transparent synchronization of the enterprise becomes possible.
Figure 1. Endpoint Encryption Manager

The most important component of the Endpoint Encryption enterprise is the Endpoint Encryption Manager, the administrator interface. This utility allows privileged users to manage the enterprise from any workstation that can establish a TCP/IP link or file link to the Object Directory. Typical procedures that the Endpoint Encryption administrator handles are:

Adding users to machines
Configuring Endpoint Encryption protected machines
Creating and configuring users
Revoking users' logon privileges
Updating file information on remote machines
Recovering users who have forgotten their passwords
Creating logon tokens such as smart cards for users
authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman key exchange and a bulk cipher for line encryption. This ensures that "snooping" the connection cannot result in any secure key information being disclosed. The server exposes the Object Directory via fully routed TCP/IP, meaning that access to the Object Directory can be exposed to the Internet / intranet, allowing clients to connect wherever they are. As all communications between the Server and client are encrypted and authenticated, exposing it in this way does not disclose directory contents or key material; the server should still be treated like any other Internet-facing service (kept patched, reachable only on its service port, and monitored through its audit trail). There is a separate PDA Server which provides similar services to PDAs such as Microsoft Pocket Windows and Palm OS devices. More information about this can be found in later chapters.
Figure 2. Endpoint Encryption Client

The Endpoint Encryption for PC client software is largely invisible to the end user. The only visible part is an entry in the user's tool tray (the Endpoint Encryption icon). Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator has enabled this option and a screen saver is selected). Right-clicking on the icon allows them to perform a manual synchronization with their Object Directory, or to monitor the progress of any active synchronization.

Normally the Endpoint Encryption client attempts to connect to its home server or directory each time the machine boots or establishes a new dial-up connection. During this process, any configuration changes made by the Endpoint Encryption administrator are collected and implemented by the Endpoint Encryption client. In addition, information such as the latest audit logs is uploaded to the directory.
Administration Level

Each object in the directory has an "administration privilege" in the range 1 (lowest) to 32 (root administrator). No object except the root administrator can change the attributes of an object at its own privilege level or above, although some attributes can be read regardless. This mechanism stops low-privilege users from changing their own configuration, and protects high-level administrators from the activities of lower levels. The recommended assigned privileges are:

Administration Level: 32, 10, 1, 1

NOTE: As there are no objects with a privilege above 32, all level 32 objects are treated equally and without restraint (except delete rights). This means that any top-level admin can edit the properties of any other top-level admin. However, a level 32 administrator with limited admin functions cannot add those restricted functions to another level 32 administrator. For this reason it is recommended that general Endpoint Encryption administrators use accounts with a privilege below 32, and that the master (or root) administrator account is used only in extreme circumstances.

In addition to this rule, extra restrictions on which administration processes an individual may use can be set when they are created; for instance the ability to add users may be blocked, as may the ability to create install sets.
Finding Objects
You can search the object trees by either typing into the Find box on the tool bar of Endpoint Encryption Manager, or, by using the Filter or Find by ID options from the Objects Menu.
Audit Trails

Endpoint Encryption keeps an audit trail for most types of object. To view the current audit, select the object in question and use the right-click menu option View Audit. Audit trails can be exported as comma-delimited files for use in other applications. Whether a user can view another user's audit is a function of their relative administration level and their View Audit administration right. It is recommended that not all users are given this permission.
This structure mirrors an X.500 directory, and allows fast access to attributes and modification (adding new attributes, new object classes, etc.) without significant effort.
Object locking

To prevent problems where two or more processes try to access the same data simultaneously, only one process can have write permission to an object at any time. Normally an object such as a user is only locked during the actual write process; if there is a conflict in locks, one process waits for the other to release. This usually takes only a few seconds. In the standard file-managed directory, object locking is provided by the operating system itself.
Figure 3. Creating New Users

New users can be created in Endpoint Encryption Manager by selecting the group they need to be in and using the menu option Create User. You can also create users automatically using a connector to another directory, such as Active Directory, or an automated script. Please see the Endpoint Encryption Connector Manager chapter, or the Endpoint Encryption Scripting Tool User's Guide.

The new user's logon ID and recovery information about them can be entered. The user's password or token is inherited from the group, and can be set or generated at this point. The fields of information are used to identify the user in case of a helpdesk issue, such as the user forgetting their password. The helpdesk and user can see the majority of these fields, but some may be defined as "hidden from user"; in this example, the field Group Access is one of those. Hidden fields can only be seen by administrators with a higher privilege than the user, or by the root administrator. This gives the helpdesk operator the ability to ask the user a question to validate their identity. For more information on recovery, see the Recovery chapters of your product administrator's guide.

Once created, the user assumes the configuration of the group they were created in. If this group is "controlled", then only a few options are available to be configured on a user-by-user basis. If the group is "free" then, although the user assumes the properties of the group on creation, the parameters can then be set individually afterwards.
Reset Token

Resets the token authentication to the default. In the case of the soft (password) token, this resets the password to 12345.

NOTE: Some hard tokens may not be able to be reset using Endpoint Encryption, for example Datakey Smart Cards. In this case contact the manufacturer of your token to determine the correct re-use procedure.
View Audit
Displays the audit for the user.
Create Copy
Creates a new object based on the selected object.
Properties
Displays the properties of the selected object.
Figure 4. User Options, General

User ID
The user ID of a given user is the system-wide identifier that Endpoint Encryption uses internally to keep track of the user. This number is unique within the Object Directory and is displayed for technical support purposes. The user's recovery screens also show this number.

Auto-boot users
Special user IDs containing the tag $autoboot$ with a password of 12345 (or one set by administrators) can be used to auto-boot an Endpoint Encryption for PC protected machine. This option is useful if an auto-boot of a machine is needed, for example when updating software using a distribution package such as SMS or ZENworks. This ID should be used with caution, though, as it effectively bypasses the security of Endpoint Encryption: while it is assigned, anyone who can power on the machine reaches the operating system without an Endpoint Encryption logon. You can find out more about the $autoboot$ user from the Endpoint Encryption for PC Administration Guide.

Enabled
Shows whether the user account is enabled or not. The enabled status is always user selectable. Once a machine has synchronized, it checks the user account list to ensure that the currently logged-on user is still valid (because they logged on at boot time, before the network and Object Directory were available). Users with disabled accounts (or users
Password Parameters

Figure 5. User Configuration, Password Parameters

Force Change if "12345"
Ticking this option prevents users from continuing to use the Endpoint Encryption default password of "12345". If this password is ever used, for instance after recovering a user, it must be changed before Endpoint Encryption will allow the operating system to boot. The force password change mechanism is also supported in the Windows screen saver.

Prevent Change
Disables the Change Password option on the Endpoint Encryption boot screen and on the directory login screen.

Enable Password History
Endpoint Encryption records previous passwords, and stops the user repeating old passwords when they are forced to change them. The maximum number of previous passwords that can be saved is limited by the user's token: typically a password token can remember 19 previous passwords, whereas a smart card token only 10. Passwords are added to the history list when the user sets them, so the default password (12345) may be used ONCE again, as it is not added to the history list when a user is created. Special smart card scripts can be made available which increase the maximum history count beyond 10, at the expense of the time needed to log in. For information on these scripts please contact your Endpoint Encryption representative.

Require Change After
64 minutes is the maximum lockout period that may be set.

Invalidate Password after
After a sequence of incorrect passwords, Endpoint Encryption can disable the user's account. To log on again once this has happened, the user will need to call their Endpoint Encryption helpdesk for a password reset. The number of incorrect passwords that have to be entered before this occurs is normally 10, but can be set as needed.
Password Template

Figure 6. User Configuration, Password Template

Password Length
Sets the permitted length of the user's password between two extremes. Recommended settings are a minimum length of 5 characters and a maximum length of 40 characters.

Enforce Password Content
Enforcing content in passwords forces the user to pick more secure passwords, but also reduces the number of possible passwords the user can select from. Content is not case sensitive. The following options can be set:

Alpha: A minimum number of characters from the range a-z and A-Z.
Alphanumeric: A minimum number of non-symbol characters from the range a-z, A-Z, and 0-9.
Numeric: A minimum number of characters from the range 0-9.
Symbols: !"$%^&*()_+{}~@:><,./ :;@'~#<,>.?/`[], and other non-alphabetic and non-numeric characters.

Content restrictions force the user to be more particular when they change their password. Depending upon the selected options, passwords that are related to previous ones will not be accepted. The following restrictions can be set:
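As an added example (not McAfee code), the following Python models the user password settings described in the Password Parameters and Password Template sections: length and content minimums, a password history from which the "12345" default is excluded, the forced change of the default before boot, and account invalidation after a run of incorrect logons. The class and field names, the defaults and the plain-text comparison are assumptions chosen to mirror the guide's description; the product itself stores and verifies credentials differently.

```python
"""Password-policy checks modelled on the Endpoint Encryption user password
settings above: length and enforced content, password history with the default
password excluded from it, forced change of the "12345" default before boot,
and account invalidation after repeated incorrect logons.

Added example, not McAfee code. The class and field names, the defaults and the
plain-text comparison are assumptions chosen to mirror the guide's description;
the product itself stores and verifies credentials differently.
"""
from dataclasses import dataclass, field

DEFAULT_PASSWORD = "12345"   # Endpoint Encryption default password, per the guide


@dataclass
class PasswordPolicy:
    min_length: int = 5              # recommended minimum from the guide
    max_length: int = 40             # recommended maximum from the guide
    min_alpha: int = 0               # a-z, A-Z (content is not case sensitive)
    min_alphanumeric: int = 0        # a-z, A-Z, 0-9
    min_numeric: int = 0             # 0-9
    min_symbols: int = 0             # anything that is neither a letter nor a digit
    history_size: int = 19           # password-token history limit; 0 disables history
    force_change_if_default: bool = True
    invalidate_after: int = 10       # incorrect logons before the account is disabled


@dataclass
class UserState:
    password: str = DEFAULT_PASSWORD             # creation and reset both start here
    history: list = field(default_factory=list)  # only passwords the user *set*
    failed_attempts: int = 0
    enabled: bool = True


def check_content(candidate: str, policy: PasswordPolicy) -> list:
    """Return every length/content rule the candidate violates (empty means OK)."""
    problems = []
    n = len(candidate)
    if not policy.min_length <= n <= policy.max_length:
        problems.append(f"length {n} not in {policy.min_length}..{policy.max_length}")
    alpha = sum(c.isalpha() for c in candidate)
    digits = sum(c.isdigit() for c in candidate)
    symbols = n - alpha - digits
    if alpha < policy.min_alpha:
        problems.append(f"fewer than {policy.min_alpha} alphabetic characters")
    if alpha + digits < policy.min_alphanumeric:
        problems.append(f"fewer than {policy.min_alphanumeric} alphanumeric characters")
    if digits < policy.min_numeric:
        problems.append(f"fewer than {policy.min_numeric} numeric characters")
    if symbols < policy.min_symbols:
        problems.append(f"fewer than {policy.min_symbols} symbol characters")
    return problems


def set_password(user: UserState, candidate: str, policy: PasswordPolicy) -> list:
    """Apply a user-initiated password change; return the list of rejections."""
    problems = check_content(candidate, policy)
    # The default is never written to the history at creation or reset, so (as the
    # guide notes) it can be chosen once more; after that it is recorded like any
    # other password the user sets.
    if policy.history_size > 0 and candidate in user.history:
        problems.append("previously used password")
    if problems:
        return problems
    user.password = candidate
    if policy.history_size > 0:
        user.history.append(candidate)
        del user.history[:-policy.history_size]   # keep only the newest entries
    else:
        user.history.clear()
    return []


def must_change_before_boot(user: UserState, policy: PasswordPolicy) -> bool:
    """Force Change if "12345": the OS will not boot until the default is replaced."""
    return policy.force_change_if_default and user.password == DEFAULT_PASSWORD


def record_logon(user: UserState, supplied: str, policy: PasswordPolicy) -> bool:
    """Count incorrect attempts and disable the account once the limit is reached."""
    if not user.enabled:
        return False                  # disabled accounts fail even with the right password
    if supplied == user.password:
        user.failed_attempts = 0
        return True
    user.failed_attempts += 1
    if user.failed_attempts >= policy.invalidate_after:
        user.enabled = False          # from here on only a helpdesk reset can help
    return False


def reset_token(user: UserState) -> None:
    """Helpdesk reset: back to the default password, counter cleared, account enabled."""
    user.password = DEFAULT_PASSWORD
    user.failed_attempts = 0
    user.enabled = True
```

The two behaviours worth noticing are the ones the guide calls out: after a reset the account sits on "12345" and must_change_before_boot stays true until the user picks something else, and because the default is never written to the history it can be chosen exactly once more before the history rule rejects it.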
Token Type

Figure 7. User Configuration, Token Selection

Sets the token for a given user or group of users. The list of available tokens is created from the token modules installed in the Object Directory. For information on particular token options, please see the Tokens chapter. Some tokens may be incompatible with other options; for instance, you cannot use the Floppy Disk token if the user's floppy disk access is disabled, set to read only, or set as Encrypted. Assigning a token to a user does not necessarily mean they will be able to log into a machine: giving a user a smart card does not mean their machine has a smart card reader, or the software needed to drive such a reader.

NOTE: When you change a user's token, Endpoint Encryption automatically brings up the token creation wizard. You need to remember to create Soft Tokens even though they are just passwords.

Recovery Key
You can reset a user's password, or change their token type, using the recovery process. This involves the user reading a small challenge of 18 characters from the machine to an administrator, then typing in a larger response from the administrator. The recovery key size defines the exact length of this code exchange. The range of options for the recovery key depends upon the maximum key size of the algorithm in use. A key size of 0 disables the user recovery system.

Allow web-based self recovery
Administration Rights

Figure 8. User Configuration, Administration Rights

Administration Level
The administration level of a given user defines their administration scope. Users can only work with directory objects (machines, other users, etc.) below their own level; thus a level 2 user can only administer users of level 1. All users are by default created at level 1, and are therefore unable to administer each other. The user who first created the directory is created at level 32, and can therefore administer any other object in the directory.

NOTE: A special case exists for the highest level of user (root users), allowing them to administer at level 32.

Administration Functions
Options in the administration functions box select what administrative options are available to a given user or group of users. When creating a new user, the administration rights of the creator are reflected to the new user. Most administration functions are obvious, but the following may require more explanation:

Users/Allow Administration controls a user's right to start administration systems such as the Endpoint Encryption Manager or Connector Manager. If
Logon Hours
Figure 9. User Configuration, Logon Hours

Endpoint Encryption can prevent a user from accessing any machine during particular time periods. In the example above, the user "John Smith" can access any machine his account has been allocated to between 9am and 5pm on any day. If the Force user to logoff box is not ticked, restricting the logon hours of a user does not prevent them continuing to use a machine out of hours if they were logged on when the restriction came into force; it does, however, prevent them logging on after this time, for instance at a screen saver prompt.
Devices
This is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for PC Administration Guide.
Application Control
This policy is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for PC Administration Guide
Policies

Figure 10. Policies

Endpoint Encryption can control other systems through the Policies interface. You can define the actual parameters of a policy through its entry on the System Tree, and assign which policies are enforced for a particular user, or group of users, from the Policies tab. For more information on policies see the Policies chapter.
Add / Remove
Click Add or Remove to associate a policy with a user. You can only associate one policy of each type with a user.
Bindings

Figure 11. Connector Bindings
Local Recovery
The Local Recovery option allows the user to reset a forgotten password by answering a set of security questions. The full list of security questions is set by the administrator using the Endpoint Encryption Manager. Note: Endpoint Encryption contains a generic set of questions. When the user first sets up their local recovery feature they will be prompted to select a number of questions and provide the answers to them. These form the basis for their local self recovery feature.
Administration Groups

Figure 13. Administration Groups

The groups which an administrator can manage can be restricted. This gives the ability to create high-privilege administrators who can only work on a particular population of users and machines, for instance departmental administrators. You can specify all group types for the restriction, so you can also create administrator accounts that have the ability to manage only servers, certain groups of users, or certain groups of machines. When group restrictions are in place, the user's view of the database is restricted to only the groups specified. Leaving the admin groups box empty gives the account admin capability throughout the Object Directory. When an administrator with group restrictions creates a new user, the group restrictions are reflected into the new user's properties. If the new user also inherits groups from their group membership, these too will be set.

NOTE: Do not restrict the administrative scope of the root administrator or you may not be able to make configuration changes in the future.
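The three mechanisms described in the Administration Level, Administration Rights and Administration Groups sections combine into one authorization decision. The Python below is an added example (not McAfee code) that models that decision: the 1-32 administration level, the per-account administration functions, the administration-group scope, and the way a creator's rights and restrictions are reflected into a new user. The class and function names are assumptions, and treating "except delete rights" as "nobody deletes a level-32 object" is the interpretation chosen here.

```python
"""Model of the Endpoint Encryption administration checks described in the
Administration Level, Administration Rights and Administration Groups sections:
the 1-32 administration level, the per-account administration functions, and
the administration-group scope restriction, including how a creator's rights
and restrictions are reflected into a new user.

Added example, not McAfee code: the class and function names below are
assumptions, and treating "except delete rights" as "nobody deletes a level-32
object" is the interpretation chosen here.
"""
from dataclasses import dataclass

ROOT_LEVEL = 32
# Names standing in for the product's administration functions (assumed).
ADD_USERS = "Users/Add"
ALLOW_ADMIN = "Users/Allow Administration"
VIEW_AUDIT = "View Audit"
CREATE_INSTALL_SETS = "Create Install Sets"
ALL_FUNCTIONS = frozenset({ADD_USERS, ALLOW_ADMIN, VIEW_AUDIT, CREATE_INSTALL_SETS})


@dataclass
class DirectoryObject:
    name: str
    group: str
    level: int = 1                          # every newly created object starts at level 1
    functions: frozenset = frozenset()      # administration functions this account holds
    admin_groups: frozenset = frozenset()   # groups it may administer; empty = whole directory


def in_scope(actor: DirectoryObject, target: DirectoryObject) -> bool:
    """Administration Groups restriction: an empty set means no restriction."""
    return not actor.admin_groups or target.group in actor.admin_groups


def can_modify(actor: DirectoryObject, target: DirectoryObject) -> bool:
    """Attributes may be changed only on objects strictly below the actor's level,
    except that all level-32 objects are treated equally and may edit each other."""
    if not in_scope(actor, target):
        return False
    if actor.level == ROOT_LEVEL:
        return True
    return target.level < actor.level


def can_delete(actor: DirectoryObject, target: DirectoryObject) -> bool:
    """Delete rights are the one thing level-32 accounts do not get over each other."""
    return can_modify(actor, target) and target.level < ROOT_LEVEL


def can_grant(actor: DirectoryObject, function: str) -> bool:
    """Even a level-32 administrator can only hand out functions it holds itself."""
    return function in actor.functions


def can_view_audit(actor: DirectoryObject, target: DirectoryObject) -> bool:
    """Viewing another object's audit needs relative level *and* the View Audit right."""
    return VIEW_AUDIT in actor.functions and (actor == target or can_modify(actor, target))


def create_user(actor: DirectoryObject, name: str, group: str,
                requested=None) -> DirectoryObject:
    """Create a level-1 user in `group`, reflecting the creator's rights and scope."""
    if ADD_USERS not in actor.functions:
        raise PermissionError("creator does not hold the add-users function")
    if not in_scope(actor, DirectoryObject(name, group)):
        raise PermissionError(f"group {group!r} is outside the creator's administration groups")
    # Requested functions are clipped to what the creator holds; with no explicit
    # request the creator's own rights are reflected, as the guide describes.
    granted = actor.functions if requested is None else frozenset(requested) & actor.functions
    return DirectoryObject(name=name, group=group, level=1,
                           functions=granted, admin_groups=actor.admin_groups)
```

Two consequences follow directly from the guide's rules and are easy to miss: a level-32 account with limited functions can still edit every other level-32 account yet cannot enlarge their function set, which is why day-to-day administrators should sit below 32; and because a creator's rights are reflected into each new user, a helpdesk account that creates users should request an explicit, smaller function set rather than relying on the default.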
In this scenario, the departmental administrators are prevented from managing each others department by the group restriction. Administrators are also prevented from
In this scenario, there are additional accounts for the Server Manager, a person responsible for keeping the Endpoint Encryption Server running. Their account has no ability to manage users or log on to clients. There could also be other accounts with the ability to add/remove users (for example, used by the personnel department).
Tokens
The Endpoint Encryption Manager and connected applications support many different types of logon token, for example passwords, smart cards, fingerprint readers and others. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared.
Tools download. Please consult your McAfee representative for further information.

2. From the Endpoint Encryption Manager, create a file group for the Upek token and import the token files SbTokenUpek.dll and SbTokenUpek.dlm. The Upek file group must be assigned to the machine or machine group. The fingerprint reader must be assigned to a user or a user group; see the user or user group Properties, Tokens screen.

3. The user logs onto the client machine using the Upek token module in password mode.

4. The user will be presented with a dialog which asks them to register their fingerprints with Endpoint Encryption; the user configures the fingerprint reader to work with one or more of their fingerprints.

5. From then on the user will need to authenticate to Endpoint Encryption with their fingerprint instead of a password.
Figure 14. Endpoint Encryption File Groups

The Endpoint Encryption Manager uses central collections of files, called File Groups (also referred to as Deploy Sets), to manage which versions of files are used by the many Endpoint Encryption applications. For information on a particular application's support for File Groups, please see its Administration Guide. When Endpoint Encryption Manager is installed, it automatically adds all the standard Endpoint Encryption administrator files into the file groups, and may also create language sets, for example "English Language". An INI file, ADMFILES.INI, determines the contents of the core groups. INI files such as this can be edited to allow custom collections of files to be quickly imported and then applied using the Import file list menu option. For more information on ADMFILES.INI see the Endpoint Encryption Configuration Files chapter. Other file sets created as standard include those to support logon tokens (such as smart card readers and USB Key tokens).
Figure 15. File Group Content

You can specify the function of a file group by right-clicking it and selecting its properties. Some file selection windows, for example the file selector for machines, only display certain classes of file group (in this example, those marked as Client Files).
Exporting Files
You can export a file group, or an individual file back to a directory. This may be useful, for example if you have an out of date administration system driver and there is an updated file in the Object Directory.
Deleting Files
You can delete individual files from a file set. With connected applications this usually results in the deletion of the file from their local directory at the next synchronization event.
Figure 16. File Properties, File Information

The name of the file is the actual name which will be used when deploying the file on the remote machine. The ID is the Object Directory object ID used as a reference for the file from the client PC. The version number is an incremental version of the file: when the file is updated, the version is incremented, and clients use it to check whether an update is needed. Other information, such as the name of the user who imported the file and its size, may be shown.

Figure 17. File Properties, Advanced

File Types
Sets the type of the file.

File Location
Sets the destination directory for the file.
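The file-group sections above describe how a client decides what to fetch: files are identified by Object Directory ID, each central update bumps the version, only file groups of a deployable class reach machines, and a file deleted centrally disappears from the client at the next synchronization. The Python below is an added example (not McAfee code) of that reconciliation step; the record layout, the "Administrator Files" class name, the destination path and the sample file lists are constructed assumptions.

```python
"""Client-side reconciliation of a file group (Deploy Set) against the files
already installed, following the rules above: a file is identified by its
Object Directory ID, its version is incremented on every central update, only
file groups of a deployable class are sent to machines, and a file deleted
centrally is removed from the client at the next synchronization.

Added example, not McAfee code: the record layout, the class names, the
destination path and the sample file lists are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    object_id: int      # Object Directory ID the client uses to refer to the file
    name: str           # name used when the file is deployed on the remote machine
    version: int        # incremented centrally on each update
    file_type: str      # file-group class, e.g. "Client Files"
    location: str       # destination directory on the client


def plan_sync(directory_files, installed, deployable_types=frozenset({"Client Files"})):
    """Return (downloads, deletions) that bring a client up to date.

    directory_files: FileRecords in the groups assigned to this machine.
    installed: dict object_id -> version currently present on the client.
    Any version mismatch is resolved in favour of the directory, so a file the
    client holds at a *newer* version than the directory is also re-fetched.
    """
    wanted = {f.object_id: f for f in directory_files if f.file_type in deployable_types}
    downloads = [f for f in wanted.values() if installed.get(f.object_id) != f.version]
    deletions = sorted(oid for oid in installed if oid not in wanted)
    return downloads, deletions


def apply_sync(installed, downloads, deletions):
    """Update the installed map the way a client would after a successful sync."""
    for oid in deletions:
        installed.pop(oid, None)
    for f in downloads:
        installed[f.object_id] = f.version
    return installed


# Constructed sample: what the directory offers this machine (SbTokenUpek.* are
# the Upek token files named in the guide; the admin-only file is hypothetical).
DIRECTORY_FILES = [
    FileRecord(1001, "SbTokenUpek.dll", 3, "Client Files", "(client install directory)"),
    FileRecord(1002, "SbTokenUpek.dlm", 1, "Client Files", "(client install directory)"),
    FileRecord(3001, "ExampleAdminTool.dll", 7, "Administrator Files", "(admin directory)"),
]
# ... and what the client currently holds; 2000 has since been deleted centrally.
INSTALLED = {1001: 2, 1002: 1, 2000: 5}

if __name__ == "__main__":
    downloads, deletions = plan_sync(DIRECTORY_FILES, dict(INSTALLED))
    print("download:", [(f.name, f.version) for f in downloads])
    print("delete:", deletions)
```

Running it against the sample shows a single download (SbTokenUpek.dll moving from version 2 to 3), the removal of the orphaned file 2000, and nothing at all for the administrator-only file, which never reaches a machine's file selector.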
Auditing

Introduction
The Endpoint Encryption Manager audits user, machine, and server activity. By right-clicking on an object in the Endpoint Encryption Object Directory, you can select the View Audit function. Audit trails are uploaded to the central directory by both the Administration Center and connected Endpoint Encryption applications such as Endpoint Encryption for PC and Endpoint Encryption for Files and Folders.

The permission to view or clear an audit log can be controlled on a user or group basis. Both the administration level and the administration function rights are checked before allowing access to a log. For more information on setting these permissions see the Creating and Configuring Users chapter.

Audit trails can be exported to a comma-delimited (CDF) file by using the Audit menu option, or by right-clicking the trail and selecting Export. The entire audit of the directory can also be exported using the Endpoint Encryption Scripting Tool; for information on this option please contact your McAfee representative. The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely, but can be cleared en masse using SBAdmCL. Clearing is itself recorded as an Audit cleared event, so export the trail before clearing it if you need to retain the history.
Information Events

  Description                     Event
  Audit cleared                   01000000
  Boot started                    01000001
  Boot complete                   01000002
  Booted non-secure               01000003
  Backwards Date Change           01000005
  Booted from floppy              01000004
  Token battery low               01000010
  Power fail                      01000011
  A virus was detected            01000013
  Synchronization Event           01000014
  Add group                       01000082
  Add object                      01000083
  Delete group                    01000084
  Delete object                   01000085
  Import object                   01000086
  Export object                   01000087
  Export configuration            01000088
  Update object                   01000089
  Import fileset                  01000090
  Create token                    01000091
  Reset token                     01000092
  Export key                      01000093
  Recover                         01000094
  Create database                 01000095
  Reboot machine                  01000096

Try Events

  Description                     Event
  Logon attempt                   02000001
  Change password                 02000002
  Forced password change          02000003
  Recovery started                02000016
  Database logon attempt          02000081

Succeed Events

  Description                     Event
  Logon successful                04000001
  Password changed successfully   04000002
  Boot once recovery              04000016
  Password reset                  04000017
  Password timeout                04000018
  Lockout recovery                04000018
  Change token recovery           04000019
  Screensaver recovery            0400001A
  Database logon successful       04000081

Failure Events

  Description                     Event
  Logon failed                    08000001
  Password change failed          08000002
  Password invalidated            08000005
  Machine configuration expired   08000012
  Recovery failed                 08000017
  Database logon failed           08000081
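The tables are grouped so that the leading byte of each code identifies its class (01 Information, 02 Try, 04 Succeed, 08 Failure). The following Python is an added example, not part of the product or of this guide: it classifies codes that way, then runs a small detection over audit records (repeated Logon failed events per user, and any Audit cleared event). The three-column record layout and the sample records are constructed for the example; the guide does not document the export format.

```python
"""Added example (not product code): classify Endpoint Encryption audit
event codes and run a simple detection over constructed audit records."""
from collections import defaultdict
from datetime import datetime, timedelta

# The tables above group codes by their leading byte; this map reproduces
# that grouping so a code can be classified without a full lookup table.
EVENT_CLASSES = {0x01: "Information", 0x02: "Try", 0x04: "Succeed", 0x08: "Failure"}

# A subset of the codes listed in the tables above.
EVENT_NAMES = {
    "01000000": "Audit cleared",
    "01000001": "Boot started",
    "01000093": "Export key",
    "02000001": "Logon attempt",
    "04000001": "Logon successful",
    "08000001": "Logon failed",
    "08000005": "Password invalidated",
}


def classify(code):
    """Return the event class ("Information", "Try", ...) for an 8-hex-digit code."""
    return EVENT_CLASSES.get(int(code, 16) >> 24, "Unknown")


def describe(code):
    """Human-readable name for a code, or a placeholder for codes not in the subset."""
    return EVENT_NAMES.get(code.upper(), "Unlisted event " + code.upper())


# Constructed sample records: "timestamp,user,code". The guide does not
# document the export layout, so this three-column form is an assumption.
SAMPLE_EXPORT = """\
2010-03-30T08:00:01,alice,02000001
2010-03-30T08:00:02,alice,04000001
2010-03-30T08:05:01,bob,02000001
2010-03-30T08:05:02,bob,08000001
2010-03-30T08:05:40,bob,02000001
2010-03-30T08:05:41,bob,08000001
2010-03-30T08:06:30,bob,02000001
2010-03-30T08:06:31,bob,08000001
2010-03-30T09:00:00,carol,02000001
2010-03-30T09:00:01,carol,08000001
2010-03-30T17:30:00,admin1,01000000
"""


def parse_export(text):
    """Parse the assumed export layout into (timestamp, user, code) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, code = (f.strip() for f in line.split(","))
        records.append((datetime.fromisoformat(stamp), user, code.upper()))
    return records


def failed_logon_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` Logon failed events inside any `window`.

    Returns {user: largest number of failures seen inside one window}."""
    stamps = defaultdict(list)
    for ts, user, code in records:
        if code == "08000001":
            stamps[user].append(ts)
    flagged = {}
    for user, times in stamps.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            flagged[user] = best
    return flagged


def audit_cleared(records):
    """Every Audit cleared (01000000) event: the log was wiped, so an export should exist."""
    return [(ts, user) for ts, user, code in records if code == "01000000"]


def class_counts(records):
    """Count records per event class; a quick sanity check of an export."""
    counts = defaultdict(int)
    for _, _, code in records:
        counts[classify(code)] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print(class_counts(recs))
    print("bursts:", failed_logon_bursts(recs))
    for ts, user in audit_cleared(recs):
        print(f"{ts} audit cleared by {user}")
```

Run against the constructed sample, bob is flagged with three failures inside five minutes, carol's single failure is not, and the Audit cleared entry by admin1 is listed for follow-up.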
Managing Connections
You can add and remove directory connections by clicking Cancel on the Endpoint Encryption Manager Login box, then selecting Edit Connections on the Select Your Login Method dialog.
Figure 18. Endpoint Encryption Database Connections

The Endpoint Encryption Database Connections window lists the currently configured directory locations and types. Local directories are accessed directly; remote directories are accessed through an Endpoint Encryption server. Where authentication parameters for the directory connection have been imported, the connection appears with a tick.
Remote Directories
Description
Type a description for the directory; this is used to identify the directory in the list.

Server Address
Supply the address or DNS name of the server, and the port it is running on.

Server Port
Set the port the server should communicate on. The default is 5555.

Authenticate
Server authentication prevents a malicious "rogue" server masquerading as a valid Endpoint Encryption server, by forcing DSA key checking between the server and the Endpoint Encryption application. If the key the server returns is invalid, the Endpoint Encryption application will refuse to connect to the server and inform the user of a key mismatch. When adding a new server, if you elect to create an authenticated link, you will be prompted to provide a key file (.spk file). You can obtain this key from an existing connected administrator by asking them to right-click on the server definition in the Endpoint Encryption Manager and choose Export Public Key. The check is only as trustworthy as the .spk file you import, so obtain it directly from an administrator you have verified rather than from the server you are about to trust. A connection created without Authenticate set performs no such check.

NOTE: If you are authenticated to a directory, you can add alternate Endpoint Encryption server connections to this directory to the list by simply right-clicking on the server's directory entry in the system tree and selecting Add to Directories. This process sets up the connection in advance and adds all the key information if available.
Local Directories
Local directories (accessed without an Endpoint Encryption server) need a UNC or mapped-drive data path (or a file location in the case of a file directory) and a description. Endpoint Encryption servers ALWAYS use a local directory; you cannot chain one server onto another. The default driver for the Endpoint Encryption Directory is sbfiledb.dll.
Figure 19. The Endpoint Encryption Server

The Endpoint Encryption Server provides a secure communication interface between the Object Directory and other components, such as Endpoint Encryption Manager, Endpoint Encryption for PC Client, and Endpoint Encryption Directory Synchronizer, over a TCP/IP link.
Figure 20. Creating a new Endpoint Encryption Server Object

To create a new server object, you can either use the New Server option to create a new server in the System/Endpoint Encryption Servers tree using Endpoint Encryption Manager, or you can use the Create button on the Endpoint Encryption Server startup screen shown after authenticating to the Object Directory. Both procedures follow the same path. Creating a new Endpoint Encryption Server object automatically adds the definition to the local directories list. The next time you perform a directory logon, you will be able to choose to log on to the new server.

Figure 21. Selecting the Endpoint Encryption Server Object to use for configuration
Server Configuration
The Endpoint Encryption Server obtains its configuration from three places. The local file sdmcfg.ini supplies the location and type of Object Directory the server should connect to. It also supplies the logon ID and password to use in case of an automated start. This file is shared between all the Endpoint Encryption entities. The server's object within the Object Directory specified in sdmcfg.ini supplies the port the server should listen on, and its public and private key information. The local file sbserver.ini supplies the id of the object in the local Object Directory that the server uses for its port, etc. It also specifies whether the user should be prompted to select an id each time the server starts. Because sdmcfg.ini can hold a logon ID and password for automated start, restrict read access to it to the service account and administrators.
Keys
About Keys
Keys are general-purpose objects which other Endpoint Encryption-aware applications can use to encrypt information; for example, Endpoint Encryption for Files and Folders uses Key objects to protect files and folders on network and user hard disks.
Rename Key
This option changes the name of a key; it does not affect the association of keys to users, or the protection of data. Only the human-readable name is changed.
Delete Key
This option deletes a key from the system. To delete a key:

1. Find the key from the Keys node of the System tab within the object tree.
2. Right-click the key and select Delete.

NOTE: If you permanently delete a key, all data protected with that key will be permanently lost; however, you can restore the key if it has been backed up.
Properties
Displays the properties of a key.
accessible, then the user authenticates against a local key cache and queries it for a copy of the key. If the key could be obtained from the Key Server, then the local copy may be installed or updated at the same time. If the user's credentials are not correct, no keys are released.

Remove from cache after..
Causes a locally cached copy of a key to be wiped from the local key cache after a certain number of days of disconnection. This prevents users obtaining keys, then continuing to use them for extended periods of time without validating their credentials against the central Endpoint Encryption Key Server. You can use this option to ensure that if you make changes to the validity or user list of cacheable keys, these changes are enforced within a certain period of time. The number of days you set is therefore the longest a removed user can keep using a cached key while disconnected; choose it as the revocation delay you are willing to accept.
Users
You can restrict access to keys to certain users by adding them to the key's user list. When the list is empty, any user who has valid Endpoint Encryption credentials can obtain the key. Once one or more users are added to the list, ONLY those users can obtain or administer the key. This prevents general Endpoint Encryption administrators from being able to access sensitive data.

NOTE: You can restrict what administration functions regarding keys (add key, delete key, properties etc.) a user can perform by setting the user's administration rights. See the Administration Rights section for more information.

Restrict Access To
Defines the user list for a key. If the list is empty, then any user can access the key. If one or more users are added then ONLY they can access or administer the key.

Minimum Admin Level Required
You can specify the minimum admin level required to access a key. This parameter is enforced in ADDITION to the restricted user list: if you add a user to the user list and also set an admin level, a user who does not match or exceed the level will not be able to access the key. For more information on admin levels see the Administration Rights section.
Policies
About Policies
Endpoint Encryption can manage other systems and applications from the main Administration console. Each additional application provides a policy system which allows the parameters for the application to be defined; for example, the Endpoint Encryption for Files and Folders policy provider integrates into the Endpoint Encryption Database and allows you to set the functions and parameters for the Endpoint Encryption for Files and Folders system. You can assign policies to most kinds of Endpoint Encryption supported object, such as users, machines, PDAs, etc., wherever appropriate for the individual policy type. You can assign policies both to individual objects (such as users) and to groups of objects (such as groups of machines).
Rename Policy
Changes the name of the policy. This does not affect the association of the policy to other objects.
Delete Policy
If you delete a policy, all users of that policy will receive the Default policy instead the next time they update. To delete a policy:

1. Find the policy from the Policies tab of the object tree.
2. Right-click the policy and select Delete.
Create Copy
Creates a copy of a policy object based on the selected one.
Properties
Opens the properties of the selected group or object. For more information, see the Endpoint Encryption for Files and Folders Administration Guide.
You can normally only assign one policy of each type to any particular object, for example one Endpoint Encryption for Files and Folders policy, per user.
3. Click the Add button.
4. Select the policy you want to associate with that machine.
5. Click Ok.
You can normally only assign one policy of each type to any particular object, for example one Asset policy per machine.
Figure 22. Connector Manager

The Connector Manager tools are supplied pre-configured to synchronize the Endpoint Encryption directory from alternate systems such as NT Domains, Active Directory, and Novell NetWare NDS as a uni-directional process. Support for alternate data stores is implemented on a customer basis. To discuss synchronization with other data stores please contact your McAfee representative.
NT Connector (NTCon)
The NT Connector is designed to populate the Endpoint Encryption user list from an existing NT Domain. By specifying a server to synchronize with, the connector mines the domain user list, creating Endpoint Encryption user accounts for those domain users not found. If a domain user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. The NT Connector needs to be run on either an NT 4.0 Domain Server or a Windows 2000 server/workstation, and needs access to the Endpoint Encryption Object Directory.
The expiry date of the domain account is placed in the Endpoint Encryption user's Valid Until field.

Group Membership
On creation, logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all).
General Options
NT Server
Specify the server you want to obtain the user list from. You can use the local machine, or specify a domain server. Click the Servers button to obtain a list of machines accessible from this station.

Disable Users Only
If a user is deleted from the domain, their matched Endpoint Encryption account can be either deleted or disabled.

WARNING: If you delete an Endpoint Encryption user account, no files protected by only that Endpoint Encryption user id will be recoverable. We recommend you disable users only, and delete them manually.

Use Configuration Checksum
The connector can store a checksum of the domain configuration in the domain user comment. This negates the need to read the entire configuration each time a sync on the user occurs. To use this option you need to run the connector on a primary or backup domain controller; you cannot use this option on a remote server.

Throttling
You can specify a delay between checking each user account to make the synchronization process more network-friendly.

NOTE: The domain password for a user account is not available to Endpoint Encryption, so each new user will be created with the default password of 12345. You should ensure that all Endpoint Encryption groups which receive new users from the NT Connector have the Change password if default attribute set. Until the first logon, any account created this way can be opened with that published default, so keep the gap between creation and first use short.
Group Mappings
To ease the configuration of many synchronized domain users, you can map them to different Endpoint Encryption user groups based on their domain membership. As each domain account is checked, the NT Group Name fields are compared with the domain
user's memberships. The first match found causes NT Connector to create the user in the specified Endpoint Encryption user group. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a domain user list into Endpoint Encryption and have minimal configuration work left. For example, if the following group mappings were specified:

A domain user with memberships of Domain Admins and Sales would be placed in the Endpoint Encryption user group NT Domain Admins. A user with membership of Domain Users and Sales would be placed in NT Domain Sales, as it is listed first. If you clear the Add user to default group tick box, and the NT user being checked does not belong to any of the specified groups, they will not be synchronized into the Endpoint Encryption directory.
User Information
You can specify which Endpoint Encryption information fields receive information from the domain account comment and description. You can also select the default behavior when new users are created.
General Options
Connection Details
Connection Name
A text description for this instance of the connector.

Host
The IP address or DNS name of the directory server you wish to connect to.

Port
The TCP/IP port that the target directory is publishing on. This is usually 389, or 636 for secure connections.

Use Secure Connection
Selects a secure connection to the directory and changes the port number to 636 (note: this is configurable). The Certificate... button also activates: you can browse and select the right certificate from the Microsoft Certificate store, or point the connector to the appropriate .DER file obtained from your directory manager. You may need a secure connection to get full access to the directory. Without it, a simple bind sends the connector's logon credentials and the directory data over the network in clear text, so use it whenever the directory supports it.

Protocol Version
The LDAP protocol version your directory supports; this is usually Version 3.
Search Settings
Base DN
The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your directory if you need to limit the scope of the connector.

Object Filter
Enter an appropriate filter to restrict the connector's view of objects in the directory. The default filter:

(&(objectClass=User)(!objectClass=Computer))

restricts the view to directory objects that are of class User and not of class Computer. If you only need to synchronize a small segment of users from your directory to Endpoint Encryption, you can specify a detailed Object Filter; this makes the process more efficient by forcing the connector to look only at the users which are interesting to it. For example, to restrict the connector's view to users of the group Endpoint Encryption only, you could use a query like:

(&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))

Wherever you specify a search query, you must use the full parameters as accepted by the directory, so in the example above the memberOf parameter must match exactly that shown in the user. You can use an LDAP browser to see the correct attribute details. Note that standard RFC 4515 syntax writes the negation as (!(objectClass=computer)); if you test a filter in a generic LDAP tool, use that form.

Timeout
Search Groups
You can specify a list of DNs for group objects in your directory which contain members you wish to include in this connector's scope of operation. Search Groups takes precedence over the object filter specified in the Search Settings pane.
Attribute Types
Binary data attributes must be defined in this list before they can be used by the connector. You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant. For example, in the DN CN=McAfee,CN=COM,FN=Fred, if substring searching is enabled for DN, then CN=COM is a valid match.
Group Mappings
Group Mapping Information
To ease the configuration of many synchronized directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. As each directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per user causes
A directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales, as that clause comes first in the list. By specifying the No Mapping Exists behavior you can select one of four options:

1. Use a defined group.
2. Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).
3. Add the user to the default group.
4. Ignore, Remove, Disable or Recycle the user.
NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data. For information on this process.
User Mapping
The LDAPCon has the ability to map up to 10 fields of information from the directory into the Endpoint Encryption Directory. A typical use of this feature would be security question-answer sessions to aid validation of a remote user. To add a new entry either double click, or right click on the input table.
NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New Users Token
If you are using certificates, via for example Microsoft Certificate Server, you can allow your users to log in to Endpoint Encryption using their existing certificate token, for example an Activcard, eToken, or Setec token. For information about the supported tokens please see the Tokens chapter of this guide. Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user.

Search Endpoint Encryption for User Binding
Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users will be disabled, and the connector will expect to find the users pre-existing in the Endpoint Encryption directory. The connector will search for users with a binding which matches its identifier, and will only process those users. You can use the Search Endpoint Encryption option to process directories which contain a large population of uninteresting users. If you can pre-seed the Endpoint Encryption directory with the names of the users and appropriate binding information (for example using the scripting tool), you can greatly streamline the process.
User Attributes
The User Bindings tab is used to correlate the directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the directory is set up in a non-standard way.

Binding Attribute
The non-changing unique identifier for the user. This should be an item that is unique for that user and unlikely to change for the existence of this account, despite changes in surname or group membership.

Endpoint Encryption User name
An attribute used to create the Endpoint Encryption user name.

NOTE: Endpoint Encryption user ids are limited to 256 characters; you should not use an attribute that is likely to exceed this length.

Change Attribute
The directory attribute containing the account change stamp.

Logon Hours
The directory attribute containing the User Logon Hours information.

Account Control
The directory attribute containing the user account disabled/enabled information.

Account Expires
The directory attribute containing the account expiry date.

Delay between each user
You can limit the bandwidth that this connector consumes by putting a delay between each user synchronization.
Excluded Users
You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process. You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users. Revocation Check If you are using certificates to authenticate your users, you can enable revocation checking to ensure that if certificates are revoked, the user is denied access to
Figure 23. Connector Binding with Escaped Value
on your Endpoint Encryption CD, or included on the Endpoint Encryption Enterprise CD in the Tools directory.
General Options
Connection Details
Connection Name
A text description for this instance of the connector.

Host
The IP address or DNS name of the Active Directory server you wish to connect to.

Port
The TCP/IP port that the target Active Directory is publishing on. This is usually 389.

Protocol Version
The LDAP protocol version your Active Directory supports; this is usually Version 3.

Use Secure Connection
This option allows you to specify a secure connection. It will change the port number to 636 (note: this is configurable). Without it, a simple bind sends the connector's logon credentials over the network in clear text.

Anonymous Login
If your Active Directory supports anonymous login, check this box; otherwise complete the Logon Credentials section. The account name you use to authenticate to the AD
Password Enter and confirm the password for the account you specified in the User DN field.
Search Settings
Search Settings define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later in this chapter. You can also use Search Groups to define which users the connector processes; for more information, see the next section.

NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence.

Base DN
The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your Active Directory if you need to limit the scope of the connector.

Object Filter
Enter an appropriate filter to restrict the connector's view of objects in the directory. The default filter:

(&(objectClass=User)(!objectClass=Computer))

restricts the view to directory objects that are of class User and not of class Computer. (Active Directory computer objects also carry objectClass=User, which is why the Computer exclusion is needed; in standard RFC 4515 syntax the negation is written (!(objectClass=computer)).) If you only need to synchronize a small segment of users from the AD to Endpoint Encryption, you can specify a detailed Object Filter; this makes the process more efficient by forcing the connector to look only at the users which are interesting to it. Note that memberOf in Active Directory lists direct group memberships only, so a filter on it will not see users who belong through a nested group; Search Groups, described in the next section, does follow contained groups. For example, to restrict the connector's view to users of the group Endpoint Encryption only, you could use a query like:
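The following Python is an added example, not part of the product or of this guide, serving both the LDAP connector's Search Settings above and the Active Directory connector's Search Settings here: a small RFC 4515 filter evaluator that shows what the default Object Filter and a memberOf filter would match before the connector is pointed at a live directory. The directory snapshot is constructed; the filters are the ones quoted in the text, written in standard bracketed-negation form, and the evaluator deliberately rejects the unbracketed (!objectClass=Computer) form so the syntax difference is visible.

```python
"""Added example (not product code): a small RFC 4515 filter evaluator for
checking what an Object Filter will match before pointing the connector at a
live directory. Handles &, |, !, equality and presence (attr=*); no
substring, extensible-match or escaped-value syntax."""


def parse_filter(text):
    """Parse a search filter into a tree of tuples: ('&', [...]), ('|', [...]),
    ('!', sub), ('=', attr, value)."""
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def expect(ch):
        nonlocal pos
        if peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        c = peek()
        if c in ("&", "|"):
            pos += 1
            items = []
            while peek() == "(":
                items.append(node())
            expect(")")
            return (c, items)
        if c == "!":
            pos += 1
            if peek() != "(":
                # RFC 4515 requires (!(attr=value)); the bare form (!attr=value)
                # shown in the product dialogs is rejected by standard LDAP clients.
                raise ValueError("'!' must be followed by a parenthesised filter")
            inner = node()
            expect(")")
            return ("!", inner)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return tree


def normalise(entry):
    """Lower-case attribute names and wrap single values in lists, the way a
    directory client sees multi-valued attributes."""
    out = {}
    for attr, value in entry.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        out[attr.lower()] = [str(v).lower() for v in values]
    return out


def matches(tree, entry):
    """Evaluate a parsed filter against a normalised entry. Comparison is
    case-insensitive, as Active Directory treats most string attributes and DNs;
    DN whitespace differences are not normalised."""
    op = tree[0]
    if op == "&":
        return all(matches(t, entry) for t in tree[1])
    if op == "|":
        return any(matches(t, entry) for t in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return value.lower() in values


def select(filter_text, entries):
    """Names of the entries a filter would return."""
    tree = parse_filter(filter_text)
    return [name for name, e in entries.items() if matches(tree, normalise(e))]


# Constructed directory snapshot. An AD computer object also carries
# objectClass=user, which is why the default filter has to exclude computers.
DIRECTORY = {
    "alice": {"objectClass": ["top", "person", "organizationalPerson", "user"],
              "memberOf": ["CN=McAfee,OU=Uk,DC=cbi,DC=com", "CN=Sales,OU=Uk,DC=cbi,DC=com"]},
    "bob": {"objectClass": ["top", "person", "organizationalPerson", "user"],
            "memberOf": ["CN=Sales,OU=Uk,DC=cbi,DC=com"]},
    "WS01$": {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"]},
}

DEFAULT_FILTER = "(&(objectClass=user)(!(objectClass=computer)))"
GROUP_FILTER = "(&(objectClass=user)(!(objectClass=computer))(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))"

if __name__ == "__main__":
    print(select(DEFAULT_FILTER, DIRECTORY))   # ['alice', 'bob']
    print(select(GROUP_FILTER, DIRECTORY))     # ['alice']
```

Dropping the Computer exclusion from DEFAULT_FILTER makes WS01$ appear in the result, which is the case the default filter exists to prevent.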
Search Groups
Search Groups define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later in this chapter. You can also use Search Settings to define which users the connector processes; for more information, see the previous section.

NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence.

With Search Groups you can specify the DNs of a list of group objects from your AD. The connector will then retrieve all the members from the specified groups (and any groups contained within), then individually process the derived user list. This method can be more efficient than the Search Settings method if the population of users which need to be synchronized is defined in a small number of groups. If the users can be identified through another attribute, or are all within certain OUs, Search Settings may be more appropriate.

NOTE: Search Groups can only be used with true LDAP groups (i.e. objects containing members). You cannot use this method with OUs.
Attribute Types
Binary data attributes must be defined in this list before they can be used by the AD connector. You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant. For example, in the DN CN=McAfee,CN=COM,FN=Fred, if substring searching is enabled for DN, then CN=COM is a valid match.
Group Mapping
Group Information
To ease the configuration of many synchronized Active Directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. As each Active Directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per
  Endpoint Encryption group name      Directory service attribute
An Active Directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales, as that clause comes first in the list. You can use any attribute of the user to map, for example their DN, or a group membership. By specifying the No Mapping Exists behavior you can select one of four options:

1. Use a defined group.
2. Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).
3. Add the user to the default group.
4. Ignore, Remove, Disable or Recycle the user.
NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data.
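The following Python is an added example, not part of the product or of this guide, covering both the NT Connector's Group Mappings and the LDAP and Active Directory connectors' Group Mapping described above: it simulates the ordered, first-match mapping and the No Mapping Exists fallback, so a mapping table can be checked for ordering mistakes before a synchronisation run. The mapping rows, user records and group names are constructed to reproduce the outcomes the text describes (Domain Admins plus Sales lands in NT Domain Admins; Domain Users plus Sales lands in NT Domain Sales); the "template" form of the create-new-group behaviour is a modelling assumption.

```python
"""Added example (not product code): simulate the connectors' ordered,
first-match group mapping and the No Mapping Exists fallback."""

# Constructed mapping table consistent with the NT Connector worked example:
# each row is (attribute, value to match, Endpoint Encryption group). Order is
# significant: the first matching row wins.
NT_MAPPINGS = [
    ("memberOf", "Domain Admins", "NT Domain Admins"),
    ("memberOf", "Sales", "NT Domain Sales"),
    ("memberOf", "Domain Users", "NT Domain Users"),
]

# The four No Mapping Exists behaviours described above, modelled as (kind, argument):
#   ("defined", group)     use a fixed group
#   ("template", pattern)  create a group named from a user attribute (assumed form)
#   ("default", group)     add to the default group; None models a cleared tick box
#   ("ignore"|"remove"|"disable"|"recycle", None)


def _values(user, attr):
    """All values of one attribute, lower-cased, as a list."""
    raw = user.get(attr, [])
    raw = raw if isinstance(raw, (list, tuple)) else [raw]
    return [str(v).lower() for v in raw]


def resolve(user, mappings, no_match=("default", None)):
    """Decide what the connector does with one user.

    Returns ("group", name) when the user lands in a group, ("skip", None)
    when no row matches and no default group is configured, or the
    no-match action itself for ignore/remove/disable/recycle."""
    for attr, wanted, group in mappings:
        if wanted.lower() in _values(user, attr):
            return ("group", group)
    kind, arg = no_match
    if kind in ("defined", "default"):
        return ("group", arg) if arg else ("skip", None)
    if kind == "template":
        fields = {k: (v[0] if isinstance(v, (list, tuple)) else v) for k, v in user.items()}
        return ("group", arg.format(**fields))
    return (kind, None)


def plan_sync(users, mappings, no_match=("default", None)):
    """Apply resolve() to every user; the result is the action list a run would take."""
    return {name: resolve(u, mappings, no_match) for name, u in users.items()}


# Constructed users matching the two cases in the NT Connector section, plus
# one user who matches no row at all.
USERS = {
    "alice": {"memberOf": ["Domain Admins", "Sales"]},
    "bob": {"memberOf": ["Domain Users", "Sales"]},
    "carol": {"memberOf": ["Marketing"], "department": "Marketing"},
}

if __name__ == "__main__":
    print(plan_sync(USERS, NT_MAPPINGS, ("default", "NT Default")))
    print(plan_sync(USERS, NT_MAPPINGS))  # carol is skipped: no default group
    # Reordering the table changes the outcome: with Sales listed first, alice
    # lands in NT Domain Sales instead of the more privileged NT Domain Admins.
    reordered = [NT_MAPPINGS[1], NT_MAPPINGS[0], NT_MAPPINGS[2]]
    print(resolve(USERS["alice"], reordered))
```

The reordering case is the one to check before each run: because the first match wins, a broad row (Domain Users, or any group most people belong to) placed above a narrow one silently captures every user the narrow row was meant for.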
User Information
User Mapping
The ADCon has the ability to map up to 10 fields of information from the Active Directory into the Endpoint Encryption Directory. A typical use of this feature would be security question-answer sessions to aid validation of a remote user. To add a new entry either double-click, or right-click on the input table. If the Active Directory attributes mapped to these Endpoint Encryption fields change, then the user's Endpoint Encryption account will be updated accordingly.

New Users Password
When a new account is created in the Endpoint Encryption directory, the password will be set to the option specified. If you set the account to a random password, the user will need to be recovered, or the account manually set to a known password, before the user will be able to authenticate to Endpoint Encryption. A random password is the safer choice: a fixed default is known to everyone who reads this guide, whereas a random one forces every new account through the recovery path you control.

Removal Behavior
You can choose to remove users from Endpoint Encryption if their account is removed from the Active Directory, disable them only, or ignore this event.

NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New Users Token
If you are using certificates, via for example Microsoft Certificate Server, you can allow your users to log in to Endpoint Encryption using their existing certificate token, for example an Activcard, eToken, or Setec token. For information about the supported tokens please see the Tokens chapter of this guide. Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user.

Search Endpoint Encryption for User Binding
Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users will be disabled, and the connector will expect to find the users pre-existing in the Endpoint Encryption directory.
The connector will search for users with a binding which matches its identifier, and will only process those users. You can use the Search Endpoint Encryption option to process directories which contain a large population of uninteresting users. If you can pre-seed the Endpoint
User Attributes
The User Bindings tab is used to correlate the Active Directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the Active Directory is set up in a non-standard way.

Binding Attribute
The non-changing unique identifier for the user. This should be an item that is unique for that user and unlikely to change for the existence of this account, despite changes in surname or group membership (in Active Directory, objectGUID has these properties; names such as sAMAccountName do not).

Endpoint Encryption User name
An attribute used to create the Endpoint Encryption user name.

NOTE: Endpoint Encryption user ids are limited to 256 characters; you should not use an attribute that is likely to exceed this length.

Change Attribute
The Active Directory attribute containing the account change stamp.

Logon Hours
The Active Directory attribute containing the User Logon Hours information.

Account Control
The Active Directory attribute containing the user account disabled/enabled information.

Account Expires
The Active Directory attribute containing the account expiry date.

Delay between each user
You can limit the bandwidth that this connector consumes by putting a delay between each user synchronization.
Excluded Users
You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process. You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users.
your ADCon CD, or, included on the Endpoint Encryption Enterprise CD in the Tools directory.
Figure 24. webHelpdesk/webRecovery

The normal recovery interface requires the administrator to have access to an Endpoint Encryption Manager console. In some environments this may not be practical; in this case the Endpoint Encryption webHelpdesk Server can be used to present the same recovery interface via a web browser.
webRecovery
A further enhancement available with the Endpoint Encryption webHelpdesk Server is the ability for users to reset their own passwords. This is an optional service which allows users, after pre-registering, to drive the challenge/response system themselves simply by providing the correct answers to a selection of pre-registered questions.
Figure 25. webRecovery Registration Questions

The Endpoint Encryption webHelpdesk server is a dedicated SSL (Secure Sockets Layer) web server, customised to protect against known web server attacks. It is stand-alone and does not require Microsoft IIS, or any other web services, to be installed on the hosting computer.
Pre-Requisites
To install this component, you will need a pre-configured Endpoint Encryption Manager at version 4.2 or above. You can check the version of Endpoint Encryption you are using through Help/About/Modules. Endpoint Encryption HTTP Server is designed to function on Windows 2000/XP only and does not use any other internet services. We strongly advise that Microsoft IIS is not used on the same computer as an Endpoint Encryption Manager system or database, for security reasons.
2. Click File and then Add/Remove Snap-in.
3. Click Add from the Standalone tab.
4. Select Certificates from the Add Standalone Snap-in dialog. This will add the Certificates option to the Console. See screenshot overleaf.
5. Click the Endpoint Encryption HttpServer\Personal option and then select the Certificates folder inside it.
6. Right-click in the right hand pane and select All Tasks followed by Import.
7. Browse until you find the certificate files (*.cer, *.crt, *.pfx).
8. Click the Place all certificates in the following store option (EndpointEncryptionHttpServer\Personal).
9.
If the certificate you are using is allocated to the same machine name that you are running the server on, once you have installed it you can restart the service using one of the following commands or the system service manager:

net start "Endpoint Encryption HTTP Server"
sbhttp -startservice

If the certificate has a different name then the server will not start and will log a Certificate Not Found error. You can edit the section

[Configuration]
Server.Ssl.CertName=Name of the cert

in the file SBHTTP.ini to point to the machine name registered in the cert. Endpoint Encryption ships with an evaluation server certificate with the name 127.0.0.1.pfx and password 12345, which can be found in the Tools directory of your Endpoint Encryption CD. Because that certificate and its password are distributed with every copy of the product, it is suitable for evaluation only; for production, purchase a full cert from CBI, or use one from a third party certificate provider.

NOTE: If you use a mismatched site/machine/cert name, then users and administrators will be warned that the certificate is invalid every time they access the recovery web site.
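The following Python is an added example, not part of the product or of this guide: a pre-start check of the Server.Ssl.CertName entry in SBHTTP.ini that reproduces the three conditions described above (name missing, so the service logs Certificate Not Found; the evaluation certificate 127.0.0.1 still configured; name not matching the host, so browsers warn on every visit). The [Configuration] section, the key name and the evaluation certificate name are those quoted in the text; the INI fragments are constructed, and comparing the name against the host's own names is an assumption about what browsers will accept, not something the product exposes.

```python
"""Added example (not product code): check Server.Ssl.CertName in SBHTTP.ini
before starting the Endpoint Encryption HTTP Server."""
import configparser
import socket

EVAL_CERT_NAME = "127.0.0.1"   # evaluation certificate shipped in the Tools directory


def read_cert_name(ini_text):
    """Return Server.Ssl.CertName from the [Configuration] section, or None."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str          # keep the dotted key exactly as written
    cp.read_string(ini_text)
    return cp.get("Configuration", "Server.Ssl.CertName", fallback=None)


def check_cert_name(ini_text, host_names):
    """Classify the configured certificate name.

    Returns (level, message): 'error' when the service would fail to start or
    would run with the published evaluation certificate, 'warn' when the name
    will not match the host users browse to, 'ok' otherwise."""
    name = read_cert_name(ini_text)
    if not name or not name.strip():
        return ("error", "Server.Ssl.CertName is missing; the service will log Certificate Not Found")
    name = name.strip()
    if name.lower() == EVAL_CERT_NAME:
        return ("error", "evaluation certificate 127.0.0.1 configured; its private key password is published")
    if name.lower() not in {h.lower() for h in host_names}:
        return ("warn", f"certificate name {name!r} matches none of {sorted(host_names)}; browsers will warn on every visit")
    return ("ok", name)


def local_host_names():
    """Names this machine is likely reached by (assumption: short name and FQDN)."""
    short = socket.gethostname()
    return {short, socket.getfqdn(short)}


# Constructed SBHTTP.ini fragments; only the section and key quoted in the guide are real.
GOOD_INI = "[Configuration]\nServer.Ssl.CertName=helpdesk.example.com\n"
EVAL_INI = "[Configuration]\nServer.Ssl.CertName=127.0.0.1\n"
EMPTY_INI = "[Configuration]\n"

if __name__ == "__main__":
    hosts = local_host_names()
    for text in (GOOD_INI, EVAL_INI, EMPTY_INI):
        print(check_cert_name(text, hosts))
```

On the production host, read the real SBHTTP.ini with open() and pass local_host_names(); add the DNS name users actually browse to if it differs from the machine's own name, since that is the name the browser compares against the certificate.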
The server uses the same connection details as the Endpoint Encryption Manager; any connection type specified in the login box for Endpoint Encryption can be used. To configure the connection, click the Administrators section link and then click Configure Endpoint Encryption HTTP Server. You will need to log in with a user id which has the Endpoint Encryption Start Server as Service right.
Figure 26. Configuring the Endpoint Encryption HTTP Server

Server Name
A logical name used to identify the server.

Port
The port the server should expose the interface on (usually 443).

Server Certificate Name
The machine name specified in the SSL certificate.

Log File
A path/name for the server diagnostic log.

Logon Timeout
A time (in minutes) to keep inactive Administrator connections authenticated for (usually 5 minutes).

WARNING: When you configure the webHelpdesk server you will need to close the browser and restart the webRecovery server for the changes to take effect.
| 91
Configuring webRecovery
Figure 27. Configuring webRecovery
You configure the user webRecovery server via its web interface. You can specify the number of questions (1-10) to be registered, and the number that must be answered to authenticate the user for self recovery. The questions can be changed by editing the SBWebRec.ini file. The user name and password you log in with to configure webRecovery are stored in sbwebrec.ini and used for future sessions.
NOTE: You must log in to webRecovery at least once to set up its initial parameters; if you do not, users will not be able to reset their password and will receive db010010 Object Not Found messages.
WARNING: when you configure the webHelp server you will need to close the browser and restart the webRecovery server for the changes to take effect.
Questions and answers are stored as pairs in the user's Endpoint Encryption profile, so you can safely change the questions at any time. This will not prevent users with out-of-date questions from recovering their password.
With Challenge-Response
After navigating into the helpdesk operators' section of the web helpdesk, choosing either to reset an Endpoint Encryption or a Pocket Endpoint Encryption system, and logging in using their Endpoint Encryption id and password, the operator is presented with the webHelpDesk User Challenge screen.
Figure 28. webHelpdesk Challenge Screen
The helpdesk operator enters the challenge from the user's screen (the user reads it to the helpdesk operator over the telephone), and selects the action they want to perform, for example Reset User's Password, followed by the Next button.
Reset User's Password - Selecting this action will reset a user's forgotten password.
Unlock User - This option will unlock a user whose account has become locked.
Change Token
Figure 29. webHelpdesk response screen
If the challenge was entered correctly, a response page is displayed which gives the operator the correct recovery code to read out to the user, which will perform the selected operation (in this case, reset their password to 12345). The page also displays user information which can be used to check the authenticity of the user: The
Figure 30. webRecovery Reset Password
Figure 31. webRecovery main screen
The webRecovery interface allows users to reset their own forgotten passwords for Endpoint Encryption on PCs once they have pre-registered with the service. Users register a variable number of answers to pre-set questions; they are then required to recall the correct answers to authenticate themselves to get their password reset. It is not as secure as the helpdesk-driven recovery service, as it is quite possible for users to enter simple or trivial information for their recovery questions, but it has the advantage that it can operate 24x7 without human interaction.
Figure 33. webRecovery registration questions
Once they have registered their preferred questions and answers, they are free to use the recovery service if they forget their password.
Figure 34. webRecovery challenge screen
If the challenge is correct, they will be asked to enter the correct answers for a selection of their registered questions, and if these are correct, the user is presented with the response to type back into their Endpoint Encryption boot screen.
Figure 35. webRecovery answers screen
Figure 36. webRecovery Response Screen
License Management
The Endpoint Encryption directory is licensed in terms of number of allowed users, number of allowed machines, and license file expiry dates. You can view the current license status of your directory by using the file/license information option. The summary boxes at the bottom of the screen indicate the current active license count. Any expired or invalid licenses are not included, although they may still be shown in the license list.
Figure 37. License information
Multiple license files can be added to the list using the Add button, but each file can only be added once.
License Restrictions
License files can have many restrictions built in:
Number of Users - Restricts the maximum number of users that can be managed.
Number of Machines - Restricts the maximum number of machines that can be managed.
Number of PDA Devices - Restricts the maximum number of CE machines that can be managed.
Directory locked - Some license files can be locked to only work on a particular directory. If you re-create your directory, you will need to obtain a new license file.
Expires - Some license files expire after a certain time period.
Exclusive - License files marked as exclusive do not co-exist with other license files. Only one exclusive license file can be used at any time. If you import two exclusive license files, only the first one will be effective.
Addons - Extra components such as SBAdmCL, Connectors, and other utilities may require an additional license code. The names of the additional components licensed will be displayed in this field.
You may have received an extra license file with your copy of Endpoint Encryption; if so, you can import it into the directory using the Add button. If you need more licenses, you can save the current information out of your directory using the Save button; this creates a text file which you can fax or e-mail to your McAfee representative. They can obtain all the details required to create new extended licenses from this information. You may also want to save the license file information to help you order replacement files in the event of a drive crash.
SHA1 - Cert 71 and 254, http://csrc.nist.gov/cryptval/shs/shaval.htm
DSA/DSS - DSS cert 53 and 112, Sig(ver) Mod(all), http://csrc.nist.gov/cryptval/dss/dsaval.htm
RNG - Cert 15 (AES, DSA, SHA, RNG on AMD Athlon XP, Windows XP SP1; Pentium III, Windows 2000), http://csrc.nist.gov/cryptval/rng/rngval.html
DES - Cert 145, CBC(e/d); CFB(8 bits; e/d), http://csrc.nist.gov/cryptval/des/desval.html
Performance Tests:
These tests are approximate indications of the benefits of the Name Index running on a 5000 user database. They were performed using a login id which was at the end of the database (worst case scenario).
Task: Create User
  1 Bucket      +455%
  16 Buckets    +460%
  64 Buckets    +500%
  256 Buckets   +400%
As you can see from the table above, enabling the Name Index drastically improves the performance of the enumeration functions. The exact parameters to use for any particular database / server combination depend largely upon the memory and cache functions of the server itself. As a rough guide, CBI consultants have found that tuning the bucket number to give cache files not exceeding 64KB has proved optimal. If you require performance tuning for your object database, please consider a consultancy visit as tinkering with the Endpoint Encryption object database can result in loss of users and machines.
Disadvantages
Performance Notes
No performance change has been noted between identical compressed and uncompressed databases up to 5000 users. There may be some benefit on servers with exceptionally high amounts of memory. With large (>10000) databases, performance may well drop when using the compressed directory mode.
sbnewdb.ini
Used to customize the creation of Endpoint Encryption Object Directories. The sbnewdb file contains instructions as to creating custom groups, setting the default user id and password, and other instructions related to the location of the directory.
sberrors.ini
Used to increase the detail available in on-screen error messages. You can add further descriptions to errors by amending this file. In 5.1 and beyond, you can substitute the Unicode file SBErrors.XML in place of SBErrors.ini to give localized translations of the error messages.
sbhelp.ini
Used to match on-screen windows to their help file sections.
sbadmin.ini
This file controls the tree layout and behavior of SBAdmin.exe - you can modify it to display certain nodes of the database on tabs other than the defaults.
sbfeatur.ini
Controls the feature set available to Endpoint Encryption. This file is digitally signed by the Endpoint Encryption team and must not be modified.
sbfiledb.ini
SBFileDB controls the locking behavior of locally running database connections.
[LockOptions]
Timeout=time in 100ths of a second (3000)
Sleep=time in 1000ths of a second (10)
dbcfg.ini
This file controls the global database behavior - for this reason it is stored not in the application directory, but in the root of the file database. For more information on dbcfg.ini, see the Tuning the Object Directory chapter. [NameIndex]
sdmcfg.ini
Used by the Endpoint Encryption Client to control the connection to the Object Directory. There may be many connections listed in the file; the multi-connection behavior is controlled through scm.ini.
[Databases]
Database1=192.168.20.57
; The IP address for the remote server. This can be a DNS name.
[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=
ExtraInfo=
SBServer.ini
SBServer.ini is used to store the credentials used by the server in service mode. You can adjust the maximum number of connections the Endpoint Encryption server will accept and the behavior when the maximum is reached. By default, the maximum is 200 connections. When the limit has been reached, it can behave in one of two ways: either it simply stops accepting connections, or it accepts connections and then immediately closes them. Because Windows maintains a queue of 5 pending connections, the first 5 connections after the maximum is reached will be held in the queue until the number of connections has dropped below the maximum. Thus, when in the default AcceptAtMax=No mode, those 5 will not time out at the client end and the client will appear to hang until a connection becomes free. In AcceptAtMax=Yes mode, the client will fail with a communications error.
[Connections]
Max=200
AcceptAtMax=No
sbconmgr.ini
Used to define the active connectors displayed in the Connector Manager, for example:
[Connectors]
SBNTCON=SBNTCON.DLL
[Authentication]
DatabaseId=1
ObjectType=0x00000001
ObjectId=0x00000001
Key=000000000000000000000000000000000000000000000000000000000000000006557FB28C5A226BB8BF634A68EE75DE2C4010DD1E143D9BC29808C5E5C3A729838DD1D1E0B032D6C2A015BD8B1AAF5DC2D1E3F58D37A41F29AF5DC108EB03D4418D95316CCC84EE2881DCBE0012C6F705F6A6D5063C2D0BEB87897C2A9AC318D659
Cmsettings.ini
Used to define the parameters associated with each individual connector. The settings contained in this file are usually maintained by the connector manager application. Only manual settings are documented below.
SBHTTP.ini
Configuration for the main web server:
[Configuration]
; The port on which the server listens for connections. The default is 443
; which is the standard HTTPS port.
Server.Port=443
; Optional log file to record server activity. If no name is specified here,
; then no logging will occur (the default).
Server.Log.FileName=
; Flags that control what is logged if logging is enabled. This is a 32-bit
; hex number. The following bits are used:
;
; Bit 0 (value=1) = Log request headers
; Bit 1 (value=2) = Log request data (e.g. form results)
; Bit 2 (value=4) = Log response headers
;
; The default is a value of "5" which logs request and response headers, but
; no request data.
;
Server.Log.Flags=00000005
SBwebRec.ini
Configuration for webRecovery:
[Configuration]
Register.Questions.Required=5
Recover.Questions.Asked=3
Database.User.Id=00000001
Database.User.Key=
Recover.Attempts.Max=3
Recover.Attempts.Timeout=3600
[Strings]
String.1=The challenge you entered was not correct. Please try again.
String.2=Some of your answers were not correct. Please try again.
[Questions]
Question1=What is your favorite color?
Question2=What is your pet's name?
Question3=Who is your favorite musician?
Question4=What is a memorable date?
Question5=What is your date of birth?
Question6=What is your favorite place?
Question7=Who is your favorite actor?
Question8=What is your favorite film?
Question9=What is your favorite song?
Question10=What is your favorite food?
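As an added example (not McAfee's code), the following Python audits the two configurations described above: it decodes the Server.Log.Flags bits documented in SBHTTP.ini, reports request-data logging (which would record the challenges, answers and passwords users submit through the recovery forms), checks Server.Ssl.CertName against the server's machine name as the certificate section requires, and checks the webRecovery question and attempt limits. The sample file contents, the host name recovery.example.com and the attempt and timeout thresholds are assumptions constructed for this example.

```python
"""Audit the security-relevant settings of SBHTTP.ini and SBwebRec.ini.
Added example, not McAfee's code; the thresholds are this example's own
policy, not product limits. The ini texts are constructed from the guide.
"""
import configparser

# Server.Log.Flags bit meanings, as documented in the SBHTTP.ini comments.
LOG_FLAG_BITS = {0x1: "request headers", 0x2: "request data", 0x4: "response headers"}

# Constructed SBHTTP.ini: request-data logging on, no log file, evaluation cert.
SBHTTP_WEAK = """[Configuration]
Server.Log.FileName=
Server.Log.Flags=00000007
Server.Ssl.CertName=127.0.0.1
"""

# Constructed SBHTTP.ini with the default flags and a certificate for the host.
SBHTTP_OK = """[Configuration]
Server.Log.FileName=C:\\sbhttp\\sbhttp.log
Server.Log.Flags=00000005
Server.Ssl.CertName=recovery.example.com
"""

# Constructed SBwebRec.ini using the values shown in the guide.
WEBREC_OK = """[Configuration]
Register.Questions.Required=5
Recover.Questions.Asked=3
Recover.Attempts.Max=3
Recover.Attempts.Timeout=3600
"""

def parse_ini(text):
    """Parse ini text keeping key case (Server.Port, not server.port)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def decode_log_flags(value):
    """Map the 32-bit hex Server.Log.Flags value to the items it logs."""
    flags = int(value, 16)
    return {name for bit, name in LOG_FLAG_BITS.items() if flags & bit}

def audit_sbhttp(text, host_name):
    """Return findings for SBHTTP.ini; host_name is the server's machine name."""
    cfg = parse_ini(text)["Configuration"]
    findings = []
    if "request data" in decode_log_flags(cfg.get("Server.Log.Flags", "00000005")):
        findings.append("Server.Log.Flags bit 1: form data (recovery answers, "
                        "passwords) would be written to the log")
    if not cfg.get("Server.Log.FileName", "").strip():
        findings.append("Server.Log.FileName empty: no server log for incident review")
    cert = cfg.get("Server.Ssl.CertName", "").strip()
    if not cert:
        findings.append("Server.Ssl.CertName missing: server logs Certificate Not Found")
    elif cert.lower() != host_name.lower():
        findings.append(f"Server.Ssl.CertName {cert} differs from host {host_name}: "
                        "users get a certificate warning on every recovery visit")
    return findings

def audit_webrec(text, max_attempts=5, min_timeout=600):
    """Return findings for SBwebRec.ini against this example's policy limits."""
    c = parse_ini(text)["Configuration"]
    required = c.getint("Register.Questions.Required")
    findings = []
    if not 1 <= required <= 10:
        findings.append("Register.Questions.Required must be between 1 and 10")
    if c.getint("Recover.Questions.Asked") > required:
        findings.append("Recover.Questions.Asked exceeds the number registered")
    if c.getint("Recover.Attempts.Max") > max_attempts:
        findings.append("Recover.Attempts.Max allows too many answer guesses")
    if c.getint("Recover.Attempts.Timeout") < min_timeout:
        findings.append("Recover.Attempts.Timeout is too short to slow guessing")
    return findings
```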
EXE Files
SBAdmin.exe
Main Endpoint Encryption Manager Executable
DLL Files
sbalgxx
Utility Encryption algorithm module.
SYS Files
SBALG.SYS
Endpoint Encryption's device driver crypto algorithm module.
srg files
Endpoint Encryption registry files
These are standard regedit files which are processed into the registry by Endpoint Encryption, without using the Windows regedit utility.
Error Messages
Please see the file sberrors.ini for more details of these error messages. You can also find more information on error messages on our web site, www.mcafee.com.
Please note that many of these error codes are not designed to ever be shown; they are mentioned for completeness. This kind of error is termed an Assertion: a place in our software where we ensure a number of conditions are true before continuing, even though the design does not allow for a specific case where the conditions could not be true. As the code and design do not expect such errors to be generated, resolving them involves working through the context of the issue; without knowing the steps required to reproduce the error, it would not be possible to conclude how the system managed to arrive at the error state.
Module codes
The following codes can be used to identify from which Endpoint Encryption module the error message was generated.
Error Code   Module
1c00         IPC
5501         SBHTTP Page Errors
5502         SBHTTP User Web Recovery
5c00         SBCOM Protocol
5c02         SBCOM Crypto
a100         ALG
c100         Scripting
db00         Database Misc
db01         Database Objects
db02         Database Attributes
e000         Endpoint Encryption General
e001         Endpoint Encryption Tokens
e002         Endpoint Encryption Disk
e003         Endpoint Encryption SBFS
e004         Endpoint Encryption Boot Code
e005         Endpoint Encryption Client
e006         Endpoint Encryption Algorithms
e007         Endpoint Encryption Users
e010         Endpoint Encryption Keys
e011         Endpoint Encryption File
e012         Endpoint Encryption Licenses
e013         Endpoint Encryption Installer
e014         Endpoint Encryption Hashes
e015         Endpoint Encryption App Control
e016         Endpoint Encryption Admin
Code: [5c00000f] [5c000010] [5c000011] [5c000012] [5c000013] [5c000014] [5c000015] [5c000016] [5c000017] [5c000018] [5c000019] [5c00001a] [5c00001b] [5c00001c] [5c00001d] [5c00001e]
Message and Description:
Failed while sending communications data
Invalid communications configuration
Invalid context handle
A connection has already been established
No connection has been established
Request for an unknown function has been received
Unsupported or corrupt compressed data received
Data block is too big
Data of an unexpected length has been received
Message too big to be received. This may occur if an attempt is made to import large amounts of data into the database (e.g. a file)
Code: [c1000018]
Code: [db000009] [db00000a] [db00000b] [db00000c]
Code: [db00001b] [db00001c] [db00001d] [db00001e]
E001 Tokens
Code         Message and Description
[e0010000]   General token error
[e0010001]   Token not logged on
[e0010002]   Token authentication parameters are incorrect
[e0010003]   Unsupported token type
[e0010004]   Token is corrupt
[e0010005]   The token is invalidated due to too many invalid logon attempts
Code: [e0010013] [e0010014] [e0010015] [e0010016] [e0010017] [e0010020] [e0010021] [e0010022] [e0010023] [e0010024] [e0010025] [e0010026] [e0010027] [e0010028] [e0010030] [e0010040] [e0010041]
Message and Description:
Too many incorrect authentication attempts
Token recovery key incorrect
The password is too small
The password is too large
The password has already been used before. Please choose a new one.
The password content is invalid
The password has expired
The password is the default and must be changed.
Password change is disabled
Password entry is disabled
Unknown user
Incorrect user key
The token is not the correct one for the user
Unsupported user configuration item
The user has been invalidated
The user is not active
The user is disabled
Logon for this user is not allowed at this time
No recovery key is available for the user
The algorithm required for the token is not available
Unknown token type
Unable to open token module
E012 Licences
Code         Message and Description
[e0120001]   License invalid
[e0120002]   License expired
[e0120003]   License is not for this database
[e0120004]   License count exceeded
E013 Installer
Code         Message and Description
[e0130002]   No installer executable stub found
[e0130003]   Unable to read installer executable stub
[e0130004]   Unable to create file
[e0130005]   Error writing file
[e0130006]   Error opening file
[e0130007]   Error reading file
[e0130008]   Installer file invalid
[e0130009]   No more files to install
[e013000a]   Install archive block data too large
[e013000b]   Install archive data not found
[e013000c]   Install archive decompression failed
[e013000d]   Unsupported installer archive compression type
[e013000e]   Installation error
[e013000f]   Unable to create temporary directory
[e0130010]   Error registering module
E014 Hashes
Code         Message and Description
[e0140001]   Insufficient memory
[e0140002]   Error opening hashes file
[e0140003]   Error reading hashes file
[e0140004]   Hashes file invalid
[e0140005]   Unable to create hashes file
[e0140006]   Error writing hashes file
[e0140007]   Hashes file is not open
[e0140008]   Hashes file data invalid
[e0140009]   Hashes file data too big
[e014000a]   User aborted
Encryption Algorithms
Endpoint Encryption supports many custom algorithms. Only one algorithm can be used in an Endpoint Encryption Enterprise.
RC5-12
CBC mode, 1024-bit key, 12 rounds, 64-bit blocks. The RC5-12 algorithm is compatible with the Endpoint Encryption 3.x algorithm.
RC5-18
CBC mode, 1024-bit key, 18 rounds, 64-bit blocks. The 18-round RC5 variant is designed to prevent the theoretical known-plaintext attack.
Tokens
Smart Cards
For the latest list of authentication methods using smart cards, tokens, fingerprint readers please consult your McAfee representative.
Language Support
Endpoint Encryption Manager
Czech, Dutch, English (United States), English (United Kingdom), French, Japanese, Korean, Portuguese (Brazil)
System Requirements
Implementation documentation discussing appropriate hardware for typical installations of Endpoint Encryption is available from your representative. The following specifications should be considered appropriate for evaluation deployments only.
Administration
Windows NT4.0 sp6a, 2000, XP, 2003, Vista 32-bit (all versions), Vista 64-bit (all versions)
256MB RAM or OS minimum
40MB free hard disk space
Pentium compatible processor; multi-way (up to 32 processors), Hyperthreading, Dual Core and AMD processors are supported.
For remote administration, a TCP/IP network connection is required.
SFDBBack
All versions of Windows (IE4.0 with Offline Browsing Pack required for Windows 95 and NT4.0sp6a)
NT Connector
Windows NT4.0sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit, Vista 64bit. Domain account access for Windows 2000+.
NOTE: The NT connector must be installed on a PDC or BDC on Windows NT4.0.
Index
A
Account Validity, 24, 65, 68, 77
Active Directory, 13, 62, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 132
  Organizational Units, 71, 81
ADCon, 67, 71, 74, 75, 76, 81, 82, 84, 85
admin rights, 15, 54
Administration
  level, 15
  privilege, 15
  privileges, 35
  rights, 15
Administration Function, 36
Administration Level, 30, 35, 55
algorithm, 11, 14, 29, 104, 114, 130
  maximum key size, 29
Attributes
  explained, 9
Audit Trails
  viewing, 18
Auditing, 44
authentication, 11, 13, 16, 49, 50, 52, 53, 54
Authentication
  client/server, 53
Autoboot users
  autoboot user, 23
B
backup, 65
Base DN, 69, 75, 78, 84
C
cache, 107
CE Server, 11, 13
chipdrive. See Towitoko
Client
  overview of, 12
compressed Object Directory, 108
connecting to databases, 49
connecting to NT Domains, 64
Connector Bindings, 32, 33, 73, 74, 83, 84
Connector Manager, 62
  overview of, 13
  user bindings to, 33
Controlled Groups. See groups
cryptography, 6
Cryptography
  encryption, 13
D
DAP, 19
Databases
  adding a new connection, 49
  managing, 49
decrypt, 53
Default Password, 22, 23, 25, 65, 90, 94
deploy, 41, 54
disable, 26, 64, 65, 67, 72, 73, 76, 82, 83
disabling users. See Users
distinguished name(s), 69, 78
distinguished name, 69, 75, 78, 84
DNS, 50, 53, 110, 131
DNS Name, 68, 77
DSA, 11, 50
E
enabling users. See Users
Encryption algorithms, 130
Encryption Algorithm, 11, 14, 29, 114, 130
Encryption Algorithms
  RC5, 130
Endpoint Encryption CE Server, 11, 13
Endpoint Encryption Components
  File Encryptor, 8
  VDisk, 8
Endpoint Encryption Server
  connecting to a new, 54
  overview of, 10
  restricting user ids for, 54
Entities
  explained, 9
error codes, 109, 115
error messages, 115
excluded users, 67, 73, 76, 83
F
File Encryption
  overview of, 13
File Encryptor, 8
file group management, 40
Files
  deleting and exporting, 41
  importing new, 41
  ini files, 109
  program and driver files, 114
  properties, 41
force sync, 24
G
Group mappings, 65, 70, 80
groups, 16, 17, 22, 35, 36, 37, 40, 46, 65, 66, 70, 71, 75, 80, 81, 85, 109
Groups
  administration of, 35
  controlled vs free, 16
  free, 17
  of users and machines, 16
H
hidden fields. See Users
hours. See Users
I
IP Address, 9, 10, 11, 51, 68, 75, 77, 84, 131
L
language support, 131
LDAP, 11, 13, 19, 62
  Base DN, 69, 75, 78, 84
  Object Filter, 69, 78, 79
  Protocol Version, 68, 77
  Referrals, 70, 79
  User DN, 69, 78
LDAP Browser, 74, 75, 84
Licence Files
  adding, 101
  expiry of, 102
  restrictions, 101
local databases, 50
logon hours, 31, 64, 67, 76
M
mapping groups. See Group mappings
Microsoft, 76, 84, 87, 89
Microsoft Active Directory, 67, 76
N
Name Index, 106
Network Name, 68, 77
NT Domain, 13
NT Domains, connecting to, 64
O
object change log, 70, 79
object directory, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19, 23, 29, 35, 41, 42, 44, 49, 51, 52, 53, 54, 55, 62, 64, 90, 106, 107, 108, 110
Objects
  explained, 9
  locking of, 20
Offline Browsing Pack, 132
P
Password
  Default, 22, 23, 25, 65, 90, 94
passwords, 10, 13, 25, 26, 27, 28, 29
  Reset, 24, 26, 86, 96, 97
Passwords, 25
  history, 25
Pentium, 131
performance, 11, 19
Performance
  Object Directory, 107
Pocket Endpoint Encryption, 93
Pocket Windows 2002, 11
privileges, 10, 15
public/private keys, 53
Q
quick start guide, 7
R
RC5, 130
recovery, 11, 13, 21, 23, 24, 29
referrals, 70, 79
registry, 43, 114
RSA, 11, 13
S
SafeBoot Server
  overview of, 12
SBAdmCL, 44, 102
schedule, 63
scheduling synchronisations, 63
Server
  creating a, 51
  Endpoint Encryption CE Server, 13
  starting a, 52
  configuration of, 53
  starting as a service, 53
service, 53, 55, 63, 71, 81, 86, 89, 90, 96, 98, 113
Service Accounts, 55
SFDBBack, 132
Smarty, 130
system requirements, 131
T
TCP/IP, 9, 10, 11, 51, 131
towitoko chipdrive, 130
U
user dn, 69, 78
user status, 9, 64, 67, 76
Users
  administration level, 30
  creating new, 21
  disable, 64, 65, 67, 76
  Disabling, 64, 65, 67, 76
  enabling and disabling, 23
  Excluding, 67, 73, 76, 83
  hidden fields, 21
  logon hours, 31
  logon id, 21
  password parameters, 25
W
Windows 2000, 43, 64
Windows CE, 11
X
X500, 11, 13, 19, 20, 62