
McAfee Endpoint Encryption Manager 5.2.10

Administration Guide

COPYRIGHT

Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

McAfee Endpoint Encryption Manager 5.2.10

Contents

Introduction ... 7
    What is McAfee Endpoint Encryption for PC ... 7
    Design philosophy ... 8
    How McAfee Endpoint Encryption solution works ... 8
    The Endpoint Encryption components ... 9
    About this guide ... 12
    Conventions ... 12
    Finding product documentation ... 13
    Requirements ... 13

Installing Endpoint Encryption Manager ... 14
    Install Endpoint Encryption Manager ... 14
    Upgrade Endpoint Encryption Manager ... 14

Endpoint Encryption Manager interface ... 16
    Administration level ... 16
    Starting McAfee Endpoint Encryption Manager ... 17
    Groups of users, systems, and other objects ... 17
    Finding orphaned objects using Group Scan ... 18
    Audit trails ... 18

The Endpoint Encryption Object Directory ... 19
    The Object Directory structure ... 19
    Object locking ... 20

User management ... 21
    Creating and configuring users ... 21
    User administration functions ... 22
    User configuration options ... 23
    Setting user administrative privileges ... 33

Tokens ... 36
    Hardware device support ... 36
    Endpoint Encryption application support ... 36
    Assigning the token to the user and create it ... 36


    Install and configure Upek fingerprint reader ... 37

File Groups and Management ... 38
    Endpoint Encryption file groups ... 38
    Setting file group functions ... 40
    Importing new files ... 40
    Exporting files ... 40
    Deleting files ... 40
    Setting file properties ... 40

Auditing ... 43
    Common audit events ... 43

Managing Object Directories ... 47
    Managing connections ... 47
    Adding a new directory connection ... 48

Endpoint Encryption Server ... 49
    Installing the Endpoint Encryption Server program ... 49
    Creating a new server ... 50
    Server configuration ... 51
    Using server/client authentication ... 51
    Service accounts parameters ... 52

Keys ... 54
    Key administration functions ... 54
    Key configuration options ... 55
    Users ... 56

Policies ... 57
    Add a policy ... 57
    Managing policies ... 58
    Assign a policy object to a user ... 58
    Assign a policy object to a system ... 59

Endpoint Encryption connector manager ... 60
    Connector manager tools ... 60
    Adding and removing connector instances ... 61

NT Connector (NTCon) ... 62
    Summary of connected attributes ... 62
    General options ... 63
    Group mappings ... 64
    User information ... 64


LDAP Connector (LDAPCon) ... 65
    Summary of connected attributes ... 65
    General options ... 66
    Group mappings ... 68
    User mapping ... 69
    User attributes ... 69
    Excluded users ... 70
    Using binary data attributes ... 70
    LDAP browser from Softerra ... 71

Active Directory Connector (ADCon) ... 73
    Summary of connected attributes ... 73
    General options ... 74
    Group mappings ... 77
    User mapping ... 77
    User attributes ... 78
    Excluded users ... 79
    Using binary data attributes ... 79
    LDAP browser from Softerra ... 79

Endpoint Encryption webHelpdesk server ... 81
    About Endpoint Encryption HTTP server ... 81
    webRecovery ... 82
    Remote password change ... 83
    Prerequisites ... 83
    Password expiration warning ... 84

Activating Endpoint Encryption webHelpdesk ... 85
    Install an SSL Certificate ... 85
    Configuring the webHelpdesk server ... 86
    Configuring webRecovery ... 87

Recovering users using webHelpdesk ... 89
    With Challenge-Response ... 89
    Recovering users by directly changing their password ... 91
    User self recovery: webRecovery ... 91
    Registering for webRecovery ... 92
    Recovery using webRecovery ... 94

License management ... 96
    License information ... 96


Common criteria EAL4 mode operation ... 98
    Administrator guidance ... 98
    User guidance ... 99

Tuning the Object Directory (The Name Index) ... 100
    About name indexing ... 100
    Enabling and configuring name indexing ... 100
    Enabling directory compression ... 101

Endpoint Encryption configuration files ... 103
    sbnewdb.ini ... 103

Endpoint Encryption Manager program and driver files ... 109
    Exe file ... 109
    DLL file ... 109
    SYS file ... 109

Error messages ... 111
    Module codes ... 111
    5501 Web Server page errors ... 112
    5502 Web Server user web recovery ... 113
    5C00 communications protocol ... 113
    5C02 communications cryptographic ... 114
    A100 algorithm errors ... 114
    C100 scripting errors ... 114
    DB00 database errors ... 115
    DB01 database objects ... 116
    DB02 database attributes ... 117
    E000 Endpoint Encryption general ... 117
    E001 tokens ... 117
    E012 licenses ... 118
    E013 installer ... 119
    E014 hashes ... 119
    E016 administration center ... 120
    92h error ... 120

Technical specifications and options ... 121
    Encryption algorithms ... 121
    Language support ... 122
    System requirements ... 122


Introduction
McAfee Endpoint Encryption features a new dimension in IT security incorporating many new enterprise-level options, including automated upgrades, file deployment, flexible grouping of users, and centralized user management. In addition, users' credentials can be imported and synchronized with other deployment systems.

Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD worth of lost data. Is your data safely stored? Ever thought about the risks you run for your company and your clients? The Endpoint Encryption product range was developed with the understanding that often the data stored on a computer is much more valuable than the hardware itself.

Contents
What is McAfee Endpoint Encryption for PC
Design philosophy
How McAfee Endpoint Encryption solution works
The Endpoint Encryption components
About this guide
Conventions
Finding product documentation
Requirements

What is McAfee Endpoint Encryption for PC


To ensure data protection in today's dynamic IT environment, we need to protect what matters most: the data.

McAfee Endpoint Encryption for PC is a strong cryptographic facility for denying unauthorized access to data stored on any system or disk when it is not in use. It prevents the loss of sensitive data, especially from lost or stolen equipment. It protects the data with strong access control using Pre-Boot Authentication and a powerful encryption engine.

To log on to a system, the user must first authenticate through the Pre-Boot environment. On a successful authentication, the client system's operating system loads and gives access to normal system operation. McAfee Endpoint Encryption for PC is completely transparent to the user and has little impact on the performance of the computer.

McAfee Endpoint Encryption for PC is the encryption software installed on client systems. It is deployed and managed through the Endpoint Encryption Manager using policies. A policy is a set of rules that determine how encryption functions on the user's computer.


Design philosophy
The Endpoint Encryption product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a Smart Card, Fingerprint or USB Key. McAfee also has optional File and Media encryption programs (VDisk, File Encryptor and Endpoint Encryption for Files and Folders), as well as hardware VPN solutions, further enhancing the security offered.

Endpoint Encryption supports the following operating systems:
Microsoft Windows 2000 Professional
Microsoft Windows XP Professional (32-bit only)
Microsoft Vista 32-bit and 64-bit (all versions)
Microsoft Windows Server 2003 and 2008
Microsoft Windows 7

All Endpoint Encryption products are centrally managed through a single system, which supports scalable implementations and rich administrator control of policies.

How McAfee Endpoint Encryption solution works


McAfee Endpoint Encryption for PC protects the data on a system by taking control of the hard disk from the operating system. The Endpoint Encryption driver encrypts all data written to the disk; it also decrypts the data read off the disk.

The client software is installed on the client system. After the installation, the system synchronizes with EEM and acquires the user data, token data, and Pre-Boot graphics. When this is complete, the user authenticates and logs on through the Pre-Boot environment, the operating system loads, and the user works on the system as normal.

On PDAs such as Pocket Windows and PalmOS, Endpoint Encryption installs applications and drivers to provide authentication and encryption services. Endpoint Encryption can protect memory cards and internal databases (such as e-mail and contact lists), and provide secure, manageable authentication services.

Management

Every time an Endpoint Encryption-protected system starts, and optionally every time the user initiates a dial-up connection or after a set period of time, Endpoint Encryption tries to contact its Object Directory. This is a central store of configuration information for both systems and users, and is managed by Endpoint Encryption Administrators. The Object Directory could be on the user's local hard disk (if the user is working completely standalone), or could be in some remote location and accessed over TCP/IP through a secure Endpoint Encryption Server (in the case of a centrally managed enterprise).

McAfee Endpoint Encryption applications query the directory for any updates to their configuration and, if needed, download and apply them. Typical updates could be a new user assigned to the system by an administrator, a change in password policy, an upgrade to the Endpoint Encryption operating system, or a new file specified by the administrator. At the same time, Endpoint Encryption uploads details such as the latest audit information, any user password changes, and security breaches to the Object Directory. In this way, transparent synchronization of the enterprise becomes possible.


Objects, entities, and attributes explained

The Endpoint Encryption database stores information about users, systems, servers, PDAs, etc. in collections called objects. From an internal point of view, it does not matter to Endpoint Encryption what an object represents; only the information in it matters. So an object representing a user, say John Smith, and an object representing a system, for example John's Laptop, both contain information about encryption keys, account status and administration level.

Within the object are collections of configuration data called attributes; again, the same type of attribute may exist across many object types. To take our previous example of John and his laptop, the details of the encryption keys, user status and administration level would all be stored as separate attributes.

Entities are applications within the Endpoint Encryption system. Because of the generality of the object design, all Endpoint Encryption applications also have some generality about them: for instance, the entity representing the Endpoint Encryption client and the entity representing the Endpoint Encryption Server both authenticate to the Object Directory in the same way as an object, which could be a system or a user; which it is does not matter. This generality is mainly hidden from users and administrators, but because of this core design, you will find that many Endpoint Encryption related functions and tasks are common between users, systems and entities.

The Endpoint Encryption components


Endpoint Encryption Manager (EEM)

The most important component of the Endpoint Encryption enterprise is the Endpoint Encryption Manager, the administrator interface. This utility allows privileged users to manage the enterprise from any workstation that can establish a TCP/IP link or file link to the Object Directory.

Figure 1: Endpoint Encryption Manager

Typical procedures that the Endpoint Encryption Administrator handles are:


Adding users to systems
Configuring Endpoint Encryption protected systems
Creating and configuring users
Revoking users' logon privileges
Updating file information on remote systems
Recovering users who have forgotten their passwords
Creating logon tokens such as smart cards for users.

Endpoint Encryption Server

The Endpoint Encryption Server facilitates connections between the client and Endpoint Encryption Manager, and the central Object Directory, over an IP connection. The server performs authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that snooping the connection cannot result in any secure key information being disclosed.

The server exposes the Object Directory through fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet/Intranet, allowing clients to connect wherever they are. As all communications between the server and client are encrypted and authenticated, there is no security risk in exposing it in this way.

There is a unique PDA Server which provides similar services to PDAs such as Microsoft Pocket Windows and PalmOS devices.

Endpoint Encryption Object Directory

The Endpoint Encryption Object Directory is the central configuration store for EEPC and is used as a repository of information for all the Endpoint Encryption entities. The default directory uses the operating system's file system driver to provide a high-performance, scalable system which mirrors an X.500 design. Alternative stores such as LDAP are possible; contact your Endpoint Encryption representative for details. The standard store has a capacity of over 4 billion users and machines.

Typical information stored in the Object Directory includes:
User Configuration information
Machine Configuration information
Client and administration file lists
Encryption key and recovery information
Audit trails
Secure Server Key information.


Endpoint Encryption for PC Client

The Endpoint Encryption for PC client software is largely invisible to the end user. The only visible part is the Endpoint Encryption icon in the user's tool tray.

Figure 2: Endpoint Encryption client

Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator has set this option). Right-clicking on the monitor icon allows them to perform a manual synchronization with their Object Directory, or monitor the progress of any active synchronization. Normally the Endpoint Encryption client attempts to connect to its home server or directory each time the system restarts or establishes a new dial-up connection. During this process, any configuration changes made by the Endpoint Encryption administrator are collected and implemented by the Endpoint Encryption client. In addition, information such as the latest audit logs is uploaded to the directory.

Endpoint Encryption PDA server

The Endpoint Encryption PDA Server facilitates connections between entities such as the Endpoint Encryption client, the Management Center and the central Object Directory over an IP connection (rather than the file-based "local" connection). The server authenticates the entity using DSA signatures, and encrypts the link using a Diffie-Hellman key exchange and bulk-algorithm line encryption. This ensures that snooping the connection cannot disclose any secure key information.

NOTE: The default port for the PDA Server is 5557.

The server exposes the Object Directory through fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet or Intranet, allowing clients to connect wherever they are. As all communications between the server and client are encrypted and authenticated, there is no security risk in exposing it in this way.

Endpoint Encryption file encryptor

By right-clicking on a file, users can elect to encrypt it using various keys. Files can be encrypted with other Endpoint Encryption users' keys and/or passwords. Once protected in this way, the file can be sent elsewhere, for example through e-mail or on a floppy disk, without the risk of disclosure. When the file needs to be used, the user simply double-clicks it; a password or logon prompt is presented for authentication and, if the credentials are correct, the file is decrypted. The File Encryptor also has an option to create an RSA key pair for recovery: if the password to a file is lost, the file can still be recovered using the correct recovery key.

Endpoint Encryption Connector Manager

Endpoint Encryption's Object Directory keeps track of security information. It is designed so that synchronization of details between Endpoint Encryption and other systems is possible. The Connector Manager is a customizable module which enables data from systems such as X500 directories (commonly used in PKI infrastructures) to propagate to the Endpoint Encryption Object Directory. Using this mechanism, it is possible to replicate details such as a user's account status between Endpoint Encryption for PC and other directories. Current connector options include LDAP, Active Directory, and an NT Domain Connector. For information on these components, contact your Endpoint Encryption representative, or see the Endpoint Encryption Manager Administration Guide.

About this guide


This document helps corporate security administrators to implement and deploy the Endpoint Encryption Manager. Although this guide is complete in terms of setting up and managing Endpoint Encryption systems, it does not attempt to teach the topic of Enterprise Security as a whole. Refer to the Administration Guides for individual Endpoint Encryption products, such as Endpoint Encryption for PC, for specific information.

Target audience

This guide is designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, is required.

Conventions
This guide uses the following typographical conventions.

Book title or Emphasis   Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold                     Text that is strongly emphasized.
User input or Path       Commands and other text that the user types; the path of a folder or program.
Code                     A code sample.
User interface           Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue           A live link to a topic or to a website.
Note                     Additional information, like an alternate method of accessing an option.
Tip                      Suggestions and recommendations.
Important/Caution        Valuable advice to protect your computer system, software installation, network, business, or data.
Warning                  Critical advice to prevent bodily harm when using a hardware product.


Finding product documentation


McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

To access...          Do this...
User documentation    1 Click Product Documentation.
                      2 Select a Product, then select a Version.
                      3 Select a product document.
KnowledgeBase         Click Search the KnowledgeBase for answers to your product questions.
                      Click Browse the KnowledgeBase for articles listed by product and version.

Requirements
System requirements
Systems                        Requirements
Endpoint Encryption Manager    CPU: Pentium III 1 GHz or higher.
                               RAM: 512 MB minimum (1 GB recommended).
                               Hard Disk: 200 MB minimum free disk space.

Operating system requirements


Systems                        Software
Endpoint Encryption Manager    Microsoft Windows 7 32-bit and 64-bit
                               Microsoft Windows 2000 Professional
                               Microsoft Windows XP Professional (32-bit only)
                               Microsoft Vista 32-bit and 64-bit (all versions)
                               Microsoft Windows Server 2003 and 2008


Installing Endpoint Encryption Manager


McAfee Endpoint Encryption Manager is the administration tool for managing all Endpoint Encryption applications.

NOTE: If you are unfamiliar with Endpoint Encryption, you should follow the Endpoint Encryption for PC Quick Start Guide, which describes setting up an Endpoint Encryption enterprise. Please read the Quick Start Guide before tackling any of the topics in this guide. You will find it in your Endpoint Encryption box or on your Endpoint Encryption CD.

Contents
Install Endpoint Encryption Manager
Upgrade Endpoint Encryption Manager

Install Endpoint Encryption Manager


Install Endpoint Encryption Manager by running the appropriate setup.exe from the Endpoint Encryption CD or download.

Before you begin
You should run this first on the system that will be the master or administrator's system.

Task
1 Run the appropriate setup.exe from the Endpoint Encryption CD or download.
2 Follow the on-screen prompts and select a language, a smart card reader, and an encryption algorithm. The McAfee Endpoint Encryption Manager software is now installed on your system.

Restart your system. The Endpoint Encryption Management suite adds the required items to your system Start menu: Endpoint Encryption Manager, which starts the management console, and the Database Server, which starts the communication server and provides encrypted links between clients and the configuration. Run the Endpoint Encryption Manager program. A wizard walks you through the creation of a new Endpoint Encryption directory.

NOTE: If you have an existing Object Directory in your network, you can connect to it by cancelling the wizard and manually configuring a connection. For information on this procedure, see Managing Object Directories.

Upgrade Endpoint Encryption Manager


Use this task to upgrade Endpoint Encryption Manager to the latest version of the software.


Before you begin
Make sure you install this package on a system where the Endpoint Encryption Manager database is already present.

Task
For option definitions, click ? in the interface.
1 Download the Endpoint Encryption Manager software from the McAfee download site.
2 Run the setup file and complete the upgrade. See Install Endpoint Encryption Manager for the installation procedures.

NOTE: See the Endpoint Encryption Update and Migration Guide (contained in the download) for more details.


Endpoint Encryption Manager interface


McAfee Endpoint Encryption Manager allows certain classifications of user to manage and interact with the backend Object Directory. Users and systems can perform certain tasks and change certain details within the directory, depending upon their assigned Administration Privilege and administrative rights.

Contents
Administration level
Starting McAfee Endpoint Encryption Manager
Groups of users, systems, and other objects
Finding orphaned objects using Group Scan
Audit trails

Administration level
Each object in the directory has an administration privilege in the range 1 (lowest) to 32 (root administrator). No object except the root administrator can change the attributes of an object at its own privilege level or above, although some attributes can be read regardless. This mechanism stops low-privilege users from changing their own configuration, and protects high-level administrators from the activities of lower levels. The recommended assigned privileges are:

User Classification     Administration Level
Root Administrator      32
Other Administrators    10
Normal Users            1
Normal Machines         1

NOTE: As there are no objects with a privilege above 32, all level 32 objects are treated equally and without restraint (except delete rights). This means that any top-level admin can edit the properties of any other top-level admin. However, a level 32 administrator with limited admin functions cannot add those restricted functions to another level 32 administrator. For this reason, it is recommended that general Endpoint Encryption administrators use accounts with a privilege below 32, and that the master (or root) administrator account is used only in extreme circumstances.

In addition to this rule, extra restrictions on which administration processes an individual may use can be set when they are created; for instance, the ability to add users may be blocked, as may the ability to create install sets. This gives the ability to create high-privilege users with no admin abilities; these users cannot be administered or recovered by lower-privilege users, although the lower-level users may have access to the administration functions.
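To make the privilege rules above concrete, here is an added Python model of the checks. It is example code written for this guide, not McAfee's implementation: the object names, the function names (allow_administration, add_users, create_install_sets) and the decisions marked as assumptions in the comments are constructed, and only the 1 to 32 range, the "at or above own level" rule, the level 32 special case, the hidden-field rule and the reflection of a creator's rights onto a new user come from the page.

```python
from dataclasses import dataclass

ROOT_LEVEL = 32     # root administrator
MIN_LEVEL = 1       # normal users and machines


@dataclass(frozen=True)
class DirectoryObject:
    """A user, machine or other directory object with its administration privilege.

    'functions' is a constructed stand-in for the administration-functions box,
    e.g. {"allow_administration", "add_users", "create_install_sets", "view_audit"}.
    """
    name: str
    level: int
    functions: frozenset = frozenset()

    def __post_init__(self):
        if not MIN_LEVEL <= self.level <= ROOT_LEVEL:
            raise ValueError(f"privilege must be {MIN_LEVEL}..{ROOT_LEVEL}, got {self.level}")


def can_modify(actor: DirectoryObject, target: DirectoryObject) -> bool:
    """Changing attributes needs a strictly higher level; level 32 objects are all equal and unrestricted."""
    if actor.level == ROOT_LEVEL:
        return True
    return target.level < actor.level


def can_delete(actor: DirectoryObject, target: DirectoryObject) -> bool:
    """Assumption: the page's 'except delete rights' exception is read as 'even a level 32
    administrator cannot delete a level 32 peer', so deletion always needs a strictly lower target."""
    return target.level < actor.level


def can_view_attribute(actor: DirectoryObject, target: DirectoryObject, hidden_from_user: bool) -> bool:
    """Fields marked 'hidden from user' are visible only to root or to an admin above the target's level."""
    if not hidden_from_user:
        return True
    return actor.level == ROOT_LEVEL or actor.level > target.level


def can_grant_function(actor: DirectoryObject, target: DirectoryObject, function: str) -> bool:
    """An administrator may only hand out functions they hold themselves.

    The page states this for level 32 peers and says a creator's rights are reflected
    to a new user; applying it at every level is an assumption.
    """
    return can_modify(actor, target) and function in actor.functions


def can_start_manager(actor: DirectoryObject) -> bool:
    """Users/Allow Administration gates starting Endpoint Encryption Manager or Connector Manager."""
    return "allow_administration" in actor.functions


def create_user(creator: DirectoryObject, name: str, level: int = MIN_LEVEL) -> DirectoryObject:
    """New users are created at level 1 by default and inherit the creator's administration rights.

    Assumption: a non-root creator cannot create an object at or above its own level,
    mirroring the rule for modifying attributes.
    """
    if creator.level != ROOT_LEVEL and level >= creator.level:
        raise PermissionError("cannot create an object at or above your own level")
    return DirectoryObject(name, level, creator.functions)
```

The checks are deliberately separated so that scope (level comparison) and capability (administration functions) can be reasoned about independently, which is exactly the distinction the NOTE above draws for level 32 administrators with limited functions.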

Starting McAfee Endpoint Encryption Manager


McAfee Endpoint Encryption Manager communicates with the Object Directory and requests a user authentication on start-up, which it uses to connect to an Object Directory. Users and administrators authenticate using their Endpoint Encryption credentials, so if they usually use a smart card to log on to Endpoint Encryption, they will need the same card to access Endpoint Encryption Manager.

NOTE: For details on setting up connections to directories, see Managing Object Directories.

There is no real limit to the number of concurrent Endpoint Encryption sessions that can be connected to each directory, either directly or via an Endpoint Encryption Server. If two administrators update an object's configuration at the same time, the last one to click Save overrides all others. The limiting factor is the hardware supplying access to the directory, i.e. the network and server speed.

Groups of users, systems, and other objects


Within the Endpoint Encryption Directory, objects are grouped in order to simplify configuration. For example, in a large corporation with many departments, the Endpoint Encryption administrator may choose to create groups of systems based on their physical location, for instance Sales and Helpdesk. The configuration of these two groups would be similar, but not identical; for instance, the Sales group of PCs may not synchronize with the Object Directory so often, and the Helpdesk PCs would not be receiving some sales-related database information. To facilitate configuration at group level, two types of group can be created:

Controlled groups

Members of configuration-controlled groups cannot have their core configuration altered on a member-by-member basis (non-core items include the system description, for instance). All changes have to be made at group level, and immediately affect all members of the group. When an object is moved into a controlled group, it immediately loses its individuality and inherits the group's properties. Controlled groups are used where it is not necessary to have many individual objects with their own configurations; for example, an administrator may choose to enforce a strict security policy which must be adhered to. In this situation, there is no scope for objects to have individual configurations. Another use is where a collection of systems needs to have their configurations synchronized as one. For example, if there was a controlled group of 200 systems with the property Endpoint Encryption enabled set to false, and the option was enabled at group level, this change would affect each system in the group. Each system would automatically enable Endpoint Encryption the next time it synchronizes with the directory.


Free groups

Free groups have no master control; objects inherit the properties of the group when they are created, but this configuration is stored individually for the object and can be altered at any time. Existing objects moved into a free group do not inherit any group properties; they simply retain their own configurations. Changing the group configuration only affects new objects created within the group; it does not affect existing objects.

One group for each object type is defined as the default. Unless otherwise specified, this is the group under which new objects (systems, users, etc.) appear and from which they inherit their initial attributes. This group may or may not be configuration controlled, and is displayed in bold type in the object tree. To set the default group, select it and use the right-click menu option Set as Default Group.

Finding objects

You can search the object trees either by typing into the Find box on the toolbar of Endpoint Encryption Manager, or by using the Filter or Find by ID options from the Objects menu.

Finding orphaned objects using Group Scan


The Group Scan feature within the Groups drop-down menu allows you to scan through any group and identify missing objects, for example systems, users, etc.

Before you begin
Make sure that you have the appropriate permissions to perform this task.

Task
1 Select a group from the Users, System, Policies, or Devices tabs.
2 Click the Groups option from the menu bar.
3 Click Group Scan.
4 Select a group from the drop-down list.
5 Click OK. This begins a search across the selected group for orphaned objects. The report output appears in the bottom right pane.

Audit trails
Endpoint Encryption audits most types of object. To view the current audit, select the object in question and use the right-click menu option View Audit. Audit trails can be exported as comma-delimited files for use in other applications. Whether a user is able to view another user's audit is a function of their relative administration level and their View Audit administration right. It is recommended that not all users are given this permission.


The Endpoint Encryption Object Directory


Endpoint Encryption stores all its configuration and security information in a central, generic data store referred to as the Object Directory. This store resembles a tree-based, modular, object-structured directory, similar in design to an X500 directory. The Endpoint Encryption Configuration Manager on the protected system periodically checks this store via a connection manager (the Directory Manager) to see if there are any changes to apply, and delivers any updates necessary in return. The directory stores the configuration information for users, systems, etc. in logical Objects containing data blocks ("attributes").

Contents
The Object Directory structure
Object locking

The Object Directory structure


The Object Directory manages three levels of information: object types, actual Objects, and attributes. This can be viewed as analogous to a file and directory system. The top level has the various object classifications: user, group, and system. Below this level are the individual Objects; for example, in the case of the user tree, there would be Objects containing the attributes for users. For each object there are many attributes, for example account status, private key, and password.

NOTE: Supported accessible Objects are Users, Systems, Servers, Files, Directories, and Groups.

Endpoint Encryption makes no distinction between the different types of object at the management and access level. Only the Attributes stored within them differ. This independence greatly increases the speed at which the object store can work. There is no requirement for any particular type of directory, as long as the directory engine can support the minimum layout. All data sources are viable, for example ODBC, Access, LDAP, DAP, X500, etc. Endpoint Encryption ships with two directory drivers: a high-performance file system based driver for large corporate users, and a small single-file transport directory driver designed for single use and disconnected deployment. For information on porting Endpoint Encryption's backend directory to an alternate system, please contact your McAfee Services representative.

A simple pictorial layout of the directory structure could be explained thus:

Root Directory
      |
Users-------Machines-------Groups-------Servers--------Files     (Object Classes)
      |
User.0-----User.1-----User.2-----User.3----- User.n              (User level)
      |
Attrib.0----Attrib.1-----Attrib.2------Attrib.n                  (Attributes containing Configuration information)

This structure mirrors an X500 directory, and allows fast access to attributes and modification (adding new attributes, new object classes, etc.) without significant effort.


Object locking
To prevent problems where two or more processes try to access the same data simultaneously, only one process can have write permission to an Object at any time. Normally an object such as a user is only locked during the actual write process; if there is a conflict in locks, one process waits for the other to release. This usually takes only a few seconds. In the standard file-managed directory, object locking is provided by the operating system itself.
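As an added illustration of the three-level layout (object class, Object, attributes) and of the per-object write lock described above, and of the "last one to click Save overrides all others" behaviour noted under Starting McAfee Endpoint Encryption Manager, here is a small in-memory directory in Python. It is example code written for this guide, not the product's directory driver; every class, method name and sample attribute in it is constructed.

```python
import threading
import time

# Object classes from the page's pictorial layout.
OBJECT_CLASSES = ("Users", "Machines", "Groups", "Servers", "Files")


class ObjectDirectory:
    """Constructed three-level store: class -> object id -> {attribute: value}, with a write lock per object."""

    def __init__(self):
        self._objects = {cls: {} for cls in OBJECT_CLASSES}
        self._next_id = {cls: 0 for cls in OBJECT_CLASSES}   # User.0, User.1, ... numbering
        self._write_locks = {}                                # (class, id) -> threading.Lock
        self._active_writers = {}                             # (class, id) -> writers inside the critical section
        self._meta = threading.Lock()                         # guards the bookkeeping above
        self.max_concurrent_writers = 0                       # instrumentation: must never exceed 1

    def create(self, cls, **attributes):
        """Add an object of the given class; raises KeyError for an unknown class."""
        with self._meta:
            oid = self._next_id[cls]
            self._next_id[cls] += 1
            self._objects[cls][oid] = dict(attributes)
            self._write_locks[(cls, oid)] = threading.Lock()
            self._active_writers[(cls, oid)] = 0
        return oid

    def read(self, cls, oid, attribute):
        """Reads are not locked; only writes are serialized, as the page describes."""
        return self._objects[cls][oid][attribute]

    def attributes(self, cls, oid):
        return dict(self._objects[cls][oid])

    def write(self, cls, oid, attribute, value, hold_seconds=0.0):
        """Set one attribute; a second writer for the same object blocks until the first releases."""
        key = (cls, oid)
        with self._write_locks[key]:
            with self._meta:
                self._active_writers[key] += 1
                self.max_concurrent_writers = max(self.max_concurrent_writers, self._active_writers[key])
            try:
                time.sleep(hold_seconds)                      # simulate a slow write so the overlap is real
                self._objects[cls][oid][attribute] = value    # last writer to get the lock wins
            finally:
                with self._meta:
                    self._active_writers[key] -= 1


def demo_concurrent_writes():
    """Two administrators save the same user's description at once; returns what the directory observed."""
    d = ObjectDirectory()
    uid = d.create("Users", logon_id="jsmith", account_status="enabled")   # constructed sample object

    def writer(tag):
        d.write("Users", uid, "description", tag, hold_seconds=0.05)

    threads = [threading.Thread(target=writer, args=(t,)) for t in ("thread-A", "thread-B")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "max_concurrent_writers": d.max_concurrent_writers,
        "final": d.read("Users", uid, "description"),
        "object": d.attributes("Users", uid),
    }


if __name__ == "__main__":
    print(demo_concurrent_writes())
```

The instrumentation counter shows the locking property (never more than one writer inside an object's critical section), while the final value of description shows that serialization alone does not merge concurrent edits: whichever Save acquires the lock last is the one that persists.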


User management
New users can be created in Endpoint Encryption Manager by selecting the group they need to be in, and using the menu option Create User. You can also create users automatically using a connector to another directory, such as Active Directory, or an automated script. Please see the Endpoint Encryption Connector Manager chapter, or the Endpoint Encryption Scripting Tool User's Guide.

Contents
Creating and configuring users
User administration functions
User configuration options
Setting user administrative privileges

Creating and configuring users


The new user's logon ID and recovery information about them can be entered. The user's password or token is inherited from the group, and can be set or generated at this point.

Figure 3: Creating new users

The fields of information are used to identify the user in case of a helpdesk issue, such as the user forgetting their password. The helpdesk and user can see the majority of these fields, but some may be defined as "hidden from user"; in this example, the field Group Access is one of those. Hidden fields can only be seen by administrators with a higher privilege than the user, or by the root administrator. This gives the helpdesk operator the ability to ask the user a question to validate their identity. For more information on recovery, see the Recovery chapters of your product administrator's guide.

Once created, the user assumes the configuration of the group they were created in. If this group is "controlled", then only a few options are available to be configured on a user-by-user basis. If the group is "Free" then, although the user assumes the properties of the group on creation, the parameters can then be set individually afterwards.

User administration functions


The following administration functions can be set for users, or groups of users.

Create Token
Creates a new token for the selected user. This could be a soft (password) token, or a hard token such as a smart card or eToken.
NOTE: In the case of hard tokens, creating the token does not necessarily set the user to actually use that token. This must be accomplished separately from the user's Token properties page.

Reset Token
Resets the token authentication to the default. In the case of the soft (password) token, resets the password to 12345.
NOTE: Some hard tokens may not be able to be reset using Endpoint Encryption, for example Datakey Smart Cards. In this case, contact the manufacturer of your token to determine the correct re-use procedure.

Set SSO Details
Sets the Single Sign-On details for the user. For more information on SSO, see the Endpoint Encryption for PC Administration Guide.

Force Password Change at Next Logon
Forces the user to change their password at their next logon. This policy option applies to both the Endpoint Encryption Manager and all compatible applications, such as Endpoint Encryption for PC.

View Audit
Displays the audit for the user.

Reset (All) to Group Configuration
Resets the configuration of the user, or of all the users in the group, to the group's configuration.

Create Copy
Creates a new object based on the selected object.

Properties
Displays the properties of the selected object.

User configuration options


The following configuration options can be set for users, or groups of users.

General

The General page enables you to display the User ID, manage auto-boot, manage the user accounts, and manage other General options.

Figure 4: User options - General

Table 1: General Options

Settings: General Options

User ID
The user ID of a given user is the system-wide identifier that Endpoint Encryption uses internally to keep track of the user. This number is unique within the Object Directory and is displayed for technical support purposes. The user's recovery screens also show this number.

Auto-boot users
Special user IDs containing the tag $autoboot$ with a password of 12345 (or one set by administrators) can be used to auto-boot an Endpoint Encryption for PC protected machine. This option is useful if an auto-boot of a machine is needed, for example when updating software using a distribution package such as SMS or Zenworks. This ID should be used with caution, though, as it effectively bypasses the security of Endpoint Encryption. You can find out more about the $autoboot$ user in the Endpoint Encryption for PC Administration Guide.

Enabled
Shows whether the user account is enabled or not. The enabled status is always user selectable. Once a system has synchronized, it checks the user account list to ensure that the currently logged-on user is still valid (because they logged on at boot time, before the network and Object Directory were available). Users with disabled accounts (or users who have been removed from the user list) will find that the screen saver activates and they are unable to log in.
NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop the user from accessing the machine), you can use the force sync option of the machine's right-click menu to force an update. For more information see the Endpoint Encryption for PC Administration Guide.

Valid From/Until
Sets the period during which this account is valid. Once the period has passed, the user will no longer be able to log on. If the user is logged on while the account expires, the user will not be automatically logged off the system (but if they reboot, or the screen saver activates, they will not be able to log on again). Both Valid From and Valid Until settings can be made. This enables the administrator to set up accounts that self-activate sometime in the future and/or expire at some fixed point (for example, for contracted employees with a fixed-term contract starting and expiring on a given day).

Change Picture
Allows the administrator to set a picture for the user. The picture helps the helpdesk in the identification of a user when doing a challenge and response password reset. The imported picture can be any size of bitmap image.

User Defined Labels (Information Fields)
When a user is created, several fields of information may be set to help the helpdesk identify the user during the recovery process. For a full description of the use of these fields see Creating Users, and Recovering Users and Machines.


Password parameters

Figure 5: User configuration - Password parameters

Table 2: Password parameters

Settings: Password change

Force Change if 12345
Ticking this option prevents users from continuing to use the Endpoint Encryption default password of 12345. If this password is ever used, for instance after recovering a user, it must be changed before Endpoint Encryption allows the operating system to boot. The force password change mechanism is also supported in the Windows screen saver.

Prevent Change
Disables the Change Password option on the Endpoint Encryption boot screen and on the directory logon screen.

Enable Password History
Endpoint Encryption records previous passwords, and stops the user repeating old passwords when they are forced to change them. The maximum number of previous passwords that can be saved is limited by the user's token: typically a password token can remember 19 previous passwords, whereas a smart card token only 10. Passwords are added to the history list when the user sets them, so the default password (12345) may be used once again, as it is not added to the history list when a user is created. Special smart card scripts can be made available which increase the maximum history count beyond 10, at the expense of the time needed to log on. For information on these scripts please contact your Endpoint Encryption representative.


Require Change After
Forces the user to change their password after a period of days.

Warn
Warns the user that their password will expire, a set number of days in advance of their password change.

Settings: Incorrect passwords

Timeout password
When logging on, the user has three attempts to present Endpoint Encryption with a correct password. If the user fails, a "lockout" period of 60 seconds commences. The user cannot log on while this period is in force, and if they reboot the PC, the period starts again. Once the period has expired, the user is allowed further logon attempts, with the lockout period doubling after each further incorrect attempt:
1st incorrect attempt: no lockout
2nd incorrect attempt: no lockout
3rd incorrect attempt: 60 seconds lockout
4th incorrect attempt: 120 seconds lockout
5th incorrect attempt: 4 min lockout
9th incorrect attempt: 64 min lockout

Invalidate password after
After a sequence of incorrect passwords, Endpoint Encryption can disable the user's account. To log on again once this has happened, the user will need to call their Endpoint Encryption helpdesk for a password reset. The number of incorrect passwords that have to be entered before this occurs is normally 10, but can be set as needed.
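The lockout schedule above follows a simple doubling rule (60 seconds multiplied by 2 to the power of n minus 3, from the third incorrect attempt onwards), and the "Invalidate password after" count sits on top of it. Here is an added Python simulation of that behaviour, written for this guide rather than taken from the product. The class and method names are constructed, and the choice that a successful logon clears the failure counter is an assumption the page does not state.

```python
from dataclasses import dataclass


def lockout_seconds(failed_attempts: int, base: int = 60, free_attempts: int = 2) -> int:
    """Lockout applied after the n-th consecutive incorrect password.

    The page's table is 0, 0, 60, 120, 240 ... seconds: nothing for the first two
    failures, then 60 s that doubles on every further failure (9th attempt = 64 min).
    """
    if failed_attempts <= free_attempts:
        return 0
    return base * 2 ** (failed_attempts - free_attempts - 1)


@dataclass
class LogonGuard:
    """Constructed model of one user's pre-boot logon state (not the product's code)."""
    base_lockout: int = 60
    free_attempts: int = 2
    invalidate_after: int = 10      # "normally 10, but can be set as needed"
    failures: int = 0               # consecutive incorrect passwords
    locked_until: float = 0.0       # absolute time at which the current lockout ends
    disabled: bool = False          # account invalidated; a helpdesk password reset is required

    def _current_lockout(self) -> int:
        return lockout_seconds(self.failures, self.base_lockout, self.free_attempts)

    def attempt(self, password_ok: bool, now: float) -> str:
        """Process one logon attempt at time 'now'; returns ok, bad_password, locked or disabled."""
        if self.disabled:
            return "disabled"
        if now < self.locked_until:
            return "locked"                   # rejected without evaluating the password
        if password_ok:
            self.failures = 0                 # assumption: a good logon clears the counter
            return "ok"
        self.failures += 1
        if self.failures >= self.invalidate_after:
            self.disabled = True              # "Invalidate password after" threshold reached
            return "disabled"
        delay = self._current_lockout()
        if delay:
            self.locked_until = now + delay
            return "locked"
        return "bad_password"

    def reboot(self, now: float) -> None:
        """Rebooting during a lockout restarts the period; it neither shortens it nor resets the count."""
        if now < self.locked_until:
            self.locked_until = now + self._current_lockout()


if __name__ == "__main__":
    for n in (1, 2, 3, 4, 5, 9):
        print(f"{n}: {lockout_seconds(n)} s")
```

Two things worth noticing when reading the simulation: an attempt made during a lockout is not counted as a further failure (it is refused outright), and the invalidation counter keeps growing across lockouts, so the doubling delays only slow an attacker down until the account is disabled at the configured threshold.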


Password Template

Figure 6: User configuration - Password template

Table 3: User configuration - Password template

Settings: Password template

Password length
Sets the expected length of the user's password between two extremes. Recommended settings are a minimum length of five characters and a maximum length of 40 characters.

Enforce Password Content
Enforcing content in passwords forces the user to pick more secure passwords, but also reduces the number of possible passwords the user can select from. Content is not case sensitive.
Alpha: a minimum number of characters from the range a-z and A-Z.
Alphanumeric: a minimum number of non-symbol characters from the range a-z, A-Z, and 0-9.
Numeric: numbers only, from the range 0-9.
Symbols: !"$%^&*()_+{}~@:><,./ :;@'~#<,>.?/`[], and other non-alpha and non-numeric characters.

Content restrictions force the user to be more particular when they change their password. Depending upon the selected options, passwords which are related will not be accepted.
No Anagrams: "wordpass" is not acceptable after a password of "password".
No Palindromes: the passwords "1234321", "asdsa", etc. are unacceptable.
No Sequences: "password2" after "password1" is unacceptable, as are passwords such as aaaaaa and 111111.
No Simple Words: allows an administrator-defined dictionary to be set containing forbidden passwords. You can create this dictionary using a Unicode text editor. Place each forbidden word on its own line in the file. Name the file TrivialPWDs.dat and place it in your client install set in the [appdir]\SBTokens\Data folder. The password "password" is excluded by default.
Can't Be User Name: prevents users from using their user name as their password.
Windows content rules: mirrors the standard Windows password content rule. For passwords to be accepted, they must contain at least 3 of the following: lower case letters, upper case letters, numbers, symbols and special characters.
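The template and content-restriction options in Table 3, together with the password history and Force Change if 12345 options from Table 2, amount to a password acceptance check. Here is an added Python validator that applies them; it is example code for this guide, not McAfee's implementation. The rule names it returns, the PasswordTemplate field names and the load_trivial_words parser are constructed, and treating a straight ascending or descending run such as abcdef as a "sequence" goes beyond the page's own examples and is an assumption.

```python
import re
from dataclasses import dataclass

DEFAULT_PASSWORD = "12345"      # Endpoint Encryption's default and post-recovery password


@dataclass
class PasswordTemplate:
    """Constructed mirror of the Table 3 settings; defaults follow the page's recommendations."""
    min_length: int = 5
    max_length: int = 40
    min_alpha: int = 0              # characters from a-z, A-Z
    min_alphanumeric: int = 0       # non-symbol characters from a-z, A-Z, 0-9
    min_numeric: int = 0            # digits 0-9
    min_symbols: int = 0            # anything that is neither alpha nor numeric
    no_anagrams: bool = False
    no_palindromes: bool = False
    no_sequences: bool = False
    no_simple_words: bool = False
    forbidden_words: frozenset = frozenset({"password"})   # TrivialPWDs.dat contents; "password" by default
    cant_be_user_name: bool = False
    windows_content_rules: bool = False
    history_size: int = 19          # a password token remembers 19 previous passwords


def load_trivial_words(text: str) -> frozenset:
    """Parse TrivialPWDs.dat-style text (one forbidden word per line, constructed format here)."""
    words = {line.strip().lower() for line in text.splitlines() if line.strip()}
    return frozenset(words | {"password"})


def _is_alpha(c: str) -> bool:
    return c.isascii() and c.isalpha()


def _is_digit(c: str) -> bool:
    return c.isascii() and c.isdigit()


def _is_run(s: str) -> bool:
    """aaaaaa / 111111 (repeated character) or, by assumption, a straight run such as abcdef or 654321."""
    codes = [ord(c) for c in s.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(s) >= 3 and steps in ({0}, {1}, {-1})


def _stem(s: str) -> str:
    """Strip a trailing number: 'password2' -> 'password', so it can be compared with 'password1'."""
    return re.sub(r"\d+$", "", s.lower())


def validate(t: PasswordTemplate, new: str, old: str = None, username: str = None, history=()) -> list:
    """Return the names of the rules the candidate breaks; an empty list means it is accepted."""
    broken = []
    low = new.lower()                                   # content checks are not case sensitive
    if not t.min_length <= len(new) <= t.max_length:
        broken.append("length")
    alpha = sum(_is_alpha(c) for c in new)
    digits = sum(_is_digit(c) for c in new)
    symbols = len(new) - alpha - digits
    if alpha < t.min_alpha:
        broken.append("alpha")
    if alpha + digits < t.min_alphanumeric:
        broken.append("alphanumeric")
    if digits < t.min_numeric:
        broken.append("numeric")
    if symbols < t.min_symbols:
        broken.append("symbols")
    old_low = old.lower() if old else None
    if t.no_anagrams and old_low and low != old_low and sorted(low) == sorted(old_low):
        broken.append("anagram")
    if t.no_palindromes and low == low[::-1]:
        broken.append("palindrome")
    if t.no_sequences and (_is_run(new) or (old_low and low != old_low and _stem(new) and _stem(new) == _stem(old))):
        broken.append("sequence")
    if t.no_simple_words and low in t.forbidden_words:
        broken.append("simple_word")
    if t.cant_be_user_name and username and low == username.lower():
        broken.append("user_name")
    if t.windows_content_rules:
        classes = sum([any(c.islower() for c in new), any(c.isupper() for c in new), digits > 0, symbols > 0])
        if classes < 3:
            broken.append("windows_rules")
    if new in history:
        broken.append("history")
    return broken


def record_password(history, new: str, size: int = 19) -> list:
    """Append an accepted password to the history; 12345 is never recorded, so it can be used once more."""
    if new == DEFAULT_PASSWORD:
        return list(history)
    return (list(history) + [new])[-size:]


def must_change_before_boot(current: str, force_change_if_default: bool = True) -> bool:
    """Force Change if 12345: the default password must be replaced before the OS is allowed to boot."""
    return force_change_if_default and current == DEFAULT_PASSWORD
```

The validator returns every broken rule rather than stopping at the first, which is what a helpdesk needs when explaining a rejection; the history list is kept separately because, as Table 2 says, its length is a property of the token rather than of the template.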

Token type
Sets the token for a given user or group of users. The list of available tokens is created from the token modules installed in the Object Directory. For information on particular token options, please see the Tokens chapter. Some tokens may be incompatible with other options; for instance, you cannot use the Floppy Disk token if the user's floppy disk access is disabled, set to read only, or set as Encrypted.

Figure 7: Token type

Assigning a token to a user does not necessarily mean they will be able to log into a machine; for example, giving a user a smart card does not mean their machine has a smart card reader, or the software needed to drive such a reader.
NOTE: When you change a user's token, Endpoint Encryption automatically brings up the token creation wizard. You need to remember to create Soft Tokens even though they're just passwords.

Recovery Key
You can reset a user's password, or change their token type, using the recovery process. This involves the user reading a small challenge of 18 characters from the machine to an administrator, then typing in a larger response from the administrator. The recovery key size defines the exact length of this code exchange. The range of options for the recovery key depends upon the maximum key size of the algorithm in use. A key size of 0 disables the user recovery system.

Allow web-based self recovery
You can prevent a password-only user from registering for web recovery by selecting this option.

Administration rights

Figure 8: Administration rights

Table 4: Administration rights

Administration level
    The administration level of a given user defines their Administration Scope. Users can only work with directory objects (machines, other users, and so on) below their own level; thus a level 2 user can only administer users of level 1. All users are created at level 1 by default, and are therefore unable to administer each other. The user who first created the directory is created at level 32, and can therefore administer any other object in the directory.

    NOTE: A special case exists for the highest level of user (root users), allowing them to administer objects at level 32.

Administration Functions
    Options in the administration functions box select what administrative options are available to a given user or group of users. When creating a new user, the administration rights of the creator are reflected to the new user. Most administration functions are self-explanatory, but the following requires more explanation:

    Users/Allow Administration controls a user's right to start administration systems such as the Endpoint Encryption Manager or Connector Manager. If this option is removed for all users, the management environment will be unavailable.


Logon hours
    Endpoint Encryption can prevent a user from accessing any machine during particular time periods. In the example shown in Figure 9, the user "John Smith" can access any machine his account has been allocated to during the hours of 9am - 5pm on any day.

Figure 9: Logon hours

    If the Force user to logoff box is not ticked, restricting the logon hours of a user does not prevent them from continuing to use a machine out of hours if they were already logged on when the restriction came into force; it does, however, prevent them logging on after this time, for instance at a screen saver prompt.

Devices
    This is used by Endpoint Encryption for PC only. See the Endpoint Encryption for PC Administration Guide.

Application Control
    This policy is used by Endpoint Encryption for PC only. See the Endpoint Encryption for PC Administration Guide.

Policies
    Endpoint Encryption can control other systems through the Policies interface. You define the actual parameters of a policy through its entry on the System Tree, and assign which policies are enforced for a particular user, or group of users, from the Policies tab. For more information on policies see the Policies chapter.

    Add/Remove: Click Add or Remove to associate a policy with a user. You can only associate one policy of each type with a user.

Bindings
    The Endpoint Encryption Connectors use the bindings specified for a user to match their Endpoint Encryption account with their account on an alternate system. When a connector creates a new Endpoint Encryption user, it automatically fills in the binding tabs to make the association. It is also possible to connect one or many users created in Endpoint Encryption to a connected account by manually editing the bindings list.

Figure 10: Connector Bindings

    For information on the correct system tag to use for a given connector, see the Endpoint Encryption Connector Manager chapter.

Local recovery
    The Local Recovery option allows the user to reset a forgotten password by answering a set of security questions. The full list of security questions is set by the administrator using the Endpoint Encryption Manager.

    NOTE: Endpoint Encryption contains a generic set of questions.

    When the user first sets up their local recovery feature they are prompted to select a number of questions and provide answers to them. These form the basis of their local self recovery feature.


Setting Local recovery for a user name or user group

Using Endpoint Encryption Manager, the administrator assigns the local recovery option to the user's logon, or to a user group. The local recovery options are available from the user logon or group Properties screen.

Figure 11: Local recovery

Table 5: Local recovery

Enable Local Recovery
    Selecting this check box sets Local Recovery for the specified user or user group.

Require __ questions to be answered
    Determines how many questions the user must answer to perform a Local Recovery.

Allow __ logons before forcing user to set answers
    Determines how many times a user can log on without setting their Local Recovery questions and answers.

Add
    Loads the Local Self Recovery Question dialog box and allows you to create a new question. You can also specify the language the question should be in and the minimum number of characters the user must supply when configuring the answer to this question.

Remove
    Removes a selected question from the list.

Edit
    Allows you to edit the configuration of a selected question.

Apply
    Saves any changes that have been made.

Restore
    Undoes your changes and restores the Local Recovery options to the previous settings (providing you have not clicked the Apply button).


See the Endpoint Encryption for PC Administrator's Guide or the Help File for the user local recovery procedures.

Administration groups
    The groups which an administrator can manage can be restricted. This gives the ability to create high privilege administrators who can only work with a particular population of users and machines, for instance departmental administrators. You can specify all group types for the restriction, so you can also create administrator accounts that can manage only servers, certain groups of users, or certain groups of machines.

Figure 12: Administration groups

    When group restrictions are in place, the user's view of the database is restricted to only the groups specified. Leaving the admin groups box empty gives the account admin capability throughout the Object Directory. When an administrator with group restrictions creates a new user, the group restrictions are reflected into the new user's properties. If the new user also inherits groups from their group membership, these too will be set.

    NOTE: Do not restrict the administrative scope of the root administrator, or you may not be able to make configuration changes in the future.

Setting user administrative privileges


Endpoint Encryption has a powerful and flexible administration structure. Three conditions must all be met before a user can perform an administration task.

Administration level
    This must be higher than the level of the object you are trying to administer, or, in the case of top-level objects (level 32), must also be level 32.


Groups
    If any groups are specified for administration, the object you are trying to administer must be in one of those groups.

Administration Functions
    The feature or command you are trying to use must be enabled in your Admin Rights list.

If all three conditions are met, the user can perform the function. Using a selection of these features enables various administration hierarchies to be created. We advise that the minimum administration rights are given to each user, to prevent unauthorized configuration of the security. By delegating responsibility, administration can become a simple task.

Example 1: Top-down administration

In this scenario there is a simple top-down chain of administration.

    Root User: Level 32.
    Master Administrator(s): Level 30, no other restrictions.
    Sub Admin(s): Level 20, no other restrictions.
    Users: Level 1, all rights removed.

Example 2: Tree administration

In this scenario, the departmental administrators are prevented from managing each other's department by the group restriction. Administrators are also prevented from adding any of their users to machines in the other department by the same mechanism. Only the Enterprise Administrator(s) can start or manage Endpoint Encryption Servers.

    Root User: Level 32.
    Enterprise Administrator(s): Level 30, no other restrictions.
    Department A Administrator(s): Level 20, restricted to user and machine groups in department A only. Rights for server management removed.
    Department B Administrator(s): Level 20, restricted to user and machine groups in department B only. Rights for server management removed.
    Department A Users: Level 1, all rights removed.
    Department B Users: Level 1, all rights removed.

Example 3: Function/Department administration

In this scenario, there is an additional account for the Server Manager, a person responsible for keeping the Endpoint Encryption Server running. Their account has no ability to manage users or log on to clients. There could also be other accounts with the ability to add and remove users (for example, used by the personnel department).

    Root User: Level 32.
    Enterprise Administrator: Level 30, no other restrictions.
    Server Manager: Level 30, groups restricted to servers only, rights restricted to managing servers only.
    Department A Administrator: Level 20, restricted to user and machine groups in department A only. Rights for server management removed.
    Department B Administrator: Level 20, restricted to user and machine groups in department B only. Rights for server management removed.
    Department A Users: Level 1, all rights removed.
    Department B Users: Level 1, all rights removed.
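The three conditions (administration level, administration groups, administration functions) and the Example 2 and Example 3 hierarchies, as an added example that is not McAfee's code. The only right names taken from the guide are "Users/Allow Administration" and "Start Server as service"; the other right names, and the level 1 assumed for machine and server objects, are hypothetical, and the objects are constructed samples. It also covers the Administration rights rules earlier in this chapter: new users start at level 1, inherit the creator's rights and group restrictions, and a level-32 account may administer other level-32 objects.

```python
"""Authorization check for Endpoint Encryption administration tasks.
Added example, not McAfee code; right names other than the two quoted
from the guide are hypothetical."""

from dataclasses import dataclass

ROOT_LEVEL = 32   # level of the user who first created the directory

ALL_RIGHTS = frozenset({
    "Users/Allow Administration",   # named in the guide
    "Start Server as service",      # named in the guide
    "Users/Create", "Users/Delete", "Machines/Assign Users", "Servers/Manage",  # hypothetical
})
SERVER_RIGHTS = frozenset({"Start Server as service", "Servers/Manage"})


@dataclass(frozen=True)
class DirObject:
    """Any Object Directory object: user, machine or server."""
    name: str
    level: int
    groups: frozenset            # groups this object belongs to


@dataclass(frozen=True)
class Account(DirObject):
    rights: frozenset = frozenset()         # enabled administration functions
    admin_groups: frozenset = frozenset()   # empty = whole Object Directory


def can_administer(admin: Account, target: DirObject, function: str) -> tuple:
    """Return (allowed, failing condition); all three conditions must hold."""
    # 1. Level: strictly higher than the target's, except that level-32 accounts
    #    may also administer other level-32 (root) objects.
    if not (admin.level > target.level or admin.level == target.level == ROOT_LEVEL):
        return False, "administration level"
    # 2. Groups: a group-restricted admin only reaches objects in one of those groups.
    if admin.admin_groups and not (admin.admin_groups & target.groups):
        return False, "administration groups"
    # 3. Functions: the command must be enabled in the admin's rights list.
    if function not in admin.rights:
        return False, "administration functions"
    return True, ""


def can_open_manager(account: Account) -> bool:
    """Users/Allow Administration gates starting the Manager at all."""
    return "Users/Allow Administration" in account.rights


def new_user_defaults(creator: Account, name: str, groups) -> Account:
    """New users start at level 1 and inherit the creator's rights and group restrictions."""
    return Account(name, 1, frozenset(groups), creator.rights, creator.admin_groups)


# Constructed Example 2/3 hierarchy.
ROOT = Account("root", ROOT_LEVEL, frozenset(), ALL_RIGHTS)
ENTERPRISE_ADMIN = Account("ent_admin", 30, frozenset(), ALL_RIGHTS)
SERVER_MANAGER = Account("srv_mgr", 30, frozenset(), SERVER_RIGHTS, frozenset({"Servers"}))
DEPT_A_ADMIN = Account("adminA", 20, frozenset(), ALL_RIGHTS - SERVER_RIGHTS,
                       frozenset({"Users A", "Machines A"}))
DEPT_B_ADMIN = Account("adminB", 20, frozenset(), ALL_RIGHTS - SERVER_RIGHTS,
                       frozenset({"Users B", "Machines B"}))
USER_A1 = Account("userA1", 1, frozenset({"Users A"}))            # all rights removed
MACHINE_B07 = DirObject("PC-B-07", 1, frozenset({"Machines B"}))   # level 1 assumed
EE_SERVER = DirObject("EE-Server-1", 1, frozenset({"Servers"}))    # level 1 assumed

if __name__ == "__main__":
    checks = [
        (DEPT_A_ADMIN, USER_A1, "Users/Delete"),
        (DEPT_A_ADMIN, MACHINE_B07, "Machines/Assign Users"),
        (DEPT_A_ADMIN, EE_SERVER, "Servers/Manage"),
        (SERVER_MANAGER, USER_A1, "Users/Delete"),
        (SERVER_MANAGER, EE_SERVER, "Start Server as service"),
        (ENTERPRISE_ADMIN, ROOT, "Users/Delete"),
        (ROOT, ROOT, "Users/Delete"),
    ]
    for admin, target, fn in checks:
        ok, why = can_administer(admin, target, fn)
        verdict = "allowed" if ok else f"denied ({why})"
        print(f"{admin.name:10s} {fn:24s} on {target.name:12s}: {verdict}")
```

The order of the checks matters for the denial reason only; the department A administrator is stopped at the group check for both the department B machine and the server, which is the "same mechanism" the guide refers to, while the missing server right would only be reported for an object inside their own groups.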


Tokens
The Endpoint Encryption Manager and connected applications support many different types of logon token, for example passwords, smart cards, fingerprint readers and others. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared. Go to https://kc.mcafee.com/corporate/index?page=content&id=pd20895 for the supported smart cards and tokens.

Contents
    Hardware device support
    Endpoint Encryption application support
    Assigning the token to the user and creating it
    Install and configure Upek fingerprint reader

Hardware device support


Ensure the system has the appropriate Windows drivers for the hardware tokens it needs to support. For example, if you intend to use Aladdin eTokens you need to install the Aladdin eToken RTE (Run Time Environment). If you intend to use smart cards, you need to ensure that an Endpoint Encryption supported smart card reader, for example the Mako/Infineer LT4000 PCMCIA smart card reader, is installed along with its drivers. In both cases, the appropriate device drivers are available either directly from the manufacturer, or from the Endpoint Encryption install CD in the Tools directory.

Endpoint Encryption application support


Once you have installed hardware support for the devices, you can enable software support for them. See the dedicated product administration guide for details of how to enable tokens for that particular product.

Assigning the token to the user and creating it


From the user's Token properties pane, select the token you want the user to log on with. Endpoint Encryption prompts you to insert the token and creates the appropriate data files on it.


If all steps are followed, users will be able to log in using their new token when you install Endpoint Encryption, or after the machines synchronize.

Install and configure Upek fingerprint reader


The Upek Protector Suite QL software must be installed and configured on the client system. The software can be found on the McAfee Endpoint Encryption Tools download. Consult your McAfee representative for further information.

Before you begin
    Make sure that you have appropriate permissions to perform this task.

Task
    1 From the Endpoint Encryption Manager, create a file group for the Upek token and import the token files SbTokenUpek.dll and SbTokenUpek.dlm.

      NOTE: The Upek file group must be assigned to the system or system group. The fingerprint reader must be assigned to a user or a user group. See the user or user group Properties | Tokens screen.

    2 The user logs on to the client system using the Upek token module in password mode. The user is presented with a dialog box to register their fingerprints with Endpoint Encryption, and configures the fingerprint reader to work with one or more of their fingerprints. From then on the user authenticates to Endpoint Encryption with their fingerprint instead of a password.


File Groups and Management


Endpoint Encryption Manager uses central collections of files, called Deploy Sets (file groups), to manage which versions of files are used by the many Endpoint Encryption applications. For information on a particular application's support for File Groups, see its Administration Guide.

Contents
    Endpoint Encryption file groups
    Setting file group functions
    Importing new files
    Exporting files
    Deleting files
    Setting file properties

Endpoint Encryption file groups


When Endpoint Encryption Manager is installed, it automatically adds all of the standard Endpoint Encryption administrator files into the file groups, and may also create language sets, for example English Language. An INI file, ADMFILES.INI, determines the contents of the core groups. INI files such as these can be edited to allow custom collections of files to be quickly imported and then applied using the Import file list menu option. For more information on ADMFILES.INI see the Endpoint Encryption Configuration Files chapter.

Figure 13: Endpoint Encryption file groups

Other file sets created as standard include those that support logon tokens, such as smart card readers and USB Key tokens.


Setting file group functions


You can specify the function of a file group by right-clicking it and selecting its properties. Some file selection windows, for example the file selector for machines, only display certain classes of file group (in this example, those marked as Client Files).

Figure 14: File group content

Importing new files


New files can be imported one by one into an existing deploy set using the Import files menu option. Select the file; the Endpoint Encryption Manager then imports it into the directory and adds it to the deploy set.

Exporting files
You can export a file group, or an individual file, back to a directory on disk. This is useful, for example, if you have an out-of-date administration system driver and there is an updated file in the Object Directory.

Deleting files
You can delete individual files from a file set. With connected applications this usually results in the deletion of the file from their local directory at the next synchronization event.

Setting file properties


To see the properties of a file, right click on the file in question and select Properties. Two screens of information are available: File Information and Advanced.


The name of the file is the actual name, which will be used when deploying the file on the remote machine. The ID is the Object Directory object ID which is used as a reference for the file from the client PC.

Figure 15: File Properties, file information

The version number is an incremental version of the file. When the file is updated, the version is incremented; clients use it to check whether an update is needed. Other information, such as the name of the user who imported the file and its size, may be shown.

Figure 16: File Properties, Advanced

Table 6: File Properties, Advanced

File Types
    Sets the type of the file.

File Location
    Sets the destination directory for the file.

Operating System
    Because some files are only applicable to certain operating systems, the target operating system(s) for the file must be selected. This prevents Windows NT drivers being installed on Windows 98 machines, or Windows 9x registry files being run on Windows 2000 servers.

App ID
    If you are installing a file which is shared between multiple Endpoint Encryption applications, you can specify the application's ID. This prevents one application from installing files shared by another.

Update
    Specifies when Endpoint Encryption should update the file.


Auditing
Introduction

The Endpoint Encryption Manager audits user, system, and server activity. By right-clicking an object in the Endpoint Encryption Object Directory, you can select the View Audit function. Audit trails are uploaded to the central directory both by the Administration Center and by connected Endpoint Encryption applications such as Endpoint Encryption for PC and Endpoint Encryption for Files and Folders.

The permission to view or clear an audit log can be controlled on a user or group basis. Both the administration level and the administration function rights are checked before access to a log is allowed. For more information on setting these permissions see the Creating and Configuring Users chapter.

Audit trails can be exported to a CDF file by using the Audit menu option, or by right-clicking the trail and selecting Export. The entire audit of the directory can also be exported using the SBAdmCL tool; for information on this option contact your Endpoint Encryption representative. The Object Directory audit logs are open-ended, that is, they continue to grow indefinitely, but can be cleared en masse, again using SBAdmCL.

Contents
    Common audit events

Common audit events


The text displayed in the audit log depends on your localization and language settings. The tables below list the common events and their ID codes for the American English version of Endpoint Encryption. Many events can appear in multiple places; for example, the Logon Successful event is logged both in the user account doing the logon and in the system being logged on to. You can find out about product-specific events from the product's dedicated administration guide; for example, to find out about Endpoint Encryption for PC events, refer to the Endpoint Encryption for PC Administration Guide.

Information Events

    Event       Description
    01000000    Audit cleared
    01000001    Boot started
    01000002    Boot complete
    01000003    Booted non-secure
    01000005    Backwards Date Change
    01000004    Booted from floppy
    01000010    Token battery low
    01000011    Power fail
    01000013    A virus was detected
    01000014    Synchronization Event
    01000015    Crypt Start
    01000016    Crypt End
    01000082    Add group
    01000083    Add object
    01000084    Delete group
    01000085    Delete object
    01000086    Import object
    01000087    Export object
    01000088    Export configuration
    01000089    Update object
    01000090    Import file set
    01000091    Create token
    01000092    Reset token
    01000093    Export key
    01000094    Recover
    01000095    Create database
    01000096    Reboot machine
    01000098    Move Object between groups
    01000099    Rename Object
    010000C0    Server started
    010000C1    Server stopped

Try Events

    Event       Description
    02000001    Logon attempt
    02000002    Change password
    02000003    Forced password change
    02000016    Recovery started
    02000081    Database logon attempt

Succeed Events

    Event       Description
    04000001    Logon successful
    04000002    Password changed successfully
    04000016    Boot once recovery
    04000017    Password reset
    04000018    Password timeout
    04000018    Lockout recovery
    04000019    Change token recovery
    0400001A    Screen saver recovery
    04000081    Database logon successful

NOTE: This guide lists the same code, 04000018, for both Password timeout and Lockout recovery.

Failure Events

    Event       Description
    08000001    Logon failed
    08000002    Password change failed
    08000005    Password invalidated (too many incorrect attempts)
    08000012    Machine configuration expired
    08000017    Recovery failed
    08000081    Database logon failed
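The event codes above, decoded and triaged in an added example that is not McAfee's code. The table shows that the top byte of each code is the event class (01 Information, 02 Try, 04 Succeed, 08 Failure) and that, within the Try, Succeed and Failure classes, the low bytes name the action (000001 logon, 000002 password change, 000081 database logon), so 02000001, 04000001 and 08000001 are the attempt, success and failure of one logon. The sample records are constructed, and their one-line "timestamp object code" layout is an assumption: the real CDF export format is not described on this page. The triage flags repeated logon failures, accounts that reached Password invalidated, and any object whose trail contains Audit cleared.

```python
"""Decode Endpoint Encryption audit event codes and triage a trail.
Added example, not McAfee code; the record layout is assumed."""

import re
from collections import Counter, defaultdict

EVENT_CLASS = {0x01: "Information", 0x02: "Try", 0x04: "Succeed", 0x08: "Failure"}

# Subset of the common events table (American English codes).
EVENT_NAMES = {
    0x01000000: "Audit cleared",
    0x01000001: "Boot started",
    0x01000014: "Synchronization Event",
    0x010000C0: "Server started",
    0x010000C1: "Server stopped",
    0x02000001: "Logon attempt",
    0x02000002: "Change password",
    0x02000081: "Database logon attempt",
    0x04000001: "Logon successful",
    0x04000002: "Password changed successfully",
    0x04000081: "Database logon successful",
    0x08000001: "Logon failed",
    0x08000002: "Password change failed",
    0x08000005: "Password invalidated (too many incorrect attempts)",
    0x08000081: "Database logon failed",
}


def decode_event(code: int) -> tuple:
    """Split a code into (class name, action number, description).
    Information-class codes use their own action numbering, so the action
    only correlates across the Try/Succeed/Failure classes."""
    cls = EVENT_CLASS.get(code >> 24, "Unknown")
    return cls, code & 0x00FFFFFF, EVENT_NAMES.get(code, "Unknown event")


# Assumed layout: "YYYY-MM-DD HH:MM:SS <object> <8 hex digits>"
RECORD = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
                    r"(?P<obj>\S+)\s+(?P<code>[0-9A-Fa-f]{8})$")


def parse_record(line: str):
    """Return (timestamp, object, code) or None for a line that does not match."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("obj"), int(m.group("code"), 16)


def triage(lines, failure_threshold: int = 3) -> dict:
    """Per-object counts by class plus findings worth an analyst's attention."""
    counts = defaultdict(Counter)
    lockouts, cleared = set(), set()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                      # skip malformed records rather than fail
        _, obj, code = rec
        cls, _, _ = decode_event(code)
        counts[obj][cls] += 1
        if code == 0x08000005:            # Password invalidated
            lockouts.add(obj)
        if code == 0x01000000:            # Audit cleared: who emptied the trail?
            cleared.add(obj)
    brute_force = {o for o, c in counts.items() if c["Failure"] >= failure_threshold}
    return {"counts": dict(counts), "brute_force": brute_force,
            "lockouts": lockouts, "audit_cleared": cleared}


# Constructed sample trail.
SAMPLE_AUDIT = """\
2011-03-01 08:59:12 jsmith 02000001
2011-03-01 08:59:13 jsmith 08000001
2011-03-01 08:59:20 jsmith 02000001
2011-03-01 08:59:21 jsmith 08000001
2011-03-01 08:59:30 jsmith 02000001
2011-03-01 08:59:31 jsmith 08000001
2011-03-01 08:59:31 jsmith 08000005
2011-03-01 09:05:02 amiller 02000001
2011-03-01 09:05:03 amiller 04000001
2011-03-01 09:30:00 LAPTOP-0042 01000014
2011-03-01 23:10:44 svc_admin 01000000
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE_AUDIT)
    for obj, c in report["counts"].items():
        print(f"{obj:12s} {dict(c)}")
    print("brute force:", report["brute_force"])
    print("lockouts:   ", report["lockouts"])
    print("audit cleared by:", report["audit_cleared"])
```

Because the Logon Successful event is written to both the user's and the machine's trail, the same failure burst will show up under two objects when trails from both are merged; triage per object, as here, keeps the two views separate.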


Managing Object Directories


All Endpoint Encryption Manager connected applications require a connection, and a logon, to an Object Directory. The Endpoint Encryption logon screen provides an interface to manage these connections, whether they are direct to local directories or through Endpoint Encryption servers. The logon system automatically remembers the last token which was used and displays that interface to the user; if you want to log on with a different token, for instance a smart card or fingerprint scan, cancel the logon box and select a different token from the token selection list.

Contents
    Managing connections
    Adding a new directory connection

Managing connections
You can add and remove directory connections by clicking Cancel on the Endpoint Encryption Manager Logon dialog box, then selecting Edit Connections on the Select Your Login Method dialog box.

Figure 17: Endpoint Encryption Database Connections

The Endpoint Encryption Database Connections window lists the currently configured directory locations and types. Local directories are accessed directly; remote directories are accessed through an Endpoint Encryption server. Where authentication parameters for the directory connection have been imported, the connection appears with a tick.


Adding a new directory connection


Click Add to create a new connection. If you are going to access the directory directly, for example in the case of the Endpoint Encryption file directory stored on your local system or on an accessible network drive, select the Local option from the connection type drop-down list. If the directory has an Endpoint Encryption server supplying its information, use the Remote option.

Remote directories

Description
    Type a description for the directory. This is used to identify the directory in the list.

Server Address
    Supply the address or DNS name of the server.

Server Port
    Set the port the server should communicate on. The default is 5555.

Authenticate
    Server authentication prevents a malicious "rogue" server masquerading as a valid Endpoint Encryption server by forcing DSA key checking between the server and the Endpoint Encryption application. If the key the server returns is invalid, the Endpoint Encryption application refuses to connect to the server and informs the user of a key mismatch.

When adding a new server, if you elect to create an authenticated link, you are prompted to provide a key file (.spk file). You can obtain this key from an existing connected administrator by asking them to right-click the server definition in the Endpoint Encryption Manager and choose Export Public Key.

NOTE: If you are authenticated to a directory, you can add alternate Endpoint Encryption server connections to this directory to the list by right-clicking the server's directory entry in the system tree and selecting Add to Directories. This sets up the connection in advance and adds all the key information, if available.

Local directories

Local directories (accessed without an Endpoint Encryption server) need a UNC or mapped drive data path (or a file location in the case of a file directory) and a description. Endpoint Encryption servers always use a local directory; you cannot chain one server onto another. The default driver for the Endpoint Encryption Directory is sbfiledb.dll.


Endpoint Encryption Server


The Endpoint Encryption Server provides a secure communication interface between the Object Directory and other components, such as Endpoint Encryption Manager, the Endpoint Encryption for PC client, and the Endpoint Encryption Directory Synchronizer, over a TCP/IP link.

Figure 18: Endpoint Encryption Server

Contents
    Installing the Endpoint Encryption Server program
    Creating a new server
    Server configuration
    Using server/client authentication
    Service accounts parameters

Installing the Endpoint Encryption Server program


The Endpoint Encryption Server is installed as part of the Endpoint Encryption Manager setup. You can install multiple servers attached to one directory: install a new copy of Endpoint Encryption Manager, then manually configure the connection to the existing directory by canceling the Object Directory creation wizard and setting up a new local or remote connection in the subsequent logon box.


Creating a new server


Before the Endpoint Encryption Server can start, an entry for it must be created in an Endpoint Encryption Object Directory. This entry (object) contains the server's public and private key set, its configuration, and other parameters.

Figure 19: Creating a new Endpoint Encryption Server Object

To create a new server object, either use the New Server option to create a new server in the System/Endpoint Encryption Servers tree using Endpoint Encryption Manager, or use the Create button on the Endpoint Encryption Server startup screen shown after authenticating to the Object Directory. Both procedures follow the same path. Creating a new Endpoint Encryption Server object automatically adds the definition to the local directories list. The next time you perform a directory logon, you can choose to log on to the new server.

Starting the Endpoint Encryption Server for the first time

Once the object for the server has been created, the program SBServer.exe may be run. The first task is to log on to the local Object Directory; for information on how to set up directory connections, see Managing Object Directories. Once the directory has been selected and a logon ID and password supplied, a prompt to select the server object is displayed. From this dialog box a new server definition can be created, or an existing ID selected. The definition selected controls the startup parameters for the server and the authentication keys it will use.

Figure 20: Selecting the Endpoint Encryption Server Object to use for configuration


Server configuration
The Endpoint Encryption Server obtains its configuration from three places:

    The local file sdmcfg.ini supplies the location and type of Object Directory the server should connect to. It also supplies the logon ID and password to use in the case of an automated start. This file is shared between all the Endpoint Encryption entities.

    The server's object within the Object Directory specified in sdmcfg.ini supplies the port the server should listen on, and its public and private key information.

    The local file sbserver.ini supplies the ID of the object in the local Object Directory that the server uses for its port and other settings. It also specifies whether the user should be prompted to select an ID each time the server starts.

Starting the Endpoint Encryption Server as a service

In Windows 2000 you can start the Endpoint Encryption Server as a true service. To do this:

    1 Select the Start as service option from the server menu.
    2 Supply a user ID and password for the server to use for subsequent starts.

The Endpoint Encryption Server stores the user's authentication key in sbserver.ini for use in subsequent logons. This is not the user's password, but it could give an attacker a method of attacking the Object Directory, so restrict access to this file.

TIP: You can stop certain user accounts being used to start servers as services by removing their administration privilege Start Server as service.

Using server/client authentication


Endpoint Encryption clients exchange highly sensitive information with their respective servers, and rely on their server for their configuration, including details of which drives should be encrypted. One possible way around the Endpoint Encryption security would be to substitute a rogue server and Object Directory for the organization's own, which could tell Endpoint Encryption protected machines to decrypt their hard drives. To prevent this kind of attack, the Endpoint Encryption Server generates a public/private key pair on install. The public part of the key is distributed to the clients on install; they use it to verify that the server they are talking to holds the matching private key each time they communicate with it. With this mechanism, if the server is substituted, for instance by re-routing the network traffic or the DNS name, the clients recognize the change and refuse to communicate.

Setting up the Endpoint Encryption Server/Endpoint Encryption authentication

Once an Endpoint Encryption server has been created and started, its public key may be exported from the Object Directory as a file. This key file can be freely distributed or placed in a publicly accessible repository, for instance on a web site. To extract a server key from the Object Directory, select the server from the server tree and use the Export public key option. The resulting .sky file can then be freely distributed.


To import the information into a directory connection, use the Advanced button on the logon screen. For information on this process see Managing Object Directories.

NOTE: If the Object Directory selected during the creation of a deploy set already has authentication configured, this information is automatically included within the deploy set.

Connecting to a new Endpoint Encryption Server

Once a server has been created it appears in the Object Directory system tree. If this server was created by someone else in the Endpoint Encryption enterprise, you can still add it to the local list of Endpoint Encryption servers used in the logon dialog box by selecting the Add to Directories option. This creates a new entry in the local list and, if necessary, downloads the server's public key information. For more information see Managing Object Directories.

Checking a server's status remotely

You can check the status of an Endpoint Encryption Server listed in the Object Directory by right-clicking its object and selecting Get Status. If the server is online and responsive, it returns its current status in the system log.

NOTE: The active connections list will always show one more than the current user/machine connections, because of the connection made by Endpoint Encryption Manager to get the status.

Using restricted user IDs for servers

Although any valid user ID can start an Endpoint Encryption server, the access granted to it by the Object Directory is a reflection of that user's directory permissions. For instance, if a user with very low admin privilege starts the Endpoint Encryption Server, then higher level users and machines will not receive any configuration updates, because their admin level exceeds that which can be accessed by the Endpoint Encryption Server. For this reason the Endpoint Encryption Server should usually only be started by users with very high, or the highest, level admin rights.

For practical reasons it is often not the master Endpoint Encryption administrator who starts the Endpoint Encryption Server; usually the corporate server managers have this responsibility. It would not be good security for the master accounts to be given out to any users except those directly involved with the Endpoint Encryption parameters. To resolve this conflict, Endpoint Encryption allows you to create very high privilege users with full access to the objects but no administrative ability. We term these Service Accounts.

Service accounts parameters


Service accounts are created in the same way as normal users. We recommend they be created in their own group, Service Accounts. The following parameters can be set to yield an account that is useless for logging on to PCs. With these parameters the only use for the account is as a login to the Object Directory.

Passwords: Prevent Change set and Require Change disabled
Admin Rights: Administration Level 30 and all rights cleared except Start as Service
Devices: No access to any devices
Token: Password Only

CAUTION: Remember not to add any service accounts, or the group you create them in, to machines.
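The parameter set above is easy to get slightly wrong in a large directory, so the following is an added audit check (example code, not part of the Endpoint Encryption Manager product) that compares a user record against every one of those service-account settings and lists the deviations. The record layout (a plain dict with the field names used below) and the sample accounts are constructed for the example; the right name "Create User" in the non-compliant sample is likewise constructed.

```python
# Added example: audit a user record against the Service Account parameters
# listed above. The dict field names are an assumption of this example, not
# the Endpoint Encryption Manager data model.
from typing import Dict, List

START_AS_SERVICE = "Start as Service"   # the only admin right a service account keeps
SERVICE_ADMIN_LEVEL = 30                # Administration Level recommended above
PASSWORD_ONLY_TOKEN = "Password Only"   # the only token type a service account needs


def service_account_violations(user: Dict) -> List[str]:
    """Return a list of human-readable deviations; an empty list means compliant."""
    problems = []

    pw = user.get("passwords", {})
    if not pw.get("prevent_change", False):
        problems.append("Passwords: Prevent Change must be set")
    if pw.get("require_change", True):
        problems.append("Passwords: Require Change must be disabled")

    admin = user.get("admin_rights", {})
    if admin.get("level") != SERVICE_ADMIN_LEVEL:
        problems.append("Admin Rights: Administration Level must be %d" % SERVICE_ADMIN_LEVEL)
    rights = set(admin.get("rights", []))
    extra = sorted(rights - {START_AS_SERVICE})
    if extra:
        problems.append("Admin Rights: only '%s' allowed, found %s" % (START_AS_SERVICE, extra))
    if START_AS_SERVICE not in rights:
        problems.append("Admin Rights: '%s' must be granted" % START_AS_SERVICE)

    if user.get("devices"):
        problems.append("Devices: no device access allowed, found %s" % sorted(user["devices"]))
    if user.get("token") != PASSWORD_ONLY_TOKEN:
        problems.append("Token: must be '%s'" % PASSWORD_ONLY_TOKEN)
    # The CAUTION above: neither the account nor its group may be added to machines.
    if user.get("assigned_machines"):
        problems.append("Account (or its group) must not be added to machines: %s"
                        % sorted(user["assigned_machines"]))
    return problems


# Constructed sample records.
COMPLIANT_SERVICE_ACCOUNT = {
    "passwords": {"prevent_change": True, "require_change": False},
    "admin_rights": {"level": 30, "rights": ["Start as Service"]},
    "devices": [],
    "token": "Password Only",
    "assigned_machines": [],
}

BAD_SERVICE_ACCOUNT = {
    "passwords": {"prevent_change": False, "require_change": True},
    "admin_rights": {"level": 10, "rights": ["Start as Service", "Create User"]},
    "devices": ["Floppy"],
    "token": "Password Only",
    "assigned_machines": ["PC01"],
}

if __name__ == "__main__":
    for name, record in (("good", COMPLIANT_SERVICE_ACCOUNT), ("bad", BAD_SERVICE_ACCOUNT)):
        print(name, service_account_violations(record) or "compliant")
```

Run it against an export of the Service Accounts group; any non-empty result is an account that could be used for more than starting the server.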


Keys
Keys are general-purpose objects which other Endpoint Encryption-aware applications can use to encrypt information; for example, Endpoint Encryption for Files and Folders uses Key objects to protect files and folders on network and user hard disks.

Contents
Key administration functions
Key configuration options
Users

Key administration functions


The following are some important key administration functions.

Create new key
This function creates a new Key. You can select the key name and its algorithm, and enter a description of the key to help identify it. To create a new key:
1 Navigate to the System tab of the object tree.
2 Find the key provider.
3 Double-click it to expand its groups.
4 Either open an existing group, or create a new group by right-clicking the top node and selecting Create Key Group.
5 From the open group window, right-click and select Create New Key.
6 Enter the name for the new key, select an algorithm, and select OK.

Rename Key
This option changes the name of a key; this does not affect the association of keys to users, or the protection of data. Only the human-readable name is changed.

Delete Key
This option deletes a key from the system. To delete a key:
1 Find the key from the Keys node of the System tab within the object tree.
2 Right-click the key and select Delete.

NOTE: If you permanently delete a key, all data protected with that key will be permanently lost; however, you can restore the key if it has been backed up.


Reset to group configuration
Sets the properties of a key to be those of its group. This includes the user list assigned to the key.

Reset to group configuration (exclude users)
Sets the properties of a key to be those of its group, excluding the key's user list.

Properties
Displays the properties of a key.

Key configuration options


The following are some important key configuration options.

Information
Displays information about the key.

Description
A text description of the key; this can be used to identify the purpose or use of the key.

Validity
You can specify the date until which a key is valid, and whether it can be cached on users' local systems.

Key is Enabled
Tick to make the key accessible to users. If the key is disabled, then all requests for this key (and therefore all data protected by it) will be denied.

Expiry
You can specify a date until which the key will be valid. After this date, access to the key (and therefore access to data protected by it) will be denied.

Caching

Allow keys to be cached locally
Enables local caching of the key. Normally keys are obtained on access from the network Endpoint Encryption Key Server. This means that the only way to access protected data is to have a good connection to the corporate Key Server. If you need data to be available to users offline, for example when they are working disconnected from the network, you can allow local caching of a particular key. Each time a key is requested, the user must authenticate against an Endpoint Encryption Key Server to obtain a fresh copy of the key. If the Key Server is not accessible, then the user authenticates against a local key cache and queries it for a copy of the key. If the key could be obtained from the Key Server, then the local copy may be installed or updated at the same time. If the user's credentials are not correct, no keys are released.

Remove from cache after
Causes a locally cached copy of a key to be wiped from the local key cache after a certain number of days of disconnection. This prevents users from obtaining keys and then continuing to use them for extended periods of time without validating their credentials against the central Endpoint Encryption Key Server. You can use this option to ensure that if you make changes to the validity or user list of cacheable keys, those changes are enforced within a certain period of time.


Users
You can restrict access to keys to certain users by adding them to the key's user list. When the list is empty, any user who has valid Endpoint Encryption credentials can obtain the key. Once one or more users are added to the list, only those users can obtain or administer the key. This prevents general Endpoint Encryption administrators from being able to access sensitive data.

NOTE: You can restrict which key administration functions (add key, delete key, properties, etc.) a user can perform by setting the user's administration rights. See the Administration Rights section for more information.

Restrict access to
Defines the user list for a key. If the list is empty, then any user can access the key. If one or more users are added, then only they can access or administer the key.

Minimum admin level required
You can specify the minimum admin level required to access a key. This parameter is enforced in addition to the restricted user list. If you add a user to the user list and also set an admin level, then a user who does not match or exceed the level will not be able to access the key. For more information on admin levels, see the Administration Rights section.
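The key release rules spread over the Key configuration options and Users sections above (enabled flag, expiry, restricted user list, minimum admin level, local caching and the remove-from-cache period) interact, and the following added model (example code, not Endpoint Encryption Manager's implementation) puts them in one place so the order of checks and the offline fallback can be traced. The dataclass field names, the sample key named Finance and its users are constructed; real key material is replaced by a placeholder byte string.

```python
# Added example (not Endpoint Encryption Manager code): a model of the key
# release rules described above. Field names, the sample key and users are
# constructed for the example.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple


@dataclass
class Key:
    name: str
    material: bytes                            # stand-in for the real key material
    enabled: bool = True                       # "Key is Enabled"
    expiry: Optional[date] = None              # "Expiry"; None means no date set
    cacheable: bool = False                    # "Allow keys to be cached locally"
    remove_after_days: Optional[int] = None    # "Remove from cache after"
    restricted_users: Set[str] = field(default_factory=set)  # "Restrict access to"
    min_admin_level: int = 0                   # "Minimum admin level required"


@dataclass
class CacheEntry:
    material: bytes
    last_validated: date                       # last day the Key Server released this key


def key_server_allows(key: Key, user: str, admin_level: int, today: date) -> bool:
    """Central Key Server decision: every rule must pass."""
    if not key.enabled:
        return False                           # disabled key: all requests denied
    if key.expiry is not None and today > key.expiry:
        return False                           # past the expiry date
    if key.restricted_users and user not in key.restricted_users:
        return False                           # non-empty list: only listed users
    if admin_level < key.min_admin_level:
        return False                           # enforced in addition to the user list
    return True


def obtain_key(key: Key, user: str, admin_level: int, today: date,
               server_online: bool, credentials_ok: bool,
               cache: Dict[str, CacheEntry]) -> Tuple[Optional[str], Optional[bytes]]:
    """Client-side flow: a fresh copy from the Key Server when it is reachable,
    otherwise the local cache, which is wiped once the user has been disconnected
    longer than the remove-after period. Returns (source, material)."""
    if not credentials_ok:
        return None, None                      # bad credentials release nothing
    if server_online:
        if not key_server_allows(key, user, admin_level, today):
            return None, None
        if key.cacheable:
            cache[key.name] = CacheEntry(key.material, today)  # install/refresh local copy
        return "server", key.material
    entry = cache.get(key.name)
    if entry is None:
        return None, None                      # never cached and no server: no access
    disconnected_days = (today - entry.last_validated).days
    if key.remove_after_days is not None and disconnected_days > key.remove_after_days:
        del cache[key.name]                    # cached copy wiped after N days offline
        return None, None
    return "cache", entry.material


DAY0 = date(2011, 1, 3)   # constructed start date for the walkthrough


def demo() -> Tuple[list, Dict[str, CacheEntry]]:
    """Walk through the cases described in the text; returns (sources, cache)."""
    finance = Key("Finance", b"k-finance", cacheable=True, remove_after_days=7,
                  restricted_users={"alice"}, min_admin_level=10)
    cache: Dict[str, CacheEntry] = {}
    steps = [
        ("alice", 20, DAY0, True, True),                      # online, allowed: "server"
        ("bob", 99, DAY0, True, True),                        # not in user list: denied
        ("alice", 5, DAY0, True, True),                       # admin level below 10: denied
        ("alice", 20, DAY0, True, False),                     # wrong credentials: denied
        ("alice", 20, DAY0 + timedelta(days=5), False, True),  # offline, within 7 days: "cache"
        ("alice", 20, DAY0 + timedelta(days=8), False, True),  # offline, 8 days: wiped, denied
    ]
    sources = [obtain_key(finance, u, lvl, d, online, ok, cache)[0]
               for u, lvl, d, online, ok in steps]
    return sources, cache


if __name__ == "__main__":
    print(demo())
```

The walkthrough shows why the remove-after period is the bound on how long a revoked user list or expiry can go unenforced: until the cached copy is wiped, an offline client never asks the Key Server again.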


Policies
Endpoint Encryption can manage other systems and applications from the main Administration console. Each additional application provides a Policy system which allows the parameters for the application to be defined. For example, the Endpoint Encryption for Files and Folders policy provider integrates into the Endpoint Encryption Database, and allows you to set the functions and parameters for the Endpoint Encryption for Files and Folders system. You can assign policies to most kinds of Endpoint Encryption supported object, such as users, systems, PDAs, etc., wherever appropriate for the individual policy type. You can assign policies to both individual objects (such as users) and to groups of objects (such as groups of systems).

Contents
Add a policy
Managing policies
Assign a policy object to a user
Assign a policy object to a system

Add a policy
You can create any number of policies of each type. You should create policies to fulfill an organizational or functional need; for example, a policy for a role within your organization, such as Management Team.

Before you begin
Make sure that you have appropriate permissions to perform this task.

Task
1 Navigate to the Policies tab of the object tree.
2 Find the Policy provider you want to create a new policy for, for example, Endpoint Encryption for Files and Folders Policies.
3 Double-click it to expand its groups.
4 Either open an existing group, or create a new group by right-clicking the top node and selecting Create Policy Group.
5 From the open group window, right-click and select Add.
6 Enter the name for the new policy, and select OK.


Managing policies
Use these important policy options to rename, delete, and manage the policy options.

Renaming a policy
Changes the name of the policy. This does not affect the association of the policy to other objects.

Deleting a policy
If you delete a policy, all users of that policy will receive the Default policy instead the next time they update. To delete a policy:
1 Find the policy from the Policies tab of the object tree.
2 Right-click the policy and select Delete.

Create installation set
To install a policy object, some types allow you to create an installation set directly from the Endpoint Encryption database for that application; for example, to install Endpoint Encryption you can create an Install EXE directly from the policy object.

Reset to group configuration
Resets the properties in the selected policy to those of its group.

Create copy
Creates a copy of a policy object based on the selected one.

Properties
Opens the properties of the selected group or object.

For more information about Endpoint Encryption, see the Endpoint Encryption for Files and Folders Administration Guide.

Assign a policy object to a user


Use this task to assign a policy object to a user or a user account.

Before you begin
Make sure that you have appropriate permissions to perform this task.

Task
1 Open the user's Properties window.
2 Move to the Policies properties type in the properties list.
3 Click the Add button.
4 Select the policy you want to associate with that user.
5 Click OK.

You can normally only assign one policy of each type to any particular object, for example one Endpoint Encryption for Files and Folders policy per user.

Assign a policy object to a system


Use this task to assign a policy object to a system.

Before you begin
Make sure that you have appropriate permissions to perform this task.

Task
1 Open the system Properties window.
2 Move to the Policies properties type in the properties list.
3 Click the Add button.
4 Select the policy you want to associate with that system.
5 Click OK.

You can normally only assign one policy of each type to any particular object, for example one Asset policy per system.


Endpoint Encryption connector manager


The Connector Manager is responsible for managing the correlation of information between the Endpoint Encryption Object Directory and another data source. This remote source may be another Object Directory, or may be some different system (for example an X.500 directory over LDAP, or an NT Domain). The Connector Manager is a set of customizable routines that can be used to quickly implement the desired synchronization functions.

Contents
Connector manager tools
Adding and removing connector instances

Connector manager tools


The Connector Manager tools are supplied pre-configured to synchronize the Endpoint Encryption directory with alternate systems such as NT Domains, Active Directory, and Novell Netware NDS, as a uni-directional process. Support for alternate data stores is implemented on a customer basis. To discuss synchronization with other data stores, please contact your McAfee representative.

Figure 21: Connector manager tools


Adding and removing connector instances


You can add connectors to the Manager Tree simply by right-clicking the root node (Endpoint Encryption Connector Manager).

Add connector
Creates a new connector instance. You can select from the available connector types, and give the connector a unique name.

Delete connector
Deletes the selected connector from the tree. Any connected users will become orphaned, unconnected to any alternate system.

Rename connector
You can rename a connector to a more descriptive name.

Service mode
The Connector Manager uses the Windows Scheduled Task Service to run individual connectors at preset times and intervals. This happens automatically; you do not need to run a special version of the Connector Manager. Scheduled tasks are enabled from the moment they are created.

Schedule and log
You can pre-set or change the SSO details associated with a user by right-clicking their object and selecting Set SSO Details. Each connector has a schedule and log controlled through the Connector Manager. You can add periodic events to the schedule to control when each connector performs its activity. You can also set repeat intervals for the tasks. To set the schedule for a connector, or change its log settings, simply click its name in the connector tree. The activity of the connector is logged centrally to the Connector Manager. You can also specify that the log should be appended to a file as it is created.

Running connectors interactively
You can run a connector interactively from the Run Now tab. The connector will output a progress log of its activities.

Error messages
For information on error messages generated by the Connector Manager or one of its connectors, please see the Error Messages chapter.


NT Connector (NTCon)
The NT connector is designed to populate the Endpoint Encryption user list from an existing NT Domain. By specifying a server to synchronize with, the connector mines the domain user list, creating Endpoint Encryption user accounts for those domain users not found. If a domain user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. The NT Connector needs to be run on either an NT 4.0 Domain Server or a Windows 2000 server/workstation, and needs access to the Endpoint Encryption Object Directory.

Contents
Summary of connected attributes
General options
Group mappings
User information

Summary of connected attributes


McAfee Endpoint Encryption Manager has the following connected attributes that you need to understand and configure correctly.

Domain username
Used to create new Endpoint Encryption users. Also used in the Endpoint Encryption user-binding tab to maintain a connection to the domain user. If the domain user is deleted, the Endpoint Encryption user is either deleted or disabled, depending upon the state of the Disable Users Only box.

CAUTION: If you delete an Endpoint Encryption user account, no files protected by only that Endpoint Encryption user ID will be recoverable. We recommend you disable users only, and delete them manually.

Domain user status
The Endpoint Encryption user status mirrors the domain user status: either enabled or disabled.

Domain user logon hours
The Endpoint Encryption user logon hours are set to match the domain user's.

Password change
The ability to change the password is reflected in the Endpoint Encryption user account.

Full name
The domain user full name field is placed in the Endpoint Encryption user's field list.

Description
The domain user description is placed in the Endpoint Encryption user's field list.

Valid until
The expiry date of the domain account is placed in the Endpoint Encryption user valid until field.

Group membership
On creation, logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all).

General options
McAfee Endpoint Encryption Manager has the following general options that you need to understand and configure correctly.

NT server
Specify the server you want to obtain the user list from. You can use the local machine, or specify a domain server. Click the Servers button to obtain a list of machines accessible from this station.

Disable users only
If a user is deleted from the domain, their matched Endpoint Encryption account can be either deleted or disabled.

CAUTION: If you delete an Endpoint Encryption user account, no files protected by only that Endpoint Encryption user ID will be recoverable. We recommend you disable users only, and delete them manually.

Use configuration checksum
The connector can store a checksum of the domain configuration in the domain user comment. This negates the need to read the entire configuration each time a sync on the user occurs. To use this option you need to run the connector on a primary or backup domain controller; you cannot use this option on a remote server.

Throttling
You can specify a delay between checking each user account to make the synchronization process more network-friendly.

NOTE: The domain password for a user account is not available to Endpoint Encryption; each new user will be created with the default password of 12345. You should ensure that all Endpoint Encryption groups which receive new users from the NT Connector have the Change password if default attribute set.


Group mappings
To ease the configuration of many synchronized domain users, you can map them to different Endpoint Encryption user groups based on their domain membership. As each domain account is checked, the NT Group Name fields are compared with the domain user's memberships. The first match found causes NT Connector to create the user in the specified Endpoint Encryption user group. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a domain user list into Endpoint Encryption and have minimal configuration work left. For example, if the following group mappings were specified:

NT group name      Endpoint Encryption group name
Domain Admins      NT Domain Admins
Domain Guests      NT Domain Guests
Sales              NT Domain Sales
Domain Users       NT Domain Users

A domain user with memberships of Domain Admins and Sales would be placed in the Endpoint Encryption user group NT Domain Admins. A user with membership to Domain Users and Sales would be placed in NT Domain Sales as it is listed first. If you clear the Add user to default group tick box, and the NT user being checked does not belong to any of the specified groups, they will not be synchronized into the Endpoint Encryption directory.

User information
You can specify which Endpoint Encryption information fields receive information from the domain account comment and description. You can also select the default behavior when new users are created.


LDAP Connector (LDAPCon)


LDAPCon is an optional connector designed to populate the Endpoint Encryption user list from an existing LDAP Protocol 1-3 Directory server. By specifying the directory to synchronize with, the connector mines the directory, creating Endpoint Encryption user accounts for directory users who meet certain pre-defined criteria. For information on purchasing these connectors, please contact your McAfee representative. If a directory user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. You can also make decisions to globally disable users based on any attribute using the excluded users function. The v4.2.12+ versions of the LDAP Connector can also use certificates stored in the AD to create users who can log on to Endpoint Encryption applications using Smart Cards and eTokens. These crypt-only tokens do not have to be initialized for use with Endpoint Encryption, as the PKI certificates stored on them can be used without any initialization. LDAPCon can run on Windows 2000, XP and Vista. It requires network access to both an Endpoint Encryption Server and the directory server itself.

Contents
Summary of connected attributes
General options
Group mappings
User mapping
User attributes
Excluded users
Using binary data attributes
LDAP browser from Softerra

Summary of connected attributes


McAfee Endpoint Encryption Manager has the following connected attributes for LDAP that you need to understand and configure correctly.

Username
Used to create new Endpoint Encryption users. Various directory attributes can be used to create the Endpoint Encryption user name. If the user is deleted, the Endpoint Encryption user is either deleted or disabled, depending upon the state of the Disable Users Only box.

CAUTION: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint Encryption user's key will be recoverable. We recommend you disable users only, and delete them manually.

User status
The Endpoint Encryption user status mirrors the directory user status: either enabled or disabled.

User logon hours
The Endpoint Encryption user logon hours are set to match the directory user's.

Password change
The ability to change the password is reflected in the Endpoint Encryption user account.

Information fields
Up to 10 fields of information from the directory can be placed in the Endpoint Encryption user's field list.

Valid until
The expiry date of the directory account is placed in the Endpoint Encryption user valid until field.

Group membership
Logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all). Also, if certain changes happen to the directory user, their Endpoint Encryption group can be set to change accordingly.

General options
McAfee Endpoint Encryption Manager has the following general options that you need to understand and configure correctly.

Connection details

Connection name
A text description for this instance of the connector.

Host
The IP address or DNS name of the directory server you wish to connect to.

Port
The TCP/IP port that the target directory is publishing on. This is usually 389, or 636 for secure connections.

Use secure connection
This option is used to get full access to the directory. You may have to obtain a certificate from your directory manager. Use the Certificate button to point the connector to the appropriate .DER file.

Protocol version
The LDAP protocol version your directory supports; this is usually Version 3.

Use secure connection
This option allows you to specify a secure connection. It will change the port number to 636 (note: this is configurable). The Certificate... button will also activate, and you can browse and select the right certificate from the Microsoft Certificate store. Certificates are generated for particular users. Microsoft has removed the ability to specify a user logon in this instance; the encryption and logon is determined by the certificate.

Anonymous login
If your directory supports anonymous login, check this box; otherwise complete the Logon Credentials section.

User DN
Enter the full distinguished name for the administrator's account.

Password
Enter and confirm the password for the account you specified in the User DN field.

Search Settings
Base DN
The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your directory if you need to limit the scope of the connector.

Object filter
Enter an appropriate filter to restrict the connector's view of objects in the directory. The default filter:
(&(objectClass=User)(!objectClass=Computer))
restricts the view to directory objects that are of class User and not of class Computer. If you only need to synchronize a small segment of users from your directory to Endpoint Encryption, you can specify a detailed Object Filter; this will make the process more efficient by forcing the connector only to look at the users which are interesting to it. For example, to restrict the connector's view to users of the group Endpoint Encryption only, you could use a query like:
(&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))
Wherever you specify a search query, you must use the full parameters as accepted by the directory, so in the example above the memberOf parameter must match exactly that shown in the user. You can use an LDAP browser to see the correct attribute details.

Timeout
Specify the connection timeout for your directory.

Entry limit
Specify the maximum number of objects to synchronize; this setting is useful when you need to test the behavior of the connector. For production use, set it to 0 (unlimited). Some directory servers may not accept this parameter.

Referrals
If your directory uses referrals, you can enable this feature in the connector.

Search depth
You can limit the scope of the connector by reducing the section of the directory that is searched for users.

Monitor changes
If your directory supports change logging, you can enable monitoring to enhance the performance of the connector. This sets up an asynchronous search on the directory server which reports when leaves are updated.
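Before an Object filter is typed into the connector it is worth checking offline what it admits, so the following is an added example (not LDAPCon code) of a small RFC 4515 filter parser and matcher run against constructed directory entries. Two points a practitioner should notice: an Active Directory computer object carries objectClass=user as well as computer, which is why the default filter has to exclude Computer explicitly; and the guide's filters write the negation as (!objectClass=Computer), whereas RFC 4515 requires the negated term to be parenthesised, (!(objectClass=Computer)), which is the form this parser accepts and the form a standards-conforming LDAP browser or server will expect when you test the filter there. The entries, their DNs under DC=cbi,DC=com and the cn values are constructed for the example; matching is case-insensitive, as Active Directory's default matching rules are for strings and DNs.

```python
# Added example (not LDAPCon code): RFC 4515 filter parser and matcher, run
# against constructed directory entries to show what an Object filter admits.
import re
from typing import Any, Dict, List


def _unescape(value: str) -> str:
    """Decode RFC 4515 \\XX hex escapes (e.g. \\2a for '*', \\28 for '(')."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse a filter into ('&'|'|', [children]), ('!', child) or ('=', attr, pattern)
    tuples. Raises ValueError on malformed input."""
    def parse(i: int):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        op = text[i]
        if op in "&|":
            i += 1
            children = []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError("unterminated AND/OR at offset %d" % i)
            return (op, children), i + 1
        if op == "!":
            child, i = parse(i + 1)        # RFC 4515: NOT wraps exactly one '(...)' filter
            if text[i] != ")":
                raise ValueError("NOT takes exactly one filter")
            return ("!", child), i + 1
        end = text.index(")", i)           # escaped ')' is \29, so a raw ')' ends the item
        attr, eq, pattern = text[i:end].partition("=")
        if not attr or not eq:
            raise ValueError("expected attribute=value at offset %d" % i)
        return ("=", attr.lower(), pattern), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node


def is_valid_filter(text: str) -> bool:
    """True when the text is a well-formed RFC 4515 filter."""
    try:
        parse_filter(text)
        return True
    except (ValueError, IndexError):
        return False


def matches(node, entry: Dict[str, Any]) -> bool:
    """Evaluate a parsed filter against one entry whose attribute names are lowercased."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    raw = entry.get(attr, [])
    values = [str(v) for v in (raw if isinstance(raw, list) else [raw])]
    if pattern == "*":                     # presence filter
        return bool(values)
    if "*" in pattern:                     # substring filter, e.g. (cn=Ali*)
        rx = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
        return any(re.match(rx, v, re.IGNORECASE) for v in values)
    wanted = _unescape(pattern).lower()    # equality, case-insensitive like AD
    return any(v.lower() == wanted for v in values)


def search(filter_text: str, entries: List[Dict[str, Any]]) -> List[str]:
    """Return the DNs of the entries the filter admits, in input order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries
            if matches(node, {k.lower(): v for k, v in e.items()})]


# Constructed sample entries. The workstation carries objectClass=user too,
# as AD computer objects do, so only the Computer exclusion keeps it out.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"dn": "CN=Alice,OU=Uk,DC=cbi,DC=com", "cn": "Alice", "objectClass": USER_CLASSES,
     "memberOf": ["CN=McAfee,OU=Uk,DC=cbi,DC=com"]},
    {"dn": "CN=Bob,OU=Uk,DC=cbi,DC=com", "cn": "Bob", "objectClass": USER_CLASSES,
     "memberOf": ["CN=Staff,OU=Uk,DC=cbi,DC=com"]},
    {"dn": "CN=WS01,OU=Uk,DC=cbi,DC=com", "objectClass": USER_CLASSES + ["computer"]},
]

# The guide's group-restricted filter, with the NOT term in strict RFC 4515 form.
GROUP_FILTER = "(&(objectClass=user)(!(objectClass=computer))(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))"

if __name__ == "__main__":
    print(search(GROUP_FILTER, ENTRIES))
```

The parser deliberately rejects the unparenthesised NOT form so that a filter which passes here will also be accepted by tools that follow the RFC; if your connector version accepts the shorter form, that is a leniency of the connector, not of LDAP.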


Search groups
You can specify a list of DNs for group objects in your directory which contain members you wish to include in this connector's scope of operation. Search Groups takes precedence over the object filter specified in the Search Settings pane.

Attribute types
Binary data attributes must be defined in this list before they can be used by the connector. You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant. For example, in the DN CN= McAfee,CN=COM,FN=Fred, if substring searching is enabled for DN, then CN=COM is a valid match.

Group mappings
To ease the configuration of many synchronized directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. As each directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per user causes the LDAPCon to create or assign the user in the specified Endpoint Encryption user group. You can create new entries by double-clicking the table; by right-clicking an entry you can change its order, edit it, or delete it. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a directory user list into Endpoint Encryption and have minimal configuration work left. For example, if the following group mappings were specified:

Directory Organizational Unit (attribute value)   Endpoint Encryption group name   Directory service attribute
OU=R&D                                            R&D                              distinguishedName
OU=Sales                                          Sales                            distinguishedName
OU=Support                                        Techsup                          distinguishedName
OU=Management                                     MT                               distinguishedName

A directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales, as that clause comes first in the list. By specifying the No Mapping Exists behavior you can select one of four options:
1 Use a defined group
2 Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).
3 Add the user to the default group
4 Ignore, Remove, Disable or Recycle the user

NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data.
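The NT Connector and LDAP Connector group-mapping sections above describe the same rule: the mapping table is walked in order and the first row that matches wins, whatever order the user's memberships arrive in. The following added example (not NTCon or LDAPCon code) implements that rule once for both connectors, reproduces the two worked tables from the text, and models the LDAP connector's substring-search option and its No Mapping Exists choices. The sample users, their DNs under DC=example,DC=com, the "NT Default" group and the derived-name rule are constructed; the mapping tables are the guide's own.

```python
# Added example (not NTCon or LDAPCon code): first-match group mapping as both
# connector sections describe it. Mapping tables come from the guide; the
# sample users and the derived-group rule are constructed.
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

Mapping = Tuple[str, str]   # (directory-side pattern, Endpoint Encryption group name)


def resolve_group(values: Iterable[str], mappings: Sequence[Mapping],
                  no_mapping: tuple, substring: bool = False) -> Optional[str]:
    """values: what the directory says about the user (NT group memberships, or
    the value(s) of the mapped LDAP attribute such as distinguishedName).
    mappings: the Group Mapping table in order; the first ROW that matches wins,
    regardless of the order of the user's own memberships.
    substring: LDAPCon's substring-search option for the attribute; when False
    the whole attribute value must equal the pattern.
    no_mapping: ("use_group", name) | ("derive", fn) | ("default", name) | ("ignore",)
    Returns the Endpoint Encryption group, or None when the user is not synchronized."""
    values = list(values)
    for pattern, ee_group in mappings:
        if any((pattern in v) if substring else (pattern == v) for v in values):
            return ee_group
    kind = no_mapping[0]
    if kind in ("use_group", "default"):
        return no_mapping[1]
    if kind == "derive":                   # new group named from a user attribute
        return no_mapping[1](values)
    return None                            # "ignore" (remove/disable/recycle not modelled)


# The guide's NT Connector mapping table.
NT_MAPPINGS: List[Mapping] = [
    ("Domain Admins", "NT Domain Admins"),
    ("Domain Guests", "NT Domain Guests"),
    ("Sales", "NT Domain Sales"),
    ("Domain Users", "NT Domain Users"),
]

# The guide's LDAP Connector mapping table (attribute: distinguishedName).
LDAP_MAPPINGS: List[Mapping] = [
    ("OU=R&D", "R&D"),
    ("OU=Sales", "Sales"),
    ("OU=Support", "Techsup"),
    ("OU=Management", "MT"),
]


def ou_group_name(values: List[str]) -> str:
    """Constructed 'derive' rule: name the new group after the user's first OU."""
    first_ou = next(part for part in values[0].split(",") if part.startswith("OU="))
    return "Auto " + first_ou[3:]


JANE = "CN=Jane Doe,OU=Support,OU=Sales,DC=example,DC=com"   # constructed


def demo() -> dict:
    """The cases from the text, plus the effect of the substring option."""
    return {
        # NT: table order decides, so Domain Admins beats Sales
        "nt_admin_and_sales": resolve_group(["Domain Admins", "Sales"], NT_MAPPINGS, ("default", "NT Default")),
        # NT: Sales is listed before Domain Users
        "nt_users_and_sales": resolve_group(["Domain Users", "Sales"], NT_MAPPINGS, ("default", "NT Default")),
        # NT: "Add user to default group" cleared and no row matches: not synchronized
        "nt_unmapped_no_default": resolve_group(["Marketing"], NT_MAPPINGS, ("ignore",)),
        # LDAP: DN contains both OU=Support and OU=Sales; Sales row comes first
        "ldap_substring": resolve_group([JANE], LDAP_MAPPINGS, ("ignore",), substring=True),
        # LDAP: without substring search the full DN never equals "OU=Sales"
        "ldap_exact": resolve_group([JANE], LDAP_MAPPINGS, ("ignore",), substring=False),
        # LDAP: no row matches; derive a group name from the user's DN
        "ldap_derived": resolve_group(["CN=Sam,OU=Legal,DC=example,DC=com"], LDAP_MAPPINGS,
                                      ("derive", ou_group_name), substring=True),
    }


if __name__ == "__main__":
    for case, group in demo().items():
        print(case, "->", group)
```

The ldap_exact case is the one to remember when a mapping silently sends everyone to the default group: a distinguishedName row only matches when the attribute is listed for substring search in Attribute types.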


User mapping
The LDAPCon has the ability to map up to 10 fields of information from the directory into the Endpoint Encryption Directory. A typical use of this feature would be security question-answer sessions to aid validation of a remote user. To add a new entry, either double-click or right-click on the input table. If the directory attributes mapped to these Endpoint Encryption fields change, then the user's Endpoint Encryption account will be updated accordingly.

New users password
When a new account is created in the Endpoint Encryption directory, the password will be set to the option specified. If you set the account to a random password, the user will need to be recovered, or the account manually set to a known password, before the user will be able to authenticate to Endpoint Encryption.

Removal behavior
You can choose to either:
- Remove users from Endpoint Encryption if their account is removed from the directory
- Disable them only
- Ignore this event

NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New users token
If you are using certificates, via for example Microsoft Certificate Server, you can allow your users to log in to Endpoint Encryption using their existing Certificate Token, for example an Activcard, eToken, or Setec token. For information about the supported tokens, please see the Tokens chapter of this guide. Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user.

Search Endpoint Encryption for user binding
Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users will be disabled, and the connector will expect to find the users pre-existing in the Endpoint Encryption directory. The connector will search for users with a binding which matches its identifier, and will only process those users. You can use the Search Endpoint Encryption option to process directories which contain a large population of uninteresting users. If you can pre-seed the Endpoint Encryption directory with the names of the users and appropriate binding information (for example using the scripting tool), you can greatly streamline the process.

User attributes
The User Bindings tab is used to correlate the directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the directory is set up in a non-standard way.


Binding attribute
The non-changing unique identifier for the user. This should be an item that is unique for that user and unlikely to change for the existence of this account, despite changes in surname or group membership.

Endpoint Encryption username
An attribute used to create the Endpoint Encryption username. NOTE: Endpoint Encryption user IDs are limited to 256 characters; you should not use an attribute that is likely to exceed this length.

Change attribute
The directory attribute containing the account change stamp.

Logon hours
The directory attribute containing the User Logon Hours information.

Account control
The directory attribute containing the user account disabled/enabled information.

Account expires
The directory attribute containing the account expiry date.

Delay between each user
You can limit the bandwidth that this connector consumes by putting a delay between each user synchronization.

Excluded users
You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process. You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users.

Revocation check
If you are using certificates to authenticate your users, you can enable revocation checking to ensure that if certificates are revoked, the user is denied access to Endpoint Encryption. Specify the appropriate LDAP parameters for your published revocation list, and the behavior the connector should follow when revoking users.

Using binary data attributes


In some circumstances you may want to use binary attributes to perform matching and group associations in the LDAPCon. The values for such attributes cannot be directly entered into the connector fields; they must be entered as escaped sequences.

To determine what values to add, use your LDAP Browser to view the data in the directory. In this schema, the attributes objectGUID and objectSid are binary attributes. If you wanted to manually link an existing Endpoint Encryption user to this directory user via their objectGUID, you would need to assign the binding attribute to objectGUID in the Endpoint Encryption user's User Bindings properties, add a binding to LDAPConnector.username in their Endpoint Encryption profile which matches the escaped attribute value, and also define the attribute objectGUID as a binary data type in the Attribute Types list in general options.

Figure 22: Connector binding with escaped value

LDAP browser from Softerra


When configuring the LDAPCon, it is highly desirable to view the Netware Directory in its unadulterated, raw, LDAP state. To do this we strongly recommend the free tool LDAP Browser from Softerra (http://www.ldapbrowser.com). This tool may be found on your Endpoint Encryption CD, or included on the Endpoint Encryption Enterprise CD in the Tools directory.

Connecting to your directory using LDAP browser
To connect LDAP Browser to your directory, you will need to know its IP or DNS name, and have a valid administrative account to access the data with. Create a new entry in LDAP Browser for your directory server; you may not need to enter a Base DN, but will need the full distinguished name for your administration account. Once you have successfully connected to your Netware Directory, you can start browsing the information to check the appropriate fields to use for the LDAPCon.

Choosing the correct fields for synchronization
The exact settings used in any particular installation of LDAPCon are particular to each installation; in most cases the default settings are appropriate for general use, although some customization can be performed, especially when considering custom user to Endpoint Encryption group mapping, and custom exclusion of users. In the case of the user whose properties are listed above, it can be seen that there are multiple objectClass attributes; these could be used to make a decision on their mapping to Endpoint Encryption groups (by using the Group Information fields). Also, it can be seen that any of the attributes cn, givenName, sn could be used to populate the Endpoint Encryption Username, although some of these may result in collisions with other similarly named users. Attributes such as groupMembership or securityEquals could also be used to map a user to a group, or to exclude a particular user from the synchronization process. NOTE: The distinguishedName attribute is treated as a special case when matching values: any fragment of the value can be matched. All other attributes are matched on their entire value. This attribute may not be displayed in a browser window, but exists internally.

Active Directory Connector (ADCon)


ADCon is an optional connector designed to populate the Endpoint Encryption user list from an existing Microsoft Active Directory. By specifying an Active Directory to synchronize with, the connector mines the directory, creating Endpoint Encryption user accounts for Active Directory users who meet certain pre-defined criteria, and continuously updating their policy to match that stored in the AD. For information on purchasing ADCon please contact your McAfee representative. If an Active Directory user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. You can also make decisions to globally disable users based on any attribute using the excluded users function. The v4.2.12+ versions of the Active Directory Connector can also use certificates stored in the AD to create users who can log on to Endpoint Encryption applications using Smart Cards and eTokens. These crypt-only tokens do not have to be initialized for use with Endpoint Encryption, as the PKI certificates stored on them can be used without any initialization. ADCon can run on Windows 2000 Professional, XP Professional and Vista. It requires network access to both an Endpoint Encryption Server, and the Active Directory itself.

Contents
Summary of connected attributes
General options
Group mappings
User mapping
User attributes
Excluded users
Using binary data attributes

Summary of connected attributes


McAfee Endpoint Encryption Manager has the following connected attributes for AD that you need to understand and configure correctly.

Active Directory username: Used to create new Endpoint Encryption users. Various Active Directory attributes can be used to create the Endpoint Encryption user name. If the Active Directory user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box. CAUTION: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint Encryption user's key will be recoverable. We recommend you disable users only, and delete them manually.
Active Directory user status: The Endpoint Encryption user status mirrors the Active Directory user status, either enabled or disabled.
Active Directory user logon hours: The Endpoint Encryption user logon hours are set to match the Active Directory user's.
Password change: The ability to change the password is reflected in the Endpoint Encryption user account.
Information fields: Up to 10 fields of information from the Active Directory can be placed in the Endpoint Encryption user's field list.
Valid until: The expiry date of the Active Directory account is placed in the Endpoint Encryption user valid until field.
Group membership: Logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all). Also, if certain changes happen to the Active Directory user, their Endpoint Encryption group can be set to change accordingly.

General options
McAfee Endpoint Encryption Manager has the following general options that you need to understand and configure correctly.

Connection details
Connection name: A text description for this instance of the connector.
Host: The IP address, or DNS name, of the Active Directory server you wish to connect to.
Port: The TCP/IP port that the target Active Directory is publishing on. This is usually 389.
Use secure connection: This option allows you to specify a secure connection. It will change the port number to 636 (note: this is configurable). The Certificate... button will also activate and you can browse and select the right certificate from the Microsoft Certificate store. Certificates are generated for particular users. Microsoft has removed the ability to specify a user logon in this instance; the encryption and logon is determined by the certificate.
Protocol version: The LDAP Protocol version your Active Directory supports; this is usually Version 3.
Anonymous login: If your Active Directory supports anonymous logon, check this box, otherwise complete the Logon Credentials section. The account name you use to authenticate to the AD must have full view access of the full set of user attributes you want to synchronize with.
User DN: Enter the full distinguished name for the AD administrator's account, or the account you intend to use the connector with. You can find this by contacting your AD Administrator. You can also specify the user name in a fully qualified AD format, for example, someone@somewhere.com.
Password: Enter and confirm the password for the account you specified in the User DN field.

Search Settings
Search Settings define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later in this chapter. You can also use Search Groups to define which users the connector processes; for more information, see the next section. NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence.

Base DN: The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your Active Directory if you need to limit the scope of the connector.
Object filter: Enter an appropriate filter to restrict the connector's view of objects in the directory. The default filter:
(&(objectClass=User)(!objectClass=Computer))
restricts the view to directory objects that are of class User and not of class Computer. If you only need to synchronize a small segment of users from the AD to Endpoint Encryption, you can specify a detailed Object Filter; this will make the process more efficient by forcing the connector only to look at the users which are interesting to it. For example, to restrict the connector's view to users of the group Endpoint Encryption only, you could use a query like:
(&(objectClass=user)(!objectClass=computer)(memberOf=CN= McAfee,OU=Uk,DC=cbi,DC=com))
Wherever you specify a search query, you must use the full parameters as accepted by the AD, so in the example above the memberOf parameter must match exactly that shown in the user. You can use an LDAP browser to see the correct attribute details.
Timeout: Specify the connection timeout for your Active Directory.
Entry limit: Specify the maximum number of objects to synchronize; this setting is useful when you need to test the behavior of the connector. For production use, set it to 0 (unlimited). Some versions of Active Directory may not accept this parameter.

Referrals: If your Active Directory uses referrals, you can enable this feature in the connector.
Search depth: You can limit the scope of the connector by reducing the section of the directory that is searched for users.
Monitor changes: If your Active Directory supports change logging, you can enable monitoring to enhance the performance of the connector. This sets up an asynchronous search on the Active Directory server which reports when leaves are updated. The Active Directory search monitoring cannot take account of complex Object Filters; if you need to specify more criteria than the default to prevent the monitor returning unwanted users, you can edit the Connector Manager Settings file manually, adding entries in the following section:
UserValid0.DSAttrib=objectClass
UserValidity0.AttribVal=user
UserValid1.DSAttrib=objectCategory
UserValidity1.AttribVal=CN=Person
UserValid2.DSAttrib=memberOf
UserValidity2.AttribVal='full memberOf attribute'

Search groups
Search Groups define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later in this chapter. You can also use Search Settings to define which users the connector processes; for more information, see the previous section. NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence. With Search Groups you can specify the DNs of a list of group objects from your AD. The connector will then retrieve all the members from the specified groups (and any groups contained within), then individually process the derived user list. This method can be more efficient than the Search Settings method if the population of users which need to be synchronized is defined in a small number of groups. If the users can be identified through another attribute, or are all within certain OUs, Search Settings may be more appropriate. NOTE: Search Groups can only be used with true LDAP Groups (i.e. objects containing members). You cannot use this method with OUs.

Attribute types
Binary data attributes must be defined in this list before they can be used by the AD connector. You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant. For example, in the DN CN= McAfee,CN=COM,FN=Fred ; if substring searching is enabled for DN, then CN=COM is a valid match.

Group mappings
To ease the configuration of many synchronized Active Directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. As each Active Directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per user causes the ADCon to create or assign the user in the specified Endpoint Encryption user group. You can create new entries by double-clicking the table; by right-clicking an entry you can change its order, edit, or delete it. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize an Active Directory user list into Endpoint Encryption and have minimal configuration work left. For example, if the following group mappings were specified:

Directory service attribute | Active Directory Organizational Unit (attribute value) | Endpoint Encryption group name
distinguishedName | OU=R&D | R&D
distinguishedName | OU=Sales | Sales
distinguishedName | OU=Support | Techsup
distinguishedName | OU=Management | MT

An Active Directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales as that clause comes first in the list. You can use any attribute of the user to map, for example their DN, or a group membership. By specifying the No Mapping Exists behavior you can select one of four options:
1 Use a defined group
2 Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).
3 Add the user to the default group
4 Ignore, Remove, Disable or Recycle the user

NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data.
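The first-match group mapping and the excluded-users check described above, as an added example that is not part of the guide or the McAfee connector: it runs the guide's example table over constructed directory entries. Assumptions: values compare case-insensitively, only distinguishedName (plus anything you add to the substring-search list) matches on fragments, and the No Mapping Exists behaviour is modelled as a default group name.

```python
# Added example (not McAfee code): first-match group mapping plus the
# excluded-users check, over constructed entries. Assumes case-insensitive
# comparison and fragment matching only for substring-search attributes.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class MappingRule:
    attribute: str   # directory service attribute, e.g. distinguishedName
    value: str       # attribute value (or DN fragment) to look for
    group: str       # Endpoint Encryption group to create/assign the user in


@dataclass
class DirectoryUser:
    dn: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)

    def values(self, attribute: str) -> List[str]:
        # distinguishedName may not be shown by a browser but exists internally
        if attribute.lower() == "distinguishedname":
            return [self.dn]
        for name, vals in self.attributes.items():
            if name.lower() == attribute.lower():
                return vals
        return []


# Attributes matched on any fragment; all others match on their whole value.
SUBSTRING_ATTRIBUTES = {"distinguishedname"}


def attribute_matches(user: DirectoryUser, attribute: str, wanted: str,
                      substring_attrs=SUBSTRING_ATTRIBUTES) -> bool:
    fragment = attribute.lower() in substring_attrs
    for value in user.values(attribute):
        if fragment and wanted.lower() in value.lower():
            return True
        if not fragment and wanted.lower() == value.lower():
            return True
    return False


def is_excluded(user: DirectoryUser, exclusions: List[MappingRule]) -> bool:
    """Excluded users: any matching attribute check drops the user from sync."""
    return any(attribute_matches(user, r.attribute, r.value) for r in exclusions)


def map_to_group(user: DirectoryUser, rules: List[MappingRule],
                 no_mapping: str = "default group") -> str:
    """First matching row of the Group Mapping table wins; otherwise the
    configured No Mapping Exists behaviour applies (here: a default group)."""
    for rule in rules:
        if attribute_matches(user, rule.attribute, rule.value):
            return rule.group
    return no_mapping


# The guide's example table, in table order.
GROUP_MAPPINGS = [
    MappingRule("distinguishedName", "OU=R&D", "R&D"),
    MappingRule("distinguishedName", "OU=Sales", "Sales"),
    MappingRule("distinguishedName", "OU=Support", "Techsup"),
    MappingRule("distinguishedName", "OU=Management", "MT"),
]

# Constructed exclusion: a whole-value memberOf check (group DN is made up).
EXCLUSIONS = [MappingRule("memberOf", "CN=Contractors,OU=Uk,DC=cbi,DC=com", "")]


def sync_decision(user: DirectoryUser, rules=GROUP_MAPPINGS,
                  exclusions=EXCLUSIONS) -> str:
    """Exclusion is checked before mapping; returns the target group name."""
    if is_excluded(user, exclusions):
        return "excluded"
    return map_to_group(user, rules)


# Constructed sample users (not real directory data).
ALICE = DirectoryUser("CN=Alice,OU=R&D,DC=cbi,DC=com")
BOB = DirectoryUser("CN=Bob,OU=Support,OU=Sales,DC=cbi,DC=com")  # two rows match
CAROL = DirectoryUser("CN=Carol,OU=SalesOps,DC=cbi,DC=com")       # not in OU=Sales
DAVE = DirectoryUser("CN=Dave,OU=Sales,DC=cbi,DC=com",
                     {"memberOf": ["CN=Contractors,OU=Uk,DC=cbi,DC=com"]})

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(u.dn, "->", sync_decision(u))
```

Because distinguishedName matches on any fragment, OU=Sales also matches Carol's OU=SalesOps and would give her the Sales group's machine access; anchoring the fragment with its trailing comma (OU=Sales,) avoids that.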

User mapping
The ADCon has the ability to map up to 10 fields of information from the Active Directory into the Endpoint Encryption Directory. A typical use of this feature would be security question-answer sessions to aid validation of a remote user. To add a new entry either double-click, or right-click on the input table. If the Active Directory attributes mapped to these Endpoint Encryption fields change, then the user's Endpoint Encryption account will be updated accordingly.

New user's password
When a new account is created in the Endpoint Encryption directory, the password will be set to the option specified. If you set the account to a random password, the user will need to be recovered or the account manually set to a known password before the user will be able to authenticate to Endpoint Encryption.

Removal behavior
You can choose to remove users from Endpoint Encryption if their account is removed from the Active Directory, disable them only, or ignore this event. NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New user's token
If you are using certificates, via, for example, Microsoft Certificate Server, you can allow your users to log in to Endpoint Encryption using their existing Certificate Token, for example an Activcard, eToken, or Setec token. For information about the supported tokens please see the Tokens chapter of this guide. Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user.

Search Endpoint Encryption for user binding
Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users will be disabled, and the connector will expect to find the users pre-existing in the Endpoint Encryption directory. The connector will search for users with a binding which matches its identifier, and will only process those users. You can use the Search Endpoint Encryption option to process directories which contain a large population of uninteresting users. If you can pre-seed the Endpoint Encryption directory with the names of the users, and appropriate binding information (for example using the scripting tool) you can greatly streamline the process.

User attributes
The User Bindings tab is used to correlate the Active Directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the Active Directory is set up in a non-standard way.

Binding attribute: The non-changing unique identifier for the user. This should be an item that is unique for that user, and unlikely to change for the existence of this account despite changes in surname or group membership.
Endpoint Encryption username: An attribute used to create the Endpoint Encryption username. NOTE: Endpoint Encryption user ids are limited to 256 characters; you should not use an attribute that is likely to exceed this length.
Change attribute: The Active Directory attribute containing the account change stamp.
Logon hours: The Active Directory attribute containing the User Logon Hours information.
Account control: The Active Directory attribute containing the user account disabled/enabled information.
Account expires: The Active Directory attribute containing the account expiry date.
Delay between each user: You can throttle the bandwidth that this connector consumes by putting a delay between each user synchronization.

Excluded users
You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process. You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users.

Revocation check
If you are using certificates to authenticate your users, you can enable revocation checking to ensure that if certificates are revoked, the user is denied access to Endpoint Encryption. Specify the appropriate LDAP parameters for your published revocation list, and the behaviour the connector should follow when revoking users.

Using binary data attributes


In some circumstances you may want to use binary attributes to perform matching and group associations in the ADCon. The values for such attributes cannot be directly entered into the connector fields; they must be entered as escaped sequences. To determine what values to add, use your LDAP Browser to view the data in the Active Directory. In this schema, the attributes objectGUID and objectSid are binary attributes. If you wanted to manually link an existing Endpoint Encryption user to this Active Directory user via their objectGUID, you would need to assign the binding attribute to objectGUID in the Endpoint Encryption user's User Bindings properties, add a binding to ADConnector.username in their Endpoint Encryption profile which matches the escaped attribute value, and also define the attribute objectGUID as a binary data type in the Attribute Types list in general options.
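The escaping described here and in the LDAPCon section above, as an added example that is not part of the guide or the McAfee connectors: it converts the text form of objectGUID and objectSid that an LDAP browser displays into an escaped binding value, and decodes it again for checking. The "\xx" hex-escape form (one backslash and two hex digits per byte) and all sample values are assumptions, so confirm the form your connector version accepts against one known user before relying on it.

```python
# Added example (not McAfee code): build the escaped binding value for the
# binary AD attributes objectGUID and objectSid. Assumes the connector takes
# the LDAP-style "\xx" hex escape per byte (assumption, not from the guide).
import re
import struct
import uuid

# Attributes the guide names as binary. They must also be listed as binary
# in the connector's Attribute Types list before the escaped value matches.
BINARY_ATTRIBUTES = {"objectguid", "objectsid"}


def guid_to_bytes(guid_text: str) -> bytes:
    """objectGUID as AD stores it: the first three GUID fields are
    little-endian, which is exactly the layout uuid's bytes_le produces."""
    return uuid.UUID(guid_text).bytes_le


def bytes_to_guid(raw: bytes) -> str:
    return str(uuid.UUID(bytes_le=raw))


_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$", re.IGNORECASE)


def sid_to_bytes(sid_text: str) -> bytes:
    """S-R-I-S1-S2-... -> the binary SID layout held in objectSid: revision
    (1 byte), sub-authority count (1 byte), identifier authority (6 bytes,
    big-endian), then each sub-authority as 4 bytes little-endian."""
    m = _SID_RE.match(sid_text)
    if not m:
        raise ValueError(f"not a SID string: {sid_text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; rejects a blob whose length disagrees with
    its own sub-authority count (a truncated or mis-typed value)."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def ldap_escape(raw: bytes) -> str:
    """Escape every byte as \\xx so the value can be typed into a text field."""
    return "".join("\\%02x" % b for b in raw)


def ldap_unescape(text: str) -> bytes:
    if not re.fullmatch(r"(?:\\[0-9a-fA-F]{2})+", text):
        raise ValueError("expected an unbroken sequence of \\xx escapes")
    return bytes.fromhex(text.replace("\\", ""))


def binding_value(attribute: str, text_value: str) -> str:
    """Turn the human-readable form shown by an LDAP browser into the value
    to enter as the user's connector binding. Non-binary attributes are
    entered as they are."""
    name = attribute.lower()
    if name == "objectguid":
        return ldap_escape(guid_to_bytes(text_value))
    if name == "objectsid":
        return ldap_escape(sid_to_bytes(text_value))
    return text_value


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(binding_value("objectGUID", "01020304-0506-0708-090a-0b0c0d0e0f10"))
    print(binding_value("objectSid", "S-1-5-32-544"))
```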

LDAP browser from Softerra


When configuring the ADCon, it is highly desirable to view the Active Directory in its unadulterated, raw, LDAP state. To do this we strongly recommend the free tool, LDAP Browser, from Softerra (http://www.ldapbrowser.com). This tool may be found on your ADCon CD, or included on the Endpoint Encryption Enterprise CD in the Tools directory.

Connecting to your Active Directory using LDAP browser
To connect LDAP Browser to your Active Directory, you will need to know its IP or DNS name, and have a valid administrative account to access the data with. Create a new entry in LDAP Browser for Microsoft Active Directory; you may not need to enter a Base DN, but will need the full distinguished name for your administration account. Typical properties of an Active Directory connection are:

Once you have successfully connected to your Active Directory, you can start browsing the information to check the appropriate fields to use for the ADCon.

Choosing the correct fields for synchronization
The exact settings used in any particular installation of ADCon are particular to each installation; in most cases the default settings are appropriate for general use, although some customization can be performed, especially when considering custom user to Endpoint Encryption group mapping, and custom exclusion of users. In the case of the user whose properties are listed above, it can be seen that there are multiple memberOf attributes; these could be used to make a decision on their mapping to Endpoint Encryption groups (by using the Group Information fields). Also, it can be seen that any of the attributes userPrincipalName, sn, sAMAccountName, name, givenName, or cn could be used to populate the Endpoint Encryption Username, although some of these may result in collisions with other similarly named users. Attributes such as memberOf or distinguishedName could also be used to map a user to a group, or to exclude a particular user from the synchronization process. NOTE: The distinguishedName attribute is treated as a special case when matching values: any fragment of the value can be matched. All other attributes are matched on their entire value.

Endpoint Encryption webHelpdesk server


Endpoint Encryption webHelpdesk Server allows Endpoint Encryption administrators and users to perform password reset functions (the Endpoint Encryption Challenge Response system) via a web interface.

Contents
About Endpoint Encryption HTTP server
webRecovery
Remote password change
Prerequisites
Password expiration warning

About Endpoint Encryption HTTP server


The normal recovery interface requires the administrator to have access to an Endpoint Encryption Manager console. In some environments this may not be practical; in this case the Endpoint Encryption webHelpdesk Server can be used to present the same recovery interface via a web browser.

Figure 23: WebHelpdesk/webRecovery

webRecovery
A further enhancement available with the Endpoint Encryption webHelpdesk Server is the ability for users to reset their own passwords. This is an optional service which allows users, after pre-registering, to drive the challenge/response system themselves simply by providing the correct answers to a selection of pre-registered questions.

Figure 24: webRecovery Registration Questions

The Endpoint Encryption webHelpdesk server is a dedicated SSL (Secure Sockets Layer) web server, customised to protect against known web server attacks. It is stand-alone and does not require Microsoft IIS, or any other web services, to be installed on the hosting computer.

Remote password change


As a final option, you can also change a user's password directly within the Endpoint Encryption database using the Reset Users Password option. This allows administrators to set new passwords for other administrators and users, without going through the recovery process.

Prerequisites
To install this component, you will need a pre-configured Endpoint Encryption Manager at version 4.2 or above. You can check the version of Endpoint Encryption you are using through Help/About/Modules. Endpoint Encryption HTTP Server is designed to function on Windows 2000/XP only and does not use any other internet services. We strongly advise that Microsoft IIS is not used on the same computer as an Endpoint Encryption Manager system or database, for security reasons. Because Endpoint Encryption webHelpdesk Server uses HTTPS, you will need to provide it with a suitable SSL certificate. You can purchase one of these from Endpoint Encryption, or from other certificate vendors.

Password expiration warning


The Web Helpdesk administration and support passwords will not expire without a prior warning. The time of this warning can be set in the User | Properties | Passwords screen of the Endpoint Encryption Manager.

Activating Endpoint Encryption webHelpdesk


Once installed you can start the Endpoint Encryption webHelpdesk server with the following command prompt command or from the services manager:
sbhttp -startservice

The service can be correspondingly stopped either using the system service manager, or with:
sbhttp -stopservice

The service will not start correctly until you have installed an SSL certificate.

Contents
Install an SSL Certificate
Configuring the webHelpdesk server
Configuring webRecovery

Install an SSL Certificate


You must install an SSL certificate before the server runs correctly, and import a Server Authentication certificate into the Personal certificate store for the service. If you are using an Endpoint Encryption certificate, you can also import the Endpoint Encryption root CA cert into the Trusted Root Certification Authorities store, either for the Endpoint Encryption service, Local Computer, or Local User.

Before you begin
Make sure that you have appropriate permissions to perform this task.

Task
1 Open the MMC Console through Start | Run | MMC.
2 Click File and then Add/Remove Snap-in.
3 Click Add from the Standalone tab.
4 Select Certificates from the Add Standalone Snap-in dialog box. This will add the Certificates option to the Console. See screenshot overleaf.
5 Click the Endpoint Encryption HttpServer\Personal option and then select the Certificates folder inside it.
6 Right-click in the right hand pane and select All Tasks followed by Import.
7 Browse until you find the certificate files (*.cer, *.crt, *.pfx).
8 Click the Place all certificates in the following store option (EndpointEncryptionHttpServer\Personal).
9 Click Next followed by Finish to add the certificate. If the certificate you are using is allocated to the same machine name that you are running the server on, once you have installed it you can restart the service using one of the following commands or the system service manager:
net start "Endpoint Encryption HTTP Server"
sbhttp -startservice
10 Follow the same procedure for other certificates.

If the certificate has a different name then the server will not start and will log a Certificate Not Found error. You can edit the section
[Configuration]
Server.Ssl.CertName=Name of the cert
in the file SBHTTP.ini to point to the machine name registered in the cert. Endpoint Encryption ships with an evaluation server certificate with the name "127.0.0.1.pfx" and password "12345" which can be found in the Tools directory of your Endpoint Encryption CD. You can purchase a full cert from CBI, or use one from a third party certificate provider. NOTE: If you use a mismatched site/machine/cert name, then users and administrators will be warned that the certificate is invalid every time they access the recovery web site.

Configuring the webHelpdesk server


Once you have installed the program, added a certificate, and restarted the service, you can log on to the webHelpdesk server and configure it to talk to an Endpoint Encryption Object Directory, or edit SBHTTP.ini directly. The server uses the same connection details as the Endpoint Encryption administrator; any connection type specified in the login box for Endpoint Encryption can be used.

To configure the connection, click the Administrators section link and then click Configure Endpoint Encryption HTTP Server. You will need to log in with a user id which has Endpoint Encryption Start Server as Service rights.

Figure 25: Configuring the Endpoint Encryption HTTP server


Server name: A logical name used to identify the server.
Port: The port the server should expose the interface on (usually 443).
Server certificate name: The machine name specified in the SSL certificate.
Log file: A path/name for the server diagnostic log.
Logon timeout: A time (in minutes) to keep inactive Administrator connections authenticated for (usually 5 minutes).

NOTE: When you configure the webHelpdesk server you will need to close the browser and restart the webRecovery server for the changes to take effect.

Configuring webRecovery
You configure the user webRecovery server via its web interface. You can specify a number of questions (1-10) to be registered, and the number to be answered to authenticate the user for self recovery. The questions can be changed by editing the SBWebRec.ini file. The user name and password you log in with to configure webRecovery are stored in sbwebrec.ini and used for future sessions. NOTE: You must log in to webRecovery at least once to set up its initial parameters; if you do not, users will not be able to reset their password and will receive db010010 Object Not Found messages.

Figure 26: Configuring webRecovery

CAUTION: When you configure the webHelpdesk server you will need to close the browser and restart the webRecovery server for the changes to take effect. Questions and Answers are stored as pairs in the user's Endpoint Encryption profile so you can safely change the questions at any time. This will not prevent users with out of date questions from recovering their password.

Recovering users using webHelpdesk


The client system users and user accounts can be recovered using webHelpdesk. NOTE: webHelpdesk cannot be used for resetting or changing the PIN codes of smart cards.

Contents
With Challenge-Response
Recovering users by directly changing their password
User self recovery (webRecovery)

With Challenge-Response
After navigating into the helpdesk operator's section of the web helpdesk, choosing either to reset an Endpoint Encryption or a pocket Endpoint Encryption system, and logging in using their Endpoint Encryption id and password, the operator is presented with the webHelpDesk User Challenge screen.

Figure 27: webHelpdesk Challenge


The helpdesk operator enters the challenge from the user's screen (the user reads it to the helpdesk operator over the telephone), selects the action to perform, for example Reset Users Password, and clicks Next.

Option                          Description
Reset Users Password            Resets a user's forgotten password.
Unlock User                     Unlocks a user whose account has become locked.
Change Token                    Changes the authentication token for the user. Choose the new token from the drop-down list.
4.2 SP1 + Create Token          Creates a token for version 4.2 of Endpoint Encryption (SafeBoot).
Boot Machine Once               Reboots the machine.
Cancel Screen Saver             Cancels the Endpoint Encryption screen saver.
Bypass Preboot Authentication   Skips pre-boot authentication and logs the user into Windows. The user can then change their Windows password and allow the synchronization and single sign-on processes to follow through.

Figure 28: webHelpdesk response

If the challenge was entered correctly, a response page is displayed which gives the operator the recovery code to read out to the user; entering it performs the selected operation (in this case, resetting the password to 12345). The page also displays user information which can be used to check the authenticity of the user: the helpdesk operator can ask the user, for example, "What is your mother's maiden name?" and then check the answer. Verify the caller's identity against this information before reading out the response. Various Endpoint Encryption applications, such as Endpoint Encryption for Files and Folders and Endpoint Encryption for PC, can be recovered using this system.


Recovering users by directly changing their password


From the main page, select the Reset Users Password button. You are then required to authenticate with your normal Endpoint Encryption administrator ID and password. Next, a simple form lets you specify a user ID and the new password (with confirmation). As long as the administrator performing the change has a higher admin level than the user being reset, the new password is applied.

Figure 29: webRecovery Reset Password

User self recovery: webRecovery


The webRecovery interface allows users to reset their own forgotten Endpoint Encryption passwords on PCs once they have pre-registered with the service. Users register answers to a configurable number of pre-set questions and must later recall the correct answers to authenticate themselves and get their password reset. It is not as secure as the helpdesk-driven recovery service, as it is quite possible for users to enter simple or trivial answers to their recovery questions, but it has the advantage that it can operate 24x7 without human interaction.

Figure 30: webRecovery

Registering for webRecovery


Before users can reset their own passwords, they must register a number of questions and answers that they will use to prove their identity to the system through the recovery interface. They must also have the Allow webRecovery option ticked in their Token properties. See the Creating and Configuring Users chapter.


After clicking the Register button, users need to log in with their current Endpoint Encryption ID and Password.

Figure 31: webRecovery Registration

NOTE: If users do not know their password at this time, they must call their Endpoint Encryption helpdesk and have their password reset using one of the helpdesk-driven mechanisms.


Figure 32: webRecovery registration questions Once they have registered their preferred questions and answers, they are free to use the recovery service if they forget their password.

Recovery using webRecovery


To use the webRecovery service, a user who has forgotten their password simply accesses the HTTP server from any web browser, perhaps in an internet café, and clicks the Reset Password button. They then enter the challenge that is displayed on their Endpoint Encryption screen.

Figure 33: webRecovery challenge


If the challenge is correct, they are asked to enter the answers to a selection of their registered questions; if these are correct, the user is presented with the response to type back into their Endpoint Encryption boot screen.

Figure 34: webRecovery answers

Figure 35: webRecovery response


License management
The Endpoint Encryption directory is licensed in terms of the number of allowed users, the number of allowed machines, and license file expiry dates. You can view the current license status of your directory using the File/License Information option. The summary boxes at the bottom of the screen show the current active license count. Expired or invalid licenses are not included in the count, although they may still be shown in the license list.

Contents
License information

License information
Multiple license files can be added to the list using the Add button, but each file can only be added once.

Figure 36: User information


Option                  Description
License Restrictions    License files can have many restrictions built in:
Number of Users         Restricts the maximum number of users that can be managed.
Number of Machines      Restricts the maximum number of machines that can be managed.
Number of PDA Devices   Restricts the maximum number of CE machines that can be managed.
Directory locked        Some license files are locked to work only on a particular directory. If you re-create your directory, you will need to obtain a new license file.
Expires                 Some license files expire after a certain time period.
Exclusive               License files marked as exclusive do not co-exist with other license files. Only one exclusive license file can be used at any time. If you import two exclusive license files, only the first one will be effective.
Addons                  Extra components such as SBAdmCL, Connectors, and other utilities may require an additional license code. The names of the additional components licensed are displayed in this field.

You may have received an extra license file with your copy of Endpoint Encryption; if so, you can import it into the directory using the Add button. If you need more licenses, you can save the current information out of your directory using the Save button; this creates a text file which you can fax or e-mail to your McAfee representative, who can obtain all the details required to create new extended licenses from it. You may also want to save the license file information to help you order replacement files in the event of a drive crash.

Common criteria EAL4 mode operation


To use your implementation of Endpoint Encryption in its Common Criteria mode of operation, make sure that the following conditions are met:

- Endpoint Encryption must be installed using the Endpoint Encryption AES (FIPS) 256-bit algorithm.
- Administrators must enforce the following policy settings: a minimum password length of five characters or more, and disabling of accounts after 10 or fewer invalid password attempts.
- All data and operating system partitions on systems where the Endpoint Encryption client has been installed must be fully encrypted. You can check conformance by viewing the Endpoint Encryption client status window: if any drives are highlighted in red, they are not fully encrypted.
- Administrators must enforce use of the Endpoint Encryption Secure Screen Saver mode.
- Use of Autoboot mode is prohibited.
- Machine and user recovery key sizes must be non-zero (Machine/Encryption properties and User/Token properties).

Contents
Administrator guidance
User guidance

Administrator guidance
To comply with Common Criteria (CC) requirements, these policy settings must be applied before installing any clients. There must be a system in place for maintaining secure backups that are separately encrypted or physically protected, so that data security is not compromised through theft of, or unauthorized access to, backup information. Backups should be regular and complete to enable system recovery. This is essential in the event of loss or damage to data as a result of the actions of a threat agent, and to avoid the vulnerability of being forced to use less secure systems. Users (including administrators) must protect all access credentials, such as passwords or other authentication information, in a manner that maintains IT security objectives. Customers implementing an Endpoint Encryption enterprise must ensure that they have in place a database of authorized TOE users along with user-specific authentication data, so that administrative personnel can verify the identity of a user over a voice-only telephone line before providing support or initiating recovery. Endpoint Encryption provides the means to display personal information, such as the user's ID number, as part of the User Information Fields, but any other appropriate system is acceptable.


Administrators should ensure their users are fully trained in the use of the Endpoint Encryption for PC Client software as described in the chapter Client Software of the Endpoint Encryption for PC Administration Guide, and should remind them of the security procedures detailed in the User Guidance.

User guidance
Users must maintain the confidentiality of their logon credentials, such as passwords and tokens. Users must not leave an Endpoint Encryption protected PC unattended in a logged-on state unless it is protected by the secure screen saver. Users must be informed of the process they need to follow to contact their administrator in the event that they need to recover their PC, for example if they forget their password or their user account becomes disabled, whether through the actions of the administrator or through repeated incorrect login attempts.


Tuning the Object Directory (The Name Index)


To speed up object name-to-id lookup and license validation, Endpoint Encryption provides an optional "Name Index" which can be enabled to improve performance on object directories with large numbers of users (more than 3000) or high levels of simultaneous activity (more than 10 concurrent administration connections). If your Endpoint Encryption object directory server shows high or constant hard disk access with low CPU usage, you may also benefit from enabling name indexing.

Contents
About name indexing
Enabling and configuring name indexing
Enabling directory compression

About name indexing


Most lookups in the Endpoint Encryption object directory are performed by object id: for instance, when a machine synchronizes it navigates directly to its attributes via its unique object id. This holds true for the majority of activity on the directory. When a user logs in, for instance through the file encryptor or the Administration console, the directory infrastructure performs a name-to-id lookup; this involves trawling the object directory to find the user object whose name attribute matches the one requested. Likewise, when a new object is created, a trawl of the entire database is initiated to check that the new user, machine, etc. is unique. The Name Index creates a shortcut for name-to-id lookup by periodically building indexes of the name/id attributes of all objects in the directory. Once created, all lookups pass through the cache for resolution; as the cache is much smaller than the directory, this leads to dramatic increases in performance, mainly through better use of the operating system file cache. As a side effect, the name index also speeds up counting objects in the database (part of license validation).

Enabling and configuring name indexing


The Name Index is controlled through the file dbcfg.ini stored in the root of the object directory (normally the sbdata directory). The index files are stored in the root of each object type. The following section should be in dbcfg.ini:

[NameIndex]
Enabled=Yes


More details about the dbcfg.ini file, and further tuning options, can be found in the Endpoint Encryption Configuration Files chapter.

Performance tests

These tests are approximate indications of the benefit of the Name Index, measured on a 5000-user database. They were performed using a login ID at the end of the database (the worst case).

Task: Create User, with Name Index enabled
  1 bucket      +455%
  16 buckets    +460%
  64 buckets    +500%
  256 buckets   +400%

As the table shows, enabling the Name Index drastically improves the performance of the enumeration functions. The exact parameters to use for any particular database/server combination depend largely on the memory and caching behaviour of the server itself. As a rough guide, CBI consultants have found that tuning the bucket count so that cache files do not exceed 64KB has proved optimal. If you require performance tuning for your object database, please consider a consultancy visit, as tinkering with the Endpoint Encryption object database can result in loss of users and machines.
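The following model of the Name Index is an added example written for this page; it is not McAfee code and the real index file format is not documented here. It shows what the sections above describe: a name-to-id lookup that otherwise trawls every object is answered from one of HashCount small bucket files, the index is rebuilt only when LifeTime has elapsed (0 means never), and writers take a lock with the LockTimeout/LockSleep retry loop. The bucket file format (JSON), the hash (SHA-1 of the lower-cased name), the exclusive-create lock file and the case-insensitive name comparison are all assumptions made for illustration; the units follow dbcfg.ini (LockTimeout in 1/100 s, LockSleep in 1/1000 s, LifeTime in seconds).

```python
"""Model of the Name Index: hashed bucket files in front of name-to-id lookup.

Added example, not McAfee code. Bucket format, hash, lock scheme and
case-insensitive matching are assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile
import time


class NameIndex:
    def __init__(self, root, load_objects, hash_count=16,
                 lock_timeout=3000, lock_sleep=10, lifetime=1800):
        self.root = root
        self.load_objects = load_objects        # callable -> iterable of (object_id, name)
        self.hash_count = hash_count            # HashCount
        self.lock_timeout = lock_timeout / 100  # LockTimeout, converted to seconds
        self.lock_sleep = lock_sleep / 1000     # LockSleep, converted to seconds
        self.lifetime = lifetime                # LifeTime in seconds; 0 = never expires
        self.built_at = None
        self.trawls = 0                         # full-directory scans performed

    def _bucket(self, name):
        """Assumed hash: SHA-1 of the lower-cased name, reduced modulo HashCount."""
        digest = hashlib.sha1(name.lower().encode("utf-8")).digest()
        number = int.from_bytes(digest[:4], "big") % self.hash_count
        return os.path.join(self.root, "name%03d.idx" % number)

    def _acquire_lock(self):
        """Exclusive-create lock file, retried every LockSleep until LockTimeout."""
        path = os.path.join(self.root, "nameindex.lock")
        deadline = time.monotonic() + self.lock_timeout
        while True:
            try:
                os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY))
                return path
            except FileExistsError:
                if time.monotonic() >= deadline:
                    raise TimeoutError("name index lock not available")
                time.sleep(self.lock_sleep)

    def rebuild(self):
        """One trawl of the whole directory, written out as HashCount bucket files."""
        self.trawls += 1
        buckets = {}
        for oid, name in self.load_objects():
            buckets.setdefault(self._bucket(name), {})[name.lower()] = oid
        lock = self._acquire_lock()
        try:
            for stale in os.listdir(self.root):          # drop buckets from the previous build
                if stale.endswith(".idx"):
                    os.remove(os.path.join(self.root, stale))
            for path, entries in buckets.items():
                with open(path, "w", encoding="utf-8") as f:
                    json.dump(entries, f)
            self.built_at = time.monotonic()
        finally:
            os.remove(lock)

    def _expired(self):
        if self.built_at is None:
            return True
        return self.lifetime > 0 and time.monotonic() - self.built_at > self.lifetime

    def lookup(self, name):
        """Name-to-id through a single bucket file; rebuilds only when the index has expired."""
        if self._expired():
            self.rebuild()
        path = self._bucket(name)
        if not os.path.exists(path):
            return None
        with open(path, encoding="utf-8") as f:
            return json.load(f).get(name.lower())


def linear_lookup(objects, name):
    """The un-indexed path: compare against every object until the name matches."""
    scanned = 0
    for oid, obj_name in objects:
        scanned += 1
        if obj_name.lower() == name.lower():
            return oid, scanned
    return None, scanned


def demo(user_count=5000):
    """Constructed directory of user_count user objects; the target is the last one (worst case)."""
    objects = [(0x10000 + i, "user%05d" % i) for i in range(user_count)]
    target = objects[-1][1]
    with tempfile.TemporaryDirectory() as root:
        index = NameIndex(root, lambda: objects, hash_count=16, lifetime=0)
        hit = index.lookup(target)                 # first call builds the index (one trawl)
        again = index.lookup(target)               # served from the bucket, no trawl
        bucket_files = len([f for f in os.listdir(root) if f.endswith(".idx")])
        _, scanned = linear_lookup(objects, target)
        return {"id": hit, "same": again == hit, "trawls": index.trawls,
                "bucket_files": bucket_files, "linear_scanned": scanned,
                "missing": index.lookup("nobody") is None}


if __name__ == "__main__":
    print(demo())
```

The point of demo() is the ratio between "linear_scanned" (every object compared) and the single bucket read that answers the indexed lookup; with LifeTime=0 the trawl happens exactly once. In a real deployment the sizing concern is the one stated above: choose HashCount so that each bucket file stays within the operating system's file cache comfort zone.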

Enabling directory compression


To reduce the number of files stored in an Object Directory, a special mode can be enabled which uses a single attribute file per object instead of the numerous files created within the standard sbfiledb structure. Using a single file has the following advantages and disadvantages:

Advantages
- The OD uses less disk space because there are fewer files, so the cluster-size overhead is reduced. A reduction in disk space by a factor of 10 can be expected.
- Entire objects are cached, not just the most recently opened attribute files, leading to a theoretical increase in performance if frequent large updates take place.
- The reduced number of files makes handling the OD for backups and replication easier and faster.

Disadvantages
- The size of the actual data in the OD increases due to header overheads in the attribute files.
- Resilience to corruption is reduced, as all of an object's attributes are in one file, whereas before resilience was gained by splitting them into multiple files.
- Name-to-id resolution time is increased unless the Name Index mode (UK4005) is also enabled.
- If frequent small updates take place, or infrequent updates, overall database performance will drop.

Migrating to a compressed directory

All local connections to a compressed object database must go through an sbfiledb.dll which contains the compression code. You cannot mix connections, as the previous drivers do not understand the compressed attributes. You can enable compression on an existing database so that either only new objects are created compressed, or, in self-compress mode, each existing object is compressed as it is written to. CBI can provide a tool to compress an entire Object Directory, or only a branch of it.


Enabling and configuring directory compression

The dbcfg.ini file in the root of the object directory needs the following section added:

[Attribs]
; If this option is set to "yes" then all new objects created will use the
; compressed format
SingleFile=Yes
; If this option is set to "yes" then all existing uncompressed objects which are updated
; will be converted to the new compressed format at that time.
AutoConvert=Yes

Performance notes

No performance change has been noted between identical compressed and uncompressed databases of up to 5000 users. There may be some benefit on servers with exceptionally high amounts of memory. With large (more than 10000 users) databases, performance may well drop when using the compressed directory mode.
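The trade-offs listed under "Enabling directory compression" can be made concrete with a small model, added here as an example and not McAfee's sbfiledb code: the same set of attributes stored one-file-per-attribute and packed into a single tag/length/value (TLV) file. The 2-byte tag plus 4-byte little-endian length header, the 4096-byte cluster size and the sample attribute set are assumptions for illustration (on NTFS very small files are resident in the MFT, so real savings differ); the functions show why the raw data grows while the on-disk footprint shrinks, and what one truncated file costs in each layout.

```python
"""Single-file TLV attribute storage versus one file per attribute.

Added example, not McAfee code. TLV header layout, cluster size and the
sample object are assumptions chosen for illustration.
"""
import struct

CLUSTER = 4096                   # assumed file-system allocation unit
HEADER = struct.Struct("<HI")    # assumed per-attribute header: tag, length

# Constructed sample object: 20 attributes of 30 bytes each.
SAMPLE_USER = {tag: ("attr%02d" % tag).encode() * 5 for tag in range(1, 21)}


def pack_tlv(attrs):
    """{tag: bytes} -> one blob, each value prefixed by a tag/length header."""
    out = bytearray()
    for tag in sorted(attrs):
        value = attrs[tag]
        out += HEADER.pack(tag, len(value)) + value
    return bytes(out)


def unpack_tlv(blob):
    """Inverse of pack_tlv; raises ValueError on a truncated header or value."""
    attrs, pos = {}, 0
    while pos < len(blob):
        if len(blob) - pos < HEADER.size:
            raise ValueError("truncated header at offset %d" % pos)
        tag, length = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        if pos + length > len(blob):
            raise ValueError("truncated value for tag 0x%04x" % tag)
        attrs[tag] = blob[pos:pos + length]
        pos += length
    return attrs


def clusters(size):
    """Bytes actually allocated for a file of `size` bytes (whole clusters, at least one)."""
    return max(1, -(-size // CLUSTER)) * CLUSTER


def footprint(attrs):
    """Raw data size and allocated disk size for both layouts."""
    blob = pack_tlv(attrs)
    return {
        "files_split": len(attrs), "files_single": 1,
        "data_split": sum(len(v) for v in attrs.values()),   # no headers
        "data_single": len(blob),                             # header overhead added
        "disk_split": sum(clusters(len(v)) for v in attrs.values()),
        "disk_single": clusters(len(blob)),
    }


def survivors_after_truncation(attrs, keep_fraction):
    """Attributes still readable when one stored file is cut to keep_fraction of its length.

    Single file: everything after the cut is lost. Per-attribute files: only the
    one damaged file is lost, whatever the cut point.
    """
    blob = pack_tlv(attrs)
    cut = blob[: int(len(blob) * keep_fraction)]
    readable, pos = 0, 0
    while pos + HEADER.size <= len(cut):
        _, length = HEADER.unpack_from(cut, pos)
        if pos + HEADER.size + length > len(cut):
            break
        readable += 1
        pos += HEADER.size + length
    return {"single_file": readable, "per_file": len(attrs) - 1}


if __name__ == "__main__":
    print(footprint(SAMPLE_USER))
    print(survivors_after_truncation(SAMPLE_USER, 0.5))
```

With the sample object the single file carries 120 bytes more data (20 headers of 6 bytes) but occupies one cluster instead of twenty, which is the "factor of 10" effect described above scaled to this attribute count; survivors_after_truncation() shows the resilience cost that goes with it.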


Endpoint Encryption configuration files


Endpoint Encryption uses many .ini files to maintain information about the configuration of various components. Some of the more important files are listed here.

Contents
sbnewdb.ini

sbnewdb.ini
Used to customize the creation of Endpoint Encryption Object Directories. The sbnewdb file contains instructions for creating custom groups, setting the default user ID and password, and other instructions related to the location of the directory.

sberrors.ini
Used to increase the detail available in on-screen error messages. You can add further descriptions to errors by amending this file. In 5.1 and later, you can substitute the Unicode file SBErrors.XML for SBErrors.ini to provide localized translations of the error messages.

sbhelp.ini
This file is used to match on-screen windows to their help file sections.

sbadmin.ini
This file controls the tree layout and behavior of SBAdmin.exe; you can modify it to display certain nodes of the database on tabs other than the defaults.

sbfeatur.ini
This file controls the feature set available to Endpoint Encryption. It is digitally signed by the Endpoint Encryption team and must not be modified.

sbfiledb.ini
SBFileDB controls the locking behavior of locally running database connections.

[LockOptions]
Timeout=time in 100ths of a second (3000)
Sleep=time in 1000ths of a second (10)


dbcfg.ini
This file controls the global database behavior; for this reason it is stored not in the application directory but in the root of the file database. For more information on dbcfg.ini, see the Tuning the Object Directory chapter.

[NameIndex]
Enabled=No
; the time we wait for the lock on the index file to become available
; in 100ths of a second (default is 30 seconds).
LockTimeout=3000
; the time we wait before re-trying locking of the index file
; in 1000ths of a second.
LockSleep=10
; the number of "buckets" into which the hash of the name is split
HashCount=16
; the minimum space to allocate per object name
MinEntrySize=16
; the time (in seconds) for which the index will be used before it is
; automatically re-created (default is 30 minutes). A value of zero means
; that it never expires.
LifeTime=1800
[Attribs]
; if set to "Yes", all the attributes will be stored in a single TLV file
; rather than individual ones.
SingleFile=No
; if this is set to "Yes", then when objects are opened for writing all the
; attributes are automatically converted to a single file. Otherwise only
; new objects will use the single file.
AutoConvert=No
[Tracking]
; if set to "Yes", then all changes to attributes will be recorded, e.g. for
; possible use with a replication system.
AttributeChanges=No
; if set to "Yes", then whenever an object is modified, that fact is recorded
; in a single file. This file could then be used to determine which objects
; have changed since a certain time by reading only a single file.
ObjectChanges=No
[idassignment]
;firstid= hex number starting point for ALL objects
;lastid= hex number


sdmcfg.ini
Used by the Endpoint Encryption client to control the connection to the Object Directory. There may be many connections listed in the file; the multi-connection behavior is controlled through scm.ini.

[Databases]
Database1=192.168.20.57
  The IP address of the remote server. This can be a DNS name.
[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=
  The public key of the remote server. This is used to stop an attacker putting a rogue server in place and intercepting the traffic.
ExtraInfo=
  Padding for the server key.

SBServer.ini
SBServer.ini is used to store the credentials used by the server in service mode. You can adjust the maximum number of connections the Endpoint Encryption server will accept and its behavior when the maximum is reached. By default, the maximum is 200 connections. When the limit has been reached, the server can behave in one of two ways: either it simply stops accepting connections, or it accepts connections and then immediately closes them. Because Windows maintains a queue of 5 pending connections, the first 5 connection attempts after the maximum is reached are held in the queue until the number of connections drops below the maximum. Thus, in the default AcceptAtMax=No mode, those 5 clients do not time out and appear to hang until a connection becomes free. In AcceptAtMax=Yes mode, the client fails with a communications error.

[Connections]
Max=200
AcceptAtMax=No

sbconmgr.ini
Used to define the active connectors displayed in the Connector Manager, for example:

[Connectors]
SBNTCON=SBNTCON.DLL
[Authentication]
DatabaseId=1
ObjectType=0x00000001
ObjectId=0x00000001
[Manager]
LastFile=G:\Program Files\SBAdmin\CmSettings.ini
; the check interval (ms) defines how often the connector manager looks for an updated cmsettings.ini file.
CheckInterval=500


Cmsettings.ini
Used to define the parameters associated with each individual connector. The settings in this file are usually maintained by the Connector Manager application. Only manual settings are documented below.

LDAPCon manual settings
SearchAttribs=objectClass,uid,cn,givenName
Limits the attributes that a directory search returns. Normally all attributes are returned, which can affect the performance of the directory server if many of them are not wanted.

LDAPCon/ADCon manual settings
CaseSensitive=0 / 1
Switches case-sensitive attribute searches on and off. The default value is 1 (searches are case sensitive).

SBHTTP.ini
Configuration for the main web server.

[Configuration]
; The port on which the server listens for connections. The default is 443
; which is the standard HTTPS port.
Server.Port=443
; Optional log file to record server activity. If no name is specified here,
; then no logging will occur (the default).
Server.Log.FileName=
; Flags that control what is logged if logging is enabled. This is a 32-bit
; hex number. The following bits are used:
;
; Bit 0 (value=1) = Log request headers
; Bit 1 (value=2) = Log request data (e.g. form results)
; Bit 2 (value=4) = Log response headers
;
; The default is a value of "5" which logs request and response headers, but
; no request data.
; Server.Log.Flags=00000005
; Specifies the name of the Subject field of the certificate the server
; should use for SSL connections. The certificate must reside in the server's
; private store (SbHttpServer service store). If this is not specified, the
; network name of the computer is used.
;Server.Ssl.CertName=
;
; Specifies the period of inactivity (in minutes) after which a logged on user is
; automatically logged off.
Server.Logon.Timeout=5
[Strings]
;
; These are strings that the server can display. Use the "|" character to
; specify a new line.
;
Server.String.1=Web Server
Server.String.2=The challenge you entered was not correct. Please try again.
Server.String.3=The recovery action you selected was not valid. Please try again.
Server.String.4=The requested URL "%s" was not found.
[Page.Handlers]
;
; This section lists all the optional page handlers that will get loaded
; by the web server. The left side should start with "Handler." and the right
; side is the name of the DLL to load.
;
Handler.CeRecovery=SBCEDEV.DLL
Handler.WebRecovery=SBWEBREC.DLL

Note that bit 1 of Server.Log.Flags records submitted form data, which on a server hosting webRecovery includes users' answers to their recovery questions; leave it clear except while diagnosing a problem, and protect the log file if you do enable it.

SBwebRec.ini
Configuration for webRecovery.

[Configuration]
Register.Questions.Required=5
Recover.Questions.Asked=3
Database.User.Id=00000001
Database.User.Key=
Recover.Attempts.Max=3
Recover.Attempts.Timeout=3600
[Strings]
String.1=The challenge you entered was not correct. Please try again.
String.2=Some of your answers were not correct. Please try again.
[Questions]
Question1=What is your favorite color?
Question2=What is your pet's name?
Question3=Who is your favorite musician?
Question4=What is a memorable date?
Question5=What is your date of birth?
Question6=What is your favorite place?
Question7=Who is your favorite actor?
Question8=What is your favorite film?
Question9=What is your favorite song?
Question10=What is your favorite food?

The questions can be changed at any time without affecting currently registered users.
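Because the webRecovery server only picks up SBwebRec.ini on restart (see the caution under "Configuring webRecovery"), it is worth checking the file for internal consistency first. The checker below is an added example, not McAfee code: the key names and values are the ones listed above, but the rules it applies (Recover.Questions.Asked must lie between 1 and Register.Questions.Required, Register.Questions.Required must fit the 1-10 range and the questions actually defined, and a non-positive Recover.Attempts.Max or Recover.Attempts.Timeout is treated as leaving answer guessing unthrottled) are this example's own reading of the settings, not documented product behaviour.

```python
"""Consistency checks for SBwebRec.ini before restarting the webRecovery server.

Added example, not McAfee code. The rules below are this example's reading
of how the settings relate, not documented product behaviour.
"""
import configparser

# Constructed sample: the SBwebRec.ini listing above.
SAMPLE_INI = """\
[Configuration]
Register.Questions.Required=5
Recover.Questions.Asked=3
Database.User.Id=00000001
Database.User.Key=
Recover.Attempts.Max=3
Recover.Attempts.Timeout=3600
[Strings]
String.1=The challenge you entered was not correct. Please try again.
String.2=Some of your answers were not correct. Please try again.
[Questions]
Question1=What is your favorite color?
Question2=What is your pet's name?
Question3=Who is your favorite musician?
Question4=What is a memorable date?
Question5=What is your date of birth?
Question6=What is your favorite place?
Question7=Who is your favorite actor?
Question8=What is your favorite film?
Question9=What is your favorite song?
Question10=What is your favorite food?
"""
MAX_QUESTIONS = 10   # the 1-10 range stated under "Configuring webRecovery"


def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None, empty_lines_in_values=False)
    cp.optionxform = str   # keep key case: Register.Questions.Required, not lower-cased
    cp.read_string(text)
    return cp


def check_webrec(text):
    """Return a list of problems found; an empty list means the file is consistent."""
    cp = load_ini(text)
    if not cp.has_section("Configuration") or not cp.has_section("Questions"):
        return ["missing [Configuration] or [Questions] section"]
    cfg = cp["Configuration"]
    questions = [v.strip() for k, v in cp["Questions"].items()
                 if k.lower().startswith("question")]
    required = cfg.getint("Register.Questions.Required", fallback=0)
    asked = cfg.getint("Recover.Questions.Asked", fallback=0)
    attempts = cfg.getint("Recover.Attempts.Max", fallback=0)
    timeout = cfg.getint("Recover.Attempts.Timeout", fallback=0)

    problems = []
    if not 1 <= required <= MAX_QUESTIONS:
        problems.append("Register.Questions.Required=%d is outside 1..%d"
                        % (required, MAX_QUESTIONS))
    if required > len(questions):
        problems.append("%d questions must be registered but only %d are defined"
                        % (required, len(questions)))
    if not 1 <= asked <= required:
        problems.append("Recover.Questions.Asked=%d must be between 1 and "
                        "Register.Questions.Required (%d)" % (asked, required))
    if attempts < 1:
        problems.append("Recover.Attempts.Max=%d: wrong answers are not limited, "
                        "so answers can be guessed" % attempts)
    if timeout < 1:
        problems.append("Recover.Attempts.Timeout=%d: no lockout window after "
                        "too many wrong answers" % timeout)
    if "" in questions:
        problems.append("a question has empty text")
    if len(set(q.lower() for q in questions)) != len(questions):
        problems.append("duplicate question text")
    return problems


if __name__ == "__main__":
    print("sample:", check_webrec(SAMPLE_INI) or "OK")
    weak = SAMPLE_INI.replace("Recover.Questions.Asked=3", "Recover.Questions.Asked=6")
    print("weakened copy:", check_webrec(weak))
```

Run it against the live file before the restart; a non-empty list is a reason not to restart. The attempt-limit checks matter most on a server reachable from the internet, since the recovery answers are the only secret standing between a challenge and a password reset.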


Endpoint Encryption Manager program and driver files


McAfee Endpoint Encryption Manager contains some important .exe, .dll, and .sys files that are used to install the Endpoint Encryption Manager software, the algorithm module, and the registry files.

Contents
Exe file
DLL file
SYS file

Exe file
Endpoint Encryption Manager has one .exe file used to install and configure it.

SBAdmin.exe
This is the main Endpoint Encryption Manager executable.

DLL file
McAfee Endpoint Encryption Manager contains this .dll file, which provides the encryption algorithm module.

sbalgxx
This file installs the required encryption algorithm module.

SYS file
McAfee Endpoint Encryption Manager contains this .sys file, which provides the driver for the encryption algorithm.

SBALG.SYS
This file provides the Endpoint Encryption device driver for the cryptographic algorithm module.


srg files
Endpoint Encryption registry files. These are standard regedit files which are processed into the registry by Endpoint Encryption itself, without using the Windows regedit utility.


Error messages
Please see the file sberrors.ini for more details of these error messages. You can also find more information on error messages on our web site, www.mcafee.com. Please note that many of these error codes are not designed to ever be shown; they are listed for completeness. This kind of error is termed an assertion: a place in the software where we ensure that a number of conditions are true before continuing, even though the design does not allow for a case where the conditions could be false. As the code and design do not expect such errors to be generated, resolving them involves working through the context of the issue; without knowing the steps required to reproduce the error, it is not possible to conclude how the system arrived at the error state.

Contents
Module codes
5501 Web Server page errors
5502 Web Server user web recovery
5C00 communications protocol
5C02 communications cryptographic
A100 algorithm errors
C100 scripting errors
DB00 database errors
DB01 database objects
DB02 database attributes
E000 Endpoint Encryption general
E001 tokens
E012 licenses
E013 installer
E014 hashes
E016 administration center
92h error

Module codes
The following codes can be used to identify from which Endpoint Encryption module the error message was generated.


Error Code   Module
1c00         IPC
5501         SBHTTP Page Errors
5502         SBHTTP User Web Recovery
5c00         SBCOM Protocol
5c02         SBCOM Crypto
a100         ALG
c100         Scripting
db00         Database Misc
db01         Database Objects
db02         Database Attributes
e000         Endpoint Encryption General
e001         Endpoint Encryption Tokens
e002         Endpoint Encryption Disk
e003         Endpoint Encryption SBFS
e004         Endpoint Encryption BootCode
e005         Endpoint Encryption Client
e006         Endpoint Encryption Algorithms
e007         Endpoint Encryption Users
e010         Endpoint Encryption Keys
e011         Endpoint Encryption File
e012         Endpoint Encryption Licenses
e013         Endpoint Encryption Installer
e014         Endpoint Encryption Hashes
e015         Endpoint Encryption App Control
e016         Endpoint Encryption Admin

5501 Web Server page errors


Code          Message and description
[55010000]    URL not found
[55010001]    Invalid parameter encoding
[55010002]    Invalid parameter
[55010003]    Missing parameter
[55010004]    Not logged on
[55010005]    No user challenge has been provided
[55010006]    Unable to get configuration
[55010007]    Unable to set configuration
[55010008]    Incorrect user challenge
[55010009]    Invalid recovery action
[5501000a]    Reparse required


5502 Web Server user web recovery


Code          Message and description
[55020000]    Permission to use web recovery is denied

5C00 communications protocol


Code          Message and description
[5c000000]    Unsupported version. The server and client are not talking the same communications protocol version.
[5c000005]    Out of memory
[5c000008]    A corrupt or unexpected message was received
[5c000009]    Unable to load the Windows TCP/IP library (WSOCK32.DLL). Check that the TCP/IP protocol is installed.
[5c00000a]    Communications library not initialised. This is an internal programmatic error.
[5c00000c]    Unable to create TCP/IP socket
[5c00000d]    Failed while listening on a TCP/IP socket
[5c00000e]    Unable to convert a host name to an IP address. Check the hosts file or the DNS settings.
[5c00000f]    Failed to connect to the remote computer. The computer may not be listening or it is too busy to accept connections.
[5c000010]    Failed while accepting a new TCP/IP connection
[5c000011]    Failed while receiving communications data. The remote computer may have reset the connection.
[5c000012]    Failed while sending communications data
[5c000013]    Invalid communications configuration
[5c000014]    Invalid context handle
[5c000015]    A connection has already been established
[5c000016]    No connection has been established
[5c000017]    Request for an unknown function has been received
[5c000018]    Unsupported or corrupt compressed data received
[5c000019]    Data block is too big
[5c00001a]    Data of an unexpected length has been received
[5c00001b]    Message too big to be received. This may occur if an attempt is made to import large amounts of data into the database (e.g. a file).
[5c00001c]    Unable to create thread mutex
[5c00001d]    Message too big to be sent. This may occur if an attempt is made to import large amounts of data into the database (e.g. a file).
[5c00001e]    Wrong Endpoint Encryption Communications Protocol Version. You are most likely trying to connect to a v4 Endpoint Encryption Server using a v5 Server definition with server authentication enabled. Check that you do not have both v4 and v5 servers running (perhaps as a service) at the same time.


5C02 communications cryptographic


Code          Message and description
[5c020000]    The Diffie-Hellman data is invalid or corrupt
[5c020001]    An unsupported encryption algorithm has been requested
[5c020002]    An unsupported authentication algorithm has been requested
[5c020003]    Unable to sign data
[5c020004]    Authentication signature is not valid
[5c020005]    Authentication parameters are invalid or corrupt
[5c020006]    Failed while generating DSA parameters
[5c020007]    No session key has been generated
[5c020008]    Unable to authenticate user
[5c020009]    Session key too big

A100 algorithm errors

Code        Message and Description
[a1000000]  Not enough memory.
[a1000001]  Unknown or unsupported function.
[a1000002]  Invalid handle.
[a1000003]  Encryption key is too big.
[a1000004]  Encryption key is too small.
[a1000005]  Unsupported encryption mode.
[a1000006]  Invalid memory address.
[a1000007]  Invalid key data.

C100 scripting errors

Code        Message and Description
[c1000001]  Invalid Argument.
[c1000002]  Missing Parameter. There is a required parameter missing.
[c1000003]  Missing Value.
[c1000004]  Machine Already In Group.
[c1000005]  Database Not Found.
[c1000006]  User Already In Group.
[c1000007]  Wrong Group Type.
[c1000009]  Wrong Database Capabilities. Usually only returned when the database does not have ID assignment support. The standard Endpoint Encryption database includes this feature.
[c1000009]  Parameter Needed. You must enter one of the required parameters, for example user or group name.
[c100000a]  Parameter Positive. You must specify a positive value for this parameter.
[c100000b]  Unsupported Connection Type.
[c100000c]  No Admin Name Specified.
[c100000d]  No Admin Password Specified.
[c100000e]  Unknown Authentication Type.
[c100000f]  No Connection Reference.
[c1000010]  Unknown Connection.
[c1000011]  Mutex Creation Failed. Caused when there are insufficient system resources in the host OS to create another mutex.
[c1000012]  Command Skipped.
[c1000013]  No Command Specified.
[c1000014]  Unknown Command.
[c1000015]  No User ID specified.
[c1000016]  No User Key Found.
[c1000017]  No Key File. No key file was specified.
[c1000018]  Key File Not Found. The authentication key file specified as UserIDKeyFile was not found.

DB00 database errors

Code        Message and Description
[db000000]  Out of memory.
[db000001]  More data is available.
[db000002]  The database has not been created or initialised yet. Check the database path or create a new database. To force the new database wizard to be run, delete the SDMCFG.INI file and restart the administration program.
[db000003]  Invalid context handle.
[db000004]  The name was not found in the database.
[db000005]  Authentication was not successful. Check that you have the correct token for this database.
[db000006]  Unknown database.
[db000007]  Invalid database type.
[db000008]  The database could not be found. Check the database path settings.
[db000009]  Database already exists. Choose a different database path.
[db00000a]  Unable to create the database. Check the path settings and make sure you have write access to the directory.
[db00000b]  Invalid database handle.
[db00000c]  The database is currently in use by another entity. You cannot delete a database while someone is using it.
[db00000d]  Unable to initialise the database.
[db00000e]  User aborted.
[db00000f]  Memory access violation.
[db000010]  Invalid string.
[db000011]  No default group has been defined.
[db000012]  The group could not be found.
[db000013]  File not found.
[db000014]  Unable to read file.
[db000015]  Unable to create file.
[db000016]  Unable to write to file.
[db000017]  File corrupt.
[db000018]  Invalid function.
[db000019]  Unable to create mutex.
[db00001a]  Invalid license. The license has been modified so that the signature is now invalid.
[db00001b]  License has expired.
[db00001c]  The license is not for this database. Check the database ID and ensure it is the same as the one specified in the license. Each time you create a new database, a different ID is generated. There is no way to change the ID of a database.
[db00001d]  You do not have permission to access the object.
[db00001e]  Endpoint Encryption is currently busy with another task. Please wait for it to complete and try again. This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint Encryption status from the right-click menu of the Endpoint Encryption task bar icon.
[db00001f]  Endpoint Encryption is still installed on this machine.
[db000020]  Buffer too small.
[db000021]  The requested function is not supported.
[db000022]  Unable to update the boot sector. The disk may be in use by another application or Explorer itself. The disk may be protected by an anti-virus program.

DB01 database objects

Code        Message and Description
[db010000]  The object is locked. Someone else is currently updating the same object.
[db010001]  Unable to get the object ID.
[db010002]  Unable to change the object's access mode. Someone else may be accessing the object at the same time. If you are trying to write to the object while someone else has the object open for reading, you will not be able to change to write mode.
[db010003]  Object is in wrong access mode.
[db010004]  Unable to create the object in the database. The disk may be full or write protected.
[db010005]  Operation not allowed on the object type.
[db010006]  Insufficient privilege level. You do not have the access rights required to access the object.
[db010007]  The object status is disabled. This is usually associated with User objects. Disabling the user's object prevents them logging on until their account is re-enabled.
[db010008]  The object already exists.
[db01000f]  The object is in use.
[db010010]  Object not found. The object has been deleted from the database.
[db010011]  License has been exceeded for this object type. Check that your licenses are still valid and, if not, obtain further licenses if necessary.

DB02 database attributes

Code        Message and Description
[db020000]  Attribute not found.
[db020001]  Unable to update attribute.
[db020002]  Unable to get attribute data.
[db020003]  Invalid offset into attribute data.
[db020004]  Unable to delete attribute.
[db020005]  Incorrect attribute length.
[db020006]  Attribute data required.

E000 Endpoint Encryption general

Code        Message and Description
[e0000000]  User aborted.
[e0000001]  Insufficient memory.
[e0000002]  Invalid date/time.
[e0000010]  Invalid date/time. Clock is reporting a time before 1992 or after 2038.

E001 tokens

Code        Message and Description
[e0010000]  General token error.
[e0010001]  Token not logged on.
[e0010002]  Token authentication parameters are incorrect.
[e0010003]  Unsupported token type.
[e0010004]  Token is corrupt.
[e0010005]  The token is invalidated due to too many invalid logon attempts.
[e0010006]  Too many incorrect authentication attempts.
[e0010007]  Token recovery key incorrect.
[e0010010]  The password is too small.
[e0010011]  The password is too large.
[e0010012]  The password has already been used before. Please choose a new one.
[e0010013]  The password content is invalid.
[e0010014]  The password has expired.
[e0010015]  The password is the default and must be changed.
[e0010016]  Password change is disabled.
[e0010017]  Password entry is disabled.
[e0010020]  Unknown user.
[e0010021]  Incorrect user key.
[e0010022]  The token is not the correct one for the user.
[e0010023]  Unsupported user configuration item.
[e0010024]  The user has been invalidated.
[e0010025]  The user is not active.
[e0010026]  The user is disabled.
[e0010027]  Logon for this user is not allowed at this time.
[e0010028]  No recovery key is available for the user.
[e0010030]  The algorithm required for the token is not available.
[e0010040]  Unknown token type.
[e0010041]  Unable to open token module.
[e0010042]  Unable to read token module.
[e0010043]  Unable to write token module.
[e0010044]  Token file not found.
[e0010045]  Token type not present.
[e0010046]  Token system class is not available.
[e0018000]  Sony Puppy requires fingerprint.
[e0018001]  Sony Puppy requires password.
[e0018002]  Sony Puppy not trained.

E012 licenses

Code        Message and Description
[e0120001]  License invalid.
[e0120002]  License expired.
[e0120003]  License is not for this database.
[e0120004]  License count exceeded.

E013 installer

Code        Message and Description
[e0130002]  No installer executable stub found.
[e0130003]  Unable to read installer executable stub.
[e0130004]  Unable to create file.
[e0130005]  Error writing file.
[e0130006]  Error opening file.
[e0130007]  Error reading file.
[e0130008]  Installer file invalid.
[e0130009]  No more files to install.
[e013000a]  Install archive block data too large.
[e013000b]  Install archive data not found.
[e013000c]  Install archive decompression failed.
[e013000d]  Unsupported installer archive compression type.
[e013000e]  Installation error.
[e013000f]  Unable to create temporary directory.
[e0130010]  Error registering module.

E014 hashes

Code        Message and Description
[e0140001]  Insufficient memory.
[e0140002]  Error opening hashes file.
[e0140003]  Error reading hashes file.
[e0140004]  Hashes file invalid.
[e0140005]  Unable to create hashes file.
[e0140006]  Error writing hashes file.
[e0140007]  Hashes file is not open.
[e0140008]  Hashes file data invalid.
[e0140009]  Hashes file data too big.
[e014000a]  User aborted.

E016 administration center

Code        Message and Description
[e0160001]  Invalid plugin information.

92h error

Code  Message and Description
92h   Safeboot.fs is corrupted by defrag tools.
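The eight-digit codes in the tables above share a structure: the first four hex digits match the module prefix of the section they appear in (5C00, 5C02, A100, C100, DB00, DB01, DB02, E000, E001, E012, E013, E014, E016) and the last four number the error within that module. The following Python helper, an added example that is not part of the McAfee guide, treats that split (high 16 bits = module, low 16 bits = error number) as an assumption drawn from the section headings, pulls bracketed codes out of log text, decodes each one, and tallies them per module so that a batch of client or server log lines can be triaged quickly. The MESSAGES subset and the sample log lines are constructed for the example; fill MESSAGES from the tables above as needed. The 92h code uses a different scheme and is deliberately not handled.

```python
"""Decode Endpoint Encryption error codes found in log text.

Added example, not McAfee code. Assumes the high 16 bits of a 32-bit
code identify the module (matching the section prefixes of the appendix)
and the low 16 bits are the error number within that module.
"""
import re
from collections import Counter

# Module prefixes, taken from the section headings of the appendix.
MODULES = {
    0x5C00: "communications protocol",
    0x5C02: "communications cryptographic",
    0xA100: "algorithm errors",
    0xC100: "scripting errors",
    0xDB00: "database errors",
    0xDB01: "database objects",
    0xDB02: "database attributes",
    0xE000: "Endpoint Encryption general",
    0xE001: "tokens",
    0xE012: "licenses",
    0xE013: "installer",
    0xE014: "hashes",
    0xE016: "administration center",
}

# A handful of messages copied from the tables above; extend as needed.
MESSAGES = {
    0x5C000000: "Unsupported version",
    0x5C000011: "Failed while receiving communications data",
    0x5C00001E: "Wrong Endpoint Encryption Communications Protocol Version",
    0x5C020004: "Authentication signature is not valid",
    0xDB00001C: "The license is not for this database",
    0xDB010007: "The object status is disabled",
    0xE0010005: "The token is invalidated due to too many invalid logon attempts",
    0xE0120002: "License expired",
}

# Codes appear in brackets as eight hex digits, e.g. [db00001c].
CODE_RE = re.compile(r"\[([0-9a-fA-F]{8})\]")


def decode(code):
    """Split a 32-bit code into module and error number and look both up."""
    module_id = code >> 16
    number = code & 0xFFFF
    module = MODULES.get(module_id, "unknown module %04X" % module_id)
    message = MESSAGES.get(code, "unlisted error %04X" % number)
    return {"code": "%08x" % code, "module": module,
            "number": number, "message": message}


def extract_codes(text):
    """Return every bracketed code in the text, in order, as integers."""
    return [int(m, 16) for m in CODE_RE.findall(text)]


def triage(lines):
    """Decode every code in the given log lines and count them per module."""
    decoded = [decode(c) for line in lines for c in extract_codes(line)]
    per_module = Counter(d["module"] for d in decoded)
    return decoded, per_module


# Constructed sample log lines for demonstration; not real product output.
SAMPLE_LOG = [
    "10:02:11 server  connect from 10.0.0.7 failed [5c00001e]",
    "10:02:12 server  session setup aborted [5c020004]",
    "10:05:40 admin   open database failed [db00001c]",
    "10:07:03 client  user jsmith logon refused [e0010005]",
    "10:07:05 client  retry refused [e0010005]",
    "10:09:00 client  unexpected code [12340001]",
]

if __name__ == "__main__":
    decoded, per_module = triage(SAMPLE_LOG)
    for d in decoded:
        print("%s  %-30s  %s" % (d["code"], d["module"], d["message"]))
    print(dict(per_module))
```

Unknown module prefixes and codes that are not in MESSAGES are reported rather than dropped, so a code that is new to you still shows up in the per-module tally and can be looked up by hand in the tables above.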


Technical specifications and options

The following options are available from Endpoint Encryption but may not be included on your install CD, or be appropriate for your version of Endpoint Encryption Manager. Please contact your Endpoint Encryption representative for information if you wish to use one of these optional components.

Contents
  Encryption algorithms
  Language support
  System requirements

Encryption algorithms

Endpoint Encryption supports several algorithms. Only one algorithm can be used in an Endpoint Encryption Enterprise.

RC5-12: CBC mode, 1024-bit key, 12 rounds, 64-bit blocks. The RC5-12 algorithm is compatible with the Endpoint Encryption 3.x algorithm.

RC5-18: CBC mode, 1024-bit key, 18 rounds, 64-bit blocks. The 18-round RC5 variant is designed to prevent the theoretical known-plaintext attack.

AES-FIPS (FIPS 140-2 Approved), RECOMMENDED: CBC mode, 256-bit key, 128-bit blocks. This algorithm is approved for FIPS 140-2 use.

Both RC5 variants use a 64-bit block. In CBC mode a 64-bit block cipher starts to leak relationships between plaintext blocks after roughly 2^32 blocks (32 GB) have been encrypted under one key, a volume that current disks exceed, which is a further reason to select AES-FIPS for new deployments.

Smart card readers

The following smart card readers are supported:
  Any Windows-supported smart card reader
  All PC/SC smart card readers

Tokens and smart cards

For the latest list of authentication methods using smart cards, tokens and fingerprint readers, please consult your McAfee representative.


Language support

Endpoint Encryption Manager: Czech, Dutch, English (United States), English (United Kingdom), French, Japanese, Korean, Portuguese (Brazil)

System requirements

Implementation documentation discussing appropriate hardware for typical installations of Endpoint Encryption is available from your representative. The following specifications should be considered appropriate for evaluation deployments only.

Endpoint Encryption Database Server
  Operating system: Windows 2000 Professional, XP Professional, Windows Server 2003, Vista 32-bit (all versions), Vista 64-bit (all versions)
  Memory: 256 MB RAM, or the OS minimum specification
  Disk: 200 MB free hard disk space (depending on localization and number of desired users)
  Processor: Pentium-compatible processor; multi-processor (up to 32-way), dual-core and hyper-threading processors, and Pentium-compatible processors such as AMD processors are supported
  Network: for remote administration a TCP/IP network connection with a static DNS name/IP address is required
  This configuration is considered appropriate for evaluation systems only. For production systems, please contact your McAfee representative for enterprise implementation documentation.

Administration
  Operating system: Windows 2000 Professional, XP Professional, Windows Server 2003, Vista 32-bit (all versions), Vista 64-bit (all versions)
  Memory: 256 MB RAM, or the OS minimum specification
  Disk: 40 MB free hard disk space (depending on localization and number of desired users)
  Processor: Pentium-compatible processor; multi-processor (up to 32-way), dual-core and hyper-threading processors, and Pentium-compatible processors such as AMD processors are supported
  Network: for remote administration a TCP/IP network connection is required

SFDBBack
  All versions of Windows (IE 4.0 with Offline Browsing Pack required for Windows 95 and NT 4.0 SP6a)

Active Directory Connector
  Operating system: Windows 2000 Professional, XP Professional, Windows Server 2003, Vista 32-bit (all versions), Vista 64-bit (all versions)
  Requires read/write access to v3+ Active Directory.

Novell NetWare/LDAP Connector
  Operating system: Windows 2000 Professional, XP Professional, Windows Server 2003, Vista 32-bit (all versions), Vista 64-bit (all versions)
  Novell eDirectory 8.6.x with Novell Server 7.x. Future versions of Novell are expected to function.

NT Connector
  Operating system: Windows 2000 Professional, XP Professional, Windows Server 2003, Vista 32-bit (all versions), Vista 64-bit (all versions)
  Domain account access for Windows 2000+.
  NOTE: The NT connector must be installed on a PDC or BDC on Windows NT 4.0.


Index

92h error 120

A
accounts parameters 52
Active Directory Connector 73
AD binary data attributes, using 79
AD connected attributes 73
AD connection details 74
AD excluded users 79
AD group mappings 77
AD group membership 73
AD information fields 73
AD password change 73
AD user attributes 78
AD user logon hours 73
AD user mapping 77
AD user status 73
AD username 73
admin rights 16
administration functions 22
administrative privileges, user 33
algorithm errors 114
algorithms 9
application support 36
audit trails 18
audit, viewing 22
auditing 43
auditing events 43

C
challenge-response 89
client 8
client software 57
client system 9
common criteria 98
Communications Cryptographic errors 114
Communications Protocol errors 113
configuration files 103
configuration options
    admin rights 23
    general 23
    log on hours 23
    password 23
    password template 23
    recovery 23
    token 23
connected attributes 62
connections, managing 47
connector
    adding 61
    deleting 61
    renaming 61
connector manager 60
connector manager tools 60
Controlled groups 17
conventions used in this guide 12

D
database attributes errors 117
database connections 47
database errors 115
database objects 116
Deploy sets 38
directory compression, enabling 101
directory connection, adding 48
disk encryption 7
dll files 109
documentation for products, finding 13
documentation, typographical conventions 12
domain user logon hours 62
domain user status 62
domain username 62

E
EAL4 mode 98
EE Server 57
EE server program, installing 49
EE tokens 36
EEM 38
EEM driver files 109
EEM program files 109
Endpoint Encryption 7, 8, 12
Endpoint Encryption Manager 7, 14, 16, 17
    Administration level 16
    installing 14
    starting 17
    upgrading 14
Endpoint Encryption server 49
ePO 8
error messages 111
exe files 109

F
file group functions, setting 40
file groups, adding 38
File Groups 38
file properties, setting 40
files
    deleting 40
    exporting 40
Free groups 17

G
general errors 117
group configuration, resetting 22, 54, 58
group mappings 64
groups
    systems 17
    users 17

H
hardware device support 36
hash errors 119
HTTP server 81

I
installation set, creating 58
installer errors 119

K
key access, users 56
key configuration options, setting 55
key, renaming 54
keys 54
    creating 54
    deleting 54
KnowledgeBase, Technical Support ServicePortal 13

L
language sets 38
language support 122
LDAP 9
LDAP attribute types 66
LDAP binary data attributes, using 70
LDAP browser, Softerra 71
LDAP connected attributes 65
LDAP connection details 66
LDAP Connector 65
LDAP excluded users 70
LDAP group mappings 68
LDAP group membership 65
LDAP information fields 65
LDAP password change 65
LDAP revocation check 70
LDAP search groups 66
LDAP search settings 66
LDAP user attributes 69
LDAP user logon hours 65
LDAP user mapping 69
LDAP user status 65
LDAP username 65
license errors 118
license information 96
license, managing 96
logon token 36

M
McAfee ServicePortal, accessing 13
module codes 111

N
name indexing 100
    configuring 100
    enabling 100
new files, importing 40
NT Connector 62
NT server 63

O
object directories, managing 47
object directory 57
Object Directory 16, 19, 100
    structure 19
    tuning 100
object locking 20
objects, finding 17

P
password change 62
password, changing 22, 91
policies 14
policy
    adding 57
    managing 58
    renaming 58
policy object
    assigning to a system 59
    assigning to a user 58
pre-boot 8
Pre-Boot 14

R
remote password change 83
requirements, operating system 13
requirements, software 13
requirements, system 13
RSA session 57

S
scripting errors 114
server
    configuring 51
    creating 50
server/client authentication 51
service mode 61
ServicePortal, finding product documentation 13
specification, algorithms 121
specifications 121
SSL Certificate, installing 85
SSO details, setting 22
sys files 109
system requirements
    AD connector 122
    administration 122
    NT connector 122
    server 122

T
Technical Support ServicePortal at McAfee 13
throttling 63
token errors 117
token, assigning to the user 36
tokens
    creating 22
    resetting 22

U
Upek fingerprint reader
    configuring 37
    installing 37
user information 64
user management 21
    configuring users 21
    creating users 21
User Web Recovery errors 113
users, recovering 89

W
warning, password expiry 84
Web Server Page Errors 112
webHelpdesk 81, 85, 86
    activating 85
    configuring 86
webRecovery 82, 87, 91, 92, 94
    configuring 87
    recovery 94
    registering 92
    self recovery 91