Endpoint Encryption for PC 5.2.13 Administration
McAfee Endpoint Encryption for PC 5.2.13 Administration Guide

COPYRIGHT

Copyright © 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Introducing McAfee Endpoint Encryption
    What is McAfee Endpoint Encryption for PC
    How McAfee Endpoint Encryption for PC works
    Endpoint Encryption product components
    Endpoint Encryption for PC features
    About this guide
    Conventions
    Finding product documentation
    Requirements
Installing Endpoint Encryption Manager
    Install Endpoint Encryption Manager
EEPC user policies
    User administration functions
    User configuration options
Using tokens with EEPC
    Supported Smart Cards and tokens
    General token operation
    Stored value tokens
    Certificate, or crypt only tokens
    Other types of token
    Token compatibility
    Specific token notes
    Sony Puppy fingerprint reader
    Setting up the Sony Puppy fingerprint reader
    Endpoint Encryption for PC setup
    Installing Endpoint Encryption with Puppy support
    Aladdin eToken 64KB
    SafeNet IKEY 2032
    Using Endpoint Encryption Phantom USB biometric key
    Using Upek fingerprint reader
Creating and configuring systems
    Machine administration functions (right-click menu)
    Machine configuration options
File groups and management
    Endpoint Encryption file groups
    Setting file group functions
    Importing new files
    Exporting files
    Deleting files
    Setting file properties
Using Endpoint Encryption as a file deploy system
    Copying a new file to the desktop (Example)
Creating an install package
    Selecting the Group/Machine
    Select the install set type
    Importing a transport directory
    Select the install set type
    Select the master directory
Installing, upgrading, and removing EEPC
    Offline package installs
    Online package installs
    Removing Endpoint Encryption client
    Upgrading Endpoint Encryption from previous versions
    Upgrading existing 5.x clients to a later service pack or patch version
    Removing Endpoint Encryption 5.x from a machine
Client software
    The tool tray icon
    Client auditing
    Boot and logon process
    Endpoint Encryption screen saver
    Windows Sign-On and logon mechanisms
    Changing the password
    Section 508: Logon accessibility
Windows Sign-on and SSO
    Windows logon features
    How Windows logon works
Auditing
    Common audit events
Recovering users and systems
    Offline recovery
    Local recovery
    Configure your local recovery questions
    Perform local recovery
    Online recovery
Trusted applications
    Hash sets
    Hash generator
    Using hash generator
Common criteria EAL4 mode operation
    Administrator guidance
    User guidance
Endpoint Encryption configuration files
    sbgina.ini
    scm.ini
    defscm.ini
    sdmcfg.ini
    TrivialPwds.dat
    Bootcode.ini
    BootManager.INI
    Errors.XML
    AutoBoot.ini
    SBCP.INI
Endpoint Encryption program and driver files
    EXE Files
    DLL files
    SYS files
WinTech and SafeTech
    WinTech and SafeTech functions
Themes and localization
    Localization support
    Creating your own language file
    Pre-Boot language
    Pre-Boot token descriptions
    Windows languages
Troubleshooting PCs
    Error messages
Technical specifications and options
    Encryption Algorithms
    Tokens
    System requirements
Appendix
    Legal notices
    Open source components license details
120 6 McAfee Endpoint Encryption for PC 5.2.13 Introducing McAfee Endpoint Encryption With data breaches on the rise, it is important to protect information assets and comply with privacy regulations. McAfee Endpoint Encryption for PC (EEPC) delivers powerful encryption that protects data from unauthorized access, loss, and exposure. McAfee Endpoint Encryption for PC features a new dimension in IT security incorporating many new enterprise level options, including automated upgrades, file deployment, flexible grouping of users and centralized user management. In addition, user’s credentials can be imported and synchronized with other deployment systems. Contents What is McAfee Endpoint Encryption for PC How McAfee Endpoint Encryption for PC works Endpoint Encryption product components Endpoint Encryption for PC features About this guide Conventions Finding product documentation Requirements What is McAfee Endpoint Encryption for PC To ensure data protection in today’s dynamic IT environment, we need to protect what matters most – the data. McAfee Endpoint Encryption for PC is a strong cryptographic facility for denying unauthorized access to data stored on any system or disk when it is not in use. It prevents the loss of sensitive data, especially from lost or stolen equipment. It protects the data with strong access control using Pre-Boot Authentication and a powerful encryption engine. To log on to a system, the user must first authenticate through the Pre-Boot environment. On a successful authentication, the client system's operating system loads and gives access to normal system operation. McAfee Endpoint Encryption for PC is completely transparent to the user and has little impact on performance of the computer. McAfee Endpoint Encryption for PC is the encryption software installed on client systems. It is deployed and managed through the Endpoint Encryption Manager using policies. 
A policy is a set of rules that determine how encryption functions on the user’s computer. McAfee Endpoint Encryption for PC 5.2.13 7 Introducing McAfee Endpoint Encryption How McAfee Endpoint Encryption for PC works How McAfee Endpoint Encryption for PC works McAfee Endpoint Encryption for PC protects the data on a system by taking control of the hard disk from the operating system. The Endpoint Encryption driver encrypts all data written to the disk; it also decrypts the data read off the disk. The client software is installed on the client system. After the installation, the system synchronizes with EEM and acquires the user data, token data, and Pre-Boot graphics. When this is complete, the user authenticates and logs on through the Pre-Boot environment, which loads the operating system, and uses the system as normal. On PDAs such as Pocket Windows and PalmOS, Endpoint Encryption installs applications and drivers to provide authentication and encryption services. Endpoint Encryption can protect memory cards, internal databases (such as e-mail and contact lists), and provide secure, manageable authentication services. Endpoint Encryption product components Endpoint Encryption Manager (EEM) The most important component of the Endpoint Encryption enterprise is the Endpoint Encryption Manager, the administrator interface. This utility allows privileged users to manage the enterprise from any workstation that can establish a TCP/IP link or file link to the Object Directory. Typical procedures that the Endpoint Encryption Administrator handles are: • Adding users to systems • Configuring Endpoint Encryption protected systems • Creating and configuring users • Revoking users logon privileges • Updating file information on remote systems • Recovering users who have forgotten their passwords • Creating logon tokens such as smart cards for users. 
Endpoint Encryption Server The Endpoint Encryption Server facilitates connections between the client and Endpoint Encryption Manager, and the central Object Directory over an IP connection. The server performs authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that snooping the connection cannot result in any secure key information being disclosed. The server exposes the Object Directory through fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet/Intranet, allowing clients to connect wherever they are. As all communications between the server and client are encrypted and authenticated, there is no security risk in exposing it in this way. There is a unique PDA Server which provides similar services to PDAs such as Microsoft Pocket Windows and PalmOS devices. Endpoint Encryption Object Directory The Endpoint Encryption Object Directory is the central configuration store for EEPC and is used as a repository of information for all the Endpoint Encryption entities. The default directory uses 8 McAfee Endpoint Encryption for PC 5.2.13 Introducing McAfee Endpoint Encryption Endpoint Encryption product components the operating systems file system driver to provide a high performance scalable system which mirrors an X500 design. Alternative stores such as LDAP are possible – contact your Endpoint Encryption representative for details. The standard store has a capacity of over 4 billion users and machines. Typical information stored in the Object Directory includes: • User Configuration information • Machine Configuration information • Client and administration file lists • Encryption key and recovery information • Audit trails • Secure Server Key information. Endpoint Encryption for PC Client The Endpoint Encryption for PC client software is largely invisible to the end user. 
The only visible part is an entry, the Endpoint Encryption icon in the user’s tool tray. Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator has set this option). Right-clicking on the monitor allows them to perform a manual synchronization with their Object Directory, or, monitor the progress of any active synchronization. Normally the Endpoint Encryption client attempts to connect to its home server or directory each time the system restarts, or, establishes a new dial-up connection. During this process, any configuration changes made by the Endpoint Encryption administrator are collected and implemented by the Endpoint Encryption client. In addition, information such as the last audit logs are uploaded to the directory. Endpoint Encryption File Encryptor By right clicking on a file, users can elect to encrypt it using various keys. Files can be encrypted with other Endpoint Encryption users’ keys, and/or passwords. Once protected in this way, the file can be sent elsewhere, for example, through e-mail or a floppy disk, without the risk of disclosure. When the file needs to be used, it just needs to be double clicked; a password or login prompt will be presented for authentication. If they are authenticated correctly, the file will be decrypted. The File Encryptor also has an option to create an RSA key pair for recovery—if the password to a file is lost, the file can still be recovered using the correct recovery key. Endpoint Encryption Connector Manager Endpoint Encryption’s object directory keeps track of security information. It is designed so that synchronization of details between Endpoint Encryption and other systems is possible. The Connector Manager is a customizable module which enables data from systems such as X500 directories (commonly used in PKI infrastructures) to propagate to the Endpoint Encryption Object Directory. 
Using this mechanism, it is possible to replicate details such as a user’s account status between Endpoint Encryption for PC and other directories. Current connector options include LDAP, Active Directory, and a NT Domain Connector. For information on these components, contact your Endpoint Encryption representative, or, see the Endpoint Encryption Manager Administration Guide. McAfee Endpoint Encryption for PC 5.2.13 9 Introducing McAfee Endpoint Encryption Endpoint Encryption for PC features Install and Deployment Endpoint Encryption is installed on users systems by running small deploy sets created by the Endpoint Encryption Manager. This executable file contains the core components and drivers needed to enable Endpoint Encryption on a user’s system. With the increasing necessity of install mechanisms which do not involve end users, and software industries striving to make the cost of ownership and implementation of products as small as possible, Endpoint Encryption for PC utilizes smart-update type technology. Endpoint Encryption’s file deploy mechanism can also be used to push other files to Endpoint Encryption protected system, for instance, virus databases can be stored in the central Endpoint Encryption directory, when it needs updating a Endpoint Encryption administrator upgrades the central copy. All Endpoint Encryption protected systems notice the change and automatically download the new file. This deploy mechanism can also be used to make registry changes on remote systems and can even execute files. Endpoint Encryption for PC features • McAfee Endpoint Encryption leverages the award-winning Endpoint Encryption Manager infrastructure for automated security reporting, monitoring, deployment, and policy administration. Integrates itself fully into EEM management software, so that the management can now be performed from this console. • Enables transparent encryption without hindering users or system performance. 
• Enforces strong access control with Pre-Boot Authentication. About this guide This guide is designed to support corporate security administrators to implement and deploy Endpoint Encryption for PC. Although this guide is complete in terms of setting up and managing Endpoint Encryption systems, it does not attempt to teach the topic of Enterprise Security as a whole. Readers unfamiliar with Endpoint Encryption should follow the appropriate sections of the Endpoint Encryption for PC Quick Start Guide which walks through setting up the Endpoint Encryption enterprise before tackling any of the topics in this guide. Target audience The information in this guide is intended for McAfee Endpoint Encryption for PC administrators who understand the fundamentals of EEPC. Conventions This guide uses the following typographical conventions. 10 Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis. Bold Text that is strongly emphasized. McAfee Endpoint Encryption for PC 5.2.13 Introducing McAfee Endpoint Encryption Finding product documentation User input or Path Commands and other text that the user types; the path of a folder or program. Code A code sample. User interface Words in the user interface including options, menus, buttons, and dialog boxes. Hypertext blue A live link to a topic or to a website. Note Additional information, like an alternate method of accessing an option. Tip Suggestions and recommendations. Important/Caution Valuable advice to protect your computer system, software installation, network, business, or data. Warning Critical advice to prevent bodily harm when using a hardware product. Finding product documentation McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. 
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com. 2 Under Self Service, access the type of information you need: To access... Do this... User documentation 1 Click Product Documentation. 2 Select a Product, then select a Version. 3 Select a product document. KnowledgeBase • Click Search the KnowledgeBase for answers to your product questions. • Click Browse the KnowledgeBase for articles listed by product and version. Requirements System requirements Systems Requirements Endpoint Encryption Manager • CPU: Pentium III 1GHz or higher • RAM: 512 MB minimum (1 GB recommended) • Hard Disk: 200 MB minimum free disk space • CPU: Pentium III 1GHz or higher • RAM: 512 MB minimum (1 GB recommended) • Hard Disk: 200 MB minimum free disk space Client systems for EEPC McAfee Endpoint Encryption for PC 5.2.13 11 Introducing McAfee Endpoint Encryption Requirements Software requirements Software (or package name) Requirements McAfee management software Endpoint Encryption Manager Operating system requirements 12 Systems Software Endpoint Encryption Manager See the Endpoint Encryption Manager Administration Guide Client systems for EEPC • Microsoft Windows 7 32-bit and 64-bit • Microsoft Windows 2000 Professoinal • Microsoft Windows XP Professional (32-bit only) • Microsoft Vista 32-bit and 64-bit (all versions) • Microsoft Windows Server 2003 and 2008 McAfee Endpoint Encryption for PC 5.2.13 Installing Endpoint Encryption Manager McAfee Endpoint Encryption Manager is the administration tool for managing all Endpoint Encryption applications. NOTE: If you are unfamiliar with Endpoint Encryption, you should follow the Endpoint Encryption for PC Quick Start Guide which describes setting up an Endpoint Encryption enterprise. Please read the Quick Start guide before tackling any of the topics in this guide. You will find this in your Endpoint Encryption box, or,on your Endpoint Encryption CD. 
Install Endpoint Encryption Manager

Install Endpoint Encryption Manager by running the appropriate setup.exe from the Endpoint Encryption CD or download.

Before you begin
You should run this first on the system that will be the master or administrator's system.

Task
1 Run the appropriate setup.exe from the Endpoint Encryption CD or download.
2 Follow the on-screen prompts and select a language, a smart card reader, and an encryption algorithm. The McAfee Endpoint Encryption Manager software is now installed on your system.
3 Restart your system. The Endpoint Encryption Management suite adds the required items to your system Start menu: Endpoint Encryption Manager, which starts the management console, and the Database Server, which starts the communication server and provides encrypted links between clients and the configuration.
4 Run the Endpoint Encryption Manager program. A wizard walks you through the creation of a new Endpoint Encryption directory.

NOTE: If you have an existing Object Directory in your network, you can connect to it by cancelling the wizard and manually configuring a connection. For information on this procedure, see the Endpoint Encryption Manager Administration Guide.

EEPC user policies

The following sections describe the Endpoint Encryption specific parameters.

Contents
User administration functions
User configuration options

User administration functions

Create Token
This option creates a new Token for the selected user - this could be a soft (password) token or a hard token such as a smart card or eToken. See the Token Operation chapter for more information. In the case of hard tokens, creating the token does not necessarily set the user to actually use that token. This must be accomplished separately from the user's Token properties page.

Reset Token
This option resets the token authentication to the default.
In the case of the soft (password) token, this resets the password to 12345. Some hard tokens cannot be reset using Endpoint Encryption, for example, Datakey Smart Cards. In this case contact the manufacturer of your token to determine the correct re-use procedure.

Set Single Sign On (SSO) Details
This option sets the SSO details for the user. For more information on SSO see the Windows Logon Features chapter.

Force Password Change at Next Logon
This option forces the user to change their password at their next logon.

View Audit
This option displays the audit for the user - for more information see the Auditing chapter.

Reset (All) to Group Configuration
This option resets the configuration of the user, or all the users in the group, to the group's configuration.

Create Copy
This option creates a new object based on the selected object.

Properties
This option displays the properties of the selected object.

User configuration options

General
The General page displays the user details such as User Id, user status, user validity and user picture.

Figure 1: User Options - General

• Auto-boot users - The special user id "$autoboot$", with a password of "12345", can be used to auto-boot an Endpoint Encryption protected machine. This option is useful if an auto-boot of a machine is required, for example, when updating software using a distribution package such as SMS or Zenworks. However, this ID should be used with caution as it effectively bypasses the security of Endpoint Encryption.
• Enabled - This option shows whether the user account is enabled or not. The enabled status is always user selectable.
When an Endpoint Encryption for PC protected system synchronizes with the Endpoint Encryption Manager, it checks the user account list to ensure that the currently logged on user is still valid (because they logged on at boot time, before the network and Object Directory were available). Users with disabled accounts, or users who have been removed from the user list, will find that their workstation locks and they are unable to log in.

NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop the user from accessing the machine), you can use the "force sync" option to force an update. See the Force Synchronization chapter.

Devices
The Devices page is used to set the access level for the floppy disk.

Figure 2: User Configuration - Devices

• Floppy Disk Access - Users can be prevented from accessing the floppy disk, or from writing to it. You can also elect to allow only encrypted floppy disks: in this situation the user must format their own disks, which only they can then use. Note: the disk is encrypted with the user's personal key.
• Ports - Endpoint Encryption can attempt to block access to the serial and/or parallel ports. This blocking is implemented after the operating system has booted. Therefore, if the machine has a serial mouse, it will still function. Likewise a printer connected to the parallel port will still function. This option is designed to stop users adding serial and parallel devices AFTER the machine has booted.

NOTE: The McAfee Port Control product provides granular device access by allowing you to take detailed control of the devices which are available to your users.

Application Control
Endpoint Encryption includes an application blocking system which can be used to restrict what code can actually be run by a user.
For more information on this feature see the Trusted Applications chapter.

Figure 3: User Configuration - Application Control

• List Contains Untrusted Applications - This option specifies that the files in the listed file hash sets are to be blocked (untrusted). All unlisted executable files are permitted to execute code (trusted).
• List Contains Trusted Applications - This option specifies that the files in the listed file hash sets are permitted to execute code (trusted). All unlisted executable files are blocked (untrusted).
• Enable Blocking of Untrusted Applications - This option blocks untrusted applications from executing code. If this option is not set, then any code can run; running with blocking disabled is intended for debugging.
• Enable Logging of Executed Applications - This option makes a record of files that try to execute code. A status message indicating whether the file is trusted or not is written to the SBAPPLOG.TXT file. This feature is useful for debugging trusted application file sets.

Using tokens with EEPC

Endpoint Encryption supports many different types of logon token, for example passwords, smart cards, Aladdin eToken, and others. Before a user can use a non-password token, you must ensure that any machine they are going to use has been suitably prepared.
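The Application Control options above can be read as a small decision procedure. The following Go program is an added example written for this page, not code from McAfee or from the Endpoint Encryption product: it models the two list modes against a hash set, applies the blocking and logging switches, and emits constructed log lines loosely modelled on the trusted/untrusted status messages the guide says are written to SBAPPLOG.TXT. The type and function names, the hash algorithm (SHA-256) and the file contents are the example's own assumptions; the real file-hash-set format is not described on this page.

```go
// Added example (not McAfee code): a model of the four Application Control
// options. Executables are judged against a hash set in either
// "list contains trusted" (allow-list) or "list contains untrusted"
// (block-list) mode; the blocking and logging switches then decide what
// happens. Hashes, file names, file contents and the log format are constructed.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ListMode mirrors the two mutually exclusive list options.
type ListMode int

const (
	ListContainsUntrusted ListMode = iota // unlisted files run (block-list)
	ListContainsTrusted                   // unlisted files are blocked (allow-list)
)

// Policy holds the per-user Application Control settings.
type Policy struct {
	Mode           ListMode
	HashSet        map[string]bool // SHA-256 hex digests of listed files (assumed algorithm)
	EnableBlocking bool            // "Enable Blocking of Untrusted Applications"
	EnableLogging  bool            // "Enable Logging of Executed Applications"
}

// Decision is the outcome for one execution attempt.
type Decision struct {
	Trusted bool   // how the policy classifies the file
	Allowed bool   // whether execution actually proceeds
	LogLine string // empty when logging is disabled
}

// hashFile hashes the file contents; the administrator's file hash sets
// would be built the same way from the approved binaries.
func hashFile(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

// Evaluate classifies one executable and applies the blocking/logging switches.
func (p Policy) Evaluate(name string, contents []byte) Decision {
	listed := p.HashSet[hashFile(contents)]
	var trusted bool
	switch p.Mode {
	case ListContainsTrusted:
		trusted = listed // allow-list: only listed files are trusted
	default:
		trusted = !listed // block-list: only listed files are untrusted
	}
	// With blocking disabled the classification is informational only and
	// every file runs, which is why the guide treats that state as debugging.
	allowed := trusted || !p.EnableBlocking
	d := Decision{Trusted: trusted, Allowed: allowed}
	if p.EnableLogging {
		status, action := "UNTRUSTED", "BLOCKED"
		if trusted {
			status = "TRUSTED"
		}
		if allowed {
			action = "EXECUTED"
		}
		d.LogLine = fmt.Sprintf("%s %s %s", name, status, action) // constructed format
	}
	return d
}

// SamplePolicy builds a policy over two constructed "approved" binaries.
func SamplePolicy(mode ListMode, blocking, logging bool) Policy {
	hs := map[string]bool{
		hashFile([]byte("approved-payroll-app v1.2")): true, // constructed contents
		hashFile([]byte("approved-vpn-client v4")):    true,
	}
	return Policy{Mode: mode, HashSet: hs, EnableBlocking: blocking, EnableLogging: logging}
}

func main() {
	p := SamplePolicy(ListContainsTrusted, true, true)
	for name, body := range map[string]string{
		"payroll.exe": "approved-payroll-app v1.2",
		"unknown.exe": "something the administrator never listed",
	} {
		fmt.Println(p.Evaluate(name, []byte(body)).LogLine)
	}
}
```

Run it with `go run` to see one TRUSTED EXECUTED and one UNTRUSTED BLOCKED line; switching the mode to ListContainsUntrusted inverts the classification, and clearing EnableBlocking lets the unlisted file run while the log still records it as untrusted.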
Contents
Supported Smart Cards and tokens
General token operation
Stored value tokens
Certificate, or crypt only tokens
Other types of token
Token compatibility
Specific token notes
Aladdin eToken 64KB
SafeNet IKEY 2032
Using Endpoint Encryption Phantom USB biometric key
Using Upek fingerprint reader

Supported Smart Cards and tokens

The link below contains the supported smart cards and tokens:
https://kc.mcafee.com/corporate/index?page=content&id=pd20895

General token operation

Hardware device support
Ensure the machine has the appropriate Windows drivers for the hardware tokens it needs to support. For example, if you intend to use Aladdin eTokens you need to install the Aladdin eToken RTE (Run Time Environment). If you intend to use smart cards, you need to ensure that an Endpoint Encryption supported smart card reader is installed, along with its drivers - for example, the Mako/Infineer LT4000 PCMCIA smart card reader must be installed. In both cases, the appropriate device drivers are available either direct from the manufacturer or from the Endpoint Encryption install CD in the \Tools directory.

Endpoint Encryption for PC driver support
Once you have installed hardware support for the devices, you can enable software support for them: from the machine or machine group Properties window, select the "Files" properties pane and tick the appropriate options for the tokens you want the machine, or group of machines, to support. For example, if you want the machines to support eTokens, select the "eToken PRO Client Token" file group. To support the Mako/Infineer Smart Card reader, select the "Infineer Smart Card Reader" file set.

NOTE: Some USB key tokens are in fact a combined USB Smart Card reader and USB Device in one unit; therefore, you need to add USB CCID Smart Card reader support to your EEPC clients for them to work.
See the Token Compatibility section later in this chapter for information on the tokens which are of this nature.

Assign the token to the user and create it
From the user's Token properties pane, select the token you want that user to log in with. Endpoint Encryption will prompt you to insert the token and will create the appropriate data files on it. If all steps are followed, when you install Endpoint Encryption, or after the machines synchronize, users will be able to log in using their new token.

NOTE: When learning how to use Endpoint Encryption, we advise you always leave at least one password-only user assigned to machines in case you make a mistake when setting up token support.

Stored value tokens

Endpoint Encryption can store user keys on certain tokens, such as smart cards or USB keys such as the Aladdin eToken. Storage tokens host around 1KB of data unique to the Endpoint Encryption environment and user on each token. They are configured within the Endpoint Encryption Manager for the specific user before they can be used. Tokens offer the following advantages over passwords:
• The user's key is not stored on the user's machine, and is protected from brute force attack by the microprocessor of the token
• The same token can be used to authenticate to many systems
• Tokens can be used for other physical purposes, for example door access systems

Certificate, or crypt only tokens

Endpoint Encryption can leverage your investment in PKI and tokens to allow users to authenticate using their certificates.
This can be quite advantageous in the corporate environment for the following reasons:
• Leverages investment in PKI and existing tokens
• Tokens do not need to be provisioned specifically for Endpoint Encryption
• Users can log in to Windows etc. using their PKI certificates
• Revocation of certificates denies access to Endpoint Encryption-protected PCs

By using one of Endpoint Encryption's certificate connectors, you can quickly make your Endpoint Encryption enterprise aware of all certificate-holding users, and can allow them to be allocated to computers using Endpoint Encryption for PC without having to create new smart cards or other forms of token for them to use. Endpoint Encryption has been tested with the following tokens and PKI environments - more tokens and PKIs are being developed, so if your environment is not listed, please contact your Endpoint Encryption representative for the latest information. You can use any token with any PKI.

How Certificate Tokens Work
Certificate tokens leverage the one-way property of public-key encryption: a piece of data can be encrypted for a user using their public information, but cannot subsequently be decrypted with that same information. Endpoint Encryption uses the information stored in the public certificate store of a PKI to look up users and encrypt their unique key with the public key stored in their certificate. This online process is handled transparently by one of the Endpoint Encryption Connectors. Once encrypted, Endpoint Encryption stores the information within its policy store and makes it available to all Endpoint Encryption-aware applications: for example, with Endpoint Encryption for PC, the user's key encrypted with their public key is stored on each machine the user is assigned to.
When a user tries to log in, Endpoint Encryption sends their encrypted user key to their token and asks for it to be decrypted using the private key stored on the token. The actual decryption happens within the microprocessor of the token, and only after the user has supplied the correct token PIN or password. This ensures the user's decryption key (private key) never has to leave the token. Once decrypted, the resulting user key can be used to authenticate the user. You can see from this process that there is no need for Endpoint Encryption to have prior knowledge of, or to have stored anything on, the user's token. All the information Endpoint Encryption needs to prepare the system can be obtained online through the PKI certificate server.

Certificate Connectors
Setting up certificate tokens is the responsibility of the Endpoint Encryption Certificate connectors - these are available for both Active Directory and LDAP systems, and more information on configuring them can be found in the Endpoint Encryption Manager Administration Guide, in the Active Directory Connector and LDAP Connector chapters. The connectors can search AD and LDAP directories for users and create them in Endpoint Encryption based on certain criteria. The connectors can also monitor CRLs for revoked certificates, and automatically handle the rollover of certificates on expiry.

Other types of token

There are other types of token also supported by Endpoint Encryption, such as Biometric and Cognometric tokens. For more information on these tokens please contact the manufacturer or your distributor.
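Returning to How Certificate Tokens Work: the wrap-and-unwrap flow described there (the connector encrypts the user key with the public key from the certificate; the token decrypts with its private key only after the PIN is supplied) is shown below in Go as an added example. This is not McAfee code, and the product's actual algorithms and key sizes are not stated on this page: RSA-OAEP with SHA-256, a 2048-bit key, the PIN and the 32-byte user key are the example's own assumptions, and the Token type is a software stand-in for the smart card.

```go
// Added example (not McAfee code): the key-wrapping flow from
// "How Certificate Tokens Work", modelled with RSA-OAEP from the Go
// standard library. The connector side needs only the public key; the token
// side holds the private key, releases nothing but the unwrapped user key,
// and only after the correct PIN is presented. PIN, user key and key size
// are constructed values.
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped blob to its purpose (an assumption of the example).
var oaepLabel = []byte("eepc-user-key")

// Token stands in for the smart card: the private key never leaves it.
type Token struct {
	priv *rsa.PrivateKey
	pin  []byte
}

// NewToken generates the token's key pair; a real card does this on-chip.
func NewToken(pin string) (*Token, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pin: []byte(pin)}, nil
}

// Certificate is the only thing the connector ever sees: the public half.
func (t *Token) Certificate() *rsa.PublicKey { return &t.priv.PublicKey }

// Unwrap is the logon step: the client hands the token the wrapped user key
// and the user's PIN; the token decrypts internally or refuses.
func (t *Token) Unwrap(pin string, wrapped []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), t.pin) != 1 {
		return nil, errors.New("token: wrong PIN, private key operation refused")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, t.priv, wrapped, oaepLabel)
}

// WrapUserKey is the connector's enrolment step: encrypt the user's unique
// key with the public key from their certificate. The result is what the
// policy store distributes to every machine the user is assigned to.
func WrapUserKey(pub *rsa.PublicKey, userKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, userKey, oaepLabel)
}

// RoundTrip runs enrolment and logon end to end and reports whether the
// unwrapped key equals the original; a wrong PIN surfaces as an error.
func RoundTrip(pin, attemptPin string) (bool, error) {
	tok, err := NewToken(pin)
	if err != nil {
		return false, err
	}
	userKey := make([]byte, 32) // constructed 256-bit user key
	if _, err := rand.Read(userKey); err != nil {
		return false, err
	}
	wrapped, err := WrapUserKey(tok.Certificate(), userKey)
	if err != nil {
		return false, err
	}
	got, err := tok.Unwrap(attemptPin, wrapped)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, userKey), nil
}

func main() {
	ok, err := RoundTrip("1234", "1234")
	fmt.Println("correct PIN:", ok, err)
	ok, err = RoundTrip("1234", "0000")
	fmt.Println("wrong PIN:", ok, err)
}
```

Nothing in WrapUserKey touches the private key, which is the property the guide relies on when it says the connector needs no prior contact with the token; revoking the certificate simply stops new wraps from being issued for that user.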
Other Tokens Supported in Endpoint Encryption for PC:
• Sony Puppy Biometric Reader (http://www.sony.co.jp/puppy/)
• RealUser Passfaces (http://www.realuser.com)
• Infineon Embedded TPM Chip
• Security Chip: TPM (TCG V1.2) with Infineon Package versions: Infineon TPM Professional Package V2.5 and Infineon TPM Professional Package V2.5 SP1
• Upek Fingerprint Reader

Token compatibility

Endpoint Encryption supports many tokens, but due to the pre-boot nature of Endpoint Encryption for PC, not all tokens are supported in all environments. If you have a specific token requirement, please contact your Endpoint Encryption representative for the latest information. Please also see the token overview spreadsheet; contact your McAfee representative for further details.

Some USB key tokens are a combined USB Smart Card reader and USB Device in one unit. You therefore need to add USB CCID Smart Card reader support to your Endpoint Encryption for PC clients to enable them to work.

Specific token notes

RSA SID800 USB Token
Storage token supported pre-boot. This token requires firmware 1.01.33 or higher.

ActivIdentity Smart Cards and USB Keys
These modules support ActivIdentity 64K v1 (card profile S4), ActivIdentity 64K v2 (card profile O4) and ActivIdentity 64K v2C (card profile S4) cards. You can choose to use the card in Stored Value mode or Certificate mode. The tested ActivIdentity ActivKeys are the AAK300 version (product code ZFG-3007-AB).

Infineon Embedded TPM Chip
The Infineon Trusted Platform Module (TPM) on Fujitsu PCs can be used as a token for Endpoint Encryption, allowing:
• Authentication to Endpoint Encryption Manager
• Pre-Boot Authentication
• Screensaver Authentication

NOTE: If you use the TPM as a token for Endpoint Encryption Manager, ensure that the UserID is not used on any other PC with a TPM. If it is, it will be locked to that PC from then on.
The embedded TPM chip, in its simplest form, can be envisaged as a smart card physically attached to the motherboard of the PC. The TPM (Trusted Platform Module) can perform similar cryptographic operations to PKI smart cards, such as encryption, decryption, key generation, signing of data etc. With the Endpoint Encryption TPM module, the TPM chip is used to secure a user's logon credentials. This means that once initialized, the user's unique secret key is removed from the Endpoint Encryption environment and secured by the TPM chip. From this stage onwards the user will only be able to log in to that particular machine.

Conversion from password mode to TPM mode is automatic and occurs as soon as the user uses their account on a TPM protected machine. From activation onwards, that Endpoint Encryption user will only be able to log in to the machine on which the TPM chip holds their keys.

Pre-Requisites for Endpoint Encryption Pre-Boot TPM Support
• Endpoint Encryption
• PC with Infineon TPM Chip installed (TCG Spec. Version 1.2)
• Infineon TPM Professional Package (Version 2.5)
• Infineon TPM Professional Package (Version 2.5 SP1)

Endpoint Encryption's TPM module also requires that the TPM be "initialized". This involves creating the Endorsement Key and Storage Root Key and setting an Owner password. If this is not done, Endpoint Encryption will find the TPM and try to convert the user to use it at first logon, but the operation will fail and the user will not be able to log on. The TPM initialization process is performed by the Infineon software after you install it.

The TPM chip must be enabled in the BIOS on the target PC (it is not enabled by default). Until it is enabled, it is essentially not present as far as Endpoint Encryption and the Infineon software are concerned.
If you try to install the Infineon software with the TPM disabled, it will warn you that the "Infineon TPM not found" and abort the install (exactly as it does on machines without a TPM).

Endpoint Encryption has been tested with the following TPM components:
• Infineon TPM Professional Package v2.5 HF2
  • Chip State = Enabled
  • Owner State = Initialized
  • User State = Initialized
• Trusted Platform Module
  • TCG Spec. Version = 1.2
  • Vendor = Infineon Technologies AG
  • Chip Version = SLB 9635 TT 1.2 (41313100)
  • FW Version = 1.00
  • FW ROM CRC = 0x4028
• TPM Device Driver
  • File name = ifxtpm.sys (x86)
  • Version = 1.80.0002.00 built by: WinDDK
• TPM Device Driver Library
  • File name = IFXTPM.dll
  • Version = 2.50.0771.00

Configuring the TPM on the target PC
The following instructions detail how to enable TPM support for a user on a target PC:
1 From the system tray, double-click the TPM icon, or select Start | All Programs | Infineon Security Platform solution | Manage Security Platform.
2 Click on the User Settings tab.
3 Click on the Basic User Password | Change button.
4 Follow the on-screen instructions to register a password for the TPM.
5 When you have successfully created the TPM password, exit the application.

Endpoint Encryption for PC setup
1 Install EEPC with TPM support.
2 Log on to the Endpoint Encryption Manager.
3 Click on Devices and from Endpoint Encryption Machine Groups add a new machine group.
4 Right-click on the machine group and select Properties.
5 Click on the Files icon and select TPM Machine Chip. Apply these settings.
6 Click on the Users tab and create an Endpoint Encryption user.
7 Right-click on the new Endpoint Encryption user and select Properties.
8 Assign an Infineon Embedded TPM Chip to the user and apply these settings.
NOTE: The Configure option does not apply to the Puppy token.
9 Assign the user to the machine group.
10 Create an install set from the machine group.

Installing Endpoint Encryption with TPM
1 Install Endpoint Encryption on the client PC using the newly created install set.
2 Reboot and synchronize with the Endpoint Encryption database.
3 Log on to Pre-Boot Authentication using the default password "12345".
4 When prompted to change the password, select the same password as the Basic User password for the TPM.
5 After the PC's next boot, the password for the TPM will be the TPM Basic User password.
6 Reboot the machine and log on at PBA by selecting the Sony Puppy token.

Recovery
When a user password recovery is performed, Endpoint Encryption resets the password to the default '12345' and allows the user to log in. The user will be prompted to change the password. Select a new password and make sure that you change the TPM password to the new one before rebooting the PC.

Sony Puppy fingerprint reader

The Sony Puppy can be used as a token for Endpoint Encryption, allowing:
• Authentication to Endpoint Encryption Manager
• Pre-Boot Authentication
• Screensaver Authentication

The Puppy allows two modes of operation: Fingerprint or Password. This means that if a user fails to log in using their fingerprint, they can do so using their password.

Requirements to use Sony Puppy with Endpoint Encryption
• Puppy Suite Enterprise / Personal - v2.1 or later
• Sony Puppy device (FIU-810-N03)
• Endpoint Encryption V5.0

The following instructions detail how to enable Sony Puppy support for a user. For this you will need to have a new Sony Puppy, or reset an existing one using the Sony Puppy Administration Tools.

Contents
Setting up the Sony Puppy fingerprint reader
Endpoint Encryption for PC setup
Installing Endpoint Encryption with Puppy support

Setting up the Sony Puppy fingerprint reader
Task
1 Install the Sony Puppy software - SC-API 810 setup (Basic).
2 Plug the Sony Puppy fingerprint reader into an available USB port.
3 Click Start | All Programs | FIU-810 tools | User Manager.
4 Follow the on-screen instructions to register a User Name and Fingerprint/Password for the device.
5 When you have successfully created the Sony Puppy User and registered your fingerprint(s), exit the application.

Endpoint Encryption for PC setup
Task
1 Install Endpoint Encryption for PC with Sony Puppy support.
2 Log in to the Endpoint Encryption Manager.
3 Click on Devices and from Endpoint Encryption Machine Groups, add a new machine group.
4 Right-click on the Machine Group and select Properties.
5 Click on the Files icon and select Sony Puppy Client Files.
6 Apply these settings.
7 Click on the Users tab and create an Endpoint Encryption user (keep a note of the UserID).
8 Right-click on the new Endpoint Encryption user and select Properties.
9 Assign a Puppy token to the user and apply these settings.
NOTE: The Configure option does not work with the Puppy token.
10 Assign the user to the machine group.
11 Create an install set from the machine group.

Installing Endpoint Encryption with Puppy support
Task
1 Install Endpoint Encryption for PC on the client using the newly created install set.
2 Once installed, start SbPuppytrainer.exe from the default Endpoint Encryption directory.
3 Select Train Puppy from the menu. The logon screen will appear.
4 Select Use Endpoint Encryption Username, enter the User ID and Password of the Endpoint Encryption user, and click the Logon with Password button. You will be asked to verify your fingerprint.
5 Place your finger on the reader and it should verify OK. The training is complete. You may reboot the machine and log on at PBA by selecting the Sony Puppy token.

Aladdin eToken 64KB

Tokens with id 0x0514 and 0x0600 are supported. Tokens with id 0x050c are no longer supported as they have been discontinued by Aladdin.
This token module requires Aladdin RTE 3.65 to be installed.

SafeNet IKEY 2032

Requires the v3.4.7 drivers as available from www.safenet.com. The Windows Update drivers do not function. This token is supported in Storage Mode only.

Using Endpoint Encryption Phantom USB biometric key

The Endpoint Encryption Phantom is a combined USB storage and biometric authentication token. To use it for Endpoint Encryption for PC Pre-Boot:

Task
1 Create a user and assign their finger within the USB Phantom by running SMCforUSB.exe (this is the USB Management utility):
  a Create user
  b Enroll user, i.e. register finger
  c Assign a partition to the user
2 From the Endpoint Encryption Manager, create a user account for the user name created in step 1.
3 Assign the Endpoint Encryption for USB token to the user (the default token is password).
NOTE: The default in EEPC is to create a default password of 12345.
4 Define the Machine Policy, which should include the file sets:
  • Endpoint Encryption for PC client files
  • READER: USB CCID smart card
  • TOKEN V5x: Endpoint Encryption for USB Phantom client files
5 Create an online installation set. Note: assign the user or user group to the machine as part of the machine policy.
6 Install Endpoint Encryption for PC on the client computer. After the second reboot, the client should see the Pre-Boot Authentication screen. This will have the password and Endpoint Encryption for USB token options.
7 Select Endpoint Encryption for USB, which should generate an Endpoint Encryption Biometric challenge screen:
  a Attach the USB Phantom to the PC.
  b Swipe the enrolled finger on the USB Phantom.
  c Tick the box for the user listed and provide the user name. The standard Endpoint Encryption logon screen should appear, which will require the SAME user name to be entered as the one registered with the USB Phantom.
At this point you will need to enter the default Endpoint Encryption password of 12345, which will configure the Endpoint Encryption for PC client with the USB Phantom. This step completes the integration of Endpoint Encryption for PC with the USB Phantom. The PC should now boot into Windows. After rebooting the client you will be prompted to authenticate via the USB Phantom biometric reader.

Using Upek fingerprint reader

Before the Upek fingerprint reader can be used as an authentication device, the following steps must be performed:
1 The Upek Protector Suite QL software must be installed and configured on the client machine. The software can be found on the McAfee Endpoint Encryption Tools download. Please consult your McAfee representative for further information.
2 From the Endpoint Encryption Manager:
  • Create a file group for the Upek token and import the token files: SbTokenUpek.dll and SbTokenUpek.dlm. See the File Groups and Management chapter for further information.
  • The Upek file group must be assigned to the machine or machine group.
  • The fingerprint reader must be assigned to a user or a user group. See the user or user group Properties | Tokens screen.
3 The user logs on to the client machine using the Upek token module in password mode.
4 The user is presented with a dialog box which asks them to register their fingerprints with Endpoint Encryption; the user configures the fingerprint reader to work with one or more of their fingerprints.
5 From then on the user will need to authenticate to Endpoint Encryption with their fingerprint instead of a password.

Creating and configuring systems

The Object Directory contains a unique record for every system attached to it.
When Endpoint Encryption installs, it creates a record either directly in the Object Directory or in a transfer directory for later inclusion; this object contains the system's encryption key, hard drive geometry, and secure configuration. Each user system periodically tries to connect to its parent directory to check that its local configuration matches the centrally defined one. If there are any differences, the local system reconfigures itself to match. You can change any aspect of the system's configuration centrally; these changes get applied to the system the next time it synchronizes.

Systems normally create their own object in the directory when Endpoint Encryption first installs; this happens automatically if you use a Group Install Set (see the Creating an Install Package chapter). Alternatively, you can pre-create a placeholder object for the system, set a unique custom configuration for it, and then create an install set for that object only.

Users are assigned to systems and system groups. When the system synchronizes, it compares its local user list with that in its Object Directory entry. Any changes are made in real time, including disabling the current user if their account has been removed or disabled.

Contents
Machine administration functions (right-click menu)
Machine configuration options

Machine administration functions (right-click menu)

Create Machine
The Create Machine option creates a new placeholder system definition. If in the future a new system with the same network name tries to install itself into the group, it will take over the placeholder object and use the configuration set within it.

Rename
This option changes the Endpoint Encryption name of the system. This does not affect the system's network name, which can be seen from the General | Properties page.
Delete
This option deletes the system entry. You will be given the opportunity to Permanently Delete the system, or to move the system to the Recycle Bin (where it can later be restored, if necessary).

Import Machines
This option imports a system definition into the group. This definition could be from a system created using an Offline Install (see Offline Package Installs for further information) or from an export from another database.

Export Configuration
This option exports the configuration information for a system (.sdb file), which can be used for diagnostic or troubleshooting tasks or for import into an alternate database.

Create Install Set
Creates a package of all the files and configuration needed to install Endpoint Encryption. For more information, see Installing, Upgrading and Removing Endpoint Encryption for PC.

Force Synchronization
You can force a system (or group of systems) which is online to perform an immediate configuration synchronization. You would perhaps do this if you have removed a user from a group (or disabled them) and it is imperative that they are disabled immediately, or if a user has a configuration issue that needs resolving. To do this, select the system (or system group) in question, and use the Force Synchronization option from the window menu or right-click menu. The Endpoint Encryption Manager sends a short message to the system in question (using its stored DNS name or IP address) telling it to perform an immediate synchronization to update its policies. If you Force Sync a system that is not online, or one that refuses the request because Endpoint Encryption is no longer installed, an error message is generated. If Endpoint Encryption is already in the process of performing a configuration change on the remote system, the sync request is ignored.
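The user-list comparison described at the start of this chapter (and the lock behaviour described under the Enabled option in EEPC user policies) can be expressed as a reconciliation function; Force Synchronization simply triggers it immediately instead of waiting for the periodic check. The Go program below is an added example for this page, not McAfee's synchronization code: the user IDs, the central and local lists, and the type, field and function names are constructed for illustration.

```go
// Added example (not McAfee code): the user-list reconciliation a protected
// system performs against its Object Directory entry. The client keeps only
// users the directory still lists as enabled, reports what changed, and
// decides whether the currently logged-on session must lock. All names and
// lists here are constructed.
package main

import (
	"fmt"
	"sort"
)

// CentralUser is the directory's view of one user assigned to the machine.
type CentralUser struct {
	ID      string
	Enabled bool
}

// SyncResult is what the client applies after comparing the lists.
type SyncResult struct {
	LocalUsers  []string // IDs allowed to log on at Pre-Boot after this sync
	Added       []string // newly assigned users
	Removed     []string // users no longer assigned to the machine
	Disabled    []string // users still assigned but with a disabled account
	LockSession bool     // the logged-on user is no longer valid
	LockReason  string
}

// Reconcile compares the client's local user list with the central entry.
// The logged-on user authenticated at boot, before the directory was
// reachable, so their validity is only re-checked here.
func Reconcile(local []string, central []CentralUser, loggedOn string) SyncResult {
	var res SyncResult
	centralSet := map[string]bool{} // ID -> enabled
	for _, u := range central {
		centralSet[u.ID] = u.Enabled
		if !u.Enabled {
			res.Disabled = append(res.Disabled, u.ID)
		}
	}
	localSet := map[string]bool{}
	for _, id := range local {
		localSet[id] = true
		if _, present := centralSet[id]; !present {
			res.Removed = append(res.Removed, id)
		}
	}
	for _, u := range central {
		if !localSet[u.ID] {
			res.Added = append(res.Added, u.ID)
		}
		if u.Enabled {
			res.LocalUsers = append(res.LocalUsers, u.ID)
		}
	}
	sort.Strings(res.LocalUsers)
	if enabled, present := centralSet[loggedOn]; !present {
		res.LockSession = true
		res.LockReason = loggedOn + " removed from the machine's user list"
	} else if !enabled {
		res.LockSession = true
		res.LockReason = loggedOn + " account disabled"
	}
	return res
}

func main() {
	local := []string{"alice", "bob", "carol"} // constructed local list
	central := []CentralUser{{"alice", true}, {"bob", false}, {"dave", true}}
	fmt.Printf("%+v\n", Reconcile(local, central, "bob"))
}
```

In the sample run bob is logged on but has been disabled centrally, carol has been removed, and dave is newly assigned, so the result locks the session and leaves alice and dave as the only users who can authenticate at the next boot.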
Reboot Machine
You can select the Reboot Machine option to attempt to reboot one or many systems. This sends a message to the systems in question telling them to perform an immediate shutdown. Users may not be given enough time to save their work, so this feature should be used with caution. You can configure the messages and timeout of the reboot option by editing the SCM.ini file, as explained in the Endpoint Encryption Configuration Files chapter of this guide. There are some instances when Windows will prevent remote rebooting of a system, for example, while the screen saver is active.

Lock Machine
You can remotely activate the screen saver on a given system by using the Lock Machine command. Both systems and groups of systems can be locked in this way.

Add Users
You can add a number of users to a collection of systems using this option. You can select the system, or combination of systems, you want to add users to from a group or search window.

View Audit
This option displays the audit for the system. For more information see the Auditing chapter.

Reset to Group Configuration
Resets the configuration of the system, or all the systems in the group, to the group's configuration. Optionally, it sets the user list to match the group user list.

Create Copy
Creates a new object based on the selected object.

Properties
This option displays the properties of the selected object.

Machine configuration options

The following configuration options can be set for systems, or groups of systems.

Machine Groups
Description - You can enter a text description for a system group, such as the physical location of the systems.

General
The General page enables you to select the Boot Protection and other General options.
Figure 4: Boot Protection and General Options

Table 1: Boot Protection and General Options

General

Boot Protection
• Disabled—Endpoint Encryption is installed, but is not securing the computer. You can change the status to another mode and this will be reflected at the next synchronization.
• Enabled—Endpoint Encryption is protecting the system, and requiring users to log on.
• Remove—Endpoint Encryption will decrypt and uninstall itself at the next synchronization.
• Remove and Reboot—as above, with the addition that Endpoint Encryption will automatically reboot the system after uninstalling.
• Removed—Endpoint Encryption is no longer installed on the system, and its entry can be deleted from the directory.
NOTE: If you select Remove and let the system uninstall Endpoint Encryption, remember to delete the entry from the directory, or set the protection back to Enabled before reinstalling Endpoint Encryption. If you forget this, then as soon as the new install connects, it will remove itself again.

Description
This field allows you to enter a text description of the system, such as its specification, model or physical location.

Network Name
The system's logical network name—you can find and filter the Machine tree for the system's name using the Object/Filter option.

Options (Windows Logon)
• Require Endpoint Encryption Logon—Endpoint Encryption takes control of the normal Windows logon screen, and screen saver logon. Users will be prompted for their Endpoint Encryption for PC credentials.
• Attempt automatic Windows Logon—Endpoint Encryption tracks the user's Windows ID, password and domain, and presents these automatically to Windows logon boxes. This mechanism means that once the user has authenticated to Endpoint Encryption at the boot screen, they do not need to enter any more passwords for Windows.
NOTE: If the user's Windows credentials are different from their Endpoint Encryption for PC credentials, Endpoint Encryption stores the Windows credentials the first time they are used. It may take two reboots before the Single Sign On becomes active.
• Require Endpoint Encryption re-logon—If the user logs out of Windows, Endpoint Encryption controls the logon box for the next log on.
• Automatically logon as boot user—If there are no stored Windows credentials for the user, Endpoint Encryption tries to log on to Windows with the user's Endpoint Encryption credentials.
• Endpoint Encryption logon component always active—If selected, the Endpoint Encryption logon component is kept active on the system even if all the other options are disabled. This means that it can be reactivated mid-session during synchronization with the Object Directory. If all options are deactivated, the Endpoint Encryption logon component can only be reactivated after a reboot.
• Set Endpoint Encryption Password to Windows Password—If the Windows and Endpoint Encryption logon passwords differ, users are prompted to set the Endpoint Encryption password to the Windows password. Also, if the user changes their password in Windows, their Endpoint Encryption password is set to match.
• Booting Must Match Windows user name—If a user's Endpoint Encryption and Windows user IDs do not match, no SSO credentials are stored for the user when this option is enabled. This prevents an administrator's Windows credentials being associated with a normal user's Endpoint Encryption account in the case that the normal user logged on at Pre-Boot, but then an administrator authenticated to Windows.

Allow Booting from the hard disk
If disabled, users will have to boot the system with a system bootable token such as an Endpoint Encryption Floppy Disk.
This adds the additional security that the system is inaccessible without the token.
NOTE: This option is not available with Endpoint Encryption version 4.1 or later.

Virus Protection
Enable MBR Virus protection—Endpoint Encryption monitors boot sector activity, and prevents any program writing to it. Endpoint Encryption also monitors the BIOS signature to further prevent boot viruses.
NOTE: If you have this option enabled and you move a protected hard disk between two systems, Endpoint Encryption will detect this as a possible virus and prevent the system being used until a virus reset has been performed. For information on this procedure, see the chapter on WinTech and SafeTech.

Miscellaneous
• Do not display previous user name—Hides the ID of the last logged on user in all Endpoint Encryption logon dialogs, and changes the Incorrect Password and Unknown User ID error messages to a generic message.
• Reject Suspend/Hibernate Requests—This option stops the system from entering hibernation mode. NOTE: This option is not supported in Vista.
• Disable Checking for AutoBoot—This option switches off the $autoboot$ user support on this system. If the system has many users assigned, this option can speed up the boot time.
• Do not lock after AutoBoot is removed—Normally Endpoint Encryption locks the workstation if the currently logged on user is removed, or disabled, as part of a synchronization event. This is to prevent the system being used in the event that there is no current user. Switching this option on stops the autolock happening if the $autoboot$ user is removed, and may be useful in the case of automated software updates.
• Allow AutoBoot user to be managed locally—Enables support for the -disablesecurity and -reenablesecurity options of the Endpoint Encryption Automation library. For more information on these options see the SBAdmCL Users Guide.
• Disable Clearing of status log—Prevents users from clearing the client side status log.
• Always display On-screen keyboard—Forces the Pre-Boot to always display a clickable on-screen representation of the keyboard. This option is of most benefit to TabletPC users.
• Enable Boot Disk Compatibility—Some systems have BIOS code which mounts USB disks as physical drives. This is an unusual mode of operation and means that after Endpoint Encryption has finished its authentication, Windows hangs trying to access the drive through the BIOS physical interface (because Endpoint Encryption is also a 32-bit platform, it unloads all BIOS drives when it finishes). This option forces the low-level Endpoint Encryption drivers to block access to disks other than the boot disk, meaning Windows will not detect these USB drives until the USB stack is initialized. An alternative solution is to unplug all USB drives before booting the system.
• Always enable pre-boot USB support—This option forces the Endpoint Encryption Pre-Boot code to always initialize the USB stack. Normally this option should not be enabled, as Endpoint Encryption will dynamically enable USB on demand.
• Do Not Lock Workstation if no User is Authenticated—This option stops the client manager from locking the workstation after a synchronization if it finds that there is no current Endpoint Encryption user logged on, for example, after the first synchronization during the install or if the Endpoint Encryption user that is currently logged on is removed.
• Do Not Lock Workstation if User is Disabled—This prevents the client manager from locking the workstation after a synchronization if the currently logged on Endpoint Encryption user is disabled.
Encryption
Before a system has first synchronized with the Object Directory, or in the case of the properties of a system group, the Object Directory does not know what drives and partitions are available to be encrypted. The Endpoint Encryption Manager provides the ability to specify any partition name and elect to encrypt it.

Figure 5: Setting Drive Encryption

Once the system has synchronized, only the partitions present on it are shown. You can specify one of three encryption modes—Full encrypts the entire partition, Partial encrypts only the first 10% of the drive, None leaves the drive in plain text with no security. The Last Reported Setting can be used to verify if the system has applied recent configuration changes. The Last Reported Setting for a drive is the exact state of encryption the last time the system reported to the Database.
NOTE: Partial encryption is designed to encrypt the directory structure and file allocation table on FAT drives—it does not stop a competent hacker reassembling file data from the drive.
Table 2: Encryption Options

Encryption

Encryption Mode
The Encryption Mode drop down menu lets you specify an encryption type for all drives in a system group:
• Manually select the drives to encrypt—This option allows you to manually select the encryption type for each drive using the Full, Partial or None buttons.
• Never encrypt any drives—This option ensures no drives in the system group will be encrypted.
• Automatically encrypt all drives partially—This option sets all drives in the system group to be partially encrypted.
• Automatically encrypt all drives fully—This option sets all drives in the system group to be fully encrypted.

Recovery key
You can boot a system, or close the Endpoint Encryption screen saver without logging on, using the recovery process—this involves the user reading a small challenge of 18 characters from the system to an administrator, then typing in a larger response from the administrator. The recovery key size defines the exact length of this code exchange. For more information see the Recovery Key chapter. A recovery key size of 0 disables the system recovery system.

Removable Devices
You can configure EEPC to also encrypt removable drives such as USB or Firewire hard disks, Flash drives etc. Normally, EEPC only protects physically attached hard disks, for example, IDE or SCSI hard disks. This is because EEPC is related to the system, not the user: it is impossible to share drives encrypted with EEPC between different systems. If you need to share data amongst users and systems, please consider using EEFF.
• Manually Select—Normally removable drives will not be shown in the encryption list. Selecting this option makes them visible.
• Always Encrypt—Forces encryption of removable drives.
• Never Encrypt—Prevents Endpoint Encryption from attaching its drivers to removable disks—this is the default option.

Users
You can add groups of users, and individual users, to a system (or system group). Either drag and drop the user(s) from the user tree into the system properties User tab, or use the user picker to select them. Although Endpoint Encryption supports many hundreds of users on a single system, we recommend that the actual number of users assigned is minimized to the fewest possible. Every user added to a system is another possible account for a hacker to gain entry. There is no purpose in adding entire departments of users to laptops which are used by only one person.
• Auto-boot users—Special user IDs containing the name $autoboot$ with a password of 12345 can be used to auto-boot a protected system. This option is useful if an auto boot of a system is needed; for example, when updating software using a distribution package such as SMS or Zenworks. These IDs should be used with caution however, as they effectively bypass the security of Endpoint Encryption. Any ID containing the string $autoboot$ can be used, for example, my$autoboot$, $autoboot$123 etc. By using more than one ID, you can improve database performance if many systems are synchronizing the $autoboot$ account at the same time.

The process for creating an $autoboot$ user is:
1 Create the user
2 Uncheck the Force password change at next logon
3 Click the Devices tab
4 Right-click the system group (or system, if preferred), and select Properties
5 Ensure the Disable checking for AutoBoot option is unchecked
6 Ensure the Allow AutoBoot user to be managed locally and Allow AutoBoot to be cancelled options are checked
7 Click the Apply button to save these options. The AutoBoot user is now ready.
For further explanation of steps 5 and 6 see the General section of the Machine Configuration Options chapter. You can also change the default password for the $autoboot$ accounts; to do so, see the section Autoboot.ini in Endpoint Encryption Configuration Files.
CAUTION: It is quite possible to create a system, or system group, with no users assigned. If this configuration is deployed then no one will be able to log on to that system. To resolve this issue, use the recovery "boot once" procedure, add some users to the system in question, and then synchronize it again to update the configuration.

Warning Text
• Security warning—Text displayed to the user in the Endpoint Encryption login box.
Figure 6: Client Warning Text
• Recovery Message—Text displayed to the user when they select the Recover button. This may include information such as their help desk telephone number.

Synchronization Settings
Endpoint Encryption systems try to keep their local configuration the same as their central directory configuration; they do this by periodically synchronizing changes with the Object Directory. The default behavior is to synchronize on boot, but further options can be set.

Figure 7: Synchronization Settings

Table 3: Synchronization Settings

Synchronization Settings

Automatically Resynchronize
Endpoint Encryption tries to contact the Object Directory every specified number of minutes. If the directory cannot be contacted, the sync sleeps until the next period.

Allow Local Resynchronization
By right-clicking on the Endpoint Encryption tool tray icon, the user can force a synchronization event by selecting the Synchronize option. This feature can be disabled.

Resynchronize when RAS connection is detected
This option causes a synchronization event to occur if the user dials up to the internet/intranet.
Endpoint Encryption checks for new RAS (Remote Access Service) connections every second.

Synchronize time with directory
This option sets the local system time to the time of the server/directory it is synchronizing with. If the user's system is in a different time zone to the server, the correct local time will be set as long as their time zone is correct.
CAUTION: This option is useful when logon hour restrictions are in place—without this time check the user could set their system clock back to gain extra hours of system use.

Disable Synchronization of Files
This option stops Endpoint Encryption monitoring file group changes and deploying updates to the remote systems.

Allow remote controlled synchronization
This option allows an administrator to initiate a synchronization event using the ForceSync option. The Endpoint Encryption client sends its IP address to the Object Directory each time it connects to enable the communication channel. The communication port can be set between 0 and 65535.
NOTE: The client IP appears in the Address field within the Synchronize settings screen of the system's Properties screen.

Disable Access if not synchronized…
If a system does not connect to its server within the specified number of days, then all accounts become disabled. This option prevents users continuing to use systems offline from the Endpoint Encryption Object Database for extended periods of time. Also, if a system is stolen or lost, you can be assured that it will disable itself after the timeout has passed.

Delay Sync at boot for…
You can specify an optional offset and random offset for the initial boot sync. This speeds up the system, and also ensures any network load created by the "9am syndrome" is distributed over a longer period of time. You can set a value of zero for the delay time; this disables the initial synchronization.
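The two settings an administrator most often has to size are the boot sync delay and the offline lockout, and the guide gives only their meaning, not their effect. The example below is an added illustration (written for this page, not McAfee code) that models both: it shows how a random offset spreads the "9am syndrome" load that a fixed delay alone would not, and when the "Disable Access if not synchronized" timeout would disable accounts on a lost laptop. The uniform whole-minute jitter, the treatment of a zero offset as "initial sync off" regardless of the random part, and the strict "more than max_days" lockout comparison are my assumptions; the client counts and dates are constructed sample values.

```python
"""Added example (not McAfee code): models two Table 3 synchronization settings.

Assumptions (mine, not stated by the guide): the random offset is drawn
uniformly in whole minutes; an offset of zero disables the initial sync
regardless of the random offset; the offline lockout fires once more than
max_days have elapsed since the last successful sync."""
import random
from collections import Counter
from datetime import date, timedelta


def boot_sync_delay(offset_min, random_offset_min, rng=None):
    """Minutes to wait before the initial boot sync, or None when the initial
    sync is disabled (the guide: a delay of zero disables it)."""
    if offset_min < 0 or random_offset_min < 0:
        raise ValueError("offsets must be non-negative")
    if offset_min == 0:
        return None
    rng = rng or random
    # fixed part plus a uniform jitter of 0..random_offset_min minutes (assumption)
    return offset_min + rng.randint(0, random_offset_min)


def peak_syncs_per_minute(n_clients, offset_min, random_offset_min, seed=0):
    """Simulate n_clients booting in the same minute and return the largest
    number that contact the Object Directory in any single minute.  With no
    random offset every client lands in the same minute; with jitter the
    load is spread over random_offset_min + 1 minutes."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    per_minute = Counter()
    for _ in range(n_clients):
        delay = boot_sync_delay(offset_min, random_offset_min, rng)
        if delay is not None:
            per_minute[delay] += 1
    return max(per_minute.values(), default=0)


def access_disabled(last_sync, today, max_days):
    """'Disable Access if not synchronized': True when the system has been away
    from the directory for more than max_days (strict '>' is my assumption).
    Dates may be date objects or ISO strings such as '2013-01-01'."""
    if isinstance(last_sync, str):
        last_sync = date.fromisoformat(last_sync)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if max_days <= 0:
        raise ValueError("max_days must be positive")
    return (today - last_sync) > timedelta(days=max_days)


if __name__ == "__main__":
    # constructed scenario: 500 clients all booting at 09:00, 5 minute fixed offset
    print("peak syncs/minute, no jitter   :", peak_syncs_per_minute(500, 5, 0))
    print("peak syncs/minute, 60 min jitter:", peak_syncs_per_minute(500, 5, 60))
    # constructed scenario: laptop last synced 1 Jan, policy allows 14 days offline
    print("accounts disabled on 20 Jan:", access_disabled("2013-01-01", "2013-01-20", 14))
```

Running the script shows the fixed offset on its own merely moves the spike; only the random offset flattens it. For the lockout, pick max_days from how long a legitimately travelling user can be away, since the same timer is what disables a stolen system.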
The synchronization settings take effect once Endpoint Encryption has connected and picked up its policy from the central Object Directory. You can pre-set the parameters that Endpoint Encryption will use while it is trying to establish the initial first-time connection through settings in the file SCM.ini. More information on this file can be found in Endpoint Encryption Configuration Files.

Files
Select which groups of files need to be deployed to the system. Typically the Endpoint Encryption Client File group is deployed, along with optional token and language files.

Figure 8: Client File Groups

Some file groups may not be displayed in the list—only file groups with the property Client File Sets are shown. You can add your own file groups for deployment to the Endpoint Encryption Object Database. If your Endpoint Encryption user account has group permissions set, some file groups assigned to the system may be outside your control—in this case they will be marked as locked groups. To gain the ability to change them, remove any Group administration restrictions on your account.

Screen Saver

Figure 9: Screen Saver Properties

Table 4: Screen Saver

Screen Saver

Enable Secure Screen Savers
Endpoint Encryption will take control over all screen savers, providing secure authentication services. On Windows 2000, XP, Vista, and 7 operating systems, the Windows Logon options also need to be configured.

Allow user access…
This option allows the user to change the local screen saver properties.

Run screen saver if token is removed…
If the current user's token supports dynamic removal, for example, a smart card or eToken, then the screen saver will be activated if they remove the token from the system.

Set Endpoint Encryption screen saver as default
This option sets the currently selected screen saver to be the Endpoint Encryption Screen Saver.
Allow logon of administrators…
This option allows administrators with accounts on systems greater than the specified admin level to unlock a screen saver that has been locked by a different user. If this option is not set, then only the user who locked the system can unlock it.

Set screen saver inactivity…
This option sets the timeout period for the screen saver.

Boot

Figure 10: Boot Properties

Table 5: Boot

Boot

Boot Manager
Enable boot Manager—Switches on the built-in Pre-Boot partition boot manager. Users can select which primary partition on the hard disk they wish to boot. You can control the display of the partitions which the user can select through the file bootmanager.ini. For information about this file, see the Endpoint Encryption Configuration Files chapter of this guide.

Auto select After... seconds
This option allows you to select a period which, once it has expired, causes the boot manager to select the last used partition.

Graphics Mode
This menu allows you to specify the screen resolution for a system or systems within a group. The default option is Default Graphics Mode, which supports resolutions up to 1024x768.
NOTE: If the selected mode is not supported on the system it will fall back to the default mode.

File groups and management
Endpoint Encryption for PC uses central collections of files, called Deploy Sets, to manage what versions of files are used on remote Endpoint Encryption clients. When an administrator updates a file in the central directory, all machines attached to that Deploy Set automatically collect the new version of the file from the directory the next time they synchronize.
This mechanism can be used to update Endpoint Encryption clients to future versions, or to manage any file on an Endpoint Encryption protected machine—for instance, updating a virus database, or a new version of an application.

Contents
Endpoint Encryption file groups
Setting file group functions
Importing new files
Exporting files
Deleting files
Setting file properties

Endpoint Encryption file groups
You can assign multiple file sets to be used on each system. Typically two are used, the first for the core Endpoint Encryption files, the second for the language files. All assigned sets are processed in the same way. When the Endpoint Encryption Manager is installed, it automatically adds the entire standard Endpoint Encryption administrator and client files into two core file groups: Administration Center Files and Endpoint Encryption for PC 5 Client Files; it may also create language sets, for example, English Language. It also creates two INI files: ADMFILES.INI for the administrator files (which determines the contents of the core groups) and SBCLIENTFILESET.INI for the client files. These INI files can be edited to allow custom collections of files to be quickly imported and then applied using the "Import file list" menu option. For more information on ADMFILES.ini and SbClientFileSet.ini, see the Endpoint Encryption Configuration Files chapter of this guide.

Figure 11: Endpoint Encryption File Groups

Other file sets created as standard include those to support login tokens, such as smart card readers, and USB Key tokens.

Setting file group functions
You can specify the function of a file group by right-clicking it and selecting its properties. Some file selection windows, for example the file selector for machines, only display certain classes of file group (in this example, those marked as Client Files).
Figure 12: File Group Content

Importing new files
New files can be imported one by one into an existing deploy set using the Import files menu option. Simply select the file. The Endpoint Encryption Manager will then import it into the directory and add it to the deploy set. The default options for the file mean that those machines using this deploy set will NOT automatically receive a download when they synchronize. This chapter contains further information on how to achieve this. You can also import File Sets, for instance, to add a new option to the Endpoint Encryption database.

Exporting files
You can export a file group, or an individual file, back to a directory. This may be useful, for example, if you have an out of date administration system driver and there is an updated file in the Object Directory.

Deleting files
You can delete individual files from a file set. In this case all machines that are maintaining a link to the file through association will delete it from their local directory at the next synchronization event. Clients maintain a link to a particular file through its object ID, not its name. If you delete a file and re-import it, its ID changes; clients will still delete the original and download the new copy.

Setting file properties
To see the properties of a file, right-click on the file in question and select Properties. Two screens of information are available: File Information and Advanced. The name of the file is the actual name which will be used when deploying the file on the remote machine. The ID is the Object Directory object ID which is used as a reference for the file from the client PC. The version number is an incremental version of the file. When the file is updated, the version is incremented.
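The Deleting files and Setting file properties sections above state the two rules that drive client-side file deployment: a client tracks each file by its Object Directory object ID rather than its name, and it compares version numbers to decide whether an update is needed. The example below is an added illustration (written for this page, not McAfee code) of the reconciliation those rules imply, run over a constructed directory list and a constructed local list; it covers the delete-and-re-import case, where the same file name appears under a new ID, as well as a superseded version and a brand-new file. The data shapes, the integer versions, and the delete-before-download ordering are my assumptions.

```python
"""Added example (not McAfee code): the deploy-set reconciliation a client can
derive from the guide's object-ID and version rules.

Assumptions (mine): each side records object ID -> (deployed file name, version);
versions are integers that only increase; the directory list is the full set of
files in the deploy sets assigned to this machine."""

# Directory side: files in the assigned deploy sets as seen at sync time (constructed)
DIRECTORY_FILES = {
    "obj-1001": ("sbclient.dll", 7),
    "obj-1002": ("english.lng", 3),
    "obj-2045": ("message.txt", 1),   # deleted and re-imported, so it carries a new ID
}

# Client side: what the machine holds, keyed by object ID, not by name (constructed)
LOCAL_FILES = {
    "obj-1001": ("sbclient.dll", 6),   # superseded: directory holds version 7
    "obj-1002": ("english.lng", 3),    # current
    "obj-2001": ("message.txt", 1),    # old ID of the re-imported file
}


def reconcile(directory, local):
    """Return (download, delete, unchanged) as sorted lists of object IDs."""
    download, delete, unchanged = [], [], []
    for oid, (_name, dir_version) in sorted(directory.items()):
        if oid not in local:
            download.append(oid)              # in the directory list but not locally
        elif local[oid][1] < dir_version:
            download.append(oid)              # local copy superseded by a newer version
        else:
            unchanged.append(oid)
    for oid in sorted(local):
        if oid not in directory:
            delete.append(oid)                # link broken: object no longer in the directory
    return download, delete, unchanged


def apply_plan(directory, local, plan):
    """Return the local list after the plan is applied.  Deletes are applied
    before downloads so a re-imported file with the same name is not removed
    after it has just been refreshed (ordering is my assumption)."""
    download, delete, _unchanged = plan
    new_local = {oid: entry for oid, entry in local.items() if oid not in delete}
    for oid in download:
        new_local[oid] = directory[oid]
    return new_local


if __name__ == "__main__":
    plan = reconcile(DIRECTORY_FILES, LOCAL_FILES)
    print("download :", plan[0])
    print("delete   :", plan[1])
    print("unchanged:", plan[2])
    print("after sync matches directory:", apply_plan(DIRECTORY_FILES, LOCAL_FILES, plan) == DIRECTORY_FILES)
```

Note how obj-2001 is deleted even though a file of the same name is being downloaded under obj-2045: that is exactly the behaviour the guide describes for a deleted and re-imported file, and it is why a rename in the directory never reaches clients as an in-place update.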
The version number is used by the clients to check whether an update is needed. Other information such as the name of the user who imported the file and its size may be shown.

Figure 13: File Properties, Advanced

Table 6: File Properties, Advanced

Setting File Properties

File Types
Sets the type of the file.

Operating System
Because some files are only applicable to some operating system(s), the target operating system(s) for the file must be selected. This is to prevent Windows NT drivers being installed on Windows 98 machines, or Windows 9x registry files being run on Windows 2000 servers.

App ID
If you are installing a file which is shared between multiple Endpoint Encryption applications, you can specify this application's ID. This prevents one application from installing files shared by another.

Update
Specify when Endpoint Encryption should update the file.

Using Endpoint Encryption as a file deploy system
Endpoint Encryption's internal file update mechanism can be used to synchronize any file on an Endpoint Encryption protected machine. When the Endpoint Encryption client performs synchronization, it compares its internal file revision list with the revision of the files in the Object Directory. If any files have been superseded (or are in the directory list but not in the local list), Endpoint Encryption downloads them. The file type assigned in the Object Directory determines what happens to a file when it is downloaded. The action can be summarized simply:
• Endpoint Encryption Registry File: Processed into registry
• Windows Registry File: Processed into registry using RegEdit
• Pre/post Installation Executable: Copied to specified location and run either before or after Endpoint Encryption.
• Any other file: Copied to specified location

Contents
Copying a new file to the desktop (Example)

Copying a new file to the desktop (Example)
This example shows how to set up a new text file that will be copied to the user's desktop when they synchronize.
Task
1 Check the File Group settings: From the properties of the machine (or controlled machine group) you want to update, check which file groups are assigned. The default file group is EEPC1: Endpoint Encryption for PC 5.1.2 Client Files. You can create new file groups specifically for your custom files and assign them to machines if you so wish.
2 Add the new text file.
a Select the file group from step 1, and then use the Import Files option (right-click inside the File Group window).
b Select the new file you want to import, for example, "message.txt". Once imported, select the new file and go to its Advanced Properties box. Because we are importing a "Known" file type, the file location will be set automatically to [appdir]. We will override this with the location we want to send the file to, in this case c:\windows\desktop. We also want this file to be deployed on all operating systems, so we check all the boxes.
Figure 14: Setting the new text file permissions.
Now, the next time the machine synchronizes, it will notice the new file, and download it into its c:\windows\desktop directory. If the file was defined as a type of Endpoint Encryption or Windows Registry file, it would be applied. If it was marked as an "Installation Executable", it would be run. You can test this behavior by forcing the machine to resynchronize using either the "Force Sync" option from the Endpoint Encryption Manager, or from the Endpoint Encryption client tool tray icon right-click menu.
The file "message.txt" should appear on the desktop, and the status window of the client should reflect the change. More information on the Endpoint Encryption file deployment mechanism can be found in the File Groups and Management chapter.

Creating an install package
The Endpoint Encryption client is installed by running a special archive file created from the Endpoint Encryption Manager. This archive file contains all the components necessary to install Endpoint Encryption. The Endpoint Encryption Manager compresses the files needed into a single self-contained executable for ease of management. Deploy sets can be created for Machine groups, and individual machines, for both fully online and temporary offline situations. This chapter deals with creating the install package; for information on how to apply it, see the Installing, Upgrading and Removing Endpoint Encryption for PC chapter.

Contents
Selecting the Group/Machine
Select the install set type
Importing a transport directory
Select the master directory

Selecting the Group/Machine
The first step in creating an install set is to select the object you want to create the set for, e.g. an individual machine or a machine group. Install sets created for a machine can only be used to install that one machine - the target PC always takes the database entry the install set was created for. Sets created for groups of machines can be used to install any number of machines in that group - each machine looks in the deployed group for its name - if found it uses that object. If not, it creates a new object based on its network name.

Select the install set type
For the second step you need to determine whether you expect the machine to be online or offline at the time of install.
Figure 15: Creating an Installation Set

Online Installs
Online installations expect the master Object Directory (the directory the administrator is currently connected to) to be available via the LAN during the install process. Once Endpoint Encryption for PC is installed, after the next boot Endpoint Encryption will contact the Object Directory and download all the configuration and object data for the machine and users. If a "placeholder" object for the machine name exists (a machine object created, but not installed), it will use the configuration stored in that object. If no placeholder exists, the machine will obtain its configuration from the machine group that the install set was created for. If the machine name is already used in the directory, and the existing machine is not a "placeholder", the new machine will append a four digit number to the end of its name and install. For example, where a machine called "JSMACHINE" already exists, an object "JSMACHINE0001" will be created.
NOTE: By editing the file scm.ini on the client before Endpoint Encryption is activated (i.e. after setup, but before the first reboot) the group can be changed.

Offline Installs
If the machine is expected to be disconnected from the Endpoint Encryption Server during the install, an "offline" install set can be created. In this case a "transport directory" containing the necessary objects and configuration data will be included in the deploy set. After local configuration, the transport directory will need to be re-imported into the master directory before the machine can be recovered. Selecting an Offline install mode allows the additional choice to include the "individual objects" in the transport directory. If they are included, then all users and machines in the set will be deployed with the transport directory (and therefore will be available immediately, even before the machine connects back to the master directory).
If they are not included, then there will be no login prompt until the machine has performed its first connection and brought down its user list. NOTE: Until the transport directory containing the machine’s completed configuration is imported back into the master directory, no connection or configuration of the client can be performed. Also, in the case where the offline install set was created from a group, it will not be possible McAfee Endpoint Encryption for PC 5.2.13 47 Creating an install package Importing a transport directory to recover the machine until it has successfully synchronized with its master database. In the case where the offline install set was created for an individual machine, or in the case of users, synchronization is not necessary for the machine to be recovered. Importing a transport directory The Transport directory is a file called sbxferdb.sdb, and can be found in the directory the Endpoint Encryption client is installed into. To import the details in this directory back into the master, select the machine group you want to contain the entries, and use the Import Machines right-click option. This brings the keys and configuration from the machine into the master database, giving the ability to synchronize with, reconfigure, and recover the machine. Select the install set type For the second step you need to determine whether you expect the machine to be online or offline at the time of install. Figure 16: Creating an Installation Set Online Installs Online installations expect the master Object Directory (the directory the administrator is currently connected to) to be available via the LAN during the install process. Once Endpoint Encryption for PC is installed, after the next boot, Endpoint Encryption will contact the Object Directory and download all the configuration and object data for the machine and users. 
If a "placeholder" object for the machine name exists (a machine object created, but not installed), it will use the configuration stored in that object. If no placeholder exists, the machine will obtain its configuration from the machine group that the install set was created for. If the machine name is already used in the directory, and the existing machine is not a “placeholder”, the new machine will append a four digit number to the end of its name and install. For example, where a machine called “JSMACHINE” already exists, an object “JSMACHINE0001” will be created. NOTE: By editing the file scm.ini on the client before Endpoint Encryption is activated (i.e. after setup, but before the first reboot) the group can be changed. 48 McAfee Endpoint Encryption for PC 5.2.13 Creating an install package Select the master directory Offline Installs If the machine is expected to be disconnected from the Endpoint Encryption Server during the install, an "offline" install set can be created. In this case a "transport directory" containing the necessary objects and configuration data will be included in the deploy set. After local configuration, the transport directory will need to be reimported into the master directory before the machine can be recovered. Selecting an Offline install mode allows the additional choice to include the "individual objects" in the transport directory. If they are included, then all users and machines in the set will be deployed with the transport directory (and therefore will be available immediately, even before the machine connects back to the master directory). If they are not included, then there will be no login prompt until the machine has performed its first connection and brought down its user list. NOTE: Until the transport directory containing the machine’s completed configuration is imported back into the master directory, no connection or configuration of the client can be performed. 
Also, in the case where the offline install set was created from a group, it will not be possible to recover the machine until it has successfully synchronized with its master database. In the case where the offline install set was created for an individual machine, or in the case of users, synchronization is not necessary for the machine to be recovered. Select the master directory Select the final Object Directory that the new client will communicate with to synchronize configuration details. The default is the directory that the administrator is currently using, but could be any directory the administrator has access to. Usually the clients will access the Object Directory via a Endpoint Encryption server, rather than locally. Figure 17: Selecting the Master Object Directory Connections through a Endpoint Encryption Server have the category type called Remote. You can specify multiple connection points for machines, if you have more than one server defined. You can also change the order that the client will look for servers, and enable automatic random selection of servers by using the wizard. NOTE: For information on setting up a Endpoint Encryption Server, see the Endpoint Encryption Manager Guide. McAfee Endpoint Encryption for PC 5.2.13 49 Installing, upgrading, and removing EEPC Running an “Install Package” created by the Endpoint Encryption administrator on the target machine enables and installs Endpoint Encryption for PC. For information on creating install packages see the Creating an Install Package chapter. Contents Offline package installs Online package installs Removing Endpoint Encryption client Upgrading Endpoint Encryption from previous versions Offline package installs Create the install file as per the Creating an Install Package chapter; selecting Offline install, and including the users and machines required. Run the package on the target client and let it reboot. 
Once restarted, you must retrieve the file sbxferdb.sdb, which needs to be imported back into the master directory. For information on this procedure see the Creating an Install Package chapter. Once the transport directory has been imported into the master database, if there is a network connection between the client and an Endpoint Encryption Server, you will be able to remotely manage the machine. If you do not retrieve the transport directory, then you will not be able to recover or reconfigure the machine.

If your machines are unable to connect to the master database after install, for example because you are working in a permanently disconnected environment, you may want to retrieve the .sdb file AFTER encryption has finished; the status of encryption will then be properly reflected in the master database. In the case of machines which connect to the master database after an offline install, this property will be automatically updated during the sync process.

Online package installs

Create an Online install package as per the Creating an Install Package chapter. Simply run this file on the target machine(s). Once they have installed and rebooted, they will contact one of the Endpoint Encryption Servers specified and create their directory entries.

Removing Endpoint Encryption client

You can specify four modes of operation for Endpoint Encryption in the machine's General properties page. For full details of these modes see the General section. To disable Endpoint Encryption, i.e. put it into a mode where it is applying no protection but can be easily re-enabled, set the machine status to Disable. You can then at a future time set the status to Enable and Endpoint Encryption will re-apply the protection specified. To completely remove Endpoint Encryption, select either Remove or Remove and Reboot; the Endpoint Encryption Client will perform the action after the next synchronization event.

Upgrading Endpoint Encryption from previous versions

Where 5.x is mentioned, Endpoint Encryption version 5.1 and above should be assumed.

Upgrading Endpoint Encryption 4.2 Clients to 5.x

Please see the Endpoint Encryption Update and Migration Guide.

Upgrading existing 5.x clients to a later service pack or patch version

To upgrade between service pack or patch levels, for example from v5.0 to v5.1, you can create a new file set in the Endpoint Encryption Object Directory.

Task
1 Update your database and administration system as described in chapter 8 of the Endpoint Encryption Manager Administration Guide.
2 Create a new file group for the new 5.x files.
3 Set the File Group Properties to Client files so that the group is available under the Files section in the machine properties: right-click the file group, choose Properties | Content and check the Client Files box. For new language file groups you need to check both Client Files and Language as properties.
4 Right-click the new group and select Import File Set. Select the file SBClientFileSet.ini from the administration system directory (usually c:\program files\sbadmin).
5 Deselect the Endpoint Encryption 5.x Client Files file set from the machines you wish to upgrade, and select Endpoint Encryption 5.1x Client Files instead. During the next synchronization, the machine will download the latest files and code and apply the upgrade.

CAUTION: The deselection of all old Endpoint Encryption file groups and the selection of all new Endpoint Encryption file groups MUST be done at the same time, e.g. if you deselect the Endpoint Encryption 4.x Client Files and the English (British) KB/Language file group without selecting the new Endpoint Encryption 5.x Client File groups then you risk corrupting your client. If you have other options selected, such as the File Encryptor or Token modules, be sure to also deselect the v4 modules, and select the appropriate 5.x versions of these as well.

6 For each machine you want to upgrade, deselect the machine's current client file set, and select the new 5.x file set you created in step 2.

Removing Endpoint Encryption 5.x from a machine

Task
1 Set Endpoint Encryption to either Remove or Remove and Reboot from the machine's General properties. The next time the machine synchronizes with the database it will remove all encryption and authentication; it will then uninstall the Endpoint Encryption program files. If you simply want to disable the Endpoint Encryption protection, set the Client to Disable instead.

NOTE: If the machine is unable to synchronize, perhaps because of a network or Windows issue, you can still remove Endpoint Encryption by performing an emergency SafeTech removal followed by the Sbsetup -Uninstall command from the Endpoint Encryption program files directory.

Client software

The Endpoint Encryption Client connects to its Object Directory, or configuration store, which may be on the same machine, on a network drive, or reached through the Endpoint Encryption Server. It does this every time the machine boots and optionally at set time intervals or when a RAS session is initiated. Once connected to the directory, the Endpoint Encryption client uploads the latest audit and password changes to the directory, and if necessary downloads any configuration changes specified centrally.

Contents
The tool tray icon
Client auditing
Boot and logon process
Endpoint Encryption screen saver
Windows Sign-On and logon mechanisms
Changing the password
Section 508: Logon accessibility

The tool tray icon

The only user-visible part of Endpoint Encryption is the "Endpoint Encryption Monitor" icon in the user's tool tray. By double-clicking the icon users can start the system screen saver (which may be protected by Endpoint Encryption). By right-clicking it they can select one of four actions.

• Activate Screen Saver
The default action when the Endpoint Encryption tray icon is clicked is to bring up a password protected screen saver.

• Show Status
The configuration process within Endpoint Encryption is largely transparent to the user. The only evidence of Endpoint Encryption working can be found from the status menu available from Endpoint Encryption's tool tray icon.

Figure 18: Endpoint Encryption Client Status Window

The Status window displays any on-going configuration tasks (such as encryption processes) and status messages from the last directory connection.

• Synchronize
Endpoint Encryption tries to establish a connection with its directory during the boot process. In a situation where the directory is unavailable, for example a notebook user who is connecting via dial-up networking, the user can establish a connection at any time, and select the Synchronize option to connect to a remote directory and collect/upload changes.

For details of the supported functions within the Endpoint Encryption client, please see the User and Machine configuration sections in the Endpoint Encryption Manager Administration Guide, and also this guide.

Client auditing

User events are audited locally and then transferred to the Object Directory as part of the synchronization process. For more information on the events tracked see the chapter on Auditing.

Boot and logon process

The Endpoint Encryption for PC boot screen allows the user to select a login method (one of the available tokens), and then provide authentication credentials such as a user id and password. If the user can provide the correct details, the Endpoint Encryption boot code starts the transparent hard drive decryption process, loads the original MBR and executes it.

When the operating system starts, the Endpoint Encryption Configuration Manager (SCM) runs and performs a logon to the operating system (if SSO is enabled). It then attempts to contact the Object Directory using the Directory Manager (this can be local or remote via an Endpoint Encryption Server) and re-validates the user against any changes that have been made since the last validation. Following this, SCM downloads and applies any configuration updates. This could include new user accounts.

If the Object Directory validation is successful (i.e. no administrator has deleted or disabled the user's account) the Windows startup completes, and the Endpoint Encryption icon is loaded into the tool tray to allow the user to run the screen saver, validate with the server, display status etc. After a period of inactivity or a power event, SCM activates the screen saver, locking the user's session. If the user logs out of the operating system, they may be required to authenticate to Endpoint Encryption when they log back into Windows.

Endpoint Encryption screen saver

The Endpoint Encryption for PC Client includes a simple logo screen saver. You can use any screen saver written to the Microsoft Screen Saver standards on the system; Endpoint Encryption will still protect the logon from any of them using the standard Endpoint Encryption logon window.

NOTE: You can change the logo displayed in the screen saver by adding a file called "logo.bmp" to the Windows directory. You can also deploy logo.bmp using the File Update technology built into Endpoint Encryption. You may find extra graphics on your Endpoint Encryption CD in the "tools" directory.

Users can start the screen saver through any of the normal Windows mechanisms, or by double-clicking on the Endpoint Encryption tool tray icon.

Windows Sign-On and logon mechanisms

Endpoint Encryption includes many options to reduce the number of passwords users have to remember. These options are used to ensure that when the user changes their Windows password, their Endpoint Encryption password is changed to the same value. This happens without user interaction.

Changing the password

The Endpoint Encryption for PC password can only be changed in the pre-boot environment. To change the password:

Task
1 Restart the PC.
2 Enter the current user ID and password in the login dialog box.
3 Enable the change box, and click OK.
4 Follow the on-screen prompts to change the password.
Section 508: Logon accessibility

US legislation 508 requires that information technology is accessible to people with disabilities. To comply with 508 the pre-boot logon needs to be accessible by blind or partially sighted people. There is a limited range of sounds which enable access to the basic logon. Other options, e.g. the About and Recovery screens, are not accessible. As the user tabs (or shift-tabs) between controls, the pre-boot will emit various beep sequences to indicate where they are. Other beep sequences will be used when an error is displayed, when password timeouts are displayed and when a logon is successful. The sequences are:

Table 7: Logon Accessibility
Options                      Sounds
User name field              beep
Password field               beep-beep
Change password checkbox     beep-pause-beep
OK button                    beep-pause-beep-beep
Cancel button                beep-pause-beep-beep-beep
Token selection list         beep-beep-beep-beep
Error                        beep-pause-beep-beep-pause-beep
Password timeout             beep-beep-beep-beep-beep
Logon successful             beep-beep-beep
Insert token dialog box      beep-beep-pause-beep

Windows Sign-on and SSO

Endpoint Encryption can ease the logon process for users by doing the Windows logon for them, as well as taking responsibility for screen saver logons and re-logon requests. The features available can be configured by clicking on the General icon of a machine or machine group object.

Contents
Windows logon features
How Windows logon works

Windows logon features

Windows Logon Features

Feature: Require Endpoint Encryption Logon
Description: Endpoint Encryption takes control of the normal Windows logon screen, and the screen saver logon. Users will be prompted for their Endpoint Encryption credentials rather than their Windows credentials.

Feature: Attempt automatic Windows Logon
Description: Endpoint Encryption tracks the user's Windows id, password and domain, and presents these automatically to Windows logon boxes. This mechanism means that once the user has authenticated to Endpoint Encryption at the boot screen, they do not need to enter any more passwords for Windows. If the user's Windows id and password are different from their Endpoint Encryption id and password, Endpoint Encryption stores the Windows credentials the first time they are used. It may take two boots before the single sign on becomes active.

Feature: Require Endpoint Encryption re-logon
Description: If the user logs out of Windows, Endpoint Encryption will control the login box for the next login.

Feature: Automatically logon as boot user
Description: If there are no stored Windows credentials for the user, Endpoint Encryption tries to login to Windows with the user's Endpoint Encryption credentials.

Feature: Endpoint Encryption logon component always active
Description: If selected, the Endpoint Encryption login component is kept active on the machine even if all the other options are disabled. This means that it can be reactivated mid-session during synchronization with the Object Directory. If all options are deactivated, the Endpoint Encryption logon component can only be reactivated after a reboot.

Feature: Set Endpoint Encryption Password to Windows Password
NOTE: This option is applicable to Password token users only.
Description: If the Windows and Endpoint Encryption login passwords differ, users will be prompted to set the Endpoint Encryption password to the Windows password. This option also captures the Windows Change Password event and, again, sets the user's Endpoint Encryption password to match. If you are using this option, it is important to ensure that the password template and quality rules in Endpoint Encryption are identical to, or more lenient than, those in Windows; otherwise a failed password change may occur and the user's password will be reset to 12345.

Feature: Must Match Windows User Name
Description: This option ensures the SSO details are only captured in the situation that the user's Endpoint Encryption and Windows IDs match. If they are different, no SSO details will be stored.

How Windows logon works

Endpoint Encryption intercepts the Windows Logon mechanism, using a "Pass through Shim GINA" on Windows NT, 2000 and XP, and a Credential Provider on Vista. On Windows 2000 and XP operating systems a custom .ini file (SBGINA.INI) is used to help Endpoint Encryption analyze the logon screen and paste the credentials into the correct boxes on screen.

In Windows Vista Microsoft has replaced the original MSGINA (Graphical Identification and Authentication) with a new method called Microsoft Credential Provider. Endpoint Encryption has modified the Single Sign On architecture and implemented a Credential Provider to communicate with Windows. We display each of the Endpoint Encryption Tokens as a potential logon method. If you logon to Endpoint Encryption, you will be asked for your Windows credentials only the first time, and Endpoint Encryption will store the Windows credentials securely within Endpoint Encryption. On subsequent logon events, Endpoint Encryption will use the stored Windows credentials to logon.

You can find out more about Microsoft Vista Credential Providers from the Microsoft MSDN website: http://msdn.microsoft.com/msdnmag/issues/07/01/CredentialProviders/default.aspx

For more information on Endpoint Encryption ini files, see the Endpoint Encryption Configuration Files chapter of this guide. Also see the SBGina.ini section of that chapter if you wish to enable smartcard based Single-Sign-On to Microsoft Windows. Note: this feature is not supported under Vista.

First Boot

The first time a user starts the newly Endpoint Encryption protected system, Endpoint Encryption authenticates them at boot time. If successful, the operating system starts. Normally they would next be presented with a Windows logon; if the Endpoint Encryption Windows Logon architecture is fully activated, Endpoint Encryption will automatically present the user's stored SSO id and password to Windows. If these details are accepted, Endpoint Encryption stores a record of these credentials in a special encrypted area of the user's profile. If Windows fails the SSO credentials, for example if they have not been set, Windows displays the standard login box and the user is forced to enter their Windows id and password. Again, once a valid login has taken place, Endpoint Encryption stores the correct credentials in the user's encrypted profile, which are uploaded to the central Object Directory on the next synchronization.

Second Boot

The second and subsequent times the user starts the machine, they login to the Endpoint Encryption boot screen, then Endpoint Encryption supplies the stored Windows credentials to the Windows login box.

Failed Windows Password

If/when the Windows logon credentials become invalid, for instance if the user changes their Windows password on another system, or has it reset by an administrator, the automatic login will fail and the standard Windows login box will appear. Once again, once a successful login has occurred, the correct details are stored encrypted in the user profile and uploaded on synchronization with the central Object Directory.

Re Logon

If a user chooses to "log off" Windows, they would normally expect to see the standard Windows logon box. Endpoint Encryption takes control of this in the same way as the initial logon screen, forcing the next user to login with their Endpoint Encryption credentials. If users want to logon to Windows using a different account than their stored credentials, they simply cancel the default login window, then clear the "Automatically logon to Windows" box. Once cleared, they select the token they want to login with.

Setting and Changing a user's SSO details

You can pre-set or change the SSO details associated with a user by right-clicking their object and selecting "Set SSO Details".

Auditing

Introduction

McAfee Endpoint Encryption for PC audits user, system, and server activity. By right-clicking on an object in the Endpoint Encryption Object Directory, you can select the view audit function. Audit trails are uploaded to the central directory each time a machine synchronizes. Until that time the audit is cached internally in the encrypted Endpoint Encryption file system. In SB4.1.1 and above, the last 3000 entries are cached locally; when the limit is reached the oldest 300 entries are culled. The local audit will retain approximately 2 years of normal operation before culling begins.

The permission to view or clear an audit log can be controlled on a user or group basis. Both the administration level and administration function rights are checked before allowing access to a log. For more information on setting these permissions see the Endpoint Encryption for PC User Policies chapter.

Audit trails can be exported to a CDF file by using the Audit menu option, or by right-clicking the trail and selecting Export. Also, the entire audit of the directory can be exported using the "SBAdmCL" tool. For information on this option please contact your Endpoint Encryption representative. The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely, but can be cleared en masse again using SBAdmCL.
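As an added example (not part of this guide and not McAfee's own code), the following Python reads a small audit export and decodes the event IDs listed under Common audit events in this chapter. Looking at those tables, the leading byte of each eight-digit hex ID marks its category (01 Information, 02 Try, 04 Succeed, 08 Failure); that reading of the tables, the one-line-per-event log layout, and the user and machine names in the sample are assumptions made for the example, since the guide does not document the CDF export format. The review pass flags what a helpdesk or security team would want to see after a synchronization: repeated failed logons, a password invalidated through too many attempts, an audit being cleared, and a non-secure boot.

```python
"""Decode Endpoint Encryption audit event IDs and flag sequences worth a look.

Added example, not McAfee code. Event codes and descriptions are copied from
the Common audit events tables of this chapter. The category-in-leading-byte
rule and the log line layout are ASSUMPTIONS for this example.
"""
from collections import defaultdict

# Subset of the Common audit events tables (American English descriptions).
EVENTS = {
    "01000000": "Audit cleared",
    "01000001": "Boot started",
    "01000002": "Boot complete",
    "01000003": "Booted non-secure",
    "01000014": "Synchronization Event",
    "02000001": "Logon attempt",
    "04000001": "Logon successful",
    "08000001": "Logon failed",
    "08000005": "Password invalidated (too many incorrect attempts)",
    "02000016": "Recovery started",
    "08000017": "Recovery failed",
}

# Leading byte of the ID as it appears in the tables (assumption, see above).
CATEGORY = {0x01: "Information", 0x02: "Try", 0x04: "Succeed", 0x08: "Failure"}


def decode(event_id):
    """Return (category, description) for an 8-hex-digit event ID."""
    if len(event_id) != 8:
        raise ValueError("event ID must be 8 hex digits: %r" % event_id)
    cat = CATEGORY.get(int(event_id[:2], 16), "Unknown")
    return cat, EVENTS.get(event_id.upper(), "Unknown event " + event_id.upper())


def parse_line(line):
    """CONSTRUCTED layout: '<timestamp> <object name> <event id>'."""
    ts, obj, eid = line.split()
    return ts, obj, eid.upper()


def review(lines, max_failures=3):
    """Return (timestamp, object, finding) tuples for events of interest.

    A run of max_failures consecutive 'Logon failed' events for one object is
    reported once; a 'Logon successful' event resets that object's run.
    """
    findings = []
    fail_run = defaultdict(int)
    for ts, obj, eid in map(parse_line, lines):
        _, desc = decode(eid)
        if eid == "08000001":
            fail_run[obj] += 1
            if fail_run[obj] == max_failures:
                findings.append((ts, obj, "%d consecutive failed logons" % max_failures))
        elif eid == "04000001":
            fail_run[obj] = 0
        if eid in ("08000005", "01000000", "01000003"):
            findings.append((ts, obj, desc))
    return findings


# CONSTRUCTED sample export: three failed logons, a lockout, then an audit clear.
SAMPLE_LOG = [
    "2013-05-01T08:00:01 JSMACHINE 01000001",
    "2013-05-01T08:00:05 jsmith 02000001",
    "2013-05-01T08:00:06 jsmith 08000001",
    "2013-05-01T08:00:15 jsmith 02000001",
    "2013-05-01T08:00:16 jsmith 08000001",
    "2013-05-01T08:00:25 jsmith 02000001",
    "2013-05-01T08:00:26 jsmith 08000001",
    "2013-05-01T08:00:27 jsmith 08000005",
    "2013-05-01T09:10:00 ADMIN01 01000000",
]

if __name__ == "__main__":
    for ts, obj, finding in review(SAMPLE_LOG):
        print(ts, obj, finding)
```

Because the same "Logon" event is written to both the user and the machine object, run the review once per exported trail rather than over a merged file, or the failure count for one incident doubles.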
Contents Common audit events Common audit events The text displayed in the audit log will depend on your localization and language settings. The following table lists the common events and their ID codes for the American English version of Endpoint Encryption. Many events can appear at multiple places, for example the “Login Successful” event will be logged both in the user account doing the login, and the machine being logged into simultaneously. Information Events 60 Description Event Audit cleared 01000000 Boot started 01000001 Boot complete 01000002 Booted non-secure 01000003 McAfee Endpoint Encryption for PC 5.2.13 Auditing Common audit events Description Event Backwards Date Change 01000005 Booted from floppy 01000004 Token battery low 01000010 Power fail 01000011 A virus was detected 01000013 Synchronization Event 01000014 Crypt Start 01000015 Crypt End 01000016 Add group 01000082 Add object 01000083 Delete group 01000084 Delete object 01000085 Import object 01000086 Export object 01000087 Export configuration 01000088 Update object 01000089 Import file set 01000090 Create token 01000091 Reset token 01000092 Export key 01000093 Recover 01000094 Create database 01000095 Reboot machine 01000096 Move Object between groups XE "groups" 01000098 Rename Object 01000099 Server started 010000C0 Server stopped 010000C1 Try Events Description Event Logon attempt 02000001 Change password 02000002 Forced password change 02000003 Recovery started 02000016 Database logon attempt 02000081 Logon successful 04000001 McAfee Endpoint Encryption for PC 5.2.13 61 Auditing Common audit events Description Event Password changed successfully 04000002 Boot once recovery 04000016 Password reset 04000017 Password timeout 04000018 Lockout recovery 04000018 Change token recovery 04000019 Screen saver recovery 0400001A Database logon successful 04000081 Logon failed 08000001 Password change failed 08000002 Password invalidated 08000005 Recovery failed 08000017 Database logon failed 
08000081 Machine configuration expired Undefined A virus was detected Undefined Succeed Events Description Event Logon successful 04000001 Password changed successfully 04000002 Boot once recovery 04000016 Password reset 04000017 Password timeout 04000018 Lockout recovery 04000018 Change token recovery 04000019 Screen saver recovery 0400001A Database logon successful 04000081 Failure Events 62 Description Event Logon failed 08000001 Password change failed 08000002 Password invalidated (too many incorrect attempts) 08000005 Machine configuration expired 08000012 Recovery failed 08000017 Database logon failed 08000081 McAfee Endpoint Encryption for PC 5.2.13 Recovering users and systems You can recover users using the Endpoint Encryption Manager, WebHelpdesk, or the procedure documented in this chapter. For information on recovery through the Endpoint Encryption Center WebRecovery and WebHelpdesk options, please see the Endpoint Encryption Manager Administration Guide. CAUTION: Recovery cannot be used for resetting or changing the pin codes of smart cards. Contents McAfee Endpoint Encryption for PC 5.2.13 63 Offline recovery Resetting a remote user’s password or replacing their logon token if it has been lost requires a challenge/response procedure to be followed. The users start their machine, cancel any logon dialog boxes that may appear; they must then click Options in the bottom left-hand part of the screen followed by the Recovery option from the menu. This process can be used at the boot screen, windows logon, or screen saver logon. Selecting machine recovery or user recovery After (optionally) entering their user name, a set of codes is displayed on the user’s screen. The users need to telephone their helpdesk and read the codes to the administrator. The user code is time based, and unique to the user and machine. 
Figure 19: The user selects Machine Recovery or User Recovery 64 McAfee Endpoint Encryption for PC 5.2.13 Offline recovery The administrator must log on to the Endpoint Encryption Manager and select any machine group. This will activate the Recovery button options on the toolbar and the top menu. The administration should then click the Recovery button. NOTE: There is no need to find the correct user beforehand. Figure 20: Recovery code The administrator is prompted to type the user code in the wizard, and if correct will be given the opportunity to check the user's profile if the administrator has sufficient access rights to recover the user (based on their level and group memberships). The administrator should use this opportunity to validate the user by asking them questions based on the hidden information stored in their account. Only if successful should the helpdesk actually allow the user's password to be reset. If the administrator is sure that the user on the telephone is legitimate, they can proceed with the next step in recovery. McAfee Endpoint Encryption for PC 5.2.13 65 Offline recovery Select recovery option The administrator selects the option they want to perform. If a user name is entered, then a user recovery proceeds, if no user name is entered, then a machine recovery can be performed. Figure 21: Select recovery option • Machine options • Boot the machine Once—The machine boots with no user logged in. • Unlock Screen Saver—The screen saver is cleared. • Reset the user’s password—The user’s password is reset to the token default. The user can then change this to a new password – This option will not function if the user is disabled due to too many invalid passwords – to resolve this issue see “Change Token”. 
NOTE: The following tokens do not support password resets through Endpoint Encryption: • DataKey Smartcard • RSA Smartcard • Aladdin eToken Pro For information on how to reset the password on these devices, contact the appropriate manufacturer. To recover an Endpoint Encryption user who has forgotten their password in this case, either issue them with a new token, or temporarily switch them to use a password using the “Change Token” recovery option. • User options • Unlock a disabled user—If a user account is marked as disabled in the object database, it can be temporarily activated using this option. When the system synchronizes with the Object Directory, the account is disabled again, if their security profile in the Directory still indicates this. • Create Token—If supported by the token, this option allows administrators to remotely create a new token for the user to replace a lost one. The Endpoint Encryption Password login always supports remote recreation. For further information on other tokens see the Using Tokens with Endpoint Encryption for PC. • Change the user’s token to—Changes or resets the user’s token to the one specified. The administrator needs to have pre-generated the token for the user. If a user has 66 McAfee Endpoint Encryption for PC 5.2.13 Offline recovery invalidated their password account through too many invalid attempts, changing their token to “password only” recreates their “soft token” and allows them to enter the default password again. CAUTION: If you change a user’s token using this method, remember that next time their machine synchronizes with the Endpoint Encryption directory, their token will be set to whatever is specified in their user properties stored currently in the database. If you want the change to be permanent remember to set their token type in the user properties window. Figure 22: User’s recovery code The final step is to read the recovery code back to the user. 
The length of this code is controlled by the token recovery key size set in the user's "token" properties or, for a machine recovery, by the recovery key size set in the encryption properties. The user enters the code line by line into the pre-boot dialog box. Each line is verified, and once the whole code has been entered the selected action takes place.

Local recovery

The Local Recovery option allows the user to reset a forgotten password by answering a set of security questions. The full list of security questions is set by the administrator using the Endpoint Encryption Manager.

NOTE: Endpoint Encryption ships with a generic set of questions.

When the user first sets up local recovery, they are prompted to select a number of questions and provide answers to them. These form the basis of their self-recovery. Security questions are usually easier to guess or research than the password they replace, so choose the number of required questions and the minimum answer length with that in mind.

Setting Local Recovery for a user name or user group

Using Endpoint Encryption Manager, the administrator assigns the local recovery option to a user's logon or to a user group. The options are available from the user logon or group Properties screen.

Figure 23: Setting the Local Recovery options

• Enable Local Recovery—Selecting this check box enables Local Recovery for the specified user or user group.
• Require ? questions to be answered—Determines how many questions the user must answer to perform a Local Recovery.
• Allow ? logons before forcing user to set answers—Determines how many times a user can log on without setting their Local Recovery questions and answers.
• Add—Loads the Local Self Recovery Question dialog box and lets you create a new question. You can also specify the language of the question and the minimum number of characters the user must supply when configuring the answer to it.
• Remove—Removes the selected question from the list.
• Edit—Edits the configuration of the selected question.
• Apply—Saves any changes that have been made.
• Restore—Undoes your changes and restores the Local Recovery options to their previous settings (provided you have not yet clicked Apply).

Configure your local recovery questions

The Local Recovery option allows the user to reset a forgotten password by answering a set of security questions. The user must first enrol by providing answers to a selected set of questions. If the user later forgets their password, they can run a local self-recovery to regain access to their machine.

Before you begin
Make sure that you have appropriate permissions to perform this task.

Task
1 Enter your user name and password at the logon screen.
2 From the Local Recovery Enrollment screen, select a question from the drop-down list.
3 Enter the answer to the question in the Answer box.
4 Click Next.
5 Repeat until you have answered all the questions.
NOTE: The Endpoint Encryption administrator determines how many questions you need to answer.
6 When you have answered all the questions, click Finish. Local Recovery is now set.

Perform local recovery

The client user performs a local self-recovery as follows.

Before you begin
Make sure that you have appropriate permissions to perform this task.

Task
For option definitions, click ? in the interface.
1 At the preboot screen, cancel the Endpoint Encryption Logon.
2 Click the Options button on the preboot screen.
3 Click Recovery from the menu, then Local Recovery.
4 Type your user name into the User name field and click Next.
5 Type the answer to each question in turn, clicking Next to move forward.
6 Type a new password and confirm it.
7 Click OK to complete the process.
8 Select the Password Only Token option from the preboot screen.
9 Enter your user name and new password to log on.

Online recovery

If a user's machine is online when they forget their password or lose their token, simply create a new token for them in the Endpoint Encryption directory and force-sync their machine to apply the change. You can reset a user's password by generating a new password token for them.

Trusted applications

The Endpoint Encryption client can restrict which applications and code users are allowed to run. Using this mechanism you can deny a few users access to certain applications, or prevent users from running any application that is not pre-defined.

With untrusted control, known (hashed) applications are blocked and unknown applications are allowed to run; for example, you can block pre-defined tools such as regedit.exe for everyone except administrators. With trusted control, ONLY pre-defined code can run and all unknown code is blocked. This is useful, for example, when you want to lock down an entire build image so that users cannot run any application other than the ones distributed in the gold build.

Endpoint Encryption application control takes effect once a user has logged into Windows; it does not affect code run while the operating system boots. To prevent applications and code from running at that stage, McAfee recommends appropriate operating system security settings, for example disallowing device driver updates.

Contents
Hash sets

Hash sets

The first step in applying application control to Endpoint Encryption users is to create sets of "hashes" for the code modules using the Endpoint Encryption Hash Generator (see the Hash Generator chapter).
A hash set contains a digital fingerprint (hash) of each file in the scope of the set. The hash is computed from the file's content, so two copies of the same file always have the same hash and, in normal use, two different files do not. Note, however, that the Hash Generator produces MD5 hashes, and deliberately constructed MD5 collisions have been practical since 2004: a hash set does not stop an attacker who can craft file content from producing a different file with a known hash. When Endpoint Encryption applies control to applications, it calculates the hash of the code (.exe, .dll, etc.) that the user is trying to run and compares it with the list of hashes applied to the user. The location of the code does not matter, only its content: if a user moves a restricted application to another directory, it is still blocked.

After creating a hash set for the files or directories containing the sample code modules, create an "Endpoint Encryption Hashes Group" in the Endpoint Encryption database to contain them. Within the group, create new hashes objects to hold the hash sets you created.

Figure 24: Hash group

Hash set properties—General
• Hash Count—Displays the number of file hashes stored in this object. You can remove duplicates using the File Hashes/Compact function.
• Description—A text description of this hash set, for example its source.

File hashes
• Import—Imports one or more hash sets created with the Endpoint Encryption Hash Generator into this hash object.
• Export—Saves the contents of this hash object as a hash set.
• Compact—Removes duplicate entries from this hash object. Because Endpoint Encryption Application Control is driven by the hash of a file, not its location, only one entry per file is required.
• Remove—Removes a single file entry from this hash object.

CAUTION: You can add entries only by importing hash files.

Using hash sets

After creating hash sets, you can assign both hash objects and hash groups to users through their "application control" properties. You can specify one of two modes of application control: "Untrusted" and "Trusted".
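The following is an added example, not McAfee's code, showing how a content-keyed hash set behaves under both modes and with the log-only option. The guide does not document the HSH file format, so the hash set is modelled as a plain Python set of MD5 digests (MD5 being what the Hash Generator is documented to produce); the file names and contents are constructed for the example.

```python
"""Added example (not McAfee's code): build a hash set from sample files and
evaluate it in Endpoint Encryption's two application-control modes.
Assumption: the HSH container is modelled as a plain set of MD5 hex digests."""
import hashlib
import os
import shutil
import tempfile


def file_hash(path: str) -> str:
    """MD5 of the file content, computed in chunks. Only content matters,
    never the path, which is why a moved file keeps its verdict."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_set(paths) -> set:
    """Equivalent of running the Hash Generator over files or folders and then
    'Compact': a set keeps one entry per distinct content."""
    digests = set()
    for p in paths:
        if os.path.isdir(p):
            for root, _dirs, files in os.walk(p):
                for name in files:
                    digests.add(file_hash(os.path.join(root, name)))
        else:
            digests.add(file_hash(p))
    return digests


def decide(mode: str, hash_set: set, path: str, log_only: bool = False) -> str:
    """Return 'allow', 'block' or 'log' for one execution attempt.

    untrusted: known hashes are blocked, unknown code runs.
    trusted:   known hashes run, unknown code is blocked.
    log_only turns every 'block' into 'log' (the debugging option).
    """
    known = file_hash(path) in hash_set
    if mode == "untrusted":
        blocked = known
    elif mode == "trusted":
        blocked = not known
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if not blocked:
        return "allow"
    return "log" if log_only else "block"


def demo() -> dict:
    """Constructed sample: a 'gold build' folder with two tools, a copy of one
    tool moved and renamed elsewhere, and a file that is not in the build."""
    workdir = tempfile.mkdtemp()
    try:
        gold = os.path.join(workdir, "gold")
        os.makedirs(gold)
        for name, body in (("calc.exe", b"MZ calc"), ("regedit.exe", b"MZ regedit")):
            with open(os.path.join(gold, name), "wb") as f:
                f.write(body)
        moved = os.path.join(workdir, "renamed.bin")
        shutil.copy(os.path.join(gold, "regedit.exe"), moved)
        unknown = os.path.join(workdir, "dropper.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ something else")

        gold_set = build_hash_set([gold])                                # trusted mode
        deny_set = build_hash_set([os.path.join(gold, "regedit.exe")])  # untrusted mode

        return {
            "gold_set_size": len(gold_set),
            # untrusted: only the denylisted tool is blocked, even after a rename
            "untrusted_regedit_moved": decide("untrusted", deny_set, moved),
            "untrusted_calc": decide("untrusted", deny_set, os.path.join(gold, "calc.exe")),
            "untrusted_unknown": decide("untrusted", deny_set, unknown),
            # trusted: anything outside the gold build is blocked, moved copies still run
            "trusted_unknown": decide("trusted", gold_set, unknown),
            "trusted_unknown_logonly": decide("trusted", gold_set, unknown, log_only=True),
            "trusted_regedit_moved": decide("trusted", gold_set, moved),
        }
    finally:
        shutil.rmtree(workdir)
```

Run demo() to see that the renamed copy of regedit.exe is still blocked in untrusted mode and still allowed in trusted mode, and that the unknown dropper is only ever blocked in trusted mode.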
• Untrusted—If the hash is known, the code is prevented from running.
• Trusted—If the code is known, it is allowed to run; all unknown code is blocked.

                                Known applications    Unknown applications
Untrusted application control   Optionally blocked    Allowed
Trusted application control     Allowed               Optionally blocked

You can also choose whether to actually block the code or only log it for later analysis. The log-only option is useful when debugging hash sets that do not block as expected.

Hash generator

The Endpoint Encryption Hash Generator creates hash sets for use with the application control feature of Endpoint Encryption. For more information on application control, see the Using hash sets section.

The generator creates MD5 hashes of the selected files and packages them into an Endpoint Encryption hash set (HSH file).

Contents
Using hash generator

Using hash generator

Open the Hash Generator by selecting Start | McAfee | Endpoint Encryption Manager | Endpoint Encryption File Hash Generator. After selecting the output file name, add the files (or folders) you want to include in the hash set. Finally, click Hash; the specified HSH file is generated and the progress window shows the activity. Once complete, you can import the resulting hash set into your Endpoint Encryption directory.

Common criteria EAL4 mode operation

To use your implementation of Endpoint Encryption in its Common Criteria mode of operation, make sure that the following conditions are met.
• Endpoint Encryption must be installed using the Endpoint Encryption AES (FIPS) 256-bit algorithm.
• Administrators must enforce the following policy settings:
  • A minimum password length of five characters or more. Five characters is the floor required by the evaluated configuration, not a recommendation; most organizations will set a considerably longer minimum.
  • Disabling of accounts after 10 or fewer invalid password attempts.
• All data and operating system partitions on systems where the Endpoint Encryption client is installed must be fully encrypted. You can check this in the Endpoint Encryption client status window: any drive highlighted in red is not fully encrypted.
• Administrators must enforce use of the Endpoint Encryption Secure Screen Saver mode.
• Use of Autoboot mode is prohibited.
• System and user recovery key sizes must be non-zero (System/Encryption properties and User/Token properties).

Contents
Administrator guidance
User guidance

Administrator guidance

To comply with the Common Criteria requirements, these policy settings must be applied before installing any clients.
• There must be a system in place for maintaining secure backups that are separately encrypted or physically protected, so that data security is not compromised through theft of, or unauthorized access to, backup information.
• Backups should be regular and complete so that the system can be recovered. This is essential in the event of loss or damage to data caused by a threat agent, and avoids the vulnerability of being forced onto less secure systems.
• Users (including administrators) must protect all access credentials, such as passwords or other authentication information, in a manner that maintains IT security objectives.
• Customers implementing an Endpoint Encryption enterprise must have a database of authorized TOE users together with user-specific authentication data, so that administrative personnel can verify the identity of a user over a voice-only telephone line before providing support or initiating recovery.
Endpoint Encryption can display personal information such as the user's ID number in the User Information Fields for this purpose, but any other appropriate system is acceptable.
• Administrators should ensure their users are fully trained in the use of the Endpoint Encryption for PC client software as described in the Client Software chapter of this guide, and should remind them of the security procedures detailed in the User guidance.

User guidance

• Users must maintain the confidentiality of their logon credentials, such as passwords and tokens.
• Users must not leave an Endpoint Encryption protected PC unattended in a logged-on state unless it is protected by the secure screen saver.
• Users must be told how to contact their administrator when they need to recover their PC, for example because they have forgotten their password or their user account has been disabled, whether by the administrator or by repeated incorrect logon attempts.

Endpoint Encryption configuration files

Endpoint Encryption uses a number of .ini files to hold configuration for its various components. Some of the more important files are listed here.

Contents
sbgina.ini
scm.ini
defscm.ini
sdmcfg.ini
TrivialPwds.dat
Bootcode.ini
BootManager.INI
Errors.XML
AutoBoot.ini
SBCP.INI

sbgina.ini

This file is used by the Endpoint Encryption for PC client to control the Windows logon mechanism.
SBGina.ini contains the references used to populate the user ID, password and domain boxes of a logon dialog box, and the ID of the OK button. The Trace option is an aid to implementing SSO to further dialog boxes: if it is set to Yes, information about every window created during the logon process is written to the defined trace file. Leave tracing off except while troubleshooting SSO; the trace file is written to the SafeBoot directory on the client and should be removed afterwards. Note also that with DetectUPN enabled the user names are compared on the part before the "@" only (see the examples below), so the domain part plays no role in the match.

If you want to activate smart card based single sign-on with the option of passing the smart card PIN through to Windows, add the [Smartcard] section as shown in the example below.

[Global]
;Version 5110
;
; This option is an aid to implementing SSO to further dialogs. If this option
; is set to "Yes", then information about every window that is created when
; a logon dialog is expected is saved to the file specified (or "LOGONWND.TXT"
; if not supplied). Note the file will always be in the SafeBoot directory.
;
Trace.LogonWindowInfo=No
Trace.FileName=LOGONWND.TXT
;
; This is an option (NT only) that controls the behaviour of SafeBoot's Gina
; when unlocking a locked workstation. The possible values are
;
; SbOnly = only a SafeBoot logon is used (the default)
;
; SbWindowsSso = a SafeBoot logon is required then SSO is attempted
; to the original Gina.
;
;Option.UnlockWorkstationMode=SbOnly
;
; This option (NT only) controls the ability of the user to cancel the
; Windows SSO attempt from the SafeBoot logon dialog. Possible values are
;
; Yes - Allows the user to cancel the SSO attempt (the default)
;
; No - Prevents the user from cancelling the SSO attempt
;
;Option.AllowSsoCancel=Yes
;
; These options control how the user names are treated when they are compared.
; The UPN (User Principal Name) format is of the form user@domain.com. To
; successfully compare the user names, the format needs to be the same for
; both the Windows and SafeBoot names.
;
; Note that Windows will always supply the user name to the SafeBoot Gina
; module as a user name and domain name (i.e. not DNS name).
;
; If the DetectUPN option is set to "Yes", then SafeBoot will check whether the
; user names are in UPN format by looking for an "@" character. If this is
; set to any other value, SafeBoot will not manipulate the user names in any
; way.
;
; Examples:
;
; SB user name = "user@domain.com"
; Windows user name = "user"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
; SB user name = "user"
; Windows user name = "user@domain.com"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
; SB user name = "user@domain.com"
; Windows user name = "user@domain.com"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
;Option.Username.DetectUPN=Yes

[SmartCard]
;
; This option enables looking for smart cards used for Windows logon. It
; can be either "On" or "Off". If this is set to "On", the SB Gina will
; attempt to detect the presence of a smart card and allow the user to
; choose to logon with the smart card or with the standard user name and
; password.
;
;Enabled=Off
;
; If the smart card check is enabled, then this option can be used to force
; the use of smart cards or the standard password. This can be "Off" to
; automatically determine which to use, "Pin" to force the use of a smart
; card or "Pwd" to force the use of a password.
;
;Force=Off
;
; This option controls the number of seconds the gina will wait for the
; user to decide which logon method to use (smart card or password). If this
; is set to zero, then the user will not be prompted at all.
;
;TimeoutSecs=5
;
; This option controls whether the SafeBoot SSO details are updated when
; the user logs on with a smart card.
; If this is set to "No", then the SSO
; details are not changed if the user logs on with a smart card. This will
; prevent the smart card PIN being used to automatically logon to Windows.
;
;EnableSso=Yes
;
; If this option is set to "Yes", then if a smart card is inserted when
; a user logs off and back on again, the SafeBoot logon will not be displayed
; even if it is set to do so in the configuration. If a smart card is not
; present, then the SafeBoot logon will be displayed.
;
;DontSbRelogonIfSc=No

[Windows.NT.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
Window3=MSGina.XP.LogonDialog
Window4=MSGina.WIN2003.LogonDialog
Window5=NWGina.NT.LogonDialog
Window6=NWGinaJP.NT.LogonDialog
Window7=FSSGina.XP.LogonDialog
Window8=CSGina.W2K.LogonDialog
Window9=CSCOGina.W2K.LogonDialog
Window10=ODYGINA.W2K.LogonDialog
Window11=PRM_GINA.XP.LogonDialog
Window12=IPASS.XP.LogonDialog
Window13=TRYIT.XP.LogonDialog

[Windows.NT.Locked]
;
; Lists all the sections that contain information about the workstation locked
; logon windows for the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.XP.LockedDialog
Window2=FSSGina.XP.LockedDialog

[Windows.9x.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the Windows 9x versions of Windows (95/98/ME).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSNP.9x.LogonDialog
Window2=NWNP.9x.LogonDialog
Window3=NWNPJP.9x.LogonDialog

;---------------------------------------------------------------------------
; The logon window definition sections for NT/W2K/XP
;
[MSGina.NT4.LogonDialog]
;
; The operating system version to which this section applies. You can specify
; the value of "Any" for either field (which is the default if not specified).
;
OS.MajorVersion=4
OS.MinorVersion=Any
;
; The original DLL to which this section applies. If the name is not
; specified or set to "Any", all original DLLs match. If any part of the
; four-digit file version is set to "x", then all values for that
; component are matched (e.g. 4.1.0.x).
;
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
;
; Specifies information about the window that we can use to identify it.
; For both the class and title, setting a value of "Any" will match any
; window. Starting the value with a "*" means the remainder of the value
; is treated as a substring, and hence if it occurs anywhere in the window
; title/class it is matched. Otherwise the whole value must match (case
; insensitive).
;
Window.Title=Any
Window.Class=#32770
;
; The control identifiers of controls that are used by the SSO module to
; simulate logons.
;
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455
;
; Optional entries which list up to 10 IDs that must come before the ID
; specified above and up to 10 IDs that must come after. The IDs are specified
; as a comma-separated list.
;
;Option.CtrlId.OK.Preceeding=1,2,3
;Option.CtrlId.OK.Following=5,6,7
;Option.CtrlId.UserName.Preceeding=1,2,3
;Option.CtrlId.UserName.Following=5,6,7
;Option.CtrlId.Password.Preceeding=1,2,3
;Option.CtrlId.Password.Following=5,6,7
;Option.CtrlId.Domain.Preceeding=2204,2203
;Option.CtrlId.Domain.Following=5,6,7
;
; If this is set to "Yes" then the user/password fields are captured from the
; dialog box rather than using the values supplied by the original gina.
;
Option.CaptureFromDlg=Yes
;
; These options define how text is entered into the various fields when
; simulating a logon. Mode 0 sets the text directly into the controls, while
; mode 1 sends characters one at a time (simulating pressing keys) and mode 2
; selects from a combo box.
;
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[CSCOGINA.W2K.LogonDialog]
;This section is for Cisco's Gina for Windows 2000, which is the same as the standard one, but
;has a different extension.
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSCOGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[ODYGINA.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=ODYGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[PRM_GINA.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=PRM_GINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[CSGina.W2K.LogonDialog]
;This section is for Cisco's Gina for Windows 2000, which is the same as the standard one, but
;has a different extension.
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[IPASS.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=ipgina.dll
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

;this one just tries the standard settings...
[TRYIT.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=Any
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.XP.LockedDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1953
Dlg.CtrlId.Password=1954
Dlg.CtrlId.Domain=1956
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.WIN2003.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=02
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[NWGina.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1202
Dlg.CtrlId.Password=1204
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2
Option.CtrlId.UserName.Preceeding=1201
Option.CtrlId.Password.Preceeding=1203
Option.CtrlId.Domain.Preceeding=2204,2203

[NWGinaJP.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=3002
Dlg.CtrlId.Password=3004
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

[FSSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=0
Dlg.CtrlId.Password=1001
Dlg.CtrlId.Domain=0
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

[FSSGina.XP.LockedDialog]
;This section is for the Macnica-specific FSS Gina
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=0
Dlg.CtrlId.Password=1001
Dlg.CtrlId.Domain=0
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

;---------------------------------------------------------------------------
; The logon window definition sections for Win9x/ME
;
[MSNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=MSNP32.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=21
Dlg.CtrlId.Password=23
Dlg.CtrlId.Domain=25
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=0

[NWNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1202
Dlg.CtrlId.Password=1204
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=0

[NWNPJP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=3002
Dlg.CtrlId.Password=3004
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=0

sberrors.ini

This file is used to increase the detail available in on-screen error messages.
You can add further descriptions to errors by amending this file.

sbhelp.ini

This file is used to match on-screen windows to their help file sections.

sbfeatur.ini

This file controls the feature set available to Endpoint Encryption. It is digitally signed by the Endpoint Encryption team and must not be modified.

scm.ini

Configuration manager file. Controls options such as which directory to connect to and which group to install into.

[Install]
GroupID=the ID of the group this machine will relate to

[Databases]
DatabaseID1=1
TryLastGoodFirst=Yes
LastGoodConnection=1

[Uninstall]
Sbsetup.exe=sbsetup.exe

You can specify the maximum size of the SCMLOG.txt file with the following parameters. If the log grows beyond about 10,000 lines, machine performance can suffer.

[Log]
MaxSize=number of KB to keep in log (128).
PurgeSize=number of KB to delete when log reaches MaxSize (16).

You can specify the pre-configuration connection behavior with the following parameters.

[Defaults]
;this section defines settings that apply before SafeBoot is
;actually active on the machine.
BootSynchDelay=0 ; delay before synching on boot in minutes
RandSynchDelay=0 ; an extra max random delay to synch in minutes
SynchInterval=0 ; time between automatically retrying synch

You can turn on tracing of the Endpoint Encryption client with the following section. Trace output goes to SBCM.log in the application directory.

[Debug]
Trace=1 ;Trace activity, 1 = on, 0 = off

You can set a message to be displayed, and a timeout, when an administrator performs a remote shutdown of the client (using the Machine | Reboot menu option).
[Reboot]
Message=some text to display
Timeout=10 (seconds)

[disk]
Sbfs.defaultsize=10 ;Default size of SafeBoot.FS (in MB)
Install.clearcryptlist=1(0) ;Determines whether to clear the cryptlist
;for a drive on install, or to leave it set.
Boot.message=Starting SafeBoot %d%d ;The default starting message

[boot]
Hookflags=… ;Internal use only—do not change.

defscm.ini

You can pre-set parameters used in the scm.ini created within install sets by creating a file "defscm.ini" in the Administration system directory containing the lines and sections you want to pre-define. defscm.ini is used as a seed to create the unique scm.ini for each install set.

sdmcfg.ini

This file is used by the Endpoint Encryption client to control the connection to the Object Directory. Many connections may be listed in the file; multi-connection behavior is controlled through scm.ini.

[Databases]
Database1=192.168.20.57

The IP address of the remote server. This can also be a DNS name.

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=…
ExtraInfo=…

ServerKey is the public key of the remote server. The client uses it to authenticate the server, which stops an attacker from standing up a rogue server and intercepting the traffic. ExtraInfo is padding for the server key.

TrivialPwds.dat

This file provides a dictionary of forbidden passwords. Create a Unicode text file with one password per line and deploy it to the client machines in the [appdir]\SBTokens\Data folder. You must also enable the "no simple passwords" option in the user template.

NOTE: It is more effective to restrict passwords using a template that requires numeric or special characters than to supply a long list of forbidden words.
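Added example, not McAfee's code, that applies the policy floor from the Common criteria EAL4 mode operation section and the TrivialPwds.dat forbidden list described above to a set of constructed inputs. It assumes the .dat file is UTF-16 with a byte-order mark, which is what Windows means by a "Unicode text file", and it models the password template simply as "require a digit or special character"; the product's real template options, the policy field names and the sample words are not taken from the guide.

```python
"""Added example (not McAfee's code): Common Criteria policy floor check plus
a TrivialPwds.dat style forbidden-password screen.
Assumptions: TrivialPwds.dat is UTF-16 with BOM; the template is modelled as
'require a digit or special character'; policy keys are invented here."""
import os
import shutil
import tempfile

# Common Criteria mode settings named in the guide
CC_MIN_PASSWORD_LENGTH = 5
CC_MAX_INVALID_ATTEMPTS = 10


def check_cc_policy(policy: dict) -> list:
    """Return the CC-mode violations for a policy dict (hypothetical keys:
    min_length, lockout_attempts, autoboot, secure_screensaver,
    system_recovery_key_bits, user_recovery_key_bits)."""
    problems = []
    if policy["min_length"] < CC_MIN_PASSWORD_LENGTH:
        problems.append("minimum password length below 5")
    if not 1 <= policy["lockout_attempts"] <= CC_MAX_INVALID_ATTEMPTS:
        problems.append("accounts must be disabled after 10 or fewer invalid attempts")
    if policy["autoboot"]:
        problems.append("Autoboot mode is prohibited")
    if not policy["secure_screensaver"]:
        problems.append("Secure Screen Saver mode must be enforced")
    if policy["system_recovery_key_bits"] == 0 or policy["user_recovery_key_bits"] == 0:
        problems.append("recovery key sizes must be non-zero")
    return problems


def write_trivial_pwds(path: str, words) -> None:
    """Write a TrivialPwds.dat style file: UTF-16 with BOM, one word per line."""
    with open(path, "w", encoding="utf-16") as f:
        f.write("\n".join(words) + "\n")


def load_trivial_pwds(path: str) -> set:
    """Read the forbidden list; compare case-insensitively so 'Password'
    does not slip past an entry of 'password'."""
    with open(path, "r", encoding="utf-16") as f:
        return {line.strip().lower() for line in f if line.strip()}


def check_password(pwd: str, forbidden: set, min_length: int = CC_MIN_PASSWORD_LENGTH,
                   require_digit_or_special: bool = True) -> list:
    """Return the reasons a candidate password is rejected (empty list = OK)."""
    reasons = []
    if len(pwd) < min_length:
        reasons.append("too short")
    if pwd.lower() in forbidden:
        reasons.append("in forbidden list")
    if require_digit_or_special and not any(c.isdigit() or not c.isalnum() for c in pwd):
        reasons.append("needs a digit or special character")
    return reasons


def demo() -> dict:
    workdir = tempfile.mkdtemp()
    try:
        dat = os.path.join(workdir, "TrivialPwds.dat")
        # constructed sample list; the non-ASCII entry exercises the UTF-16 round trip
        write_trivial_pwds(dat, ["password", "safeboot", "letmein", "Straße"])
        forbidden = load_trivial_pwds(dat)
        weak_policy = {"min_length": 4, "lockout_attempts": 25, "autoboot": True,
                       "secure_screensaver": False,
                       "system_recovery_key_bits": 0, "user_recovery_key_bits": 32}
        cc_policy = {"min_length": 8, "lockout_attempts": 5, "autoboot": False,
                     "secure_screensaver": True,
                     "system_recovery_key_bits": 32, "user_recovery_key_bits": 32}
        return {
            "forbidden_count": len(forbidden),
            "weak_policy_problems": len(check_cc_policy(weak_policy)),
            "cc_policy_problems": len(check_cc_policy(cc_policy)),
            "Password": check_password("Password", forbidden),
            "Strasse": check_password("Straße", forbidden),
            "abc": check_password("abc", forbidden),
            "good": check_password("Tr0ub4dor&3", forbidden),
        }
    finally:
        shutil.rmtree(workdir)
```

The "Password" and "Straße" results show why the guide's NOTE holds: both are caught by the dictionary, but they would also have been caught by the template rule alone, which needs no list to maintain.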
Bootcode.ini

Bootcode.ini defines the behaviour of the Endpoint Encryption pre-boot environment. It is a system file and is not commonly modified by the end user. The file is stored in Endpoint Encryption's pre-boot environment in the \boot directory.

    [TokenSelect]
    ; the token type id of the last token the user selected.
    Default=0x01000000

    [Locale]
    ;
    ; the user selected language to use (references a key in the [Languages] section
    ; of the \Locale\Locale.ini file).
    ;
    Language=EnglishUS
    ;
    ; the user selected keyboard to use (references a key in the [Keyboards] section
    ; of the \Locale\Locale.ini file).
    ;
    Keyboard=US

    [Audit]
    ;
    ; The maximum allowed audit events
    ;
    MaxEvents=3000
    ;
    ; The number of events to remove when the maximum is reached
    ;
    PurgeCount=300

BootManager.INI

This file controls the partition names shown when the Endpoint Encryption Boot Manager is enabled. The file is stored in Endpoint Encryption's pre-boot environment in the \boot directory.

    [Partition.Names]
    Partition0=My secure partition
    Partition1=My Insecure partition

SBErrors.XML

This is an XML version of SBErrors.ini to allow Unicode translation. Endpoint Encryption for PC uses SBErrors.XML instead of SBErrors.ini if both exist.

AutoBoot.ini

The autoboot.ini file allows you to set a unique default password for the $autoboot$ user(s). The file is created in the [appdir]\Boot directory in the following format:

    [AutoBoot]
    Password=mypassword

Because the password is stored in clear text, protect access to this file.

SbClientFileSet.ini

The SbClientFileSet.ini file defines which files are imported into the database.

SBWinLogonOpts.XML

This file can be used to exclude users from single sign-on logon; for example, VMware user accounts can otherwise overwrite the single sign-on credentials even though the "Must Match the Windows user name" option has been selected.
    <SafeBoot>
      <SetSbPwd>
        <Exclusions>
          <User name="__Vmware_User__" />
        </Exclusions>
      </SetSbPwd>
    </SafeBoot>

SBCP.INI

Microsoft introduced a new logon method with the Vista operating system: a credential provider (CP) that replaces MSGina.dll. A CP works differently from the MSGina; for example, credential providers are not cascaded, and several can be active next to each other.

If you enable the "Require Endpoint Encryption logon" option in Machine | General | Windows Logon options, the Endpoint Encryption credential provider is activated on the client's Windows logon; be aware that all other credential providers also remain available, so a user can still log on to Windows through one of them. The SBCP.ini file activates the CP filter. If a customer requires another CP to run in parallel, this is defined in SbCp.ini (in the Endpoint Encryption client directory).

Create the SBCP.ini. To enable all other credential providers, add:

    [CredentialProvider.Filter]
    DefaultAction=Enable

If you want to enable or disable specific credential providers, add entries to the section [CredentialProvider.Filter.Providers] containing the credential provider's GUID on the left and either "Enable" or "Disable" on the right. For example, to enable just the Microsoft password credential provider you would add:

    [CredentialProvider.Filter]
    DefaultAction=Disable

    [CredentialProvider.Filter.Providers]
    {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}=Enable

Setting up multiple domains in the logon dialog box

The [WindowsCredentials.Domains] section of the SBCP.ini allows you to specify other domains which the user can select during single sign-on. The content of this section determines what appears in the logon dialog box. See the example below.

    [WindowsCredentials.Domains]
    ;
    ; Lists the domains to be added to the domain list. Note that the left side of the
    ; equals sign can be any value - it is ignored (of course it must be unique within this section).
    ;
    1=MyDomain1
    2=MyDomain2
    3=MyDomain3

    [WindowsCredentials.Options]
    ;
    ; Set this to "No" to prevent the local computer name automatically being added to the list of domains.
    ;
    AddLocalComputerToDomains=Yes
    ;
    ; Sets the domain to select as the default. If this is not specified, the current domain
    ; for the system is selected if there is one, or the local computer name if there is not.
    ;
    DefaultDomain=MyDomain1
    ;
    ; If set to "Yes", the domain box will only list domains that the system marks as domain
    ; controllers. If set to "No" (the default), all servers will be listed.
    ;
    DomainControllersOnly=No
    ;
    ; If set to "Yes", the username and domain of the last logged-on user are filled in
    ; automatically (if available).
    ;
    SelectLastUsed=Yes

Deploying the SBCP.ini file

When you have created this file, you can import it into the Endpoint Encryption for PC Client Files file group or, alternatively, create a new file group, specify its function as "Client Files" and assign it to a machine. See the File Groups and Management chapter for further information.

Endpoint Encryption program and driver files

McAfee Endpoint Encryption for PC contains some important .exe, .dll and .sys files that provide the drivers and settings required for encrypting, logging on and managing Endpoint Encryption. The .exe files are used to install the software package, recover EEPC-installed systems, and to notify when a token is removed.

Contents
EXE Files
DLL files
SYS files

EXE Files

McAfee Endpoint Encryption for PC contains some important .exe files, used to install the software package, recover EEPC-installed systems, and to notify when a token is removed.

SafeTech

SafeTech is the disaster recovery tool for the Endpoint Encryption client.

Setup

Setup.exe is the core executable in Endpoint Encryption's packaging mechanism. It is used as an exe stub for the install package and also handles the de-install process.
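Returning to the SBCP.ini credential-provider filter described in the previous section: as an added example (not McAfee code), the following script parses the two filter sections and reports which credential providers registered on a client would stay selectable at the Windows logon, so an administrator can confirm that DefaultAction=Disable with an explicit allow list really leaves only the intended provider. Two points the guide does not state are assumed here: GUIDs are compared case-insensitively, and a file without DefaultAction is reported as an error rather than given a guessed default. Apart from the Microsoft password provider GUID quoted in the guide, the provider GUIDs are placeholders.

```python
"""Evaluate the credential-provider filter of an SBCP.ini file.

Added example for this guide; not McAfee code. Assumptions: GUID comparison
is case-insensitive, and a missing DefaultAction is a configuration error.
"""
import configparser

FILTER_SECTION = "CredentialProvider.Filter"
PROVIDERS_SECTION = "CredentialProvider.Filter.Providers"

MS_PASSWORD_CP = "{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}"   # GUID quoted in the guide

# Constructed list of providers "registered" on a sample client.
SAMPLE_REGISTERED = [
    MS_PASSWORD_CP,
    "{11111111-2222-3333-4444-555555555555}",   # placeholder: smart-card provider
    "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}",   # placeholder: third-party provider
]

# The guide's "enable just the MS password credential provider" file.
SBCP_ONLY_MS_PASSWORD = """\
[CredentialProvider.Filter]
DefaultAction=Disable
[CredentialProvider.Filter.Providers]
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}=Enable
"""

# The guide's "enable all other credential providers" file.
SBCP_ENABLE_ALL = """\
[CredentialProvider.Filter]
DefaultAction=Enable
"""


def _as_enabled(value):
    """Map the Enable/Disable keyword to a bool; anything else is a config error."""
    word = value.strip().lower()
    if word not in ("enable", "disable"):
        raise ValueError(f"expected Enable or Disable, got {value!r}")
    return word == "enable"


def parse_sbcp(text):
    """Return (default_enabled, {guid_lowercase: enabled}) from SBCP.ini text."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.read_string(text)
    if not cp.has_option(FILTER_SECTION, "DefaultAction"):
        raise ValueError(f"SBCP.ini has no DefaultAction in [{FILTER_SECTION}]")
    default_enabled = _as_enabled(cp.get(FILTER_SECTION, "DefaultAction"))
    overrides = {}
    if cp.has_section(PROVIDERS_SECTION):
        for guid, action in cp.items(PROVIDERS_SECTION):   # keys are lower-cased
            overrides[guid] = _as_enabled(action)
    return default_enabled, overrides


def evaluate_filter(text, registered_guids):
    """Map each registered GUID to (enabled, rule); rule is "explicit" or "default"."""
    default_enabled, overrides = parse_sbcp(text)
    decisions = {}
    for guid in registered_guids:
        key = guid.lower()
        if key in overrides:
            decisions[guid] = (overrides[key], "explicit")
        else:
            decisions[guid] = (default_enabled, "default")
    return decisions


def enabled_providers(text, registered_guids):
    """Sorted GUIDs of the providers a user could still pick at the Windows logon."""
    return sorted(g for g, (on, _) in evaluate_filter(text, registered_guids).items() if on)


if __name__ == "__main__":
    for label, ini in (("only MS password", SBCP_ONLY_MS_PASSWORD), ("enable all", SBCP_ENABLE_ALL)):
        print(label, "->", enabled_providers(ini, SAMPLE_REGISTERED))
```

Feed it the GUIDs actually registered under the Credential Providers key of a reference client to see the effective logon surface of a given SBCP.ini before it is added to a file group.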
Setup takes one parameter, "-Uninstall", which prompts it to walk through sbfiles41.lst, deleting files (or marking them for deletion if they are in use) and reversing registry settings. Setup also re-runs any installation executables with the -Uninstall flag to remove programs. The order of removal is the reverse of the install: installation executables, then registry settings, then files.

SBTokWatch

The SBTokWatch.exe file notifies Endpoint Encryption for PC when a token has been removed. This is for Vista installations only.

DLL files

McAfee Endpoint Encryption for PC contains some important .dll files that control the encryption algorithm module and logon settings.

sbalgxx

The utility encryption algorithm module.

sbgina

Windows logon pass-through GINA for NT / 2000. Endpoint Encryption usually monitors the GINA settings in the registry to ensure that nothing removes or disables the logon system. You can change this behaviour by editing the SB-NoUpdateGina DWORD value under [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. The following values can be set:

• 0 - SafeBoot will install and remove its GINA
• 1 - SafeBoot will *not* install its GINA, but will remove it
• 2 - SafeBoot will *not* remove its GINA, but will install it
• 3 - SafeBoot will *not* install or remove its GINA

You can use these settings to force compatibility with other GINA replacement logon systems. If you use option 1, 2 or 3 you are responsible for keeping the GINA chain correct, as Endpoint Encryption will no longer be monitoring some aspects of it.

SYS files

McAfee Endpoint Encryption for PC contains some important .sys files that provide the drivers and settings required for encrypting, logging on and managing Endpoint Encryption.

SafeBoot.SYS

The core device driver for Endpoint Encryption, handling encryption of the disk and management functions.

You can block the use of Safe Mode when Endpoint Encryption is installed by setting the following registry values. These options are included in the BlockSafeMode file group option in Endpoint Encryption for PC.

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SafeBoot]
    ;Prevent Safe Mode access if SafeBoot is activated
    PreventSafeMode=dword:00000001
    ;The warning message to display (default if not set)
    ;PreventSafeModeMsg=""
    ;The screen background colour (default red)
    ;PreventSafeModeBkCol=dword:00000000
    ;The screen foreground colour (default white)
    ;PreventSafeModeFgCol=dword:0000000f

Endpoint Encryption for PC uses several sectors of the hard disk between 1 and 63, commonly termed the "partition gap", to store power-fail information while encryption and decryption are in progress. If other applications also use these sectors, you can exclude them from the range used by specifying registry settings as below. For each sector you need to exclude, add a DWORD value of 1 whose name is the decimal sector number to the following registry key:

    [HKLM\Software\SafeBoot International\SafeBoot\DiskManager\ExcludedSectors]
    14=dword:1
    15=dword:1

You can specify any number of exclusions using this method, but be aware that at least two sectors are required, and the fewer sectors remain available, the slower encryption processes will run. You can add this information to the client NTDRV.SRG registry file to ensure it is applied on all machines at the point of install.

SBALG.SYS

This file is Endpoint Encryption's device driver crypto algorithm module.

SafeBoot.CSC/RSV

Endpoint Encryption pre-boot sector chain for the boot loader. The SafeBoot.csc file was renamed SafeBoot.RSV in 5.0.1 for better defragmentation protection.

SafeBoot.FS

This file is the encrypted pre-boot environment (stored as a single file).

SbRegFlt

This file is applicable to Vista installations only.
It allows the administrator to properly support auto logon, i.e. to ensure the Ctrl-Alt-Del behaviour is correct for single sign-on.

Other files: .srg files

Endpoint Encryption registry files. These are standard regedit files which are processed into the registry by Endpoint Encryption itself, without using the Windows regedit utility.

WinTech and SafeTech

WinTech and SafeTech are Endpoint Encryption's disaster recovery and diagnostic tools. Use them only in the event of a catastrophic failure of the machine, for example after severe hard disk corruption, a virus attack, or a complete OS failure.

Contents
WinTech and SafeTech functions

WinTech and SafeTech functions

WinTech and SafeTech can perform the following functions:

• Decrypt the drive using information obtained from the Endpoint Encryption Manager
• Start the Endpoint Encryption Emergency Repair process
• Perform forensic analysis on encrypted data

These tools should only be used by trained Endpoint Encryption staff. For more information, and access to the WinTech and SafeTech Administration Guide, please contact your McAfee representative.

Themes and localization

McAfee Endpoint Encryption for PC is the most flexible product of its kind in terms of localization capabilities. It supports unlimited numbers of pre-boot languages and keyboards, and offers a fully localized pre-boot on-screen keyboard and automatic language detection.

Contents
Localization support
Creating your own language file
Pre-Boot language
Pre-Boot token descriptions
Windows languages

Localization support

You can also restyle almost any aspect of the pre-boot interface, from changing colours and graphics to moving buttons and text on the screen. Endpoint Encryption provides full localization and customization services, but for those interested, the following information is provided to help you understand how all the components fit together.

We provide numerous languages and graphical layouts (themes) with the product. Readers are strongly advised to refer to those while reading these sections to understand how they work.

A tip for theme designers: the Endpoint Encryption for PC client synchronizes any file changes found in the [appdir]\locale and [appdir]\graphics trees into the Endpoint Encryption pre-boot file system on every policy sync event. So, rather than making your changes and uploading them to the Endpoint Encryption Manager, you can change the files directly on an Endpoint Encryption client and perform a sync event to load them into the pre-boot environment. A successful sync is not required, only an attempt. The same mechanism means that anyone who can write to those directories on a client can change what its pre-boot screen shows, so keep them protected on production machines.

Themes

McAfee Endpoint Encryption for PC uses graphical "Themes" to control the look and feel of the pre-boot environment. These themes are stored as "Client File" type file sets within the Endpoint Encryption Object Directory. Only one theme can be assigned to a machine at any time. To assign a theme to an Endpoint Encryption for PC machine, simply enable its file set from the "Files" tab of either the machine or machine group properties.

Themes are comprised of the following components:

File or directory   Description
Graphics            Root of the graphical theme.
Graphics.ini        Master definition file for the graphical theme. This file dictates the overall look of the theme, the button and window positions, and the various graphical elements which are used for each resolution.
ENGLISH             The English language font files.
640x480, 800x600, 1024x768, 1280x960, 1280x1024, 1400x1050, 1440x900, 1440x1050, 1600x1200, 1680x1050, 1680x1280, 1920x1440
                    Images for each of these resolutions.
Shared              Shared images used in all modes.
Locale              Language translations. This directory holds the options for the various language and keyboard support options.
Locale.ini          The options in Locale.ini determine which font sets from Graphics.ini are used.

For information about the parameters in the Graphics.ini and Locale.ini files, see the example theme, which has fully commented versions.

Keyboards

Physical keyboard layouts

Endpoint Encryption for PC supports many physical keyboard layouts, and also supports automatic detection of the Windows keyboard layout in an attempt to choose the most appropriate pre-boot layout. Having the correct pre-boot layout selected is essential when authenticating. For example, imagine the user has the French keyboard enabled in Windows, but has the USA keyboard enabled in the Endpoint Encryption for PC pre-boot. Row 2 of the French keyboard begins "azerty…" whereas row 2 of a USA keyboard begins "qwerty…", so if the user's password contains either "a" or "z", they will not be able to press the same keys in pre-boot to authenticate.

Defining and adding layouts to the Endpoint Encryption PBA

Endpoint Encryption for PC can support an unlimited number of different keyboard layouts. To define which layouts are available, you usually simply need to select the appropriate file group for a machine and the layout will be added. The PBA determines which layouts are installed by reading the Locale\Locale.ini file in the pre-boot environment.
This file is synchronised, along with the entire [appdir]\locale directory, each time the machine performs a sync operation. An example keyboard layout is defined in Locale.ini as follows:

    ;Norwegian Stub
    ;B5100
    [Settings]
    DefaultKeyboard=0414

    [Keyboards]
    0414=Keyboard.0414
    043B=Keyboard.043B

    [Keyboard.0414]
    name=Norwegian
    mapfile=0414_E.MAP
    OSK=0414_OSK.XML

    [Keyboard.043B]
    name=Norwegian with Sami
    mapfile=043B_E.MAP
    OSK=043B_OSK.XML

    [LanguageIDMap]
    0414.Keyboard=0414
    043B.Keyboard=043B

Node             Description
[Settings]       DefaultKeyboard defines the default keyboard if no mapping in [LanguageIDMap] can be determined.
[Keyboards]      Defines the list of possible keyboards. In this example two keyboards are defined (0414 and 043B), described in the sections Keyboard.0414 and Keyboard.043B. The definition names and section names are arbitrary, but we recommend you use the actual keyboard ID for consistency.
[Keyboard.xxxx]  A keyboard definition section. It describes the name of the keyboard (displayed in the selection list), the map file to use (stored in \Locale) and the on-screen keyboard file to use (again stored in \Locale). Instead of the "name" tag you can use NameW, which takes a comma-separated list of hex character codes, for example NameW=32,54,23,6A,43DF. With NameW you can display Unicode characters, which is useful when defining double-byte languages.
[LanguageIDMap]  Describes how the client should attempt to map the selected Windows keyboard to the pre-boot keyboards. 0414.Keyboard=0414 indicates that if Windows is using a keyboard with the ID 0414, Endpoint Encryption should use the keyboard described in [Keyboards] under the definition name 0414.

Locale.ini

Normally, languages and keyboard layouts are defined within the Endpoint Encryption database, and each language has a locale.ini file configured as a Merge INI. This system enables administrators to add and remove languages without having to define the exact set prior to distribution. As all keyboards and languages are defined in the same Locale.ini file, without merge INIs you would have to create a locale.ini file describing the exact combination of keyboards and locales before sending it to an Endpoint Encryption for PC client. For examples of how to define a Locale.ini, see one of the supplied languages stored in the \Languages tree of the Endpoint Encryption Manager install directory.

NOTE: If the language is changed in Windows after activation, auto-detect will not pick up the change. Deploy the new pre-boot language and keyboard files using file groups: select the language file from file groups and apply it to the machine or group. The machine or machine group must then synchronize with the admin system, and the user(s) must restart their machines. In the pre-boot screen they select "Options", which loads a menu; from this menu they select "Options" again. From the "Options" screen they can then specify the pre-boot language and the keyboard language.

Creating your own keyboard layout

Keyboard layouts are compiled from a source text file with the following structure:

    Name=<the keyboard name>
    Flags=<keyboard flags>
    <scancode>=<Unicode character number>,<mask>,<keystate>
    …

For example:

    flags=0x8000007C
    NAME=Norwegian with Sami
    ;---
    0x02=0x0031,0x009F,0x0000 ;-normal
    0x02=0x0021,0x009F,0x0010 ;-shift
    0x02=0x0000,0x009F,0x0009 ;-altgr
    0x02=0x0031,0x009F,0x0080 ;-caps
    0x02=0x0000,0x009F,0x0090 ;-shiftcaps
    0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
    0x02=0x0000,0x009F,0x0089 ;-altgrcaps
    0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps

The keyboard map source file is comprised of the following components:

Node             Description
flags            Operational flags which control the behaviour of this keyboard map. Defined flags include:
                 0x00000001 Caps is Shift
                 0x00000002 Shift unsets Caps
                 0x00000004 Acute
                 0x00000008 Grave
                 0x00000010 Circumflex
                 0x00000020 Umlaut (Diaeresis)
                 0x00000040 Tilde
                 0x00000080 Caron
                 0x00000100 Apostrophe
                 0x00000200 Cedilla
                 0x00000400 Breve
                 0x00000800 Ogonek
                 0x00001000 Dot above
                 0x00002000 Double acute
                 0x00004000 Degree
                 0x00008000 Tonos
                 0x00010000 Middle dot
                 0x00020000 Low nine
                 0x00040000 Dialytika
                 0x00080000 Quotation
                 0x00100000 Polish programmers tilde
                 0x00200000 Ring above
                 0x00400000 Macron
                 0x80000000 Extended mode (should always be enabled)
Name             The keyboard name.
Key definitions  Each key (scan code) behaviour is defined in a number of entries which state the Unicode character that should be produced. Each key may have many states (normal, shifted, caps etc.), so there may be multiple entries per key. The possible states are defined with a mask (which modifier keys to consider) and a keystate (the required state of those keys). The possible keys you can use in the mask and keystate are:
                 RIGHT_ALT_PRESSED   0x0001
                 LEFT_ALT_PRESSED    0x0002
                 RIGHT_CTRL_PRESSED  0x0004
                 LEFT_CTRL_PRESSED   0x0008
                 SHIFT_PRESSED       0x0010
                 NUMLOCK_ON          0x0020
                 SCROLLLOCK_ON       0x0040
                 CAPSLOCK_ON         0x0080
                 ENHANCED_KEY        0x0100

So, as an example, to define key 2 (the number 1 key on a USA keyboard) you would add an entry for scan code 0x02 (the scan code of this key) followed by a number of possible key states:

    0x02=0x0031,0x009F,0x0000

This defines the number 1 key to produce the character "1" when none (keystate 0x0000) of the modifiers caps lock, shift, left-alt, right-ctrl, left-ctrl and right-alt (mask 0x009F) is pressed. To define the behaviour of this key when shift alone is pressed, we use the following line:

    0x02=0x0021,0x009F,0x0010

As above, if key 2 is pressed, this produces an exclamation mark (Unicode character 0x21) if, out of the combination caps lock, shift, left-alt, right-ctrl, left-ctrl and right-alt (mask 0x009F), only shift (keystate 0x0010) is pressed. In both cases above, the masked keys that are not set in the keystate must not be pressed; keys outside the mask (Num Lock, for example) are not considered. The mask defines which keys to consider, and the keystate defines the required state of each of those keys.

If you wish to create a custom keyboard map, you will need to have it compiled by Endpoint Encryption before it can be used.

On-screen keyboards

On-screen keyboards (OSKs) provide a visual representation of the physical keyboard. Each keyboard map can be defined to provide either its own OSK or the system default OSK (US English). The symbols on each key can be defined for the normal, alt, altgr, shift, caps and ctrl states, and also for any combination of states.

OSKs are defined in the Endpoint Encryption pre-boot environment using an XML file which controls the layout (key spacing, number of rows etc.) and the display character for each key. The OSK file (keyboardID_OSK.XML) is usually stored in the SBFS\Locale directory. There can be many OSKs installed, and each physical keyboard map can choose one of the installed OSKs to display on request. Administrators can choose to always display an OSK for the user by selecting the "always display on-screen keyboard" option of the Machine | General properties.

NOTE: Although the OSK displays the character for each possible state, the OSK sends the scan code and modifier (shift/alt etc.) to the selected keyboard driver for conversion, so the character actually produced is the result of the keyboard driver, NOT necessarily the one displayed on the OSK.
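To make the mask/keystate rule above concrete, here is an added example (not McAfee code, and not the compiler Endpoint Encryption uses) that parses a map source file in the format just described, resolves a scan code plus modifier bits to a character the way the text describes the keyboard driver doing it for both physical and OSK key presses, and lists the characters of a password that the map can never produce, which is the azerty/qwerty lockout case from the "Physical keyboard layouts" section. The map is constructed: the scan code 0x02 entries are the guide's, the 0x10 ("q") entries are invented for illustration, and the assumption that a matching entry with character 0x0000 produces nothing is mine.

```python
"""Resolve pre-boot key presses through a keyboard map source file.

Added example for this guide; not McAfee code. Parses scancode=char,mask,keystate
lines and applies the (state & mask) == keystate rule.
"""
RIGHT_ALT_PRESSED = 0x0001
LEFT_ALT_PRESSED = 0x0002
RIGHT_CTRL_PRESSED = 0x0004
LEFT_CTRL_PRESSED = 0x0008
SHIFT_PRESSED = 0x0010
NUMLOCK_ON = 0x0020
SCROLLLOCK_ON = 0x0040
CAPSLOCK_ON = 0x0080
ENHANCED_KEY = 0x0100
ALTGR = LEFT_CTRL_PRESSED | RIGHT_ALT_PRESSED   # 0x0009, the guide's "altgr" keystate

# Constructed map: 0x02 copied from the guide, 0x10 ("q") invented for illustration.
SAMPLE_MAP = """\
flags=0x8000007C
NAME=Norwegian with Sami
;---
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps
0x10=0x0071,0x009F,0x0000 ;-normal (constructed: q)
0x10=0x0051,0x009F,0x0010 ;-shift (constructed: Q)
0x10=0x0051,0x009F,0x0080 ;-caps (constructed: Q)
0x10=0x0071,0x009F,0x0090 ;-shiftcaps (constructed: q)
"""


def parse_map(text):
    """Return (flags, name, {scancode: [(char, mask, keystate), ...]})."""
    flags, name, table = 0, "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ;comments
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "flags":
            flags = int(value, 16)
        elif key.lower() == "name":
            name = value
        else:
            char, mask, state = (int(p.strip(), 16) for p in value.split(","))
            table.setdefault(int(key, 16), []).append((char, mask, state))
    return flags, name, table


def translate(table, scancode, state):
    """Character produced for a scan code under the given modifier bits, or None.

    An entry matches when the modifiers it considers (mask) are exactly in the
    required state (keystate); bits outside the mask, e.g. NUMLOCK_ON, are ignored.
    Assumption: a matching entry whose character is 0x0000 produces nothing.
    """
    for char, mask, keystate in table.get(scancode, []):
        if (state & mask) == keystate:
            return chr(char) if char else None
    return None


def untypeable(table, password):
    """Characters of password that no key/modifier combination in this map produces."""
    producible = {chr(c) for entries in table.values() for c, _, _ in entries if c}
    return sorted(set(password) - producible)


if __name__ == "__main__":
    _, name, table = parse_map(SAMPLE_MAP)
    print(name, "shift+1 ->", translate(table, 0x02, SHIFT_PRESSED))
    print("cannot be typed from 'q1a':", untypeable(table, "q1a"))
```

Running untypeable() over a user's intended password with the map that will actually be active in pre-boot is the check to do before changing a machine's keyboard file group, since a password containing a character the map cannot produce locks the user out at pre-boot.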
A sample OSK could be defined as follows:

    <?xml version="1.0" encoding="UTF-16"?>
    <keyboard>
      <options col="lightgray" button_col="lightgray" border_col="black" txt_col="black"
               font="System" down_col="blue" button_style="square" border_width="3">
      </options>
      <layout id="English (US)">
        <row>
          <key id="18" obey-caps="true" scancode="0x11">
            <default display="w" />
            <shifted display="W" />
            <caps display="W" />
            <alt_gr display="GR" />
            <text state="alt+shift" display="AS" />
            <text state="alt+shift+ctrl" display="ASC" />
            <text state="shift+ctrl" display="SC" />
            <text state="caps+shift" display="PS" />
            <text state="altgr+ctrl" display="GC" />
          </key>
          <key id="19" obey-caps="false" scancode="0x056">
            …
          </key>
        </row>
        <row>
          …
        </row>
      </layout>
    </keyboard>

The following nodes should be considered:

Node            Description
options/font    The name of the font used by this OSK. This should be defined in Graphics.ini and needs to be an OnTime binary font.
layout/id       The name of this OSK layout, displayed in the title bar of the OSK.
key/id          A decimal representation of the key, usually the decimal scan code.
key/obey-caps   If this key is subject to any caps state switching, set this to true.
key/scancode    The scan code produced by this key.
key/default     The default display character.
key/shifted     The shifted display character.
key/caps        The caps lock state character.
key/alt_gr      The alt_gr state character.
key/text/state  The combination states for this key. The text/state attribute takes precedence over the key/default, key/shifted etc. states. You can specify single states, for example <text state="shift" display="Q" />, or combination states, for example <text state="shift+altgr" display="%" />. For any key to consider any caps behaviour, key/obey-caps needs to be true.

To set which OSK is displayed for each keyboard map, add an "OSK=" tag to the keyboard definition in locale.ini, for example:

    [Keyboard.043B]
    name=Norwegian with Sami
    mapfile=043B_E.MAP
    OSK=043B_OSK.XML

Node      Description
name      The display name of the keyboard.
mapfile   The name of the map file used to map key presses to characters.
OSK       The name of the OSK file to display.

Creating your own language file

McAfee Endpoint Encryption for PC language files are created from a Unicode master which describes the text to display for each defined pre-boot message. You can obtain a pre-boot English master text file from your Endpoint Encryption distributor. Once translated, the file needs to be compiled by Endpoint Encryption.

As described under Locale.ini above, languages and keyboard layouts are normally defined within the Endpoint Encryption database, with each language's locale.ini file configured as a "Merge INI" so that administrators can add and remove languages without defining the exact combination of keyboards and locales before distribution. For examples of how to define a Locale.ini, see one of the supplied languages stored in the \Languages tree of the Endpoint Encryption Manager install directory.

Pre-Boot language

Endpoint Encryption for PC supports many languages, and also supports automatic detection of the Windows language (note: only during Endpoint Encryption activation) in an attempt to choose the most appropriate pre-boot language.

NOTE: If the language is changed in Windows after activation, auto-detect will not pick up the change. Deploy the new pre-boot language and keyboard files using file groups: select the language file from file groups and apply it to the machine or group. The mach
ine or machine group must then synchronize with the admin system, and the user(s) must restart their machines. In the pre-boot screen they select "Options", which loads a menu; from this menu they select "Options" again. From the "Options" screen they can then specify the pre-boot language and the keyboard language.

The selectable languages are defined in the SBFS Locale\Locale.ini file, for example:

    ;Chinese Stub
    ;B5100
    [Settings]
    DefaultLanguage=0804

    [Languages]
    0804=Lang.0804
    0404=Lang.0404

    [LanguageIDMap]
    0804.Language=0804
    0404.Language=0404
    0004.Language=0804
    0C04.Language=0404
    0404.Keyboard=0404
    0804.Keyboard=0804

    [Lang.0804]
    ;Name=Chinese Simplified (PRC)
    NameW=,0020,0050,0052,0043,0029
    ID=0804
    StringFile=0804.STR
    FontSection=Fonts.SuperFont

Node             Description
[Settings]       DefaultLanguage is the default language to use if no mapping is found in the [LanguageIDMap] section.
[Languages]      The defined languages. Both the definition name and the section name are arbitrary.
[LanguageIDMap]  The Windows language to Endpoint Encryption pre-boot language map. For example, if Windows is using the locale 0404, the pre-boot should use the definition 0404 for its language. Both the full locale and its primary language can be checked, so in this example both Windows languages 0804 and 0004 use the Endpoint Encryption pre-boot definition section 0804. If another variant of the primary language, for example 0F04, is found in Windows, then the 0004 entry will be used by Endpoint Encryption.
[Lang.0804]      This section defines a language. The Name tag is the name displayed in the pre-boot selection list. You can supply a NameW tag instead, which takes a comma-separated list of character codes; this enables you to set a Unicode name for the list. The ID is the locale ID and should be the standard Windows locale ID for this language. The StringFile is the compiled definition file to use (stored in \locale). The FontSection is the section in Graphics.ini which contains the fonts to be used for this particular language.
Each language can use its own fonts, or can use fonts shared by other languages.

Pre-Boot token descriptions

You can localise the token names used in Endpoint Encryption for PC by adding an XML definition file to the [appdir]\SBTokens\Languages directory. The client searches for resources in the following order:

• The [appdir]\SBTokens\Languages\LanguageID directory
• The [appdir]\SBTokens\Languages\LanguageMajor directory
• The [appdir]\SBTokens\Languages directory

The definition file for each token is an XML file named Token_tokenID.xml, as follows:

    <SbTokenInformation>
      <Token type="xxxxxxxx">
        <PromptName>prompt text</PromptName>
        <ListName>list text</ListName>
      </Token>
    </SbTokenInformation>

Node          Description
Token/type    The ID of the token; see the Tokens section of this guide.
PromptName    The text to display in the login box.
ListName      The text to display in the list of tokens.

Windows languages

McAfee Endpoint Encryption for PC uses resource DLLs and other files to display its Windows components in alternate languages. The client searches for resources in the following order:

• The [appdir]\Languages\LanguageID directory
• The [appdir]\Languages\LanguageMajor directory
• The [appdir]\Languages directory
• The [appdir] directory, using the built-in resources

For example, on a US English system (language ID 0409) Endpoint Encryption for PC looks for resources in [appdir]\Languages\0409, then [appdir]\Languages\0009, then [appdir]\Languages, then [appdir].

The following components are supported for localization:

• DLL resources (Windows resources)
• SBErrors.XML (Unicode error code descriptions)
• SBErrors.INI (ASCII error code descriptions)
• SBClient.CHM (help file)
• SBHelp.INI (help file index)

Troubleshooting PCs

For the latest information on Endpoint Encryption issues, patches and updates, please see our web site, www.mcafee.com. We maintain several sections with the latest tips from our implementation teams, and any suggested changes and updates. You can also subscribe to an update list which uses e-mail to keep you informed of any significant issues.

Contents
Error messages

Error messages

Please see the file sberrors.ini for more details of these error messages. You can also find more information on error messages on our web site, www.mcafee.com.

Module codes

The following codes identify the Endpoint Encryption module from which an error message was generated. The first four hex digits of an error code are the module code and the last four are the error number within that module.
Error Code Module
1c00 IPC
5501 SBHTTP Page Errors
5502 SBHTTP User Web Recovery
5c00 SBCOM Protocol
5c02 SBCOM Crypto
a100 ALG
c100 Scripting
db00 Database Misc
db01 Database Objects
db02 Database Attributes
e000 Endpoint Encryption General
e001 Endpoint Encryption Tokens
e002 Endpoint Encryption Disk
e003 Endpoint Encryption SBFS
e004 Endpoint Encryption BootCode
e005 Endpoint Encryption Client
e006 Endpoint Encryption Algorithms
e007 Endpoint Encryption Users
e010 Endpoint Encryption Keys
e011 Endpoint Encryption File
e012 Endpoint Encryption Licenses
e013 Endpoint Encryption Installer
e014 Endpoint Encryption Hashes
e015 Endpoint Encryption App Control
e016 Endpoint Encryption Admin

1C00 IPC Errors
Code Message and Description
[1c000001] Timeout during IPC
[1c000002] IPC terminated
[1c000003] Unable to initialise IPC
[1c000004] Unknown or unsupported function
[1c000005] Request to send data that is too big
[1c000006] Timeout sending data
[1c000007] Timeout waiting for reply
[1c000008] Out of memory

5C00 Communications Protocol
Code Message and Description
[5c000000] Unsupported version
  The server and client are not talking the same communications protocol version.
[5c000005] Out of memory
[5c000008] A corrupt or unexpected message was received
[5c000009] Unable to load the Windows TCP/IP library (WSOCK32.DLL)
  Check that the TCP/IP protocol is installed.
[5c00000a] Communications library not initialised
  This is an internal programmatic error.
[5c00000c] Unable to create TCP/IP socket
[5c00000d] Failed while listening on a TCP/IP socket
[5c00000e] Unable to convert a host name to an IP address
  Check the host file or the DNS settings.
[5c00000f] Failed to connect to the remote computer
  The computer may not be listening or it is too busy to accept connections.
[5c000010] Failed while accepting a new TCP/IP connection
[5c000011] Failed while receiving communications data
  The remote computer may have reset the connection.
[5c000012] Failed while sending communications data
[5c000013] Invalid communications configuration
[5c000014] Invalid context handle
[5c000015] A connection has already been established
[5c000016] No connection has been established
[5c000017] Request for an unknown function has been received
[5c000018] Unsupported or corrupt compressed data received
[5c000019] Data block is too big
[5c00001a] Data of an unexpected length has been received
[5c00001b] Message too big to be received
  This may occur if an attempt is made to import large amounts of data into the database (e.g. a file).
[5c00001c] Unable to create thread mutex
[5c00001d] Message too big to be sent
  This may occur if an attempt is made to import large amounts of data into the database (e.g. a file).
[5c00001e] Wrong Endpoint Encryption Communications Protocol Version
  You are most likely trying to connect to a v4 Endpoint Encryption Server using a v5 Server definition with server authentication enabled. Check that you do not have both v4 and v5 servers running (perhaps as a service) at the same time.
5C02 Communications Cryptographic
Code Message and Description
[5c020000] The Diffie-Hellman data is invalid or corrupt
[5c020001] An unsupported encryption algorithm has been requested
[5c020002] An unsupported authentication algorithm has been requested
[5c020003] Unable to sign data
[5c020004] Authentication signature is not valid
[5c020005] Authentication parameters are invalid or corrupt
[5c020006] Failed while generating DSA parameters
[5c020007] No session key has been generated
[5c020008] Unable to authenticate user
[5c020009] Session key too big

A100 Algorithm Errors
Code Message and Description
[a1000000] Not enough memory
[a1000001] Unknown or unsupported function
[a1000002] Invalid handle
[a1000003] Encryption key is too big
[a1000004] Encryption key is too small
[a1000005] Unsupported encryption mode
[a1000006] Invalid memory address
[a1000007] Invalid key data

DB00 Database Errors
Code Message and Description
[db000000] Out of memory
[db000001] More data is available
[db000002] The database has not been created or initialised yet
  Check the database path or create a new database. To force the new database wizard to be run, delete the SDMCFG.INI file and restart the administration program.
[db000003] Invalid context handle
[db000004] The name was not found in the database
[db000005] Authentication was not successful
  Check that you have the correct token for this database.
[db000006] Unknown database
[db000007] Invalid database type
[db000008] The database could not be found
  Check the database path settings.
[db000009] Database already exists
  Choose a different database path.
[db00000a] Unable to create the database
  Check the path settings and make sure you have write access to the directory.
[db00000b] Invalid database handle
[db00000c] The database is currently in use by another entity
  You cannot delete a database while someone is using it.
[db00000d] Unable to initialise the database
[db00000e] User aborted
[db00000f] Memory access violation
[db000010] Invalid string
[db000011] No default group has been defined
[db000012] The group could not be found
[db000013] File not found
[db000014] Unable to read file
[db000015] Unable to create file
[db000016] Unable to write to file
[db000017] File corrupt
[db000018] Invalid function
[db000019] Unable to create mutex
[db00001a] Invalid license
  The license has been modified so that the signature is now invalid.
[db00001b] License has expired
[db00001c] The license is not for this database
  Check the database ID and ensure it is the same as the one specified in the license. Each time you create a new database, a different ID is generated. There is no way to change the ID of a database.
[db00001d] You do not have permission to access the object
[db00001e] Endpoint Encryption is currently busy with another task. Please wait for it to complete and try again.
  This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint Encryption status from the right-click menu of the Endpoint Encryption task bar icon.
[db00001f] Endpoint Encryption is still installed on this machine
[db000020] Buffer too small
[db000021] The requested function is not supported
[db000022] Unable to update the boot sector
  The disk may be in use by another application or Explorer itself. The disk may be protected by an anti-virus program.
DB01 Database Objects
Code Message and Description
[db010000] The object is locked
  Someone else is currently updating the same object.
[db010001] Unable to get the object ID
[db010002] Unable to change the object's access mode
  Someone else may be accessing the object at the same time. If you are trying to write to the object while someone else has the object open for reading, you will not be able to change to write mode.
[db010003] Object is in wrong access mode
[db010004] Unable to create the object in the database
  The disk may be full or write protected.
[db010005] Operation not allowed on the object type
[db010006] Insufficient privilege level
  You do not have the access rights required to access the object.
[db010007] The object status is disabled
  This is usually associated with User objects. Disabling the user's object prevents them logging on until their account is re-enabled.
[db010008] The object already exists
[db01000f] The object is in use
[db010010] Object not found
  The object has been deleted from the database.
[db010011] License has been exceeded for this object type
  Check that your licenses are still valid and, if not, obtain further licenses if necessary.

DB02 Database Attributes
Code Message and Description
[db020000] Attribute not found
[db020001] Unable to update attribute
[db020002] Unable to get attribute data
[db020003] Invalid offset into attribute data
[db020004] Unable to delete attribute
[db020005] Incorrect attribute length
[db020006] Attribute data required

E000 Endpoint Encryption General
Code Message and Description
[e0000000] User aborted
[e0000001] Insufficient memory
[e0000002] Invalid date/time
[e0000010] Invalid date/time. Clock is reporting a time before 1992 or after 2038.
E001 Tokens
Code Message and Description
[e0010000] General token error
[e0010001] Token not logged on
[e0010002] Token authentication parameters are incorrect
[e0010003] Unsupported token type
[e0010004] Token is corrupt
[e0010005] The token is invalidated due to too many invalid logon attempts
[e0010006] Too many incorrect authentication attempts
[e0010007] Token recovery key incorrect
[e0010010] The password is too small
[e0010011] The password is too large
[e0010012] The password has already been used before. Please choose a new one.
[e0010013] The password content is invalid
[e0010014] The password has expired
[e0010015] The password is the default and must be changed.
[e0010016] Password change is disabled
[e0010017] Password entry is disabled
[e0010020] Unknown user
[e0010021] Incorrect user key
[e0010022] The token is not the correct one for the user
[e0010023] Unsupported user configuration item
[e0010024] The user has been invalidated
[e0010025] The user is not active
[e0010026] The user is disabled
[e0010027] Logon for this user is not allowed at this time
[e0010028] No recovery key is available for the user
[e0010030] The algorithm required for the token is not available
[e0010040] Unknown token type
[e0010041] Unable to open token module
[e0010042] Unable to read token module
[e0010043] Unable to write token module
[e0010044] Token file not found
[e0010045] Token type not present
[e0010046] Token system class is not available
[e0018000] Sony Puppy requires fingerprint
[e0018001] Sony Puppy requires password
[e0018002] Sony Puppy not trained

E002 Endpoint Encryption Disk
Code Message and Description
[e0000002] Invalid date/time
[e0020000] No more data is available
[e0020001] No more data is available
[e0020002] Unsupported disk driver function
[e0020003] Invalid disk driver request
[e0020004] Disk request buffer too small
[e0020005] Unsupported encryption algorithm
[e0020006] Unknown disk number
[e0020007] Error reading disk sector
[e0020008] Error writing disk sector
[e0020009] Unable to get disk partition information
[e002000a] Endpoint Encryption disk information not present
[e002000b] Not enough space for the Endpoint Encryption disk information
[e002000c] The Endpoint Encryption disk information is invalid
[e002000d] Sector not valid for Endpoint Encryption disk information use
[e002000e] Sector chain is invalid
[e002000f] Sector chain type incorrect
[e0020010] Sector chain sequence number incorrect
[e0020011] Sector chain checksum invalid
[e0020012] Crypt state information too big for available space
[e0020013] Crypt list full
[e0020014] Crypt range too big
[e0020015] Attempt to crypt while in power fail state not allowed
[e0020016] Attempt to crypt in-progress I/O
[e0020017] Error communicating with Endpoint Encryption disk driver
[e0020018] Endpoint Encryption disk driver not present
[e0020019] Unsupported disk driver version
[e002001a] No encryption key has been set
[e002001b] Unable to find the system boot disk
[e002001c] Unknown message slot
[e002001d] Message slot data too large
[e002001e] Unable to lock floppy disk driver for access
[e002001f] Unable to access floppy disk
[e0020020] The boot disk type is not supported
[e0020021] Access to driver not permitted

E003 Endpoint Encryption SBFS
Code Message and Description
[e0030001] The SafeBot File System is already mounted
[e0030002] Unable to mount the Endpoint Encryption File System
[e0030003] Unable to unmount the Endpoint Encryption File System
[e0030004] The Endpoint Encryption File System is not mounted
[e0030005] Error reading Endpoint Encryption File System sector
[e0030006] Error writing Endpoint Encryption File System sector
[e0030007] Endpoint Encryption File System too fragmented
[e0030008] Endpoint Encryption File System size invalid
[e0030009] Error creating Endpoint Encryption File System host file
[e003000a] Error reading Endpoint Encryption File System host file
[e003000b] Error writing Endpoint Encryption File System host file
[e003000c] Error setting Endpoint Encryption File System host file pointer
[e003000d] Unable to locate sectors corresponding to the Endpoint Encryption File System host file
[e003000e] No host driver found for the Endpoint Encryption File System

E004 Boot Code Image
Code Message and Description
[e0040001] Unable to open boot code image file
[e0040002] Error reading boot code image file
[e0040003] Boot code image file too big
[e0040004] Error creating boot code image host file
[e0040005] Error reading boot code image host file
[e0040006] Error writing boot code image host file
[e0040007] Error setting boot code image host file pointer
[e0040008] Unable to locate boot code image host file sectors
[e0040009] No host driver found for boot code image file
[e004000a] Unhandled instruction
[e004000b] Invalid instruction
[e004000c] Protected mode General Protection Fault

E005 Client
Code Message and Description
[e0050001] Endpoint Encryption Client not activated
[e0050002] The Endpoint Encryption Client is already activated
[e0050003] The Endpoint Encryption Client activation is already in progress
[e0050004] The wrong version of the Endpoint Encryption Client is currently active
[e0050005] Unable to save original MBR
[e0050006] Disk Manager not open
[e0050007] Unable to load MBR copy
[e0050008] Unable to load the Endpoint Encryption MBR
[e005000a] Too many work items to perform encryption
[e005000b] Endpoint Encryption MBR invalid
[e005000c] Endpoint Encryption Client sync failed to start
[e005000d] Endpoint Encryption Client sync already in progress
[e005000e] Key not available to the Endpoint Encryption Client
[e005000f] The recovery key is incorrect
[e0050010] Failed to start cryption
[e0050011] Cryption already in progress
[e0050012] The hard disk key is incorrect
[e0050013] The machine configuration is corrupt or invalid
[e0050014] Unable to load string data
[e0050015] String data is invalid
[e0050016] Incorrect user logon
[e0050017] The isolation period has expired
[e0050018] A possible virus has been detected
[e0050019] Recovery data is invalid
[e005001a] Recovery file version unsupported
[e005001b] Invalid recovery command
[e005001c] Invalid recovery type
[e005001d] Recovery data not found
[e005001d] Client not initialized for emergency boot
[e0050020] Unable to open the client data store
[e0050021] The client data store is not open
[e0050022] The client data store already exists
[e0050023] Error creating client data store
[e0050024] Unable to create client data store directory
[e0050025] Client data store in use
[e0050026] Unable to delete client data store
[e0050027] The client data store is corrupt
[e0050028] Unsupported client data store version
[e0050030] Client data store object not found
[e0050031] Client data store object not open
[e0050032] Client data store object not exclusive
[e0050033] Client data store object ID invalid
[e0050034] Client data store object ID already exists
[e0050035] Unable to create client data store object directory
[e0050036] Client data store object name already exists
[e0050037] Unable to read client data store object name
[e0050038] Unable to write client data store object name
[e0050040] Unable to remove client data store object
[e0050041] Client data store attribute not found
[e0050042] Client data store attribute not open
[e0050043] Unable to open client data store attribute
[e0050044] Unable to create client data store attribute
[e0050045] Unable to read client data store attribute
[e0050046] Unable to write data store attribute
[e0050047] Client data store attribute version incorrect
[e0050048] Client data store attribute corrupt
[e0050049] Invalid size of client data store attribute
[e005004a] Access denied to client data store attribute
[e0050060] Upgrade of client is not possible
[e0050061] Upgrade old SbFs is invalid
[e0050062] Upgrade old SbFs not found
[e0050063] Upgrade old SbFs drive not found
[e0050064] Upgrade, unable to read old SbFs
[e0050065] Upgrade, old machine configuration invalid
[e0050066] Upgrade, invalid user data
[e0050067] Upgrade, user directory version invalid
[e0050068] Upgrade, invalid user directory
[e0050069] Upgrade, unable to get original MB
[e005006a] Upgrade, unable to get audit data

E006 Algorithms
Code Message and Description
[e0060001] Unknown encryption algorithm
[e0060002] Unable to install pre-boot encryption algorithm module
[e0060003] Error relocating 16-bit encryption algorithm code
[e0060004] Error initializing 16-bit encryption algorithm module
[e0060005] 16-bit encryption algorithm module invalid

E007 Readers
Code Message and Description
[e0070001] Unknown reader type
[e0070002] Unable to open reader module
[e0070003] Unable to read reader module
[e0070004] Unable to write reader module
[e0070005] Reader failure
[e0070006] Unable to create reader context
[e0070007] Invalid reader parameter
[e0070008] Reader not present
[e0070009] Reader timeout
[e007000a] Reader sharing violation
[e007000b] Token not present in reader
[e007000c] Reader protocol mismatch
[e007000d] Reader communications error
[e007000e] Token not powered in reader
[e007000f] Token not reset in reader
[e0070010] Token removed from reader

E008 Users
Code Message and Description
[e0080001] User configuration invalid or corrupt
[e0080002] User information field index invalid
[e0080003] User has no hard disk encryption key

E010 Keys
Code Message and Description
[e0100001] Encryption key too big
[e0100002] Encryption key size invalid

E011 Files
Code Message and Description
[e0110001] Unable to create file
[e0110002] Unable to open file
[e0110003] Error reading file
[e0110004] Error writing file
[e0110005] Error setting file pointer
[e0110006] Error getting file size

E012 Licences
Code Message and Description
[e0120001] License invalid
[e0120002] License expired
[e0120003] License is not for this database
[e0120004] License count exceeded

E013 Installer
Code Message and Description
[e0130002] No installer executable stub found
[e0130003] Unable to read installer executable stub
[e0130004] Unable to create file
[e0130005] Error writing file
[e0130006] Error opening file
[e0130007] Error reading file
[e0130008] Installer file invalid
[e0130009] No more files to install
[e013000a] Install archive block data too large
[e013000b] Install archive data not found
[e013000c] Install archive decompression failed
[e013000d] Unsupported installer archive compression type
[e013000e] Installation error
[e013000f] Unable to create temporary directory
[e0130010] Error registering module

E014 Hashes
Code Message and Description
[e0140001] Insufficient memory
[e0140002] Error opening hashes file
[e0140003] Error reading hashes file
[e0140004] Hashes file invalid
[e0140005] Unable to create hashes file
[e0140006] Error writing hashes file
[e0140007] Hashes file is not open
[e0140008] Hashes file data invalid
[e0140009] Hashes file data too big
[e014000a] User aborted

E015 Application Control
Code Message and Description
[e0150001] Insufficient memory
[e0150002] Application control invalid parameter
[e0150003] Error communicating with application control driver
[e0150004] Application control driver not installed
[e0150005] Error opening application control log file
[e0150006] Invalid hashes object list

E016 Administration Center
Code Message and Description
[e0160001] Invalid plugin information

xxH: BIOS
If Endpoint Encryption's boot loader detects a hardware error from the BIOS, it reports the standard error code in the format "Endpoint Encryption ?? Error code H??". The following list of codes may be reported:
Code Message and Description
01H Invalid function call
02H Address mark not found
03H Disk is write protected
04H Sector not found
05H Reset failed (hard disk)
06H Diskette has been changed
07H Drive parameter activity failed (hard disk)
08H DMA overrun
09H DMA attempted across 64K boundary
0AH Bad sector flag detected (hard disk)
0BH Bad track detected (hard disk)
0CH Unsupported track or invalid media
0DH Invalid number of sectors for Format (hard disk)
0EH Control data address mark detected (hard disk)
0FH DMA arbitration level out of range (hard disk)
10H Uncorrectable CRC or ECC error on read
11H ECC corrected data error (hard disk)
20H Disk controller failure
31H No media in drive
32H Drive does not support media type
40H Seek failed
80H Timeout (disk not ready)
AAH Drive not ready
B0H Volume not locked in drive (INT 13 extensions)
B1H Volume locked in drive (INT 13 extensions)
B2H Volume not removable (INT 13 extensions)
B3H Volume in use (INT 13 extensions)
B4H Lock count exceeded (INT 13 extensions)
B5H Valid eject request failed (INT 13 extensions)
BBH Undefined error (hard disk)
CCH Write fault (hard disk)
E0H Status register error (hard disk)
FFH Sense failed (hard disk)

Technical specifications and options
The following options are available from Endpoint Encryption but may not be included on your install CD, or be appropriate for your version of Endpoint Encryption.
Please contact your Endpoint Encryption representative for information if you wish to use one of these optional components.
Contents
Tokens
System requirements

Encryption Algorithms
Endpoint Encryption supports many custom algorithms. Only one algorithm can be used in an Endpoint Encryption Enterprise. Algorithm performance is based on the "PassMark" rating, which gives an overall indication of system performance. All tests were performed on a K6-II-300 machine running NT4.0. This test platform has a PassMark of 20.7. The closer to this figure an algorithm gets, the less the impact of Endpoint Encryption on the user. Faster machines will achieve correspondingly faster PassMark ratings, but the percentage difference between them will be comparable.
RC5-12 (FASTEST)
CBC Mode, 1024 bit key, 12 rounds, 64 bit blocks. PassMark 20.7 (100%)
RC5-18
CBC Mode, 1024 bit key, 18 rounds, 64 bit blocks. PassMark 20.7 (100%)
The 18 round RC5 variant is designed to prevent the theoretical "Known Plaintext" attack.
AES-FIPS (FIPS 140-2 Approved) - RECOMMENDED
CBC Mode, 256 bit key, 128 bit blocks. PassMark 19.3 (93%). This algorithm is approved for FIPS 140-2 use.
Smart Card Readers
The following smart card readers are supported.
PCMCIA Smart Card Readers
• SCR243 / SCR201 and compatibles (such as HP DC350B, ActivIdentity and others)
• PCMCIA smart card reader. See http://www.scmmicro.com/security/SCR243.html for more information.
• SCR201 and compatibles such as PCSR and Cisco PCMCIA readers
Generic USB CCID Smart Card Reader and compatibles
This module provides support for the following devices:
• Universal CCID USB smart card reader support (supports all industry standard CCID readers)
• Dell D620 Integrated Smart Card Reader
• Gemplus GemPC430 USB Smart Card Reader
• Omnikey 3121 USB Smart Card Reader
• ACR38 USB Smart Card Reader
USB Smart Card Reader non CCID
Mako DT3500 Desktop smart card reader with USB Interface.
PCI Smart Card Readers
• HP 6400 Integrated Smart Card Reader
• Dell D610/810 Integrated Smart Card Reader
Tokens
Please see the Using Tokens with Endpoint Encryption for PC chapter for further information. For the latest list of authentication methods using smart cards, tokens and fingerprint readers, please consult your McAfee representative.
Language support
Client Pre-Boot Languages (auto detect)
• Arabic
• Czech
• Chinese (Simplified)
• Chinese (Traditional)
• Dutch
• English (United Kingdom)
• English (United States)
• Estonian
• German
• Hungarian
• Italian
• Japanese
• Korean
• Polish
• Portuguese
• Russian
• Slovak Republic
• Swedish
• Spanish
• Turkish
Pre-Boot Keyboards (auto detect)
• Arabic 101
• Arabic 102
• Arabic AZERTY
• Belgian Comma
• Belgian Period
• Canadian Multilingual
• Canadian French
• Canadian French Legacy
• Chinese Bopomofo
• Chinese ChaiJei
• Croatian
• Czech (Czech Republic)
• Czech (QWERTY)
• Czech (Programmers)
• Danish
• Dutch
• English (United States)
• English (United Kingdom)
• English (US International)
• English (UK Extended)
• Estonian
• French (Belgium)
• French (France)
• French (Canada)
• French (Swiss)
• Finnish
• Gaelic
• German (Standard)
• German (IBM)
• Greek
• Greek Latin
• Greek 220
• Greek 220 Latin
• Greek 319
• Greek 319 Latin
• Hebrew
• Hungarian
• Italian
• Icelandic
• Irish
• Japanese
• Kazakh
• Korean
• Latin American
• Norwegian
• Norwegian with Sami
• Polish 214
• Polish Programmers
• Portuguese Brazil
• Portuguese Portugal
• Romanian
• Russian
• Russian Typewriter
• Slovak
• Slovak QWERTY
• Slovenian
• Spanish (Spain)
• Spanish (International)
• Spanish Variant
• Swedish
• Swiss German
• Thai Kedmanee
• Turkish F
• Turkish Q
• US Dvorak
Most of the keyboard layouts also support On-Screen representations. Please note – other languages are available on request. We are continuously updating our language translations and encourage feedback from our users.
Windows Languages (auto detect)
• English (United Kingdom)
• English (United States)
System requirements
Implementation documentation discussing appropriate hardware for typical installations of Endpoint Encryption is available from your representative.
Client
• Microsoft Windows 2000 Professional, XP Professional, Windows Server 2003, Vista 32-bit (all versions), Vista 64-bit (all versions)
• 128 MB RAM, or OS minimum specification
• 5-35 MB free hard disk space (depending on localization and number of desired users)
• Pentium compatible processor, multi-processor (up to 32 way), dual-core and hyper threading processors, Pentium-compatible processors such as AMD processors.
• For remote administration, a TCP/IP network connection is required.

Appendix
This chapter highlights and explains the legal notices, open source license, and FIPS compliant details.
Contents
Legal notices
Open source components license details

Legal notices
McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com
McAfee, SafeBoot and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners.
© 2013 McAfee, Inc. All rights reserved. Your rights to install, run, copy, reproduce, distribute or make any other use of the accompanying software is subject to your license agreement with McAfee, Inc. If you have any questions, please review your software license or contact your McAfee representative.
McAfee SafeBoot products make use of the following third party open source technologies:
• ZLIB, a general compression library
• OpenSSL/OpenSSLeay - a general SSL/PKI communications library
• OpenLDAP - a general LDAP library

Open source components license details
Communications Layer - ZLIB License
/* zlib.h -- interface of the 'zlib' general purpose compression library version 1.2.8, April 28th, 2013
Copyright (C) 1995-2013 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
• The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
• Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
• This notice may not be removed or altered from any source distribution.
Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu
Communications Layer and LDAP Connector - OpenSSL/OpenSSLEAY
LICENSE ISSUES
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts.
Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License
/* ====================================================================
Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• All advertising materials mentioning features or use of this software must display the following acknowledgment:
  • This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
• The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
• Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
• Redistributions of any form whatsoever must retain the following acknowledgment:
  • This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License
Copyright (C) 1998-2011 Eric Young (eay@cryptsoft.com) All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
• Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• All advertising materials mentioning features or use of this software must display the following acknowledgement:
  • This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
  NOTE: The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related.
• If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement:
  • This product includes software written by Tim Hudson (tjh@cryptsoft.com)
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.

This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California. Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following restrictions:

• The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it.
• The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation.
• Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation.
• This notice may not be removed or altered.
LDAP Connector - OpenLDAP

Copyright (c) 1994 The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the University of California, Berkeley and its contributors."
• Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

@(#)COPYRIGHT 8.1 (Berkeley) 3/16/94

LDAP Connector - The OpenLDAP Public License

Version 2.0.1, 21 December 1999. Copyright 1999, The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved.
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain copyright statements and notices. Redistributions must also contain a copy of this document.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• The name "OpenLDAP" must not be used to endorse or promote products derived from this Software without prior written permission of the OpenLDAP Foundation. For written permission, please contact foundation@openldap.org.
• Products derived from this Software may not be called "OpenLDAP" nor may "OpenLDAP" appear in their names without prior written permission of the OpenLDAP Foundation. OpenLDAP is a trademark of the OpenLDAP Foundation.
• Due credit should be given to the OpenLDAP Project (http://www.openldap.org/).

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Making Endpoint Encryption for PC FIPS Compliant

The following procedures must be followed to operate the McAfee Endpoint Encryption for PC cryptographic module in a FIPS Approved mode:

• The module software must be operating in "FIPS" mode. This is done by setting the FIPS registry key value from 0 (disabled) to 1 (enabled). The first step is to create a FIPS registry script (see Appendix A for details). Once the file is created, right-click the newly created .reg file and select Merge from the drop-down menu.
• To verify that the registry has been updated properly, the user must install a registry editor, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier, and verify that the value of FipsMode equals 1.
• All application databases and external media on the device where McAfee Endpoint Encryption for PC has been installed MUST be fully encrypted. This is performed by setting the module's internal memory encryption parameter to Encrypt Entire Device.
• The PC used to run the McAfee Endpoint Encryption for PC Client must be built using production grade components and configured in a single operator mode. To do this, the following operating system services must be disabled:
  • Fast user switching
  • Terminal services
  • Remote registry service
  • Secondary logon service
  • Telnet service
  • Remote desktop and Remote assistance services

Creating the FIPS enable script

The following needs to be saved to a text file with the extension ".reg" and then merged into the registry as a requirement for installing the module in a FIPS-compliant mode of operation:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier]
"FipsMode"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\1]
"Path"="c:\\windows\\system32\\drivers\\SafeBoot.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\2]
"Path"="c:\\windows\\system32\\drivers\\SbAlg.sys"
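As an added check, not taken from the McAfee guide: a PowerShell audit script that reads the registry values the FIPS procedure above sets and reports any prerequisite that is not met on the client. The registry paths and driver file names come from the .reg script; the Windows service names and the policy values used for fast user switching, remote desktop and remote assistance are assumptions about how the guide's list items map to Windows settings.

```powershell
# Added audit script, not part of the McAfee guide. It checks a client against
# the FIPS-mode prerequisites listed above and prints any that are not met.
# Service names and the fast-user-switching / remote-desktop / remote-assistance
# policy values below are assumptions about how the guide's items map to Windows.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. FipsMode must be 1 and the Verifier\1 and \2 paths must match the .reg script.
$verifier = 'HKLM:\SYSTEM\CurrentControlSet\Services\RsvLock\Verifier'
$fips = (Get-ItemProperty -Path $verifier).FipsMode
if ($fips -ne 1) { $findings.Add("FipsMode is '$fips', expected 1") }
$expectedDrivers = @{
    '1' = 'c:\windows\system32\drivers\SafeBoot.sys'
    '2' = 'c:\windows\system32\drivers\SbAlg.sys'
}
foreach ($n in $expectedDrivers.Keys) {
    $want = $expectedDrivers[$n]
    $have = (Get-ItemProperty -Path "$verifier\$n").Path
    if ($have -ne $want) { $findings.Add("Verifier\$n Path is '$have', expected '$want'") }
    if (-not (Test-Path -Path $want)) { $findings.Add("Driver file not found: $want") }
}

# 2. Services the guide requires to be disabled (service names are assumed).
$services = @{
    'TermService'    = 'Terminal services / Remote desktop'
    'RemoteRegistry' = 'Remote registry service'
    'seclogon'       = 'Secondary logon service'
    'TlntSvr'        = 'Telnet service'
}
foreach ($name in $services.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -and $svc.StartMode -ne 'Disabled') {
        $findings.Add("$($services[$name]) ($name) is $($svc.StartMode), expected Disabled")
    }
}

# 3. Fast user switching, remote desktop and remote assistance are policies rather
#    than services; the registry values below are assumed, not taken from the guide.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.HideFastUserSwitching -ne 1) { $findings.Add('Fast user switching is not disabled') }
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -ne 1) { $findings.Add('Remote desktop connections are not denied') }
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
if ($ra.fAllowToGetHelp -ne 0) { $findings.Add('Remote assistance is not disabled') }

if ($findings.Count -eq 0) { 'All FIPS-mode prerequisites satisfied' } else { $findings }
```

Run it from an elevated PowerShell prompt on the client after merging the .reg file; an empty findings list means the registry and service state match what the procedure requires, and it does not check the Encrypt Entire Device setting, which must still be confirmed in the product's own configuration.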