Endpoint Encryption for PC 5.2.13 Administration

Transcription

McAfee Endpoint Encryption for PC 5.2.13
Administration Guide
COPYRIGHT
Copyright © 2013 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
2
Contents
Introducing McAfee Endpoint Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
What is McAfee Endpoint Encryption for PC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
How McAfee Endpoint Encryption for PC works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Endpoint Encryption product components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Endpoint Encryption for PC features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
About this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Finding product documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Installing Endpoint Encryption Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Install Endpoint Encryption Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
EEPC user policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
User administration functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
User configuration options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Using tokens with EEPC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Supported Smart Cards and tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
General token operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Stored value tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Certificate, or crypt only tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Other types of token. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Token compatibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Specific token notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Sony Puppy fingerprint reader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Setting up the Sony Puppy fingerprint reader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Endpoint Encryption for PC setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Installing Endpoint Encryption with Puppy support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Aladdin eToken 64KB. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
SafeNet IKEY 2032. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Using Endpoint Encryption Phantom USB biometric key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Using Upek fingerprint reader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3
Contents
Creating and configuring systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Machine administration functions (right-click menu). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Machine configuration options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
File groups and management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Endpoint Encryption file groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Setting file group functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Importing new files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Exporting files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Deleting files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Setting file properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Using Endpoint Encryption as a file deploy system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Copying a new file to the desktop (Example). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Creating an install package. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Selecting the Group/Machine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Select the install set type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Importing a transport directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Select the install set type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Select the master directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Installing, upgrading, and removing EEPC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Offline package installs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Online package installs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Removing Endpoint Encryption client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Upgrading Endpoint Encryption from previous versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Upgrading existing 5.x clients to a later service pack or patch version. . . . . . . . . . . . . . . . . . . . . . . . 51
Removing Endpoint Encryption 5.x from a machine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Client software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
The tool tray icon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Client auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Boot and logon process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Endpoint Encryption screen saver. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Windows Sign-On and logon mechanisms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Changing the password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Section 508: Logon accessibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Windows Sign-on and SSO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Windows logon features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
How Windows logon works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4
Contents
Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Common audit events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Recovering users and systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Offline recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Local recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Configure your local recovery questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Perform local recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Online recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Trusted applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Hash sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Hash generator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Using hash generator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Common criteria EAL4 mode operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Administrator guidance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
User guidance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Endpoint Encryption configuration files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
sbgina.ini. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
scm.ini. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
defscm.ini. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
sdmcfg.ini. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
TrivialPwds.dat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Bootcode.ini. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
BootManager.INI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Errors.XML. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
AutoBoot.ini. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
SBCP.INI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Endpoint Encryption program and driver files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
EXE Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
DLL files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
SYS files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
WinTech and SafeTech. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
WinTech and SafeTech functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Themes and localization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Localization support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Creating your own language file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Pre-Boot language. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5
Contents
Pre-Boot token descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Windows languages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Troubleshooting PCs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Error messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Technical specifications and options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Encryption Algorithms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
System requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Legal notices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Open source components license details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
6
Introducing McAfee Endpoint Encryption
With data breaches on the rise, it is important to protect information assets and comply with
privacy regulations. McAfee Endpoint Encryption for PC (EEPC) delivers powerful encryption
that protects data from unauthorized access, loss, and exposure.
McAfee Endpoint Encryption for PC features a new dimension in IT security incorporating many
new enterprise level options, including automated upgrades, file deployment, flexible grouping
of users and centralized user management. In addition, user’s credentials can be imported and
synchronized with other deployment systems.
Contents
What is McAfee Endpoint Encryption for PC
How McAfee Endpoint Encryption for PC works
Endpoint Encryption product components
Endpoint Encryption for PC features
About this guide
Conventions
Finding product documentation
Requirements
What is McAfee Endpoint Encryption for PC
To ensure data protection in today’s dynamic IT environment, we need to protect what matters
most – the data. McAfee Endpoint Encryption for PC is a strong cryptographic facility for denying
unauthorized access to data stored on any system or disk when it is not in use. It prevents the
loss of sensitive data, especially from lost or stolen equipment. It protects the data with strong
access control using Pre-Boot Authentication and a powerful encryption engine.
To log on to a system, the user must first authenticate through the Pre-Boot environment. On
a successful authentication, the client system's operating system loads and gives access to
normal system operation. McAfee Endpoint Encryption for PC is completely transparent to the
user and has little impact on performance of the computer.
McAfee Endpoint Encryption for PC is the encryption software installed on client systems. It is
deployed and managed through the Endpoint Encryption Manager using policies. A policy is a
set of rules that determine how encryption functions on the user’s computer.
7
McAfee Endpoint Encryption for PC protects the data on a system by taking control of the hard
disk from the operating system. The Endpoint Encryption driver encrypts all data written to the
disk; it also decrypts the data read off the disk.
The client software is installed on the client system. After the installation, the system synchronizes
with EEM and acquires the user data, token data, and Pre-Boot graphics. When this is complete,
the user authenticates and logs on through the Pre-Boot environment, which loads the operating
system, and uses the system as normal.
On PDAs such as Pocket Windows and PalmOS, Endpoint Encryption installs applications and
drivers to provide authentication and encryption services. Endpoint Encryption can protect
memory cards, internal databases (such as e-mail and contact lists), and provide secure,
manageable authentication services.
Endpoint Encryption Manager (EEM)
The most important component of the Endpoint Encryption enterprise is the Endpoint Encryption
Manager, the administrator interface. This utility allows privileged users to manage the enterprise
from any workstation that can establish a TCP/IP link or file link to the Object Directory. Typical
procedures that the Endpoint Encryption Administrator handles are:
• Adding users to systems
• Configuring Endpoint Encryption protected systems
• Creating and configuring users
• Revoking users logon privileges
• Updating file information on remote systems
• Recovering users who have forgotten their passwords
• Creating logon tokens such as smart cards for users.
Endpoint Encryption Server
The Endpoint Encryption Server facilitates connections between the client and Endpoint
Encryption Manager, and the central Object Directory over an IP connection. The server performs
authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman
key exchange and bulk algorithm line encryption. This ensures that snooping the connection
cannot result in any secure key information being disclosed.
The server exposes the Object Directory through fully routed TCP/IP, meaning that access to
the Object Directory can be safely exposed to the Internet/Intranet, allowing clients to connect
wherever they are. As all communications between the server and client are encrypted and
authenticated, there is no security risk in exposing it in this way.
There is a unique PDA Server which provides similar services to PDAs such as Microsoft Pocket
Windows and PalmOS devices.
Endpoint Encryption Object Directory
The Endpoint Encryption Object Directory is the central configuration store for EEPC and is used
as a repository of information for all the Endpoint Encryption entities. The default directory uses
8
the operating systems file system driver to provide a high performance scalable system which
mirrors an X500 design. Alternative stores such as LDAP are possible – contact your Endpoint
Encryption representative for details. The standard store has a capacity of over 4 billion users
and machines. Typical information stored in the Object Directory includes:
• User Configuration information
• Machine Configuration information
• Client and administration file lists
• Encryption key and recovery information
• Audit trails
• Secure Server Key information.
Endpoint Encryption for PC Client
The Endpoint Encryption for PC client software is largely invisible to the end user. The only
visible part is an entry, the Endpoint Encryption icon in the user’s tool tray.
Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator
has set this option). Right-clicking on the monitor allows them to perform a manual
synchronization with their Object Directory, or, monitor the progress of any active
synchronization.
Normally the Endpoint Encryption client attempts to connect to its home server or directory
each time the system restarts, or, establishes a new dial-up connection. During this process,
any configuration changes made by the Endpoint Encryption administrator are collected and
implemented by the Endpoint Encryption client. In addition, information such as the last audit
logs are uploaded to the directory.
Endpoint Encryption File Encryptor
By right clicking on a file, users can elect to encrypt it using various keys. Files can be encrypted
with other Endpoint Encryption users’ keys, and/or passwords. Once protected in this way, the
file can be sent elsewhere, for example, through e-mail or a floppy disk, without the risk of
disclosure.
When the file needs to be used, it just needs to be double clicked; a password or login prompt
will be presented for authentication. If they are authenticated correctly, the file will be decrypted.
The File Encryptor also has an option to create an RSA key pair for recovery—if the password
to a file is lost, the file can still be recovered using the correct recovery key.
Endpoint Encryption Connector Manager
Endpoint Encryption’s object directory keeps track of security information. It is designed so that
synchronization of details between Endpoint Encryption and other systems is possible.
The Connector Manager is a customizable module which enables data from systems such as
X500 directories (commonly used in PKI infrastructures) to propagate to the Endpoint Encryption
Object Directory. Using this mechanism, it is possible to replicate details such as a user’s account
status between Endpoint Encryption for PC and other directories.
Current connector options include LDAP, Active Directory, and a NT Domain Connector. For
information on these components, contact your Endpoint Encryption representative, or, see the
Endpoint Encryption Manager Administration Guide.
9
Install and Deployment
Endpoint Encryption is installed on users systems by running small deploy sets created by the
Endpoint Encryption Manager. This executable file contains the core components and drivers
needed to enable Endpoint Encryption on a user’s system.
With the increasing necessity of install mechanisms which do not involve end users, and software
industries striving to make the cost of ownership and implementation of products as small as
possible, Endpoint Encryption for PC utilizes smart-update type technology.
Endpoint Encryption’s file deploy mechanism can also be used to push other files to Endpoint
Encryption protected system, for instance, virus databases can be stored in the central Endpoint
Encryption directory, when it needs updating a Endpoint Encryption administrator upgrades the
central copy. All Endpoint Encryption protected systems notice the change and automatically
download the new file. This deploy mechanism can also be used to make registry changes on
remote systems and can even execute files.
• McAfee Endpoint Encryption leverages the award-winning Endpoint Encryption Manager
infrastructure for automated security reporting, monitoring, deployment, and policy
administration. Integrates itself fully into EEM management software, so that the management
can now be performed from this console.
• Enables transparent encryption without hindering users or system performance.
• Enforces strong access control with Pre-Boot Authentication.
About this guide
This guide is designed to support corporate security administrators to implement and deploy
Endpoint Encryption for PC. Although this guide is complete in terms of setting up and managing
Endpoint Encryption systems, it does not attempt to teach the topic of Enterprise Security
as a whole.
Readers unfamiliar with Endpoint Encryption should follow the appropriate sections of the
Endpoint Encryption for PC Quick Start Guide which walks through setting up the Endpoint
Encryption enterprise before tackling any of the topics in this guide.
Target audience
The information in this guide is intended for McAfee Endpoint Encryption for PC administrators
who understand the fundamentals of EEPC.
Conventions
This guide uses the following typographical conventions.
10
Book title or Emphasis
Title of a book, chapter, or topic; introduction of a new
term; emphasis.
Bold
Text that is strongly emphasized.
User input or Path
Commands and other text that the user types; the path
of a folder or program.
Code
A code sample.
User interface
Words in the user interface including options, menus,
buttons, and dialog boxes.
Hypertext blue
A live link to a topic or to a website.
Note
Additional information, like an alternate method of
accessing an option.
Tip
Suggestions and recommendations.
Important/Caution
Valuable advice to protect your computer system, software
installation, network, business, or data.
Warning
Critical advice to prevent bodily harm when using a
hardware product.
McAfee provides the information you need during each phase of product implementation, from
installing to using and troubleshooting. After a product is released, information about the product
is entered into the McAfee online KnowledgeBase.
1
Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2
Under Self Service, access the type of information you need:
To access...
Do this...
User documentation
1
Click Product Documentation.
2
Select a Product, then select a Version.
3
Select a product document.
KnowledgeBase
•
Click Search the KnowledgeBase for answers to your product questions.
•
Click Browse the KnowledgeBase for articles listed by product and
version.
Requirements
System requirements
Systems
Requirements
Endpoint Encryption Manager
•
CPU: Pentium III 1GHz or higher
•
RAM: 512 MB minimum (1 GB recommended)
•
Hard Disk: 200 MB minimum free disk space
•
CPU: Pentium III 1GHz or higher
•
RAM: 512 MB minimum (1 GB recommended)
•
Hard Disk: 200 MB minimum free disk space
Client systems for EEPC
11
Requirements
Software requirements
Software (or package name)
Requirements
McAfee management software
Operating system requirements
12
Systems
Software
See the Endpoint Encryption Manager Administration Guide
Client systems for EEPC
•
Microsoft Windows 7 32-bit and 64-bit
•
Microsoft Windows 2000 Professoinal
•
Microsoft Windows XP Professional (32-bit only)
•
Microsoft Vista 32-bit and 64-bit (all versions)
•
Microsoft Windows Server 2003 and 2008
Installing Endpoint Encryption Manager
McAfee Endpoint Encryption Manager is the administration tool for managing all Endpoint
Encryption applications.
NOTE: If you are unfamiliar with Endpoint Encryption, you should follow the Endpoint Encryption
for PC Quick Start Guide which describes setting up an Endpoint Encryption enterprise. Please
read the Quick Start guide before tackling any of the topics in this guide. You will find this in
your Endpoint Encryption box, or,on your Endpoint Encryption CD.
Install Endpoint Encryption Manager
Install Endpoint Encryption Manager
Install Endpoint Encryption Manager by running the appropriate setup.exe from the Endpoint
Encryption CD or download.
Before you begin
You should run this first on the system that will be the master or administrators system.
Task
1
Run the appropriate setup.exe from the Endpoint Encryption CD or download.
2
Follow the on-screen prompts and select a language, a smart card reader, and encryption
algorithm. The McAfee Endpoint Encryption Manager software is now installed on your
system.
3
Restart your system. The Endpoint Encryption Management suite adds the required items
to your system start menu: Endpoint Encryption Manager which starts the management
console; the Database Server which starts the communication server and provides encrypted
links between clients and the configuration.
4
Run the Endpoint Encryption Manager program. A wizard walks you through the creation
of a new Endpoint Encryption directory.
NOTE: If you have an existing Object Directory in your network, you can connect to it by
cancelling the wizard and manually configuring a connection.
For information on this procedure, see the Endpoint Encryption Manager Administration
Guide.
13
EEPC user policies
The following sections describe the Endpoint Encryption specific parameters.
Contents
User administration functions
User configuration options
User administration functions
Create Token
This option creates a new Token for the selected user - this could be a soft (password) token
or a hard token such as a smart card or eToken. See the Token Operation chapter for more
information.
In the case of hard tokens, creating the token does not necessarily set the user to actually use
that token. This must be accomplished separately from the user’s Token properties page.
Reset Token
This option resets the token authentication to the default. In the case of the soft (password)
token resets the password to 12345.
Some hard tokens may not be able to be reset using Endpoint Encryption, for example, Datakey
Smart Cards. In this case contact the manufacturer of your token to determine the correct
re-use procedure.
Set Single Sign On (SSO) Details
This option sets the SSO details for the user. For more information on SSO see the Windows
Logon Features chapter.
Force Password Change at Next Logon
This option Forces the user to change password at their next logon.
View Audit
This option displays the audit for the user - for more information see the Auditing chapter.
Reset (All) to Group Configuration
This option resets the configuration of the users, or, all the users in the group, to the groups
configuration.
14
EEPC user policies
Create Copy
This option creates a new object based on the selected object.
Properties
This option displays the properties of the selected object.
General
The General page displays the user details such as Used Id, user status, user validity and user
picture.
Figure 1: User Options-General
• Auto-boot users - The special user id “$autoboot$”, with a password of “12345”, can
be used to autoboot a Endpoint Encryption protected machine. This option is useful if an
auto-boot of a machine is required, for example, when updating software using a distribution
package such as SMS or Zenworks. However, this ID should be used with caution as it
effectively bypasses the security of Endpoint Encryption.
• Enabled - This option shows whether the user account is enabled or not. The enabled status
is always user selectable.
When an Endpoint Encryption for PC protected system synchronizes with the Endpoint
Encryption Manager, it checks the user account list to ensure that the currently logged on
user is still valid (because they logged on at a boot time before the network and Object
Directory were available).
Users with disabled accounts, or users who have been removed from the user list, will find
their workstation will lock and they will be unable to log in.
NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence
immediately stop the user from accessing the machine), you can use the "force sync" option
to force an update. See the Force Synchronization chapter.
15
EEPC user policies
Devices
The Devices page is used to specify (set) the access level for the floppy disk.
Figure 2: User Configuration - Devices
• Floppy Disk Access - Users can be prevented from accessing the floppy disk or, from
writing to it. You can also elect to allow only encrypted floppy disks: in this situation the
user must format their own disks, which only they can then use. Note: the disk is encrypted
with the user’s personal key.
• Ports - Endpoint Encryption can attempt to block access to the serial and/or parallel ports.
This blocking is implemented after the operating system has booted. Therefore, if the machine
has a serial mouse, it will still function. Likewise a printer connected to the parallel port will
still function. This option is designed to stop users adding serial and parallel devices AFTER
the machine has booted.
NOTE: The McAfee Port Control product provides granular device access by allowing you to
take detailed control of the devices which are available to your users.
Application Control
Endpoint Encryption includes an innovative application blocking system which can be used to
restrict what code can actually be run by a user. For more information on this feature see the
Trusted Applications chapter.
Figure 3: User Configuration - Application Control
16
EEPC user policies
• List Contains Untrusted Applications - This option allows you to specify files in the listed
file hash sets that should be blocked(untrusted). All unlisted executable files will be permitted
to execute code (trusted).
• List Contains Trusted Applications - This option allows you to specify files in the listed
file hash sets that will be permitted to execute code (trusted). All unlisted executable files
will be blocked (untrusted).
• Enable Blocking of Untrusted Applications - This option blocks code from executing
untrusted applications. If this option is not set, then any code can run. This is a debugging
option.
• Enable Logging of Executed Applications - This option makes a record of files that try
to execute code. A status message indicating whether the file is trusted or not, is written to
the SBAPPLOG.TXT file. This feature is useful for debugging trusted application file sets.
17
Using tokens with EEPC
Endpoint Encryption supports many different types of logon token, for example passwords,
smart cards, Aladdin eToken, and others. Before a user can use a nonpassword token, you
must ensure any machine they are going to use has been suitably prepared.
Contents
Supported Smart Cards and tokens
General token operation
Stored value tokens
Certificate, or crypt only tokens
Other types of token
Token compatibility
Specific token notes
Aladdin eToken 64KB
SafeNet IKEY 2032
Using Endpoint Encryption Phantom USB biometric key
Using Upek fingerprint reader
Supported Smart Cards and tokens
The link below contains the supported smart cards and tokens:
https://kc.mcafee.com/corporate/index?page=content&id=pd20895
General token operation
Hardware device support
Ensure the machine has the appropriate Windows drivers for the hardware tokens it needs to
support. For example, if you intend to use Aladdin eTokens you need to install the Aladdin
eToken RTE (Run Time Environment).
If you intend to use smart cards, you need to ensure that a Endpoint Encryption supported
smart card reader is installed, along with its drivers – for example the Mako/Infineer LT4000
PCMCIA smart card reader must be installed.
In both cases, the appropriate device drivers are available either direct from the manufacturer,
or from the Endpoint Encryption install CD in the \Tools directory.
18
Stored value tokens
Endpoint Encryption for PC driver support
Once you have installed hardware support for the devices, you can enable software support
for them: from the machine, or machine group Properties window, select the “Files” properties
pane and tick the appropriate options for the tokens you want the machine, or group of machines,
to support, e.g. if you want the machines to support eTokens, select the “eToken PRO Client
Token” file group. To support the Mako/Infineer Smart Card reader, select “Infineer Smart Card
Reader” file set.
NOTE: You should also note that some USB key tokens are in fact a combined USB Smart Card
reader and USB Device in one unit, therefore, you need to add USB CCID Smart Card reader
support to your EEPC clients for them to work. See the Token Compatibility section later in this
chapter for information on the tokens which are of this nature.
Assign the token to the user and create it
From the user’s Token properties pane, select the token you want that user to log in with.
Endpoint Encryption will prompt you to insert the token and will create the appropriate data
files on it.
If all steps are followed, when you install Endpoint Encryption, or after the machines synchronize,
users will be able to log in using their new token.
NOTE: When learning how to use Endpoint Encryption, we advise you always leave at least one
passwordonly user assigned to machines in case you make a mistake when setting up token
support.
Stored value tokens
Endpoint Encryption can store user keys on certain tokens, such as smart cards or USB keys
such as the Aladdin eToken.
Storage tokens host around 1KB of data unique to the Endpoint Encryption environment and
user, on each token. They are configured within the Endpoint Encryption Manager for the specific
user before they can be used.
Tokens offer the following advantages over passwords:
• The users key is not stored on the users machine, and is protected from brute force attack
by the microprocessor of the token
• The same token can be used to authenticate to many systems
• Tokens can be used for other physical purposes, for example door access systems
Certificate, or crypt only tokens
Endpoint Encryption can leverage your investment in PKI and tokens to allow users to
authenticate using their certificates. This can be quite advantageous in the corporate environment
for the following reasons:
• Leverage investment in PKI and existing tokens
• Tokens do not need to be provisioned specifically for Endpoint Encryption
• Users can login to Windows etc using their PKI certificates
• Revocation of certificates denies access to Endpoint Encryption-protected PCs
19
By using one of Endpoint Encryption’s certificate connectors, you can quickly make your Endpoint
Encryption enterprise aware of all certificate-holding users, and can allow them to be allocated
to computers using Endpoint Encryption for PC without having to create new smart cards or
other forms of token for them to use.
Endpoint Encryption has been tested with the following tokens and PKI environments – more
tokens and PKIs are being developed so if your environment is not listed, please contact your
Endpoint Encryption representative for the latest information.
You can use any token with any PKI.
How Certificate Tokens Work
Certificate tokens leverage the unique one-way properties of public-key encryption: a piece of
data can be encrypted for a user, using some public information, but cannot be subsequently
decrypted with that same information.
Endpoint Encryption uses the information stored in the public certificate store of a PKI to look
up users and encrypt their unique key with the public key stored in their certificate. This online
process is handled transparently by one of the Endpoint Encryption Connectors.
Once encrypted, Endpoint Encryption stores the information within its policy store, and makes
it available to all Endpoint Encryption-aware applications: for example, with Endpoint Encryption
for PC, the user’s key encrypted with their public key is stored on each machine the user is
assigned to. When a user tries to login, Endpoint Encryption sends their encrypted user key to
their token and asks it to be decrypted using the private key stored on the token. The actual
decryption happens securely within the microprocessor of the token and only after the user has
supplied the correct token PIN or password. This ensures the user’s decryption key (private
key) never has to leave the token.
Once decrypted, the resulting user key can be used to authenticate the user.
You can see from this process that there is no need for Endpoint Encryption to have prior
experience, or to have stored anything on the users token. All the information Endpoint
Encryption needs to prepare the system can be obtained online through the PKI certificate
server.
Certificate Connectors
Setting up Certificate tokens is the responsibility of the Endpoint Encryption Certificate connectors
– these are available for both Active Directory and LDAP systems, and more information on
configuring them can be found in the Endpoint Encryption Manager Administration Guide, in
the Active Directory Connector and LDAP Connector chapters.
The connectors can search AD and LDAP directories for users, and create them in Endpoint
Encryption based on certain criteria. The connectors can also monitor CRL lists for revoked
certificates, and also automatically handle the rollover of certificates on expiry.
There are other types of token also supported by Endpoint Encryption, such as Biometric and
Cognometric tokens. For more information on these tokens please contact the manufacturer
or your distributor.
Other Tokens Supported in Endpoint Encryption for PC:
• Sony Puppy Biometric Reader (http://www.sony.co.jp/puppy/)
20
Token compatibility
• RealUser Passfaces (http://www.realuser.com)
• Infineon Embedded TPM Chip
• Security Chip: TPM (TCG V1.2) with Infineon Package versions: InfineonTPM Professional
Package V2.5 and InfineonTPM Professional Package V2.5 SP1
• Upek Fingerprint Reader
Token compatibility
Endpoint Encryption supports many tokens, but due to the pre-boot nature of Endpoint Encryption
for PC, not all tokens are supported in all environments. If you have a specific token requirement,
please contact your Endpoint Encryption representative for the latest information. Please also
see the token overview spreadsheet. Contact your McAfee representative for further details.
Some USB key tokens are a combined USB Smart Card reader and USB Device in one unit. You
therefore need to add USB CCID Smart Card reader support to your Endpoint Encryption for
PC clients, to enable them to work.
RSA SID800 USB Token
Storage token supported pre-boot. This token requires firmware 1.01.33 or higher.
ActivIdentity Smart Cards and USB Keys
These modules support ActivIdentity 64K v1 (card profile S4), ActivIdentity 64K v2 (card profile
O4) and ActivIdentity 64K v2C (card profile S4 Cards. You can choose to use the card in Stored
Value mode, or Certificate mode. The Tested ActivIdentity ActivKeys are AAK300 version (product
code ZFG-3007-AB).
Infineon Embedded TPM Chip
The Infineon Trusted Platform Module (TPM) on Fujitsu PCs can be used as a token for Endpoint
Encryption allowing:
• Authentication to Endpoint Encryption Manager
• Pre-Boot Authentication
• Screensaver Authentication
NOTE: If you use TPM as a token for Endpoint Encryption Manager, ensure that the UserID is
not used on any other PC with a TPM. If it is, it will be locked to that PC from then on.
The embedded TPM chip, in its simplest form, can be envisaged as a smart card physically
attached to the motherboard of the PC. The TPM (Trusted Platform Module) can perform similar
cryptographic operations to PKI smart cards, such as encryption, decryption, key generation,
signing of data etc.
With the Endpoint Encryption TPM module, the TPM chip is used to secure a users logon
credentials. This means once initialized the users unique secret key is removed from the Endpoint
Encryption environment and secured by the TPM chip. The user from this stage onwards will
only be able to login to that particular machine.
21
Conversion from password mode to TPM mode is automatic and occurs as soon as the user
uses their account on a TPM protected machine. From activation onwards, that Endpoint
Encryption user will only be able to log into the machine on which the TPM chip holds their
keys.
Pre-Requisites for Endpoint Encryption Pre-Boot TPM Support
• Endpoint Encryption
• PC with Infineon TPM Chip installed (TCG Spec. Version 1.2)
Endpoint Encryption's TPM module also requires that the TPM be "initialized". This involves
creating the Endorsement Key, Storage Root Key and setting an Owner password. If this is not
done, Endpoint Encryption will find the TPM and try to convert the user to use it at first logon,
but the operation will fail and the user will not be able to logon.
• Infineon TPM Professional Package (Version 2.5)
• Infineon TPM Professional Package (Version 2.5 SP1)
The TPM initialization process is performed by the Infineon software after you install it. The
TPM Chip must be enabled in the BIOS on the target PC.
The TPM has to be enabled in the BIOS (which it is not by default). Until it is enabled, it is
essentially not present as far as Endpoint Encryption and Infineon software is concerned. If
you try to install the Infineon software with TPM disabled, it will warn you that the "Infineon
TPM not found" and abort the install (exactly as it does on machines without a TPM).
Endpoint Encryption has been tested with the following TPM Components:
• Infineon TPM Professional Package v2.5 HF2
• Chip State = Enabled
• Owner State = Initialized
• User State = Initialized
• Trusted Platform Module
• TCG Spec. Version = 1.2
• Vendor = Infineon Technologies AG
• Chip Version = SLB 9635 TT 1.2 (41313100) FW Version = 1.00 FW ROM CRC = 0x4028
• TPM Device Driver
• File name = ifxtpm.sys (x86)
• Version = 1.80.0002.00 built by: WinDDK
• TPM Device Driver Library
• File name = IFXTPM.dll
• Version = 2.50.0771.00
Configuring the TPM on the target PC
The following instructions detail how to enable TPM support for a user on a target PC:
22
1
From the system tray, double-click the TPM icon or from Start | All Programs | Infineon
Security Platform solution | Manage Security Platform.
2
Click on the User Settings tab.
3
Click on the Basic User Password | Change button.
4
Follow the on screen instructions to register password for the TPM.
Sony Puppy fingerprint reader
5
When you have successfully created the TPM password, exit the application.
Endpoint Encryption for PC setup
1
Install EEPC with TPM support.
2
Log on to the Endpoint Encryption Manager.
3
Click on Devices and from Endpoint Encryption Machine Groups add a new machine
group.
4
Right click on the machine group and select Properties.
5
Click on the Files icon and select TPM Machine Chip. Apply these settings.
6
Click on the Users tab and create an Endpoint Encryption user
7
Right click on the new Endpoint Encryption user and select Properties.
8
Assign an Infineon Embedded TPM Chip to the user and apply these settings.
NOTE: The Configure option does not apply to the Puppy token
9
Assign the user to the machine group.
10 Create an install set from the machine group.
Installing Endpoint Encryption with TPM
1
Install Endpoint Encryption on the client PC using the newly created install set.
2
Reboot and synchronize with the Endpoint Encryption database.
3
Log on to the Pre-Boot Authentication using the default password “12345”.
4
When prompted to change the password, select the same password as the Basic User
password for the TPM.
5
After the PCs next boot, the password for the TPM will be the TPM Basic User password.
6
Reboot the machine and log on at PBA by selecting the Sony Puppy token.
Recovery
When a user password recovery is performed Endpoint Encryption will reset the password to
the default ‘12345’ and will allow the user to login. The user will be prompted to change the
password. Select a new password and make sure that you change the TPM password to the
new one before rebooting the PC.
The Sony Puppy can be used as a token for Endpoint Encryption allowing:
• Authentication to Endpoint Encryption Manager
• Pre-Boot Authentication
• Screensaver Authentication
The Puppy allows two mode of operation: Fingerprint or Password. This means that if a user
fails to login using their fingerprint, they can do so using their password.
Requirements to use Sony Puppy with Endpoint Encryption
• Puppy Suite Enterprise / Personal - v2.1 or later
23
• Sony Puppy device (FIU-810-N03)
• Endpoint Encryption V5.0
The following instructions detail how to enable Sony Puppy Support for a user. For this you will
need to have a new Sony Puppy or Reset an exsiting one using the Sony Puppy Administration
Tools.
Setting up the Sony Puppy fingerprint reader
Installing Endpoint Encryption with Puppy support
Setting up the Sony Puppy fingerprint reader
Task
1
Install the Sony Puppy software - SC-API 810 setup (Basic).
2
Plug the Sony Puppy finger-print reader into an available USB Port.
3
Click Start | All Programs | FIU-810 tools | User Manager.
4
Follow the on screen instructions to register a User Name and Fingerprint/Password for
the device.
5
When you have successfully created the Sony Puppy User and registered your fingerprint(s)
exit the application.
Task
1
Install Endpoint Encryption for PC with Sony Puppy support.
2
Login to the Endpoint Encryption Manager.
3
Click on Devices and from Endpoint Encryption Machine Groups, add a new machine
group.
4
Right click on the Machine Group and select Properties.
5
Click on the Files icon and select Sony Puppy Client Files.
6
Apply these settings.
7
Click on the Users tab and create a Endpoint Encryption user (Keep a note of the UserID).
8
Right click on the new Endpoint Encryption user and select Properties.
9
Assign a Puppy token to the User and apply these settings.
NOTE: The configure option does not work with the Puppy token.
10 Assign the user to the machine group.
11 Create an install set from the machine group.
Installing Endpoint Encryption with Puppy support
Task
1
24
Install Endpoint Encryption for PC on the client using the newly created install set.
Aladdin eToken 64KB
2
Once installed, start SbPuppytrainer.exe from the default Endpoint Encryption
directory.
3
Select Train Puppy from the menu. The logon screen will appear.
4
Select Use Endpoint Encryption Username and enter the User ID and Password of
the Endpoint Encryption user and click the Logon with Password button. You will be
asked to verify your fingerprint.
5
Place your finger on the reader and it should verify OK. The training is complete. You may
Reboot the machine and logon at PBA by selecting the Sony Puppy token.
Aladdin eToken 64KB
Tokens with id 0x0514 and 0x0600 are supported. Tokens 0x050c are no longer supported as
they are discontinued by Aladdin.
This token module requires Aladdin RTE 3.65 to be installed.
SafeNet IKEY 2032
Requires the v3.4.7 drivers as available from www.safenet.com. The Windows update drivers
do not function. This token is supported in Storage Mode only.
Using Endpoint Encryption Phantom USB biometric
key
The Endpoint Encryption Phantom is a combined USB storage + Biometric authentication token.
To use it for Endpoint Encryption for PC Pre-Boot:
Task
1
Create a user and assign their finger within the USB Phantom by running SMCforUSB.exe
(this is the USB Management utility):
a Create user
b Enroll user i.e. register finger
c Assign a partition to the user
2
From the Endpoint Encryption Manager create a user account for the user name created
in step 1.
3
Assign Endpoint Encryption for USB token to user (default token is password)
NOTE: The default in EEPC is to create a default password of 12345.
4
Define the Machine Policy which should include file sets:
• Endpoint Encryption for PC client files
• READER: USB CCID smart card
• TOKEN V5x: Endpoint Encryption for USB Phantom client files
25
5
Create online installation set note: assign user or user group to the machine as part of
machine policy.
6
Install Endpoint Encryption for PC on the client computer.
After the second reboot, the client should see the Pre-Boot Authentication screen. This will
have the password and Endpoint Encryption for USB token options.
7
Select Endpoint Encryption for USB which should generate a Endpoint Encryption Biometric
challenge screen:
a Attach USB phantom to PC.
b Swipe enrolled finger on USB Phantom
c Tick the box for user listed Provide User Name.
The standard Endpoint Encryption logon screen should appear which will require the SAME
user name to be entered as the one registered with the USB Phantom. At this point you
will need to enter the default Endpoint Encryption password of 12345 which will configure
the Endpoint Encryption for PC client with the USB phantom. This step has completed the
integration of Endpoint Encryption for PC with the USB phantom.
The PC should now boot into Windows. After rebooting the client you will be prompted to
authenticate via the USB Phantom biometric reader.
Before the Upek fingerprint reader can be used as an authentication device the
following steps must be performed:
1
The Upek Protector Suite QL software must be installed and configured on the client
machine. The software can be found on the McAfee Endpoint Encryption Tools download.
Please consult your McAfee representative for further information.
2
From the Endpoint Encryption Manager:
• Create a file group for the Upek token and import the token files: SbTokenUpek.dll
and SbTokenUpek.dlm. See the File Groups and Management chapter for further
information.
• The Upek file group must be assigned to the machine or machine group.
• The fingerprint reader must be assigned to a user or a user group. See the user or user
group Properties | Tokens screen.
26
3
The user logs onto the client machine using the Upek token module in password mode.
4
The user will be presented with a dialog box which will ask them to register their fingerprints
with Endpoint Encryption; the user configures the fingerprint reader to work with one or
more of their fingerprints.
5
From then on the user will need to authenticate to Endpoint Encryption with their fingerprint
instead of a password.
Creating and configuring systems
The Object Directory contains a unique record for every system attached to it. When Endpoint
Encryption installs, it creates a record either directly in the Object Directory or in a transfer
directory for later inclusion—this object contains the system’s encryption key, hard drive
geometry, and secure configuration.
Each user system periodically tries to connect to its parent directory to check that its local
configuration matches the centrally defined one. If there are any differences, the local system
reconfigures itself to match. You can change any aspect of the system’s configuration centrally;
these changes get applied to the system the next time it synchronizes.
Systems normally create their own object in the directory when Endpoint Encryption first installs,
this happens automatically if you use a Group Install Set (see the Creating an Install Package
chapter), but you can pre-create a placeholder object for the system, set a unique custom
configuration for it, and then create an install set for that object only.
Users are assigned to systems and system groups. When the system synchronizes, it compares
its local user list with that in its Object Directory entry. Any changes are made in real time,
including disabling the current user if their account status, becomes removed or disabled.
Contents
Machine administration functions (right-click menu)
Machine configuration options
Create Machine
The Create Machine option creates a new placeholder system definition. If in the future a
new system with the same network name tries to install itself into the group, it will take over
the placeholder object and use the configuration set within it.
Rename
This option changes the Endpoint Encryption name of the system. This does not affect the
systems network name which can be seen from the General | Properties page.
Delete
This option deletes the system entry—you will be given the opportunity to Permanently Delete
the system, or to move the system to the Recycle Bin (where it can be later restored, if
necessary).
27
Import Machines
This option imports a system definition into the group—This definition could be from a system
created using an Offline Install (see Offline Package Installs for further information) or from an
export from another database.
Export Configuration
This option exports the configuration information for a system (.sdb file) which can be used for
diagnostic or troubleshooting tasks or for import into an alternate database.
Create Install Set
Creates a package of all the files and configuration needed to install Endpoint Encryption—for
more information, see Installing, Upgrading and Removing Endpoint Encryption for PC.
Force Synchronization
You can elect to force a system (or group of systems), which are online to perform immediate
configuration synchronization. You would perhaps do this if you have removed a user from a
group (or disabled them) and it is imperative that they are disabled immediately, or a user has
a configuration issue that needs resolving.
To do this, select the system (or system group) in question, and use the Force Synchronization
option from the window menu or right-click menu. The Endpoint Encryption Manager sends a
short message to the system in question (using its stored DNS or IP address) telling it to perform
an immediate synchronization to update its policies.
If you Force Sync a system that is not online, or refuses the request because Endpoint
Encryption is no longer installed, an error message is generated. If Endpoint Encryption is
already in the process of performing a configuration change on the remote system, the sync
request is ignored.
Reboot Machine
You can select the Reboot Machine option to attempt to reboot one or many systems—this
sends a message to the systems in question telling them to perform an immediate shutdown.
Users may not be given enough time to save their work, so this feature should be used with
caution.
You can configure the messages and timeout of the reboot option by editing the SCM.ini file,
as explained in Endpoint Encryption Configuration Files chapter of this guide.
There are some instances when Windows will prevent remote rebooting of a system, for example,
while the screen-saver is active.
Lock Machine
You can remotely activate the screen saver on a given system by using the Lock Machine
command. Both systems and groups of systems can be locked in this way.
Add Users
You can add a number of users to a collection of systems using this option—You can select the
system, or combination of systems you want to add users to from a group or search window.
View Audit
This option displays the audit for the system. For more information see the Auditing chapter.
28
Reset to Group Configuration
Resets the configuration of the system, or all the systems in the group, to the groups
configuration. Optionally, it sets the user list to match the group user list.
Create Copy
Creates a new object based on the selected object.
Properties
This option displays the properties of the selected object.
The following configuration options can be set for systems, or groups of systems.
Machine Groups
Description - You can enter a text description for a system group, such as the physical location
of the systems.
General
The General page enables you to select the Boot protection and other General options.
Figure 4: Boot Protection and General Options
Table 1: Boot Protection and General Options
Settings
Options
Description
General
Boot Protection
•
Disabled—Endpoint Encryption is installed,
but is not securing the computer. You can
change the status to another mode and this
will be reflected at the next synchronization.
•
Enabled—Endpoint Encryption is protecting
the system, and requiring users to log on.
•
Remove—Endpoint Encryption will decrypt
and uninstall itself at the next synchronization.
•
Remove and Reboot—as above, with the
addition that Endpoint Encryption will
automatically reboot the system after
uninstalling.
29
Settings
Options
Description
•
Removed—Endpoint Encryption is no longer
installed on the system, and its entry can be
deleted from the directory.
NOTE: If you select Remove and let the
system uninstall Endpoint Encryption,
remember to delete the entry from the
directory, or, set the protection back to Enable
before re installing Endpoint Encryption. If
you forget this, then as soon as the new
install connects, it will remove itself again.
Description
This field allows you to enter a text description
of the system, such as its specification, model or
physical location.
Network Name
The systems logical network name—you can find
and filter the Machine tree for the systems name
using the Object/Filter option.
Options (Windows Logon)
•
Require Endpoint Encryption
Logon—Endpoint Encryption takes control of
the normal windows logon screen, and screen
saver logon. Users will be prompted for their
Endpoint Encryption for PC credentials.
•
Attempt automatic Windows
Logon—Endpoint Encryption tracks the user’s
Windows id, password and domain, and
presents these automatically to Windows
logon boxes. This mechanism means once
the user has authenticated to Endpoint
Encryption at the boot screen, they do not
need to enter any more passwords for
Windows.
NOTE: If the user’s Windows credentials are
different from their Endpoint Encryption for
PC credentials, Endpoint Encryption stores
the Windows credentials the first time they
are used. It may take two reboots before the
Single Sign On becomes active.
30
•
Require Endpoint Encryption re-logon—If
the user logs out of Windows, Endpoint
Encryption controls the logon box for the next
log on.
•
Automatically logon as boot user—If
there are no stored Windows credentials for
the user, Endpoint Encryption tries to log on
to Windows with the user’s Endpoint
Encryption credentials.
•
Endpoint Encryption logon component
always active—If selected, the Endpoint
Encryption logon component is kept active on
the system even if all the other options are
disabled. This means that it can be
reactivated mid-session during
synchronization with the Object Directory. If
all options are deactivated, the Endpoint
Encryption logon component can only be
reactivated after a reboot.
•
Set Endpoint Encryption Password to
Windows Password—If the Windows and
Settings
Options
Description
Endpoint Encryption logon passwords differ,
users are prompted to set the Endpoint
Encryption password to the Windows
password. Also, if the user changes their
password in Windows, their Endpoint
Encryption password is set to match.
•
Booting
Must Match Windows user name—If a
users Endpoint Encryption and Windows user
ID’s do not match, no SSO credentials are
stored for the user if this option is enabled.
This prevents an administrators Windows
credentials being associated with a normal
user’s Endpoint Encryption account in the case
that the normal user logged on at Pre-Boot,
but then an administrator authenticated to
Windows.
Allow Booting from the hard disk—If disabled,
users will have to boot the system with a system
bootable token such as a Endpoint Encryption
Floppy Disk. This adds the additional security in
that the system is inaccessible without the token.
NOTE: This option is not available with Endpoint
Encryption version 4.1 or later.
Virus Protection
Enable MBR Virus protection—Endpoint
Encryption monitors boot sector activity, and
prevents any program writing to it. Endpoint
Encryption also monitors the bios signature to
further prevent boot viruses.
NOTE: If you have this option enabled and you
move a protected hard disk between two systems,
Endpoint Encryption will detect this as a possible
virus and prevent the system being used until a
virus reset has been performed. For information
on this procedure, see the chapter on WinTech
and SafeTech.
Miscellaneous
•
Do not display previous user
name—Hides the ID of the last logged on
user in all Endpoint Encryption logon dialogs,
and changes the Incorrect Password and
Unknown User ID error messages to a
generic message.
•
Reject Suspend/Hibernate
Requests—This option stops the system from
entering hibernation mode.
NOTE: This option is not supported in Vista.
•
Disable Checking for T—This option
switches off the $autoboot$ user support
on this system. If the system has many users
assigned, this option can speed up the boot
time.
•
Do not lock after AutoBoot is
removed—Normally Endpoint Encryption
locks the workstation if the current logged on
user is removed, or disabled, as part of a
synchronization event. This is to prevent the
system being used in the event that there is
31
Settings
Options
Description
no current user. Switching this option on
stops the autolock happening if the
$autoboot$ user is removed, and may be
useful in the case of automated software
updates.
Encryption
Encryption Mode
•
Allow AutoBoot user to be managed
locally—Enables support for the
-disablesecurity and -reenablesecurity
options of the Endpoint Encryption
Automation library–for more information on
these options see the SBAdmCL Users Guide.
•
Disable Clearing of status log—Prevents
users from clearing the Client side status log.
•
Always display On-screen
keyboard—Forces the Pre-Boot to always
display a clickable on screen representation
of the keyboard. This option is of most benefit
to TabletPC users.
•
Enable Boot Disk Compatibility—Some
systems have BIOS code which mounts USB
disks as physical drives. This is an unusual
mode of operation and means that after
Endpoint Encryption has finished it’s
authentication, Windows hangs trying to
access the drive through the BIOS physical
interface (because Endpoint Encryption is also
a 32-bit platform, it unloads all BIOS drives
when it finishes). This option forces the
low-level Endpoint Encryption drivers to block
access to disks other than the boot disk
meaning Windows will not detect these USB
drives until the USB stack is initialized. An
alternate solution would be to unplug all USB
drives before booting the system.
•
Always enable pre-boot USB
support—This option forces the Endpoint
Encryption Pre-Boot code to always initialize
the USB stack. Normally this option should
not be enabled as Endpoint Encryption will
dynamically enable USB on demand.
•
Do Not Lock Workstation if no User is
Authenticated—This option stops the client
manager from locking the workstation after
a synchronization if it finds that there is no
current Endpoint Encryption user logged on,
for example, after the first synchronization
during the install or if the Endpoint Encryption
user that is currently logged on is removed.
•
Do Not Lock Workstation if User is
Disabled—This prevents the client manager
from locking the workstation after a
synchronization if the currently logged on
Endpoint Encryption user is disabled.
The Encryption Mode drop down menu lets you
specify an encryption type for all drives in a
system group:
•
32
Manually select the drives to
encrypt—This option allows you to manually
select the encryption type for each drive using
the Full, Partial or None buttons.
Settings
Options
Description
•
Never encrypt any drives—This option
ensures no drives in the system group will be
encrypted.
•
Automatically encrypt all drives
partially—This option sets all drives in the
system group to be partially encrypted.
•
fully—This option sets0 all drives in the
system group to be fully encrypted.
Encryption
Before a system has first synchronized with the Object Directory, or in the case of the properties
of a system group, the Object Directory does not know what drives and partitions are available
to be encrypted. The Endpoint Encryption Manager provides the ability to specify any partition
name and elect to encrypt it.
Figure 5: Setting Drive Encryption
Once the system has synchronized, only the partitions present on it are shown.
You can specify one of three encryption modes—Full encrypts the entire partition, Partial
encrypts only the first 10% of the drive, None leaves the drive in plain text with no security.
The Last Reported Setting can be used to verify if the system has applied recent configuration
changes.
The Last Reported Setting for a drive is the exact state of encryption the last time the system
reported to the Database.
NOTE: Partial encryption is designed to encrypt the directory structure and file allocation table
on FAT drives—it does not stop a competent hacker reassembling file data from the drive.
Table 2: Encryption Options
Settings
Options
Description
Encryption
Encryption Mode
The Encryption Mode drop down menu lets you
specify an encryption type for all drives in a
system group:
•
Manually select the drives to
encrypt—This option allows you to manually
select the encryption type for each drive using
the Full, Partial or None buttons.
33
Settings
Options
Description
•
Never encrypt any drives—This option
ensures no drives in the system group will be
encrypted.
•
partially—This option sets all drives in the
system group to be partially encrypted.
•
fully—This option sets all drives in the system
group to be fully encrypted.
Recovery key
You can boot a system, or close the Endpoint
Encryption screen saver without logging on using
the recovery process—this involves the user
reading a small challenge of 18 characters from
the system to an administrator, then typing in a
larger response from the administrator. The
recovery key size defines the exact length of this
code exchange. For more information see the
Recovery Key chapter. A recovery key size of 0
disables the system recovery system.
Removable Devices
You can configure EEPC to also encrypt removable
drives such as USB or Firewire hard disks, Flash
drives etc. Normally, EEPC only protects physically
attached hard disks, for example, IDE or SCSI
hard disks. This is because EEPC is related to the
system, not the user – it’s impossible to share
drives encrypted with EEPC between different
systems. If you need to share data amongst users
and systems, please consider using EEFF.
•
Manually Select—Normally removable drives
will not be show in the encryption list.
Selecting this option makes them visible.
•
Always Encrypt—Forces encryption of
removable drives.
•
Never Encrypt—Prevents Endpoint
Encryption from attaching its drivers to
removable disks—this is the default option.
Users
You can add groups of users, and individual users, to a system (or system group). Either drag
and drop the user(s) from the user tree into the system properties User tab, or, use the user
picker to select them. Although Endpoint Encryption supports many hundreds of users on a
single system, we recommend that the actual number of users assigned is minimized to the
fewest possible. Every user added to a system is another possible account for a hacker to gain
entry. There is no purpose in adding entire departments of users to laptops which are used by
only one person.
• Auto-boot users—Special user IDs containing the name $autoboot$ with a password of
12345 can be used to auto-boot a protected system. This option is useful if an auto boot
of a system is needed; for example, when updating software using a distribution package
such as SMS or Zenworks. These IDs should be used with caution however, as they effectively
bypass the security of Endpoint Encryption. Any ID containing the string $autoboot$ can
be used, for example, my$autoboot$, $autoboot$123 etc. By using more than one ID,
you can improve database performance if many systems are synchronizing the $autoboot$
account at the same time.
The process for creating an $autoboot$ user is:
34
1
Create the user
2
Uncheck the Force password change at next logon
3
Click the Devices tab
4
Right-click the system group (or system, if preferred), and select Properties
5
Ensure the Disable checking for AutoBoot option is unchecked
6
Ensure the Allow AutoBoot user to be managed locally and Allow AutoBoot to be
cancelled options are checked
7
Click the Apply button to save these options.
The AutoBoot user is now ready. For further explanation of steps 5 and 6 see the General
section of Machine Configuration Options chapter.
You can also change the default password for the $autoboot$ accounts, to do so see the section
Autoboot.ini in Endpoint Encryption Configuration Files.
CAUTION: It is quite possible to create a system, or system group, with no users assigned. If
this configuration is deployed then no one will be able to log on to that system. To resolve this
issue, use the recovery “boot once” procedure, add some users to the system in question, and
then synchronize it again to update the configuration.
Warning Text
• Security warning—Text displayed to the user in the Endpoint Encryption login box.
Figure 6: Client Warning Text
• Recovery Message—Text displayed to the user when they select the Recover button.
This may include information such as their help desk telephone number.
35
Synchronization Settings
Endpoint Encryption systems try to keep their local configuration the same as their central
directory configuration; they do this by periodically synchronizing changes with the Object
Directory. The default behavior is to synchronize on boot, but further options can be set.
Figure 7: Synchronization Settings
Table 3: Synchronization Settings
Settings
Options
Description
Synchronization Settings
Automatically Resynchronize Endpoint Encryption tries to contact the Object
Directory every specified number of minutes. If
the directory cannot be contacted, the sync sleeps
until the next period.
Allow Local
Resynchronization
By right clicking on the Endpoint Encryption tool
tray icon, the user can force a synchronization
event by selecting the Synchronize option. This
feature can be disabled.
Resynchronize when RAS
connection is detected
This option causes a synchronization event to
occur if the user dials up to the internet/intranet.
Endpoint Encryption checks for new RAS (Remote
Access Service) connections every second.
Synchronize time with
directory
This option sets the local system time to the time
of the server/directory it is synchronizing with. If
the user’s system is in a different time zone to
the server, the correct local time will be set as
long as their time zone is correct.
CAUTION: This option is useful when logon hour
restrictions are in place—without this time check
the user could set their system clock back to gain
extra hours of system use.
36
Disable Synchronization of
Files
This option stops Endpoint Encryption monitoring
file group changes and deploying updates to the
remote systems.
Allow remote controlled
synchronization
This option allows an administrator initiate a
synchronization event using the ForceSync
option. The Endpoint Encryption client sends its
IP address to the ObjectDirectory each time it
connects to enable the communication channel.
Settings
Options
Description
The communication port can be set between 0
and 65535.
NOTE: The client IP appears in the Address field
within the Synchronize settings screen of the
system’s Properties screen.
Disable Access if not
synchronized…
If a system does not connect to its server within
the specified number of days, then all accounts
become disabled. This option prevents users
continuing to use systems offline from the
Endpoint Encryption Object Database for extended
periods of time. Also, if a system is stolen or lost,
you can be assured that it will disable itself after
the timeout has passed.
Delay Sync at boot for…
You can specify an optional offset and random
offset for the initial boot sync. This speeds up the
system, and also ensures any network load
created by 9am syndrome is distributed over a
longer period of time. You can set a value of Zero
for the delay time, this disables the initial
synchronization.
The synchronization settings take effect once
Endpoint Encryption has connected and picked
up its policy from the central object directory.
You can pre-set the parameters that Endpoint
Encryption will use while it is trying to establish
the initial first time connection through settings
in the file SCM.ini. More information on this file
can be found in Endpoint Encryption
Configuration Files.
Files
Select which groups of files need to be deployed to the system. Typically the Endpoint
Encryption Client File group is deployed, along with optional token and language files.
Figure 8: Client File Groups
Some file groups may not be displayed in the list—Only file groups with the property Client
File Sets are shown.
You can add your own file groups for deployment to the Endpoint Encryption Object Database.
37
If your Endpoint Encryption user account has group permissions set, some file groups assigned
to the system may be outside your control—in this case they will be marked as locked groups.
To gain the ability to change them, remove any Group administration restrictions on your
account.
Screen Saver
Figure 9: Screen Saver Properties
Table 4: Screen Saver
Settings
Options
Screen Saver
Enable Secure Screen Savers Endpoint Encryption will take control over all
screen savers, providing secure authentication
services. On Windows 2000, XP, Vista, and 7
operating systems, the Windows Logon options
also need to be configured.
Allow user access…
Description
This option allows the user to change the local
screen saver properties.
Run screen saver if token is If the current user’s token supports dynamic
removed…
removal, for example, a smart card or eToken,
then the screen saver will be activated if they
remove the token from the system.
Set Endpoint Encryption
screen saver as default
This option sets the current selected screen saver
to be the Endpoint Encryption Screen Saver.
Allow logon of
administrators…
This option allows administrators with accounts
on systems greater than the specified admin level
to unlock a screen saver that has locked by a
different user. If this option is not set, then only
the user who locked the system can unlock it.
Set screen saver inactivity… This option sets the timeout period for the screen
saver.
38
Boot
Figure 10: Boot Properties
Table 5: Boot
Settings
Options
Description
Boot
Boot Manager
Enable boot Manager—Switches on the built
in Pre-Boot partition boot manager. Users can
select which primary partition on the hard disk
they wish to boot.
You can control the display of the partitions
which the user can select to through the file
bootmanager.ini. For information about this
file, see the Endpoint Encryption Configuration
Files chapter of this guide.
Auto select After... seconds
This option allows you to select a period, which
once it has expired, causes the boot manager to
select the last used partition.
Graphics Mode
This menu allows you to specify the screen
resolution for a system or systems within a group.
The default option is Default Graphics Mode
which supports resolutions up to 1024x768.
NOTE: If the selected mode is not supported on
the system it will fall back to the default mode.
39
File groups and management
Endpoint Encryption for PC uses central collections of files, called Deploy Sets, to manage what
versions of files are used on remote Endpoint Encryption clients. When an administrator updates
a file in the central directory, all machines attached to that Deploy Set automatically collect the
new version of the file from the directory the next time they synchronize. This mechanism can
be used to update Endpoint Encryption clients to future versions, or to manage any file on a
Endpoint Encryption protected machine—for instance, updating a virus database, or, a new
version of an application.
Contents
Endpoint Encryption file groups
Setting file group functions
Importing new files
Exporting files
Deleting files
Setting file properties
Endpoint Encryption file groups
You can assign multiple file sets to be used on each system. Typically two are used, the first
for the core Endpoint Encryption files, the second for the language files. All assigned sets are
processed in the same way.
When the Endpoint Encryption Manager is installed, it automatically adds the entire standard
Endpoint Encryption administrator and client files into two core file groups: Administration
Center Files and Endpoint Encryption for PC 5 Client Files; it also may create language
sets, for example, English Language; two INI files - ADMFILES.INI for the administrator
files (determines the contents of the core groups) and SBCLIENTFILESET.INI for the client
files. These INI files can be edited to allow custom collections of files to be quickly imported
40
and then applied using the "Import file list" menu option. For more information on ADMFILES.ini
and SbClientFileSet.ini, see the Endpoint Encryption Configuration Files chapter of this guide.
Figure 11: Endpoint Encryption File Groups
Other file sets created as standard include those to support login tokens, such as smart card
readers, and USB Key tokens.
You can specify the function of a file group by right-clicking it and selecting its properties. Some
file selection windows, for example the file selector for machines, only display certain classes
of file group (in this example, those marked as Client Files).
Figure 12: File Group Content
41
Importing new files
Importing new files
New files can be imported one by one into an existing deploy set using the Import files menu
option. Simply select the file. The Endpoint Encryption Manager will then import it into the
directory and add it to the deploy set. The default options for the file mean that those machines
using this deploy set it will NOT automatically receive a download when they synchronize. This
chapter contains further information on how to achieve this. You can also import File Sets, for
instance, to add a new option to the Endpoint Encryption database.
Exporting files
You can export a file group, or an individual file back to a directory. This may be useful, for
example if you have an out of date administration system driver and there is an updated file in
the Object Directory.
Deleting files
You can delete individual files from a file set. In this case all machines that are maintaining a
link to the file through association will delete it from their local directory at the next
synchronization event.
Clients maintain a link to a particular file through its object id, not its name. If you delete a file
and re-import it, its id changes, clients will still delete the original and download the new copy.
To see the properties of a file, right click on the file in question and select Properties. Two
screens of information are available: File Information and Advanced.
The name of the file is the actual name, which will be used when deploying the file on the
remote machine. The ID is the Object Directory object ID which is used as a reference for the
file from the client PC.
42
The version number is an incremental version of the file. When the file is updated, the version
is incremented. This is used by the clients to check whether an update is needed. Other
information such as the name of the user who imported the file and its size may be shown.
Figure 13: File Properties, Advanced
Table 6: File Properties, Advanced
Settings
Options
Description
Setting File Properties
File Types
Sets the type of the file.
Operating System
Because some files are only applicable to some
operating system(s), the target operating
system(s) for the file must be selected. This is to
prevent Windows NT drivers being installed on
Windows 98 machines, or windows 9x registry
files being run on Windows 2000 servers.
App ID
If you are installing file which is shared between
multiple Endpoint Encryption applications, you
can specify this applications ID. This prevents one
application from installing files shared by another.
Update
Specify when Endpoint Encryption should update
the file.
43
Using Endpoint Encryption as a file deploy
system
Endpoint Encryption’s internal file update mechanism can be used to synchronize any file on
an Endpoint Encryption protected machine. When the Endpoint Encryption client performs
synchronization, it compares its internal file revision list with the revision of the files in the
Object Directory. If any files have been superseded (or are in the directory list but not in the
local list), the Endpoint Encryption downloads them.
The file type assigned in the Object Directory determines what happens to a file when it is
downloaded. The action can be summarized simply:
• Endpoint Encryption Registry File: Processed into registry
• Windows Registry File: Processed into registry using RegEdit
• Pre/post Installation Executable: Copied to specified location and Run either before or after
Endpoint Encryption.
• Any other file: Copied to specified location
Contents
Copying a new file to the desktop (Example)
This example shows how to set up a new text file that will be copied to the user’s desktop when
they synchronize.
Task
1
Check the File Group settings:
From the properties of the machine (or controlled machine group) you want to update,
check which file groups are assigned. The default file group is EEPC1: Endpoint
Encryption for PC 5.1.2 Client Files. You can create new file groups specifically for
your custom files and assign them to machines if you so wish.
2
Add the new text file.
a Select the file group from step 1, and then use the Import Files option (rightclick
inside the File Group window).
b Select the new file you want to import, for example, "message.txt". Once imported,
select the new file and go to its Advanced Properties box.
Because we are importing a "Known" file type, the file location will be set automatically to
[appdir]. We will override this with the location we want to send the file to, in this case
44
Using Endpoint Encryption as a file deploy system
c:\windows\desktop. We also want this file to be deployed on all operating systems, so we
check all the boxes.
Figure 14: Setting the new text file permissions.
Now, next time the machine synchronizes, it will notice the new file, and download it into
its c:\windows\desktop directory. If the file was defined as a type of Endpoint Encryption
or Windows Registry file, it would be applied. If it was marked as an "Installation
Executable", it would be run.
You can test this behavior by forcing the machine to resynchronize using either the "Force
Sync" option from the Endpoint Encryption Manager, or from the Endpoint Encryption client
tool tray Icon right-click menu.
The file "message.txt" should appear on the desktop, and the status window of the client
should reflect the change.
More information on the Endpoint Encryption file deployment mechanism can be found in
the File Groups and Management chapter.
45
Creating an install package
Endpoint Encryption client is installed by running a special archive file created from the Endpoint
Encryption Manager. This archive file contains all the components necessary to install Endpoint
Encryption.
The Endpoint Encryption Manager compresses the files needed into a single selfcontained
executable for ease of management. Deploy sets can be created for Machine groups, and
individual machines for both fully online, and temporary offline situations.
This chapter deals with creating the install package, for information on how to apply it, see the
Installing, Upgrading and Removing Endpoint Encryption for PC chapter.
Contents
Selecting the Group/Machine
Select the install set type
Importing a transport directory
Select the master directory
Selecting the Group/Machine
The First step in creating an install set is to select the object you want to create the set for,
e.g. an individual machine or a machine group. Install sets created for a machine can only be
used to install that one machine - the target PC always takes the database entry the install set
was created for. Sets created for groups of machines can be used to install any number of
machines in that group - each machine looks in the deployed group for its name - if found it
uses that object. If not, it creates a new object based on its network name.
46
For the second step you need to determine whether you expect the machine to be online or
offline at the time of install.
Figure 15: Creating an Installation Set
Online Installs
Online installations expect the master Object Directory (the directory the administrator is
currently connected to) to be available via the LAN during the install process. Once Endpoint
Encryption for PC is installed, after the next boot, Endpoint Encryption will contact the Object
Directory and download all the configuration and object data for the machine and users.
If a "placeholder" object for the machine name exists (a machine object created, but not
installed), it will use the configuration stored in that object. If no placeholder exists, the machine
will obtain its configuration from the machine group that the install set was created for. If the
machine name is already used in the directory, and the existing machine is not a “placeholder”,
the new machine will append a four digit number to the end of its name and install. For example,
where a machine called “JSMACHINE” already exists, an object “JSMACHINE0001” will be
created.
NOTE: By editing the file scm.ini on the client before Endpoint Encryption is activated (i.e. after
setup, but before the first reboot) the group can be changed.
Offline Installs
If the machine is expected to be disconnected from the Endpoint Encryption Server during the
install, an "offline" install set can be created. In this case a "transport directory" containing the
necessary objects and configuration data will be included in the deploy set. After local
configuration, the transport directory will need to be reimported into the master directory before
the machine can be recovered.
Selecting an Offline install mode allows the additional choice to include the "individual objects"
in the transport directory. If they are included, then all users and machines in the set will be
deployed with the transport directory (and therefore will be available immediately, even before
the machine connects back to the master directory). If they are not included, then there will
be no login prompt until the machine has performed its first connection and brought down its
user list.
NOTE: Until the transport directory containing the machine’s completed configuration is imported
back into the master directory, no connection or configuration of the client can be performed.
Also, in the case where the offline install set was created from a group, it will not be possible
47
to recover the machine until it has successfully synchronized with its master database. In the
case where the offline install set was created for an individual machine, or in the case of users,
synchronization is not necessary for the machine to be recovered.
The Transport directory is a file called sbxferdb.sdb, and can be found in the directory the
Endpoint Encryption client is installed into. To import the details in this directory back into the
master, select the machine group you want to contain the entries, and use the Import Machines
right-click option. This brings the keys and configuration from the machine into the master
database, giving the ability to synchronize with, reconfigure, and recover the machine.
For the second step you need to determine whether you expect the machine to be online or
offline at the time of install.
Figure 16: Creating an Installation Set
Online Installs
Online installations expect the master Object Directory (the directory the administrator is
currently connected to) to be available via the LAN during the install process. Once Endpoint
Encryption for PC is installed, after the next boot, Endpoint Encryption will contact the Object
Directory and download all the configuration and object data for the machine and users.
If a "placeholder" object for the machine name exists (a machine object created, but not
installed), it will use the configuration stored in that object. If no placeholder exists, the machine
will obtain its configuration from the machine group that the install set was created for. If the
machine name is already used in the directory, and the existing machine is not a “placeholder”,
the new machine will append a four digit number to the end of its name and install. For example,
where a machine called “JSMACHINE” already exists, an object “JSMACHINE0001” will be
created.
NOTE: By editing the file scm.ini on the client before Endpoint Encryption is activated (i.e. after
setup, but before the first reboot) the group can be changed.
48
Offline Installs
If the machine is expected to be disconnected from the Endpoint Encryption Server during the
install, an "offline" install set can be created. In this case a "transport directory" containing the
necessary objects and configuration data will be included in the deploy set. After local
configuration, the transport directory will need to be reimported into the master directory before
the machine can be recovered.
Selecting an Offline install mode allows the additional choice to include the "individual objects"
in the transport directory. If they are included, then all users and machines in the set will be
deployed with the transport directory (and therefore will be available immediately, even before
the machine connects back to the master directory). If they are not included, then there will
be no login prompt until the machine has performed its first connection and brought down its
user list.
NOTE: Until the transport directory containing the machine’s completed configuration is imported
back into the master directory, no connection or configuration of the client can be performed.
Also, in the case where the offline install set was created from a group, it will not be possible
to recover the machine until it has successfully synchronized with its master database. In the
case where the offline install set was created for an individual machine, or in the case of users,
synchronization is not necessary for the machine to be recovered.
Select the final Object Directory that the new client will communicate with to synchronize
configuration details. The default is the directory that the administrator is currently using, but
could be any directory the administrator has access to. Usually the clients will access the Object
Directory via a Endpoint Encryption server, rather than locally.
Figure 17: Selecting the Master Object Directory
Connections through a Endpoint Encryption Server have the category type called Remote. You
can specify multiple connection points for machines, if you have more than one server defined.
You can also change the order that the client will look for servers, and enable automatic random
selection of servers by using the wizard.
NOTE: For information on setting up a Endpoint Encryption Server, see the Endpoint Encryption
Manager Guide.
49
Installing, upgrading, and removing EEPC
Running an “Install Package” created by the Endpoint Encryption administrator on the target
machine enables and installs Endpoint Encryption for PC. For information on creating install
packages see the Creating an Install Package chapter.
Contents
Offline package installs
Online package installs
Removing Endpoint Encryption client
Upgrading Endpoint Encryption from previous versions
Offline package installs
Create the install file as per the Creating an Install Package chapter; selecting Offline install,
and including the users and machines required. Run the package on the target client and let it
reboot.
Once restarted, you must retrieve the file sbxferdb.sdb which needs to be imported back into
the master directory. For information on this procedure see the Creating an Install Package
chapter.
Once the transport directory has been imported into the master database; if there is a network
connection between the client and a Endpoint Encryption Server, you will be able to remotely
manage the machine. If you do not retrieve the transport directory, then you will not be able
to recover or reconfigure the machine.
If your machines are unable to connect to the master database after install, for example, and
you are working in a permanently disconnected environment, you may want to retrieve the
.sdb file AFTER encryption has finished – the status of encryption will then be properly reflected
in the master database. In the case of machines which connect to the master database after
offline install, this property will be automatically updated during the sync process.
Online package installs
Create an Online install package as per the Creating an Install Package chapter. Simply run this
file on the target machine(s). Once they have installed and rebooted, they will contact one of
the Endpoint Encryption Servers specified and create their directory entries.
50
You can specify four modes of operation for Endpoint Encryption in the machine’s General
properties page. For full details of these modes per the General section.
To disable Endpoint Encryption, i.e. put it into a mode where it is applying no protection but
can be easily re-enabled, set the machine status to Disable. You can then at a future time set
the status to Enable and Endpoint Encryption will re-apply the protection specified.
To completely remove Endpoint Encryption, select either Remove or Remove and Reboot
– Endpoint Encryption Client will perform the action after the next synchronization event.
Upgrading Endpoint Encryption from previous
versions
Where 5.x is mentioned, version Endpoint Encryption 5.1 and above should be assumed.
Where 5.x is mentioned, version Endpoint Encryption 5.1 and above should be assumed.
Upgrading Endpoint Encryption 4.2 Clients to 5.x
Please see the Endpoint Encryption Update and Migration Guide.
Upgrading existing 5.x clients to a later service pack or patch
version
To upgrade between service pack or patch levels, for example, from v5.0 to v5.1 you can create
a new file set in the Endpoint Encryption Object Directory.
Task
1
Update your database and administration system as described in chapter 8 of the Endpoint
Encryption Manager Administration Guide.
2
Create a new file group for the new 5.x files.
3
You have to set the File Group Properties to Client files to have it available under the
Files section in the machine properties. Therefore right-click the file group, choose
Properties | Content and check the Client Files box. In case of new language file
groups you need to check client files and language as properties.
4
Right-click the new group and select Import File Set. Select the file SBClientFileSet.ini
from the administration system directory (usually c:\program files\sbadmin).
5
Deselect the Endpoint Encryption 5.x Client Files file set from the machines you wish
to upgrade, and select Endpoint Encryption 5.1x Client Files instead. During the next
synchronization, the machine will download the latest files and code and apply the upgrade.
CAUTION: The deselection of all old Endpoint Encryption file groups and the selection of
all new Endpoint Encryption file groups MUST be done at the same time, e.g. if you deselect
the Endpoint Encryption 4.x Client Files and the English (British) KB/Language file group
without selecting the new Endpoint Encryption 5.x Client File groups then you risk corrupting
your client.
51
If you have other options selected, such as the File Encryptor, or Token modules, be sure
to also deselect the v4 modules, and select the appropriate 5.x versions of these as well.
6
For each machine you want to upgrade, deselect the machines current client file set, and
select the new 5.x file set you created in step 2.
Removing Endpoint Encryption 5.x from a machine
Task
1
Set Endpoint Encryption to either Remove or Remove and Reboot from the machines
General properties. The next time the machine synchronizes with the database it will
remove all encryption and authentication; it will then uninstall the Endpoint Encryption
program files. If you simply want to disable the Endpoint Encryption protection, set the
Client to Disable instead.
NOTE: If the machine is unable to synchronize, perhaps because of a network or Windows
issue, you can still remove Endpoint Encryption by performing an emergency SafeTech
removal followed by the Sbsetup -Uninstall command from the Endpoint Encryption
program files directory.
52
2
Set Endpoint Encryption to either Remove or Remove and Reboot from the machines
General properties. The next time the machine synchronizes with the database, it will
remove all encryption and authentication.
3
Now, uninstall the Endpoint Encryption program files. If you simply want to disable the
Endpoint Encryption protection, set the Client to Disable instead.
If the machine is unable to synchronize, perhaps because of a network or Windows issue,
you can still remove Endpoint Encryption by performing an emergency SafeTech removal
followed by the Sbsetup -Uninstall command from the Endpoint Encryption program files
directory.
Client software
The Endpoint Encryption Client connects to its Object Directory, or configuration store, which
may be on the same machine, a network drive, or, through the Endpoint Encryption Server. It
does this every time the machine boots and optionally at set time intervals or when a RAS
session is initiated.
Once connected to the directory, the Endpoint Encryption client uploads the latest audit and
password changes to the directory, and if necessary downloads any configuration changes
specified centrally.
Contents
The tool tray icon
Client auditing
Boot and logon process
Endpoint Encryption screen saver
Windows Sign-On and logon mechanisms
Changing the password
Section 508: Logon accessibility
The tool tray icon
The only user-visible part of Endpoint Encryption is the “Endpoint Encryption Monitor” icon in
the user’s tool-tray. By double-clicking the icon users can start the system screen saver (which
may be protected by Endpoint Encryption). By right-clicking it they can select one of four actions.
Activate Screen Saver
The default action when the Endpoint Encryption tray icon is clicked is to bring up a password
protected screen saver.
53
Client software
Client auditing
Show Status
The configuration process within Endpoint Encryption is largely transparent to the user. The
only evidence of Endpoint Encryption working can be found from the status menu available
from Endpoint Encryption's tool tray icon.
Figure 18: Endpoint Encryption Client Status Window
The Status window displays any on-going configuration tasks (such as encryption processes)
and status messages from the last directory connection.
• Synchronize
Endpoint Encryption tries to establish connection with its directory during the boot process.
In a situation where the directory is unavailable, for example - a notebook user who is
connecting via dial-up networking, the user can establish a connection at any time, and
select the Synchronize option to connect to a remote directory and collect/upload changes.
For details of the supported functions within the Endpoint Encryption client, please see the
User and Machine configuration sections in the Endpoint Encryption Manager Administration
Guide, and also this guide.
Client auditing
User events are audited locally and then transferred to the Object Directory as part of the
synchronization process. For more information on the events tracked see the chapter on Auditing.
Boot and logon process
The Endpoint Encryption for PC boot screen allows the user to select a login method (one of
the available tokens), and then provide authentication credentials such as a user id and password.
If the user can provide the correct details, the Endpoint Encryption boot code starts the
transparent hard drive decryption process, loads the original MBR and executes it.
When the operating system starts, the Endpoint Encryption Configuration Manager (SCM) runs
and performs a logon to the operating system (if SSO is enabled). It then attempts to contact
the Object Directory using the Directory Manager - this can be local or remote via a Endpoint
Encryption Server and re-validates the user against any changes that have been made between
the last validation. Following this SCM downloads and applies any configuration updates. This
could include new user accounts.
54
Client software
If the Object Directory validation is successful (i.e. no administrator has deleted or disabled the
users account) the Windows startup completes, and the Endpoint Encryption icon is loaded into
the tool tray to allow the user to run the screen saver, validate with the server, display status
etc.
After a period of inactivity or a power event, SCM activates the screen saver locking the user.
If the user logs out of the operating system, they may be required to authenticate to Endpoint
Encryption when they log back into windows.
The Endpoint Encryption for PC Client includes a simple logo screen saver. You can use any
screen saver written to the Microsoft Screen Saver standards on the system, Endpoint Encryption
will still protect the logon of them using the standard Endpoint Encryption logon window.
NOTE: You can change the logo displayed in the screen saver by adding a file called “logo.bmp”
to the Windows directory. You can also deploy logo.bmp using the File Update technology built
into Endpoint Encryption. You may find extra graphics on your Endpoint Encryption CD in the
“tools” directory.
Users can start the screen saver through any of the normal Windows mechanisms, or by
double-clicking on the Endpoint Encryption tool tray icon.
Windows Sign-On and logon mechanisms
Endpoint Encryption includes many options to reduce the numbers of passwords users have to
remember. These options are used to ensure that when the user changes their Windows
password, their Endpoint Encryption password is changed to the same. This happens without
user interaction.
Changing the password
The Endpoint Encryption for PC password can only be changed in the pre-boot environment.
To change the password:
Task
1
Restart the PC.
2
Enter the current user ID and password in the login dialog box.
3
Enable the change box, and click OK.
4
Follow the on-screen prompts to change the password.
US legislation 508 requires that information technology is accessible to people with disabilities.
To comply with 508 the pre-boot logon needs to be accessible by blind or partially sighted
people.
55
Client software
There are a limited range of sounds which enable access to the basic logon. Other options, e.g.
About and Recovery screens are not accessible.
As the user tabs (or shitf-tabs) between controls, the pre-boot will emit various beep sequences
to indicate where they are. Other beep sequences will be used when an error is displayed, when
password timeouts are displayed and when a logon is successful.
The sequences are:
Table 7: Logon Accessibility
56
Options
Sounds
User name field
beep
Password field
beep-beep
Change password checkbox
beep-pause-beep
OK button
beep-pause-beep-beep
Cancel button
beep-pause-beep-beep-beep
Token selection list
beep-beep-beep-beep
Error
beep-pause-beep-beep-pause-beep
Password timeout
beep-beep-beep-beep-beep
Logon successful
beep-beep-beep
Insert token dialog box
beep-beep-pause-beep
Windows Sign-on and SSO
Endpoint Encryption can ease the logon process for users by doing the Windows logon for them,
as well as taking responsibility for screen saver logons and re-logon requests. The features
available can be configured by clicking on the General icon of a machine or machine group
object.
Contents
Windows logon features
How Windows logon works
Windows logon features
Windows Logon Features
Feature
Description
Require Endpoint Encryption Logon
Endpoint Encryption takes control of the normal windows
logon screen, and screen saver logon. Users will be
prompted for their Endpoint Encryption credentials rather
than their Windows Credentials.
Attempt automatic Windows Logon
Endpoint Encryption tracks the users Windows id,
password and domain, and presents these automatically
to windows logon boxes. This mechanism means once
the user has authenticated to Endpoint Encryption at the
boot screen, they do not need to enter any more
passwords for Windows.
If the user’s Windows id and password are different from
their Endpoint Encryption id and password, Endpoint
Encryption stores the windows credentials the first time
they are used. It may take two boots before the single
sign on becomes active.
Require Endpoint Encryption re-logon
If the user loges out of Windows, Endpoint Encryption will
control the login box for the next login.
Automatically logon as boot user
If there are no stored Windows credentials for the user,
Endpoint Encryption tries to login to Windows with the
user’s Endpoint Encryption credentials.
Endpoint Encryption logon component always active If selected, the Endpoint Encryption login component is
kept active on the machine even if all the other options
are disabled. This means that it can be reactivated
mid-session during synchronization with the Object
Directory. If all options are deactivated, the Endpoint
Encryption logon component can only be reactivated after
a reboot.
57
Feature
Set Endpoint Encryption Password to Windows
Password
NOTE: This option is applicable to Password token users
only.
Description
If the Windows and Endpoint Encryption login passwords
differ, Users will be prompted to set the Endpoint
Encryption password to the Windows password. This
option also captures the Windows Change Password
event, and again, sets the users Endpoint Encryption
password to match.
If you are using this option, it is important to ensure that
the password template and quality rules in Endpoint
Encryption are identical, or more lenient than those in
Windows, otherwise a failed password change may occur
and the user will be reset to 12345.
Must Match Windows User Name
This option ensures the SSO details are only captured in
the situation that the user’s Endpoint Encryption and
Windows IDs match. If they are different, no SSO details
will be stored.
Endpoint Encryption intercepts the Windows Logon mechanism, using a “Pass through Shim
Gina” on Windows NT, 2000 and XP, and a Credential Provider on Vista. On Windows 2000,
and XP operating systems a custom .ini file (SBGINA.INI) is used to help Endpoint Encryption
analyze the logon screen and paste the credentials into the correct boxes on screen.
In Windows VISTA Microsoft has replaced the original MSGINA (Graphical Identification and
Authentication) with a new method called Microsoft Credential Provider. Endpoint Encryption
has modified the Single Sign On architecture and implemented a Credential Provider to
communicate with Windows. We display each of the Endpoint Encryption Tokens as a potential
logon method. If you logon to Endpoint Encryption, you will be asked for your Windows
credentials only for the first time and Endpoint Encryption will store the Windows Credentials
securely within Endpoint Encryption. On subsequent logon events, Endpoint Encryption will use
the stored Windows credentials to logon.
You can find out more about Microsoft Vista Credential Providers from the Microsoft MSDN
Website:
http://msdn.microsoft.com/msdnmag/issues/07/01/CredentialProviders/default.aspx
For more information on Endpoint Encryption ini files, see the Endpoint Encryption Configuration
Files chapter of this guide. Also, see the Endpoint Encryption Configuration Files chapter of this
guide SBGina.ini if you wish to enable smartcard based Single-Sign-On to Microsoft. Note: this
feature is not supported under Vista.
First Boot
The first time a user starts the newly Endpoint Encryption protected system, Endpoint Encryption
authenticates them at boot time. If successful, the operating system starts.
Normally they would next be presented with a Windows logon – if the Endpoint Encryption
Windows Logon architecture is fully activated, Endpoint Encryption will automatically present
the user’s stored SSO id and password to windows. If these details are accepted, Endpoint
Encryption stores a record of these credentials in a special encrypted area of the user’s profile.
If Windows fails the SSO credentials, for example, if they have not been set, Windows displays
the standard login box and the user is forced to enter their Windows id and password.
58
Again, once a valid login has taken place, Endpoint Encryption stores the correct credentials in
the user’s encrypted profile, which are uploaded to the central Object Directory on the next
synchronization.
Second Boot
The second and subsequent times the user starts the machine, they login to the Endpoint
Encryption boot screen, then Endpoint Encryption supplies the stored Windows credentials to
the Windows login box.
Failed Windows Password
If/When the Windows Logon credentials become invalid, for instance if the user changes their
windows password on another system, or has it reset by an administrator, the automatic login
will fail and the standard Windows login box will appear. Once again, once a successful login
has occurred, the correct details are stored encrypted in the user profile and uploaded on
synchronization with the central Object Directory.
Re Logon
If a user chooses to “log off” windows, they would normally expect to see the standard Windows
logon box. Endpoint Encryption takes control of this in the same way as the initial logon screen,
forcing the next user to login with their Endpoint Encryption credentials.
If you want to logon to Windows using a different account than your stored credentials, they
simply cancel the default login window, then clear the “Automatically logon to Windows” box.
Once cleared, simply select the token you want to login with.
Setting and Changing a users SSO details
You can pre-set or change the SSO details associated with a user by right-clicking their object
and selecting “Set SSO Details”.
59
Auditing
Introduction
McAfee Endpoint Encryption for PC audits user, system, and server activity. By right-clicking on
an object in the Endpoint Encryption Object Directory, you can select the view audit function.
Audit trails are uploaded to the central directory each time a machine synchronizes. Until that
time the audit is cached internally in the encrypted Endpoint Encryption file system. In SB4.1.1
and above, the last 3000 entries are cached locally; when the limit is reached the oldest 300
entries are culled. The local audit will retain approximately 2 years of normal operation before
culling begins.
The permission to view or clear an audit log can be controlled on a user or group basis. Both
the administration level and administration function rights are checked before allowing access
to a log. For more information on setting these permissions see the Endpoint Encryption for PC
User Policies chapter.
Audit trails can be exported to a CDF file by using the Audit menu option, or by right-clicking
the trail and selecting Export. Also, the entire audit of the directory can be exported using the
“SBAdmCL” tool. For information on this option please contact your Endpoint Encryption
representative.
The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely, but can
be cleared on mass again using SBAdmCL.
Contents
Common audit events
Common audit events
The text displayed in the audit log will depend on your localization and language settings. The
following table lists the common events and their ID codes for the American English version of
Endpoint Encryption. Many events can appear at multiple places, for example the “Login
Successful” event will be logged both in the user account doing the login, and the machine
being logged into simultaneously.
Information Events
60
Description
Event
Audit cleared
01000000
Boot started
01000001
Boot complete
01000002
Booted non-secure
01000003
Auditing
Common audit events
Description
Event
Backwards Date Change
01000005
Booted from floppy
01000004
Token battery low
01000010
Power fail
01000011
A virus was detected
01000013
Synchronization Event
01000014
Crypt Start
01000015
Crypt End
01000016
Add group
01000082
Add object
01000083
Delete group
01000084
Delete object
01000085
Import object
01000086
Export object
01000087
Export configuration
01000088
Update object
01000089
Import file set
01000090
Create token
01000091
Reset token
01000092
Export key
01000093
Recover
01000094
Create database
01000095
Reboot machine
01000096
Move Object between groups XE "groups"
01000098
Rename Object
01000099
Server started
010000C0
Server stopped
010000C1
Try Events
Description
Event
Logon attempt
02000001
Change password
02000002
Forced password change
02000003
Recovery started
02000016
Database logon attempt
02000081
Logon successful
04000001
61
Auditing
Common audit events
Description
Event
Password changed successfully
04000002
Boot once recovery
04000016
Password reset
04000017
Password timeout
04000018
Lockout recovery
04000018
Change token recovery
04000019
Screen saver recovery
0400001A
Database logon successful
04000081
Logon failed
08000001
Password change failed
08000002
Password invalidated
08000005
Recovery failed
08000017
Database logon failed
08000081
Machine configuration expired
Undefined
A virus was detected
Undefined
Succeed Events
Description
Event
Logon successful
04000001
Password changed successfully
04000002
Boot once recovery
04000016
Password reset
04000017
Password timeout
04000018
Lockout recovery
04000018
Change token recovery
04000019
Screen saver recovery
0400001A
Database logon successful
04000081
Failure Events
62
Description
Event
Logon failed
08000001
Password change failed
08000002
Password invalidated (too many incorrect attempts)
08000005
Machine configuration expired
08000012
Recovery failed
08000017
Database logon failed
08000081
Recovering users and systems
You can recover users using the Endpoint Encryption Manager, WebHelpdesk, or the procedure
documented in this chapter. For information on recovery through the Endpoint Encryption Center
WebRecovery and WebHelpdesk options, please see the Endpoint Encryption Manager
Administration Guide.
CAUTION: Recovery cannot be used for resetting or changing the pin codes of smart cards.
Contents
63
Offline recovery
Resetting a remote user’s password or replacing their logon token if it has been lost requires
a challenge/response procedure to be followed. The users start their machine, cancel any logon
dialog boxes that may appear; they must then click Options in the bottom left-hand part of the
screen followed by the Recovery option from the menu. This process can be used at the boot
screen, windows logon, or screen saver logon.
Selecting machine recovery or user recovery
After (optionally) entering their user name, a set of codes is displayed on the user’s screen.
The users need to telephone their helpdesk and read the codes to the administrator. The user
code is time based, and unique to the user and machine.
Figure 19: The user selects Machine Recovery or User Recovery
64
Offline recovery
The administrator must log on to the Endpoint Encryption Manager and select any machine
group. This will activate the Recovery button options on the toolbar and the top menu. The
administration should then click the Recovery button.
NOTE: There is no need to find the correct user beforehand.
Figure 20: Recovery code
The administrator is prompted to type the user code in the wizard, and if correct will be given
the opportunity to check the user's profile if the administrator has sufficient access rights to
recover the user (based on their level and group memberships). The administrator should use
this opportunity to validate the user by asking them questions based on the hidden information
stored in their account. Only if successful should the helpdesk actually allow the user's password
to be reset.
If the administrator is sure that the user on the telephone is legitimate, they can proceed with
the next step in recovery.
65
Offline recovery
Select recovery option
The administrator selects the option they want to perform. If a user name is entered, then a
user recovery proceeds, if no user name is entered, then a machine recovery can be performed.
Figure 21: Select recovery option
• Machine options
• Boot the machine Once—The machine boots with no user logged in.
• Unlock Screen Saver—The screen saver is cleared.
• Reset the user’s password—The user’s password is reset to the token default. The
user can then change this to a new password – This option will not function if the user
is disabled due to too many invalid passwords – to resolve this issue see “Change Token”.
NOTE: The following tokens do not support password resets through Endpoint Encryption:
• DataKey Smartcard
• RSA Smartcard
• Aladdin eToken Pro
For information on how to reset the password on these devices, contact the appropriate
manufacturer.
To recover an Endpoint Encryption user who has forgotten their password in this case,
either issue them with a new token, or temporarily switch them to use a password using
the “Change Token” recovery option.
• User options
• Unlock a disabled user—If a user account is marked as disabled in the object database,
it can be temporarily activated using this option. When the system synchronizes with the
Object Directory, the account is disabled again, if their security profile in the Directory
still indicates this.
• Create Token—If supported by the token, this option allows administrators to remotely
create a new token for the user to replace a lost one. The Endpoint Encryption Password
login always supports remote recreation. For further information on other tokens see the
Using Tokens with Endpoint Encryption for PC.
• Change the user’s token to—Changes or resets the user’s token to the one specified.
The administrator needs to have pre-generated the token for the user. If a user has
66
Offline recovery
invalidated their password account through too many invalid attempts, changing their
token to “password only” recreates their “soft token” and allows them to enter the default
password again.
CAUTION: If you change a user’s token using this method, remember that next time
their machine synchronizes with the Endpoint Encryption directory, their token will be
set to whatever is specified in their user properties stored currently in the database. If
you want the change to be permanent remember to set their token type in the user
properties window.
Figure 22: User’s recovery code
The final step is to read the recovery code back to the user. The length of this code is controlled
by their token recovery key set in the user’s “token” properties, or in the case of a machine,
the recovery key set in the encryption properties.
The user simply enters the code line by line into the pre-boot dialog box. Each line is verified
and once the code has been entered, the elected action will occur.
67
Local recovery
The Local Recovery option allows the user to reset a forgotten password by answering a set of
security questions.
The full list of security questions is set by the administrator using the Endpoint Encryption
Manager.
NOTE: Endpoint Encryption contains a generic set of questions.
When the user first sets up their local recovery feature they will be prompted to select a number
of questions and provide the answers to them. These form the basis for their local self recovery
feature.
Setting Local Recovery for a user name or user group
Using Endpoint Encryption Manager, the administrator assigns the local recovery option to the
user’s logon, or, to a user group. The local recovery options are available from the user logon
or group Properties screen.
Figure 23: Setting the Local Recovery options
• Enable Local Recovery—Selecting this check box sets Local Recovery for the specified
user or user group.
Require ? questions to be answered—This option determines how many questions the
user must select to perform a Local Recovery.
Allow ? logons before forcing user to set answers—This option determines how many
times a user can logon without setting their Local Recovery questions and answers.
Add—The Add button loads the Local Self Recovery Question dialog box and allows you to
create a new question. You can also specify the language that question should be in and
68
Local recovery
Configure your local recovery questions
the minimum number of characters the user must specify when configuring the answer to
this question.
Remove—The Remove button removes a selected question from the list.
Edit—The Edit button allows you to edit the configuration of a selected question.
Apply—The Apply button saves any changes that have been made.
Restore—The Restore button undoes your changes and restores the Local Recovery options
to the previous settings (providing you have not clicked the Apply button).
Configure your local recovery questions
The Local Recovery option allows the user to reset a forgotten password by answering a set of
security questions. The user must configure these questions; provide the answers to a selected
set of questions. In the event that the user forgets their password, they can run a local
self-recovery to gain access to their machine.
Before you begin
Make sure that you have appropriate permissions to perform this task.
Task
1
Enter your user name and password at the logon screen.
2
From the Local Recovery Enrollment screen, select a question from the drop down list.
3
Enter the answer to the question into the Answer box.
4
Click Next.
5
Repeat this process until you have answered all the questions.
NOTE: The Endpoint Encryption administrator determines how many questions you need
to answer.
6
When you have answered all the questions, click the Finish button. Local Recovery is now
set.
Perform local recovery
The client user must use the following procedures to perform a local self recovery.
Before you begin
Make sure that you have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1
At the preboot screen, cancel the Endpoint Encryption Logon.
2
Click the Options button on the preboot screen.
3
Click Recovery from the menu followed by Local Recovery.
4
Type your user name into the User name field and click Next.
69
Local recovery
Perform local recovery
70
5
Type the answer to each question in turn, clicking the Next button to move forward.
6
Type a new password and confirm it.
7
Click the OK button to complete the process.
8
Select the Password Only Token option from the preboot screen.
9
Enter your user name and new password to log on.
Online recovery
If a user’s machine is online when they forget their password or lose their token, simply create
a new token for them in the Endpoint Encryption directory, and force sync their machine to
make the appropriate change.
You can reset a user’s password by simply generating a new password token for them.
71
Trusted applications
Endpoint Encryption’s client has the capability to restrict which applications and code users will
be allowed to run. Using this mechanism, you can restrict access for a few users to certain
applications, or, prevent users running any applications that are not pre-defined.
With this system you can apply untrusted control, for example, to prevent access to pre-defined
tools such as regedit.exe for all but administrators. With untrusted control, unknown
applications are allowed to run - known applications are blocked. You can also apply trusted
control where ONLY pre-defined code can run, and unknown control is blocked. This is useful,
for example, when you want to restrict an entire build image so it becomes impossible for users
to run any application other than the ones distributed in the gold build.
Endpoint Encryption application control takes effect once a user has logged into Windows – it
does not affect code run in the context of booting the operating system. To prevent applications
and code being run at this stage, Endpoint Encryption recommends appropriate operating
system security settings be used, for example, disallowing device driver updates etc.
Contents
Hash sets
Hash sets
The first step in applying application control to Endpoint Encryption users is to create sets of
“hashes” for the code modules using the Endpoint Encryption Hash Generator (see the Hash
Generator chapter).
A hash set contains a unique digital signature for each file in the scope of the set. This digital
signature is unique to the file – no two files will ever have the same signature. When Endpoint
Encryption applies control to applications, it calculates the “hash” of the code (.exe file, .dll etc)
that the user is trying to run, and compares it to the list of hashes applied to the user. The
actual location of the code does not matter, only its content - so, if a user moves a restricted
application to another directory, it will still be blocked.
After creating a hash set for the files or directories containing the sample code modules you
can create an “Endpoint Encryption Hashes Group” in the Endpoint Encryption database to
72
Trusted applications
Hash sets
contain them. Within the group, create new hashes objects to contain your hash sets created
previously.
Figure 24: Hash group
Hash set properties—General
• Hash Count—Displays the number of file hashes stored in this object. You can remove
duplicates using the File Hashes/Compact function.
• Description—A text description of this hash set – for example its source.
File hashes
• Import—Allows you to import one or many hash sets created with the Endpoint Encryption
Hash Generator into this hash object.
• Export—Saves the contents of this hash object as a hash set.
• Compact—Removes duplicate entries from this hash object – As Endpoint Encryption
Application Control is driven by the hash (or digital signature) of a file, not its location, only
one entry per file is required.
• Remove—The option removes a single file entry from this hash object.
CAUTION: You can add entries only by importing hash files.
Using hash sets
After creating hash sets, you can assign both hash objects, and hash groups to users through
their “application control” properties.
You can specify one of two modes of application control – “Untrusted” and “Trusted”.
• Untrusted—In the case of untrusted control, if the hash is known then the code is prevented
from running.
• Trusted—In the case of trusted control, if the code is known then it is allowed to run,
whereas all unknown code is blocked.
Known Applications
Unknown Applications
Untrusted Application Control
Optionally Blocked
Allowed
Trusted Application Control
Allowed
Optionally Blocked
You can also set whether to actually block the untrusted code, or to simply log it for future
analysis – this option (log with no blocking) is useful when debugging hash sets which do not
block appropriately.
73
Hash generator
Endpoint Encryption Hash Generator creates Hash Sets for use with the application control
feature of Endpoint Encryption. For more information on application control, see the Using Hash
Sets section.
The generator creates MD5 hashes of the selected files and packages them into an Endpoint
Encryption hash set (HSH file).
Contents
Using hash generator
Using hash generator
Open the Hash Generator by selecting Start | McAfee | Endpoint Encryption Manager |
Endpoint Encryption File Hash Generator.
After selecting the output file name, add the files (or folders) you want to include in the hash
set. Finally, select Hash – the specified HSH file will be generated.
The progress window shows the activity. Once completed, you can import the resultant hash
set into your Endpoint Encryption directory.
74
Common criteria EAL4 mode operation
To use your implementation of Endpoint Encryption in its Common Criteria mode of operation,
make sure that the following conditions are met.
• Endpoint Encryption must be installed using the Endpoint Encryption AES (FIPS) 256-bit
algorithm.
• Administrators must enforce the following Policy Settings:
• A minimum password length of five characters or more
• Disabling of accounts after 10 or less invalid password attempts
• All data and operating system partitions on the systems where Endpoint Encryption client
has been installed must be fully encrypted. You can check the conformance to this issue
by viewing the Endpoint Encryption client status window—if any drives are highlighted
in red then they are not fully encrypted.
• Administrators must enforce use of the Endpoint Encryption Secure Screen Saver Mode
• Use of Autoboot Mode is prohibited
• System and User recovery key sizes must be non-zero (System/Encryption properties
and User/Token properties)
Contents
Administrator guidance
User guidance
Administrator guidance
To comply with CC regulations, these policy settings must be applied before installing any clients.
• There must be a system in place for maintaining secure backups that are separately encrypted
or physically protected to ensure data security is not compromised through theft of, or
unauthorized access to, backup information.
• Backups should be regular and complete to enable system recovery. This is essential in the
event of loss or damage to data as a result of the actions of a threat agent and to avoid
vulnerability through being forced to use less secure systems.
• Users (including administrators) must protect all access credentials, such as passwords or
other authentication information in a manner that maintains IT security objectives.
• Customers implementing a Endpoint Encryption enterprise must ensure that they have in
place a database of authorized TOE-users along with user-specific authentication data for
the purpose of enabling administrative personnel to verify the identity of a user over a
voice-only telephone line before providing them with support or initiating recovery. Endpoint
Encryption provides the means to display personal information such as the users ID number
as part of the User Information Fields—but any other appropriate system is acceptable.
75
Common criteria EAL4 mode operation
User guidance
• Administrators should ensure their users are fully trained in the use of the Endpoint Encryption
for PC Client software as described in the Client Software chapter of this guide, and should
remind them of the security procedures detailed in the User Guidance.
User guidance
Administrators should ensure their users are fully trained in the use of the Endpoint Encryption
for PC Client software as described in the Client Software chapter of this guide, and should
remind them of the security procedures detailed in the User Guidance.
• Users must maintain the confidentiality of their logon credentials, such as passwords and
tokens.
• Users must not leave a Endpoint Encryption protected PC unattended in a logged on state,
unless it is protected by the secure screen saver.
• Users must be informed of the process that they need to go through to contact their
administrator in the event that they need to recover their PC, if, for example, they forget
their password, or, their user account becomes disabled; this could be through the actions
of the administrator or repeated incorrect login attempts.
76
Endpoint Encryption configuration files
Endpoint Encryption uses many .ini files to maintain information about the configuration of
various components. Some of the more important files are listed here.
Contents
sbgina.ini
scm.ini
defscm.ini
sdmcfg.ini
TrivialPwds.dat
Bootcode.ini
BootManager.INI
Errors.XML
AutoBoot.ini
SBCP.INI
sbgina.ini
This is used by the Endpoint Encryption for PC client to control the Windows logon mechanism.
SBGina.ini contains the references used to populate the user id, password and domain boxes
of a logon dialog box, and also the id of the OK button.
The Trace option is an aid to implementing SSO to further dialog boxes. If this option is set to
Yes, then information about every window that is created during the logon process is output
to the defined trace file.
If you want to activate smart card based Single Sign On with the possibility to pass through
the smart card PIN to Windows, you will need to add the [Smartcard] section as specified in
the example below:
[Global] ;Version 5110
;
; This option is an aid to implementing SSO to further dialogs. If this option
; is set to "Yes", then information about every window that is created when
; a logon dialog is expected is saved to the file specified (or "LOGONWND.TXT"
; if not supplied). Note the file will always be in the SafeBoot directory.
; Trace.LogonWindowInfo=No Trace.FileName=LOGONWND.TXT
;
; This is an option (NT only) that controls the behaviour of SafeBoot's Gina
; when unlocking a locked workstation. The possible values are
;
77
sbgina.ini
; SbOnly = only a SafeBoot logon is used (the default)
;
; SbWindowsSso = a SafeBoot logon is required then SSO is atempted
; to the original Gina.
;
;Option.UnlockWorkstationMode=SbOnly
;
; This options (NT only) controls the ability of the user to cancel the
; Windows SSO attempt from the SafeBoot logon dialog. Possible values are
;
; Yes - Allows the user to cancel the SSO attempt (the default)
;
; No - Prevents the user from cancelling the SSO attempt
;
;Option.AllowSsoCancel=Yes
;
; These options control how the user names are treated when they are compared.
; The UPN (User Principal Name) format is of the form [email protected]. To
; successfully compare the user names, the format needs to be the same for
; both the Windows and SafeBoot names.
;
; Note that Windows will always supply the user name to the SafeBoot Gina
; module as a user name and domain name (i.e. not DNS name).
;
; If the DetectUPN option is set to "Yes", then SafeBoot will attempt if the
; user names are in UPN format by looking for an "@" character. If this is
; set to any other value, SafeBoot will not manipulate the user names in any
; way.
;
; Examples:;
; SB user name = "[email protected]"
; Windows user name = "user"
; Windows domain = "domain"
;
; Comparision will be between SB="user" and Win="user".
;
; SB user name = "user"
; Windows user name = "[email protected]"
;
;
; SB user name = "[email protected]"
; Windows user name = "[email protected]"
;
;
78
sbgina.ini
;Option.Username.DetectUPN=Yes [SmartCard]
;
; This option enables looking for smart cards used for Windows logon. It
; can be either "On" or "Off". If this is set to "On", the SB Gina will
; attempt to detect the presence of a smart card and allow the user to
; choose to logon with the smart card or with the standard user name and
; password.
;
;Enabled=Off
;
; If the smart card check is enabled, then this option can be used to force
; the use of smart cards or the standard password. This can be "Off" to
; automatically determine which to use, "Pin" to force the use of a smart
; card or "Pwd" to force the use fo a smart card.
;
;Force=Off
; : This options controls the number of seconds the gina will wait for the
; user to decide which logon method to use (smart card or password). If this
; is set to a zero, then the user will not be prompted at all.
;
;TimeoutSecs=5
;
; This option controls whether the SafeBoot SSO detsils are updated when
; the user logs on with a smart card. If this is set to "No", then the SSO
; details are not changed if the user logs on with a smart card. This will
; prevent the smart card PIN being used as to automatically logon to Windows.
;
;EnableSso=Yes
;
; If this option is set to "Yes", then if a smart card is inserted when
; a user logs off and back on again, the SafeBoot logon will not be displayed
; even if it is set to do so in the configuration. If a smart card is not
; present, then the SafeBoot logon will be displayed.
;
;DontSbRelogonIfSc=No [Windows.NT.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
Window3=MSGina.XP.LogonDialog
Window4=MSGina.WIN2003.LogonDialog
Window5=NWGina.NT.LogonDialog
Window6=NWGinaJP.NT.LogonDialog
79
sbgina.ini
Window7=FSSGina.XP.LogonDialog
Window8=CSGina.W2K.LogonDialog
Window9=CSCOGina.W2K.LogonDialog
Window10=ODYGINA.W2K.LogonDialog
Window11=PRM_GINA.XP.LogonDialog
Window12=IPASS.XP.LogonDialog
Window13=TRYIT.XP.LogonDialog
[Windows.NT.Locked]
;
; Lists all the sections that contain information about the workstation locked
; logon windows for the NT derived versions of Windows (NT4/2000/XP).
;
; Window1=MSGina.XP.LockedDialog
Window2=FSSGina.XP.LockedDialog
[Windows.9x.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the Windows 9x versions of Windows (95/98/ME).
;
; Window1=MSNP.9x.LogonDialog
Window2=NWNP.9x.LogonDialog
Window3=NWNPJP.9x.LogonDialog
;---------------------------------------------------------------------------; The logon window definition sections for NT/W2K/XP
; [MSGina.NT4.LogonDialog]
;
; The operating system version to which this section applies. You can specify
; the value of "Any" for either field (which is the default if not specified).
; OS.MajorVersion=4 OS.MinorVersion=Any
;
; The original DLL to which this section applies. If the name is not
; specified or set to "Any", all original DLLs match. If any part of the
; for digit file version is set to "x", then then all values for that ; component are matched (e.g. 4.1.0.x).
;
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
;
;Specifies information about the window that we can use to indentifiy it.
; For both the class and title, setting a value of "Any" will match any
; window. Starting the value with a "*" means the remainder of the value
; is treayed as a substring, and hence if it occurs anywhere in the window
; title/class it is matched. Otherwise the whole value must match (case ; insensitive).
; Window.Title=Any Window.Class=#32770
80
sbgina.ini
;
; The control identifiers of controls that are used by the SSO module to
; simulate logons.
; Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455
;
; Optional entries which list up to 10 IDs that must come before the ID
; specified above and up to 10 IDs that must come after. The IDs are specified
; as a comma-seperated list.
;
;Option.CtrlId.OK.Preceeding=1,2,3
;Option.CtrlId.OK.Following=5,6,7
;Option.CtrlId.UserName.Preceeding=1,2,3
;Option.CtrlId.UserName.Following=5,6,7
;Option.CtrlId.Password.Preceeding=1,2,3
;Option.CtrlId.Password.Following=5,6,7
;Option.CtrlId.Domain.Preceeding=2204,2203
;Option.CtrlId.Domain.Following=5,6,7
;
; If this is set to "Yes" then the user/password fields are captured from the
; dialog box rather than using the values supplied by the original gina.
; Option.CaptureFromDlg=Yes
;
; These options define how text is entered into the various fields when
; simulating a logon. Mode 0 sets the text directly into the controls, while
; mode 1 sends characters one at a time (simulating pressing keys) and mode 2
; selects from a combo box.
;
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2
[MSGina.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Option.CaptureFromDlg=No
[CSCOGINA.W2K.LogonDialog]
;This section for Ciscos Gina for Windows 2000 which is the same as the standard one, but
81
sbgina.ini
;has a different extention.
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSCOGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
[ODYGINA.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=ODYGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Option.EntryMode.Domain=2 [PRM_GINA.XP.LogonDialog]
OS.MajorVersion=5 OS.MinorVersion=1
OrigDll.Name=PRM_GINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
[CSGina.W2K.LogonDialog]
;This section for Ciscos Gina for Windows 2000 which is the same as the standard one, but
;has a different extention.
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
82
sbgina.ini
[MSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Option.CaptureFromDlg=Yes
[IPASS.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=ipgina.dll
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
;this one just trys the standard settings...
[TRYIT.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=Any
Window.Title=Any Window.Class=#32770
Dlg.CtrlId.OK=1
83
sbgina.ini
[MSGina.XP.LockedDialog]
OS.MajorVersion=5
OS.MinorVersion=01
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
[MSGina.WIN2003.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=02
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
[NWGina.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Option.CtrlId.UserName.Preceeding=1201
Option.CtrlId.Password.Preceeding=1203
Option.CtrlId.Domain.Preceeding=2204,2203
[NWGinaJP.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
84
sbgina.ini
OrigDll.Name=NWGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
[FSSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.Domain=0
[FSSGina.XP.LockedDialog]
;This Section for Macnica specifc FSS Gina
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.Domain=0
;---------------------------------------------------------------------------; The logon window definition sections for Win9x/ME
; [MSNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=MSNP32.DLL
Window.Title=Any
85
sbgina.ini
Window.Class=#32770
Dlg.CtrlId.OK=1
[NWNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
[NWNPJP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
sberrors.ini
This file is used to increase the detail available in on-screen error messages. You can add further
descriptions to errors by amending this file.
sbhelp.ini
This file is used to match on-screen windows to their help file sections.
86
scm.ini
sbfeatur.ini
This file controls the feature set available to Endpoint Encryption. This file is digitally signed by
the Endpoint Encryption team and must not be modified.
scm.ini
Configuration manager file, controls options such as which directory to connect to, and which
group to install into.
[Install]
GroupID=the ID of the group this machine will relate to
[Databases]
DatabaseID1=1
TryLastGoodFirst=Yes
LastGoodConnection=1
[Uninstall]
Sbsetup.exe=sbsetup.exe
You can specify the maximum number of lines to hold in the SCMLOG.txt file using the following
parameters. If scmlog reaches a size of beyond 10,000 lines, performance of your machine can
suffer.
[Log]
MaxSize=number of KB keep in log (128).
PurgeSize=number of KB to delete when log reaches MaxSize (16).
You can specify the pre-configuration connection behavior by setting the following parameters
[Defaults]
;this section defines settings that apply before the SafeBoot is
;actually active on the machine.
BootSynchDelay=0 ; delay before synching on boot in minutes
RandSynchDelay=0 ; an extra max random delay to synch in minutes
SynchInterval=0 ; time between automatically retrying synch
You can turn on tracing of the Endpoint Encryption client with the following section. Trace is
output to SBCM.log in the same directory of the application.
[Debug]
Trace=1 ;Trace activity, 1 = on, 0 = off
You can set a message to be displayed and a timeout when an administrator performs a remote
shutdown of the client (using the machine/Reboot menu option).
[Reboot]
Message=some text to display
Timeout=10 (seconds)
[disk]
Sbfs.defaultsize=10 ;Default size of SafeBoot.FS (in MB)
Install.clearcryptlist=1(0) ;Determines whether to clear the cryptlist
87
defscm.ini
;for a drive on install, or to leave it set.
Boot.message=Starting SafeBoot %d%d
;The default starting message
[boot]
Hookflags=… ;Internal use only—do not change.
defscm.ini
You can pre-set parameters used in the SCM.ini file created within install sets by creating a file
“defscm.ini” in the Administration system directory containing the lines and sections you want
to pre-define. defscm.ini is used as a seed to create the unique scm.ini file for the install set.
sdmcfg.ini
This file is used by the Endpoint Encryption Client to control the connection to the Object
Directory XE "object directory" . There may be many connections listed in the file, the
multi-connection behavior is controlled through scm.ini.
[Databases]
Database1=192.168.20.57
The ip address for the remote server. This can be a DNS
XE "DNS" name.
[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=…
The public key for the remote Server. This is used to
stop a hacker putting a rogue server in place and
intercepting the traffic.
ExtraInfo=…
Padding for the serverkey.
TrivialPwds.dat
This file provides a dictionary of forbidden passwords. Simply create a Unicode text file, with
one password per line, and deploy it to the client machines. You need to enable the user template
option no simple passwords.
The file needs to be deployed to the [appdir]\SBTokens\Data folder.
NOTE: It is more effective to restrict passwords using a template which insists on numeric or
special characters, rather than supply a long list of forbidden words.
88
Bootcode.ini
Bootcode.ini
Bootcode.ini defines the behaviour of the Endpoint Encryption pre-boot environment. This file
is not commonly modified by the end user as it is a system only file. The file is stored in Endpoint
Encryption's pre-boot environment in the \boot directory.
[TokenSelect]
; the token type id of the last token the user selected.
Default=0x01000000
[Locale]
;
; the user selected language to use (reference a key in the [Languages] section
; of the \Locale\Locale.ini file).
;
Language=EnglishUS
;
; the user selected keyboard to use (reference a key in the [Keyboards] section
; of the \Locale\Locale.ini file).
;
Keyboard=US
[Audit]
;
; The maximum alllowed audit events
;
MaxEvents=3000
;
; The number of events to remove when the maximum is reached
;
PurgeCount=300
BootManager.INI
This file controls the partition names specified when the Endpoint Encryption Boot Manager is
enabled. The file is stored in Endpoint Encryption's pre-boot environment in the \boot directory.
[Partition.Names]
Partition0=My secure partition
Partition1=My Insecure partition
Errors.XML
This is an XML version of SBErrors.ini to allow Unicode translation. Endpoint Encryption for PC
uses SBErrors.XML instead of SBErrors.ini if both exist.
89
AutoBoot.ini
AutoBoot.ini
The autoboot.ini file allows you to set a unique default password for the $autoboot$ user(s).
The file is created in the [appdir]\Boot directory in the following format:
[AutoBoot]
Password=mypassword
SbClientFileSet.ini
The SbClientFileSet.ini file is used to define what files are imported into the database.
SBWinLogonOpts.XML
This file can be used to exclude users from single-sign-on logon, e.g. VMware user accounts
can overwrite the single-sign-on even though the "Must Match the Window user name" option
has been selected.
- <SafeBoot>
- <SetSbPwd>
- <Exclusions>
<User name="__Vmware_User__" />
</Exclusions>
</SetSbPwd>
</SafeBoot>
SBCP.INI
Microsoft has introduced a new logon method for the Vista operating system: a credential
provider (CP) that will replace the MSGina.dll. This CP works differently to the MSGina, for
example, each credential provider, rather than be cascaded, can be active next to each other.
If you enable the Require Endpoint Encryption logon option in the Machine | General |
Windows Logon options, then the Endpoint Encryption credential provider is activated on the
client's Windows logon; be aware that all other credential providers will also be available.
The SBCP.ini activates the CP. If a customer requires another CP to run in parallel, this can be
defined in the SbCp.ini (in the Endpoint Encryption client directory).
Create the SBCP.ini; to enable all other credential providers add:
[CredentialProvider.Filter]
DefaultAction=Enable
If you want to enable/disable specific credential providers, then add entries to the section [
CredentialProvider.Filter.Providers ] containing the credential provider's GUID on the left and
either "Enable" or "Disable" on the right. For example, to enable just MS password credential
provider you would add:
[CredentialProvider.Filter]
DefaultAction=Disable
[CredentialProvider.Filter.Providers]
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}=Enable
90
SBCP.INI
Setting up other multiple domains in the logon dialog box
The WindowCredentials.Domains section of the SBCP.ini allows you to specify other domains
which the user can select during single sign on.
The content of this section will determine what appears in the logon dialog box. See example
below.
[WindowsCredentials.Domains]
;
; Lists the domains to be added to the domain list. Note that the left side of the equals can be
any value - it is ignored (of course it must be unique for this section).
;
1=MyDomain1
2=MyDomain2
3=MyDomain3
[WindowsCredentials.Options]
;
; Set this to "No" to prevent the local computer name automatically being added to the list of
domains.
;
AddLocalComputerToDomains=Yes
;
; Sets the domain to select as the default. If this is not specified, the current domain for the
system is selected if there is one or the local computer name if there is not.
;
DefaultDomain=MyDomain1
;
; If set to "Yes", the domain box will only list domains that the system marks as domain
controllers. If set to "No" (the default), all servers will be listed.
;
DomainControllersOnly=No
;
; If set to "Yes", then the username and the domain of the last logged on user is automatically
filled in (if it is available).
;
SelectLastUsed=Yes
Deploying the SBCP.ini file
When you create this file, you can import it into the Endpoint Encryption for PC Client Files file
group, or alternatively, create a new file group, specify its function as “Client Files” and assign
it to a machine. See the File Groups and Management chapter for further information.
91
Endpoint Encryption program and driver files
McAfee Endpoint Encryption for PC contains some important .exe, .dll, and .sys files that
provide the drivers and settings required for crypting, logging on, and managing Endpoint
Encryption. The .exe files are used to install the software package, recover EEPC installed
systems, and to notify when a token is removed.
Contents
EXE Files
DLL files
SYS files
EXE Files
McAfee Endpoint Encryption for PC contains some important .exe files, used to install the
software package, recover EEPC installed systems, and to notify when a token is removed.
SafeTech
SafeTech is the disaster recovery tool for Endpoint Encryption client.
Setup
Setup.exe is the core executable in Endpoint Encryption’s' packaging mechanism. It is used as
an exe stub for the install package and also handles the de-install process. Setup takes one
parameter "-Uninstall" which prompts it to walk through sbfiles41.lst, deleting files (or marking
them for deletion if they are in use) and reversing registry settings. Setup also re-runs any
installation executables with the -Uninstall flag to remove programs. The order of removal is
reverse to the install, i.e. Installation executables, registry settings, files.
SBTokWatch
The SBTokWatch.exe file notifies Endpoint Encryption for PC when a token has been removed.
This is for Vista installations only.
DLL files
McAfee Endpoint Encryption for PC contains some important .dll files that control the encryption
algorithm module and logon settings.
sbalgxx
The Utility Encryption algorithm module.
92
SYS files
sbgina
Windows login pass through GINA driver for NT / 2000.
Usually Endpoint Encryption monitors the GINA settings in the registry to ensure that nothing
removes or disables the login system. You can change the behavior of this system by editing
the SB-NoUpdateGina DWORD key in [HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]. The following values can be set:
• 0 - SafeBoot will install and remove it's Gina
• 1 - SafeBoot will *not* install it's Gina, but will remove it.
• 2 - SafeBoot will *not* remove it's Gina, but will install it.
• 3 - SafeBoot will *not* install or remove it's Gina.
You can use these settings to force compatibility with other GINA replacement login systems.
If you use option 1,2,3 you are responsible for keeping the GINA chain correct, as Endpoint
Encryption will not be monitoring some aspects of it .
SYS files
McAfee Endpoint Encryption for PC contains some important .sys files that provide the drivers
and settings required for crypting, logging on, and managing Endpoint Encryption.
SafeBoot.SYS
The core device driver for Endpoint Encryption, handling crypt of the disk, and management
functions.
You can block the use of Safe Mode when Endpoint Encryption is installed by setting the following
parameters. These options are included in the BlockSafeMode file group option in Endpoint
Encryption for PC.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SafeBoot]
;Prevent Safe Mode access if SafeBoot is activated
PreventSafeMode=dword:00000001
;The warning message to display (default if not set)
;PreventSafeModeMsg=""
;The screen background color (default red)
;PreventSafeModeBkCol=dword:00000000
;The Screen forground color (default white)
;PreventSafeModeFgCol=dword:0000000f
Endpoint Encryption for PC uses several sectors of the hard disk between 1 and 63 - commonly
termed the "partition gap" - to store power fail information while encryption and decryption is
in progress. If you have other applications also using these sectors, you can exclude them from
the range used by specifying registry settings as below.
For each sector you need to exclude, add a DWORD value of 1 with a name of the decimal
sector number to the following registry key as follows:
[HKLM\Software\SafeBoot International\SafeBoot\DiskManager\ExcludedSectors]
14=dword:1
15=dword:1
93
SYS files
You can specify any number of exclusions using this method, but be aware that at least two
sectors are required, and the smaller the number available, the slower encryption processes
will run.
You can add this information to the client NTDRV.SRG registry file to ensure it is applied on all
machines at point of install.
SBALG.SYS
This file is Endpoint Encryption’s device driver crypto algorithm module.
SafeBoot.CSC/RSV
Endpoint Encryption Pre-Boot sector chain for the boot loader. The SafeBoot.csc file was renamed
to SafeBoot.RSV in 5.0.1 for better defrag protection.
SafeBoot.FS
This file is the encrypted pre-boot environment (stored as a single file).
SbRegFlt
This file is applicable to Vista installations only. It allows the administrator to properly support
auto logon, i.e. ensure the control-alt-delete behavior is correct for single sign on.
Other Files — srg files
Endpoint Encryption registry files – these are standard regedit files which are processed into
the registry by Endpoint Encryption, without using the windows regedit utility.
94
WinTech and SafeTech
WinTech and SafeTech are Endpoint Encryption’s disaster recovery and diagnostic tools. Use
them only in the event of a catastrophic failure of the machine, for example, after severe hard
disk corruption, virus attack, or, a complete OS failure.
Contents
WinTech and SafeTech functions
WinTech and SafeTech functions
WinTech and SafeTech can perform the following functions.
• Decrypt the drive using information obtained from the Endpoint Encryption Manager
• Start the Endpoint Encryption Emergency Repair process
• Perform forensic analysis on encrypted data.
These tools should only be used by trained Endpoint Encryption staff. For more information,
and access to the WinTech and SafeTech Administration Guide, please contact your McAfee
representative.
95
Themes and localization
McAfee Endpoint Encryption for PC is the most flexible product of its kind in terms of localization
capabilities. It supports unlimited numbers of Pre-Boot languages and keyboards, and offers
full localized Pre-Boot on screen keyboard and automatic language detection.
Contents
Localization support
Creating your own language file
Pre-Boot language
Pre-Boot token descriptions
Windows languages
You can also restyle almost any aspect of the Pre-Boot interface, from changing colors and
graphics, to moving buttons and text on the screen.
Endpoint Encryption provides full localization and customization services, but for those interested,
the following information is provided to help you gain experience of how all the components fit
together. We provide numerous languages and graphical layouts (themes) with our product.
Readers are strongly advised to look to those while reading these sections to understand how
they work.
A tip to future theme designers - the Endpoint Encryption for PC client will synchronize any file
changes found in the [appdir]\locale and [appdir]\graphics trees into the Endpoint Encryption
pre-boot file system on every policy sync event, so, rather than making your changes and
uploading them to the Endpoint Encryption Manager, you can simply change the files directly
on a Endpoint Encryption client and perform a sync event to load them into the pre-boot. A
successful sync is not required - only an attempt.
Themes
McAfee Endpoint Encryption for PC uses graphical "Themes" to control the look and feel of the
Pre-Boot environment. These Themes are stored as "Client File" type file sets within the Endpoint
Encryption Object Directory. Only one theme can be assigned to a machine at any time.
To assign a theme to a Endpoint Encryption for PC machine, simply enable its file set from the
"Files" tab of either the machine, or machine group properties.
Themes are comprised of the following components:
96
File or Directory
Description
Graphics Graphics.ini
Master definition file for the graphical theme. This file
dictates the overall look of the theme, the button an d
window positions, and the various graphical elements
which are used for each resolution.
ENGLISH
The English language font files
640x480
Images for this resolution
800x600
1024x768
1280x960
1280x1024
1400x1050
1440x900
1440x1050
1600x1200
1680x1050
1680x1280
1920x1440
Shared
Shared images used in all modes
Locale
Language Translations. This file sets all the options re
various language and keyboard support options.
Locale.ini
The options in Local.ini determine which font sets from
Graphics.ini are used.
For information about the parameters in the Graphics.ini and Local.ini files, see the example
theme which has fully commented versions.
Keyboards
Physical Keyboard Layouts
Endpoint Encryption for PC supports many physical keyboard layouts, and also supports automatic
detection of the Windows keyboard layout in an attempt to choose the most appropriate pre-boot
layout.
Having the correct pre-boot layout selected is essential when authenticating, for example,
imagine the user has the French keyboard enabled in Windows, but has the USA keyboard
enabled in Endpoint Encryption for PC Pre-Boot.
Row 2 of the French keyboard begins "azerty…" whereas row 2 of a USA keyboard begins
"qwerty…" - so if the users password contains either "a" or "z", then they will not be able to
press the same keys in pre-boot to authenticate.
Defining and adding layouts to the Endpoint Encryption PBA
Endpoint Encryption for PC can support an unlimited number of different keyboard layouts. To
define which layouts are available, usually you simply need to select the appropriate file group
for a machine and the layout will be added.
The PBA determines which layouts are installed by considering the Locale\Locale.ini file in the
pre-boot environment. This file is synchronised along with the entire [app-dir]\locale directory
each time the machine performs a sync operation.
An example keyboard layout is defined as follows in Locale.ini:
Node
Description
;Norwegian Stub
;B5100
97
[Settings]
DefaultKeyboard=0414
[Keyboards]
0414=Keyboard.0414
043B=Keyboard.043B
[Keyboard.0414]
name=Norwegian
mapfile=0414_E.MAP
OSK=0414_OSK.XML
Defines the default keyboard if no mapping in
[LanguageIDMap] can be determined
Defines the list of possible keyboards. In this example,
two keyboards are defined (0414 and 043B), which are
described in the sections keyboard.0414 and
keyboard.043b. The definition names and section names
are arbitary, but we recommend you use the actual
keyboard ID for consistency.
This is a keyboard definition section, it describes the name
of the keyboard (displayed in the selection list), the map
file to use (stored in \Locale), and the On screen keyboard
file to use (again, stored in \locale) Instead of using the
"name" tag, you can use NameW which takes a comma
separated list of hex char codes, for example:
NameW=32,54,23,6A,43DF With NameW you can display
Unicode chars which are useful when defining double-byte
languages.
[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML
[LanguageIDMap]
0414.Keyboard=0414
043B.Keyboard=043B
This section describes how the client should attempt to
map the selected Windows keyboard to the pre-boot
keyboards.
Keyboard=0414 indicates if Windows is using a keyboard
with the ID 0414, Endpoint Encryption should use the
keyboard described in [keyboards] under the definition
name 0414.
Locale.ini
Normally Language and keyboard layouts are defined within the Endpoint Encryption Database,
and each language has a locale.ini file configured as a Merge INI. This system enables
administrators to add and remove languages without having to define the exact set prior to
distribution. As all keyboards and Languages are defined in the same Locale.ini file, without
merge INIs you would have to create a locale.ini file describing the exact combination of
keyboards and locales prior to sending it to a Endpoint Encryption for PC client.
For examples of how to define a Locale.ini, see one of the supplied languages stored in the
Endpoint Encryption Manager install directory \Languages tree.
NOTE: If the language is changed in Windows, then auto detect will not work. The new language
file for preboot and keyboard should be deployed using file groups. Select the language file
from file groups and apply it to the machine or group. The machine or machine group must
then synchronize with the admin system.
The user(s) must then restart their machines. In the preboot screen they must select "Options".
This will load a menu. They must then select "Options" from this menu. From the "Options"
screen you can then specify the preboot language and the keyboard language.
Creating your own keyboard layout
Keyboard layouts are compiled from a source text file with the following structure:
Name=the keyboard name
Flags=keyboard flags
Scancode=Unicode char number, mask, keystate…
98
For example:
flags=0x8000007C
NAME=Norwegian with Sami
;---0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps
The keyboard map source file is comprised of the following components:
Node
Description
flags
Operational flags which control the behaviour of this
keyboard map. Defined flags include:
0x00000001 Caps is Shift
0x00000002 Shift unsets Caps
0x00000004 Acute
0x00000008 Grave
0x00000010 Circumflex
0x00000020 Umlaut (Diaresis)
0x00000040 Tilde
0x00000080 Caron
0x00000100 Apostrophe
0x00000200 Cedliia
0x00000400 Breve
0x00000800 Ogonek
0x00001000 Dotabove
0x00002000 DoubleAcute
0x00004000 Degree
0x00008000 Tonos
0x00010000 Middle Dot
0x00020000 Low Nine
0x00040000 Dialytika
0x00080000 Quotation
0x00100000 Polish Programmers Tilde
0x00200000 Ring Above
0x00400000 Macron
0x80000000 Extended Mode (should always be enabled)
Name
The keyboard name
Key definitions
Each key (scan code) behaviour is defined in a number of
entries which state the Unicode character which should
be produced. Each key may have many states (normal,
shifted, caps etc) so there may be multiple entries per key.
99
The possible states are defined with a mask (which keys
to consider) and a state (the key state itself)
The possible keys you can use in the mask and keystate
are:
RIGHT_ALT_PRESSED 0x0001
LEFT_ALT_PRESSED 0x0002
RIGHT_CTRL_PRESSED 0x0004
LEFT_CTRL_PRESSED 0x0008
SHIFT_PRESSED 0x0010
NUMLOCK_ON 0x0020
SCROLLLOCK_ON 0x0040
CAPSLOCK_ON 0x0080
ENHANCED_KEY 0x0100
So as an example, to define key 2 (the number 1 key on
a USA keyboard) you would add an entry for scan code
0x02 (the scan code of this key) followed by a number
of possible key states.
0x02=0x0031,0x009F,0x0000
Would define the number 1 key to display the char "1"
in the situation that none (keystate of 0x000) of the
modifiers capslock, shift, left-alt, right-ctrl, left-ctrl and
right-alt (0x09F) is pressed.
To define the behaviour of this key when shift alone is
pressed we use the following line:
0x02=0x0021,0x009F,0x0010
As above, if key 2 is pressed, create a quotation mark
(Unicode char 21) if shift (0x0010) is pressed out of the
combination of capslock, shift, left-alt, right-ctrl, left-ctrl
and right-alt (0x09F).
Of course, in both the cases above, the keys not
considered in the keystate must not be pressed.
The Mask defines which keys to consider, and the
keystate defines the state of each of those keys.
If you wish to create a custom keyboard map, you will need to have it compiled by Endpoint
Encryption before it can be used.
On Screen Keyboards
On-Screen keyboards provide visual representation of the physical keyboard. Each keyboard
map can be defined to provide either its own OSK, or, the system default OSK (US English).
The symbols on each key can be defined for the normal, alt, altgr, shift, caps, and ctrl states,
and also any combination of states.
OSK's are defined in Endpoint Encryption pre-boot using an XML file which controls the layout
(key spacing, number of rows etc), and the display char for each key. The OSK file
(keyboardID_OSK.XML) is usually stored in the SBFS\Locale directory.
The can be many OSK's installed, and each physical keyboard map can choose one of the
installed OSK's to display on request.
Administrators can choose to always display an OSK for the user by selecting the "always display
on-screen keyboard" option of the Machine/General properties.
NOTE: Though the OSK displays the character for each possible state, the OSK sends the scan
code and modifier (shift/alt etc) to the selected keyboard driver for conversion, so the actual
100
character printed will be a result of the keyboard driver, NOT necessarily the one displayed on
the OSK.
A Sample OSK Keyboard could be defined as follows:
<?xml version="1.0" encoding="UTF-16"?>
<keyboard>
<options col="lightgray" button_col="lightgray"
border_col="black" txt_col="black"
font="System"
down_col="blue" button_style="square"
border_width="3">
</options>
<layout id="English (US)">
<layout>
<row>
<key id="18" obey-caps="true" scancode="0x11">
<default display="w" />
<shifted display="W" />
<caps display="W" />
<alt_gr display="GR" />
<text state="alt+shift" display="AS" />
<text state="alt+shift+ctrl" display="ASC" />
<text state="shift+ctrl" display="SC" />
<text state="caps+shift" display="PS" />
<text state="altgr+ctrl" display="GC" />
</key>
<key id="19" obey-caps="false" scancode="0x056">
…
</key>
<row>
…
</row>
</layout>
</keyboard>
The following nodes should be considered:
Node
Description
Options/font
The name of the font used by this OSK. This should be
defined in graphics.ini and needs to be an OnTime Binary
font
Layout ID
The name of this OSK layout - displayed in the title bar of
the OSK
Key/ID
A decimal representation of the key - usually the decimal
scan code ID
101
Key/Obey-Caps
If this key is subject to any caps state switching, this
should be set to true.
Key/Scancode
The Scancode produced by this key
Key/default
The default display char
Key/shifted
The shifted display char
Key/caps
The caps lock state char
Key/alt_gr
The alt_gr state char
Key/text/state
The combination states for this key - The text/state
attribute takes precedence over the key/default key/shift
etc states. You can specify single states, for example
Text state="shift" display="Q"
Or combination states, for example
Text state="shift+altgr" display="%"
For any key to consider any caps behaviour, the
key/obey_caps needs to be true.
To set which OSK is displayed per keyboard map, add an "OSK=" tag to the keyboard definition
in locale.ini, for example:
[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML
Node
Description
Name
The display name of the Keyboard
Mapfile
The name of the map file to use to map the key presses
to chars
OSK
The name of the OSK file to display
McAfee Endpoint Encryption for PC Language files are created from a Unicode master which
describes the text to display for each defined pre-boot message.
You can obtain a pre-boot English master text file from your Endpoint Encryption distributor.
Once translated, the file needs to be compiled by Endpoint Encryption.
Normally Language and keyboard layouts are defined within the Endpoint Encryption Database,
and each language has a locale.ini file configured as a "Merge Ini". This system enables
administrators to add and remove languages without having to define the exact set prior to
distribution. As all keyboards and Languages are defined in the same Locale.ini file, without
merge INIs you would have to create a locale.ini file describing the exact combination of
keyboards and locales prior to sending it to a Endpoint Encryption for PC client.
For examples of how to define a Locale.ini, see one of the supplied languages stored in the
Endpoint Encryption Manager install directory \Languages tree.
102
Pre-Boot language
Pre-Boot language
Endpoint Encryption for PC supports many languages, and also supports automatic detection
(Note: this is only during Endpoint Encryption activation) of the Windows Language in an attempt
to choose the most appropriate pre-boot language.
NOTE: If the language is changed in Windows, then auto detect will not work. The new language
file for preboot and keyboard should be deployed using file groups. Select the language file
from file groups and apply it to the machine or group. The machine or machine group must
then synchronize with the admin system.
The user(s) must then restart their machines. In the preboot screen they must select "Options".
This will load a menu. They must then select "Options" from this menu. From the "Options"
screen you can then specify the preboot language and the keyboard language.
The selectable languages are defined in the SBFS Locale\Locale.ini file, for example:
Node
Description
Chinese Stub ;B5100
[Settings] DefaultLanguage=0804
The default language to use if no mapping is found in the
[LanguageIDMap] section
[Languages] 0804=Lang.0804 0404=Lang.0404
The defined languages - Both the definition name and
section name are arbitrary.
[LanguageIDMap] 0804.Language=0804
0404.Language=0404 0004.Language=0804
0C04.Language=0404 0404.Keyboard=0404
0804.Keyboard=0804
The Windows language to Endpoint Encryption Pre-Boot
language map.
For example, if Windows is using the Locale 0404, then
the Pre-boot should use the definition 0404 for its
language.
Both the major and minor language can be checked, so
in this example both Windows languages 0804 and 0004
use the Endpoint Encryption pre-boot definition section
0804. If the primary variant for example 0F04 is found
in Windows, then 0004 will be used in Endpoint
Encryption
[Lang.0804] ;Name=Chinese Simplified (PRC)
NameW=,0020,0050,0052,0043,0029 ID=0804
StringFile=0804.STR FontSection=Fonts.SuperFont
This section defines a language.
The Name tag is the name displayed in the pre-boot
selection list. You can supply a NameW tag instead which
takes a comma separated list of char codes. This enables
you to set a Unicode name for the list.
The ID describes the Locale ID, this should be the ANSI
recognised ID for this languages.
The StringFile describes the actual compiled definition
file to use (stored in \locale).
The FontSection describes the section in Graphics.ini
which contains the fonts to be used for this particular
language.
Each language can use its own fonts, or can use fonts
shared by other languages.
Pre-Boot token descriptions
You can localise the token names used in the Endpoint Encryption for PC by adding a XML
definition file to the [appdir]\SBTokens\Languages directory.
The client searches for resources in the following order:
103
Windows languages
• The [appdir]\SBTokens\Languages \LanguageID directory
• The [appdir]\SBTokens\Languages \LanguageMajor directory
• The [appdir]\SBTokens\Languages directory
The definition file for each token is described in an XML file with the name Token_tokenID.xml
as follows:
Node
Description
<SbTokenInformation>
<Token type="xxxxxxxx">
The ID of the Token - see the Tokens section of this guide.
<PromptName>prompr text</PromptName>
The text to display in the login box
<ListName>list text</ListName>
The text to display in the list of tokens
</Token> </SbTokenInformation>
Windows languages
McAfee Endpoint Encryption for PC uses resource DLL's and other files to convert its Windows
components to display in alternate languages.
The client searches for resources in the following order:
• Looks to the [appdir]\Languages\LanguageID directory
• Looks to the [appdir]\Languages\LanguageMajor directory
• Looks to the [appdir]\Languages directory
• Looks to the [appdir] directory and uses built in resources
For example, on a US English system (Language ID 0409) Endpoint Encryption for PC will look
for resources in [appdir]\Languages\0409, then [appdir]\Languages\0009, then
[appdir]\Languages then [appdir]
The following components are supported for localization:
• DLL resources (Windows resources)
• SBErrors.XML (Unicode Error code descriptions)
• SBErrors.INI (ASCII Error code descriptions)
• SBClient.CHM (Help file)
• SBHelp.INI (Help file index)
104
Troubleshooting PCs
For the latest information on Endpoint Encryption issues, patches and information please see
our web site, www.mcafee.com. We maintain several sections with the latest tips from our
implementation teams, and any suggested changes and updates. You can also subscribe to an
update list which uses e-mail to keep you informed of any significant issues.
Contents
Error messages
Error messages
Please see the file sberrors.ini for more details of these error messages. You can also find more
information on error messages on our web site, www.mcafee.com.
Module codes
The following codes can be used to identify from which Endpoint Encryption module the error
message was generated.
Error Code
Module
1c00
IPC
5501
SBHTTP Page Errors
5502
SBHTTP User Web Recovery
5c00
SBCOM Protocol
5c02
SBCOM Crypto
a100
ALG
c100
Scripting
db00
Database Misc
db01
Database Objects
db02
Database Attributes
e000
Endpoint Encryption General
e001
Endpoint Encryption Tokens
e002
Endpoint Encryption Disk
e003
Endpoint Encryption SBFS
e004
Endpoint Encryption BootCode
e005
Endpoint Encryption Client
e006
Endpoint Encryption Algorithms
e007
Endpoint Encryption Users
e010
Endpoint Encryption Keys
e011
Endpoint Encryption File
105
Troubleshooting PCs
Error messages
e012
Endpoint Encryption Licenses
e013
Endpoint Encryption Installer
e014
Endpoint Encryption Hashes
e015
Endpoint Encryption App Control
e016
Endpoint Encryption Admin
1C000 IPC Errors
Code
Message and Description
[1c000001]
Timeout during IPC
[1c000002]
IPC terminated
[1c000003]
Unable to initialise IPC
[1c000004]
Unknown or unsupported function
[1c000005]
Request to send data that is too big
[1c000006]
Timeout sending data
[1c000007]
Timeout waiting for reply
[1c000008]
Out of memory
5C00 Communications Protocol
106
Code
[5c000000]
Unsupported version The server and client are not talking
the same communications protocol version
[5c000005]
Out of memory
[5c000008]
A corrupt or unexpected message was received
[5c000009]
Unable to load the Windows TCP/IP library (WSOCK32.DLL)
Check that the TCP/IP protocol is installed
[5c00000a]
Communications library not initialised This is an internal
programmatic error
[5c00000c]
Unable to create TCP/IP socket
[5c00000d]
Failed while listening on a TCP/IP socket
[5c00000e]
Unable to convert a host name to an IP address Check the
host file or the DNS settings
[5c00000f]
Failed to connect to the remote computer The computer
may not be listening or it is too busy to accept connections
[5c000010]
Failed while accepting a new TCP/IP connection
[5c000011]
Failed while receiving communications data The remote
computer may have reset the connection
[5c000012]
Failed while sending communications data
[5c000013]
Invalid communications configuration
[5c000014]
Invalid context handle
[5c000015]
A connection has already been established
[5c000016]
No connection has been established
[5c000017]
Request for an unknown function has been received
[5c000018]
Unsupported or corrupt compressed data received
[5c000019]
Data block is too big
[5c00001a]
Data of an unexpected length has been received
[5c00001b]
Message too big to be received This may occur if an
attempt is made to import large amounts of data into the
database (e.g. a file)
Troubleshooting PCs
Error messages
[5c00001c]
Unable to create thread mute
[5c00001d]
Message too big to be sent This may occur if an attempt
is made to import large amounts of data into the database
(e.g. a file)
[5c00001e]
Wrong Endpoint Encryption Communications Protocol
Version You are most likely trying to connect to a v4
Endpoint Encryption Server using a v5 Server definition
with server authentication enabled. Check that you do not
have both v4 and v5 servers running (perhaps as a service)
at the same time.
5C02 Communications Cryptographic
Code
[5c020000]
The Diffie-Hellmen data is invalid or corrupt
[5c020001]
An unsupported encryption algorithm has been requested
[5c020002]
An unsupported authentication algorithm has been
requested
[5c020003]
Unable to sign data
[5c020004]
Authentication signature is not valid
[5c020005]
Authentication parameters are invalid or corrupt
[5c020006]
Failed while generating DSA parameters
[5c020007]
No session key has been generated
[5c020008]
Unable to authenticate user
[5c020009]
Session key too big
A100 Algorithm Errors
Code
[a1000000]
Not enough memory
[a1000001]
Unknown or unsupported function
[a10000002]
Invalid handle
[a1000003]
Encryption key is too big
[a1000004]
Encryption key is too small
[a1000005]
Unsupported encryption mode
[a1000006]
Invalid memory address
[a1000007]
Invalid key data
DB00 Database Errors
Code
[db000000]
Out of memory
[db000001]
More data is available
[db000002]
The database has not been created or initialised yet Check
the database path or create a new database. To force the
new database wizard to be run, delete the SDMCFG.INI
file and restart the administration program.
[db000003]
Invalid context handle
[db000004]
The name was not found in the database
db000005]
Authentication was not successful. Check that you have
the correct token for this database
[db000006]
Unknown database
107
Troubleshooting PCs
Error messages
[db000007]
Invalid database type
[db000008]
The database could not be found. Check the database
path settings
[db000009]
Database already exists. Choose a different database path
[db00000a]
Unable to create the database Check the path settings and
make sure you have write access to the directory
[db00000b]
Invalid database handle
[db00000c]
The database is currently in use by another entity You
cannot delete a database while someone is using it
[db00000d]
Unable to initialise the database
[db00000e]
User aborted
[db00000f]
Memory access violation
[db000010]
Invalid string
[db000011]
No default group has been defined
[db000012]
The group could not be found
[db000013]
File not found
[db000014]
Unable to read file
[db000015]
Unable to create file
[db000016]
Unable to write to file
[db000017]
File corrupt
[db000018]
Invalid function
[db000019]
Unable to create mutex
[db00001a]
Invalid license The license has been modified so that the
signature is now invalid
[db00001b]
License has expired
[db00001c]
The license is not for this database Check the database
ID and ensure it is the same as the one specified in the
license. Each time you create a new database, a different
ID is generated. There is no way to change the ID of a
database.
[db00001d]
You do not have permission to access the object
[db00001e]
Endpoint Encryption is currently busy with another task.
Please wait for it to complete and try again. This usually
means that your hard disks are in the process of being
encrypted or decrypted. You can check the current
Endpoint Encryption status from the right-click menu of
the Endpoint Encryption task bar icon.
[db00001f]
Endpoint Encryption is still installed on this machine
[db000020]
Buffer too small
[db000021]
The requested function is not supported
[db000022]
Unable to update the boot sector The disk may be in use
by another application or Explorer itself. The disk may be
protected by an anti-virus program.
DB01 Database Objects
108
Code
[db010000]
The object is locked Someone else is currently updating
the same object
[db010001]
Unable to get the object ID
[db010002]
Unable to change the object's access mode Someone else
may by accessing the object at the same time. If you are
trying to write to the object while someone else has the
Troubleshooting PCs
Error messages
object open for reading, you will not be able to change to
write mode.
[db010003]
Object is in wrong access mode
[db010004]
Unable to create the object in the database The disk may
be full or write protected
[db010005]
Operation not allowed on the object type
[db010006]
Insufficient privilege level You do not have the access
rights required to access the object.
[db010007]
The object status is disabled This is usually associated
with User objects. Disabling the user's object prevents
them logging on until their account is re-enabled.
[db010008]
The object already exists
[db01000f]
The object is in use
[db010010]
Object not found The object has been deleted from the
database
[db010011]
License has been exceeded for this object type Check that
your licenses are still valid and if not obtain further licenses
if necessary
DB02 Database Attributes
Code
[db020000]
Attribute not found
[db020001]
Unable to update attribute
[db020002]
Unable to get attribute data
[db020003]
Invalid offset into attribute data
[db020004]
Unable to delete attribute
[db020005]
Incorrect attribute length
[db020006]
Attribute data required
E000 Endpoint Encryption General
Code
[e0000000]
User aborted
[e0000001]
Insufficient memory
[e0000002]
Invalid date/time
[e0000010]
Invalid date/time. Clock is reporting a time before 1992
or after 2038.
E001 Tokens
Code
[e0010000]
General token error
[e0010001]
Token not logged on
[e0010002]
Token authentication parameters are incorrect
[e0010003]
Unsupported token type
[e0010004]
Token is corrupt
[e0010005]
The token is invalidated due to too many invalid logon
attempts
[e0010006]
Too many incorrect authentication attempts
[e0010007]
Token recovery key incorrect
109
Troubleshooting PCs
Error messages
[e0010010]
The password is too small
[e0010011]
The password is too large
[e0010012]
The password has already been used before. Please choose
a new one.
[e0010013]
The password content is invalid
[e0010014]
The password has expired
[e0010015]
The password is the default and must be changed.
[e0010016]
Password change is disabled
[e0010017]
Password entry is disabled
[e0010020]
Unknown user
[e0010021]
Incorrect user key
[e0010022]
The token is not the correct one for the user
[e0010023]
Unsupported user configuration item
[e0010024]
The user has been invalidated
[e0010025]
The user is not active
[e0010026]
The user is disabled
[e0010027]
Logon for this user is not allowed at this time
[e0010028]
No recovery key is available for the user
[e0010030]
The algorithm required for the token is not available
[e0010040]
Unknown token type
[e0010041]
Unable to open token module
[e0010042]
Unable to read token module
[e0010043]
Unable to write token module
[e0010044]
Token file not found
[e0010045]
Token type not present
[e0010046]
Token system class is not available
[e0018000]
Sony Puppy requires fingerprint
[e0018001]
Sony Puppy requires password
[e0018002]
Sony Puppy not trained
E002 Endpoint Encryption Disk
110
Code
[e0000002]
Invalid date/time
[e0020000]
No more data is available
[e0020001]
No more data is available
[e0020002]
Unsupported disk driver function
[e0020003]
Invalid disk driver request
[e0020004]
Disk request buffer too small
[e0020005]
Unsupported encryption algorithm
[e0020006]
Unknown disk number
[e0020007]
Error reading disk sector
[e0020008]
Error writing disk sector
[e0020009]
Unable to get disk partition information
[e002000a]
Endpoint Encryption disk information not present
[e002000b]
Not enough space for the Endpoint Encryption disk
information
[e002000c]
The Endpoint Encryption disk information is invalid
Troubleshooting PCs
Error messages
[e002000d]
Sector not valid for Endpoint Encryption disk information
use
[e002000e]
Sector chain is invalid
[e002000f]
Sector chain type incorrect
[e0020010]
Sector chain sequence number incorrect
[e0020011]
Sector chain checksum invalid
[e0020012]
Crypt state information too big for available space
[e0020013]
Crypt list full
[e0020014]
Crypt range too big.
[e0020015]
Attempt to crypt while in power fail state not allowed
[e0020016]
Attempt to crypt in-progress I/O
[e0020017]
Error communicating with Endpoint Encryption disk driver
[e0020018]
Endpoint Encryption disk driver not present
[e0020019]
Unsupported disk driver version
[e002001a]
No encryption has been key set
[e002001b]
Unable to find the system boot disk
[e002001c]
Unknown message slot
[e002001d]
Message slot data too large
[e002001e]
Unable to lock floppy disk driver for access
[e002001f]
Unable to access floppy disk
[e0020020]
The boot disk type is not supported
[e0020021]
Access to driver not permitted
E003 Endpoint Encryption SBFS
Code
[e0030001]
The SafeBot File System is already mounted
[e0030002]
Unable to mount the Endpoint Encryption File System
[e0030003]
Unable to unmount the Endpoint Encryption File System
[e0030004]
The Endpoint Encryption File System is not mounted
[e0030005]
Error reading Endpoint Encryption File System sector
[e0030006]
Error writing Endpoint Encryption File System sector
[e0030007]
Endpoint Encryption File System too fragmented
[e0030008]
Endpoint Encryption File System size invalid
[e0030009]
Error creating Endpoint Encryption File System host file
[e003000a]
Error reading Endpoint Encryption File System host file
[e003000b]
Error writing Endpoint Encryption File System host file
[e003000c]
Error setting Endpoint Encryption File System host file
pointer
[e003000d]
Unable to locate sectors corresponding to the Endpoint
Encryption File System host file
[e003000e]
No host driver found for the Endpoint Encryption File
System
E004 Boot Code Image
Code
[e0040001]
Unable to open boot code image file
[e0040002]
Error reading boot code image file
111
Troubleshooting PCs
Error messages
[e0040003]
Boot code image file too big
[e0040004]
Error creating boot code image host file
[e0040005]
Error reading boot code image host file
[e0040006]
Error writing boot code image host file
[e0040007]
Error setting boot code image host file pointer
[e0040008]
Unable to locate boot code image host file sectors
[e0040009]
No host driver found for boot code image file
[e004000a]
Unhandled instruction
[e004000b]
Invalid instruction
[e004000c]
Protected mode General Protection Fault
E005 Client
112
Code
[e0050001]
Endpoint Encryption Client not activated
[e0050002]
The Endpoint Encryption Client is already activated
[e0050003]
The Endpoint Encryption Client activation is already in
progress
[e0050004]
The wrong version of the Endpoint Encryption Client is
currently active
[e0050005]
Unable to save original MBR
[e0050006]
Disk Manager not open
[e0050007]
Unable to load MBR copy
[e0050008]
Unable to load the Endpoint Encryption MBR
[e005000a]
Too many work items to perform encryption.
[e005000b]
Endpoint Encryption MBR invalid
[e005000c]
Endpoint Encryption Client sync failed to start
[e005000d]
Endpoint Encryption Client sync already in progress
[e005000e]
Key not available to the Endpoint Encryption Client
[e005000f]
The recovery key is incorrect
[e0050010]
Failed to start cryption
[e0050011]
Cryption already in progress
[e0050012]
The hard disk key is incorrect
[e0050013]
The machine configuration is corrupt or invalid
[e0050014]
Unable to load string data
[e0050015]
String data is invalid
[e0050016]
Incorrect user logon
[e0050017]
The isolation period has expired
[e0050018]
A possible virus has been detected
[e0050019]
Recovery data is invalid
[e005001a]
Recovery file version unsupported
[e005001b]
Invalid recovery command
[e005001c]
Invalid recovery type
[e005001d
Recovery data not found
[e005001d]
Client not initialized for emergency boot
[e0050020]
Unable to open the client data store
[e0050021]
The client data store is not open
[e0050022]
The client data store already exists
Troubleshooting PCs
Error messages
[e0050023]
Error creating client data store
[e0050024]
Unable to create client data store directory
[e0050025]
Client data store in use
[e0050026]
Unable to delete client data store
[e0050027]
The client data store is corrupt
[e0050028]
Unsupported client data store version
[e0050030]
Client data store object not found
[e0050031]
Client data store object not open
[e0050032]
Client data store object not exclusive
[e0050033]
Client data store object ID invalid
[e0050034]
Client data store object ID already exists
[e0050035]
Unable to create client data store object directory
[e0050036]
Client data store object name already exists
[e0050037]
Unable to read client data store object name
[e0050038]
Unable to write client data store object name
[e0050040]
Unable to remove client data store object
[e0050041]
Client data store attribute not found
[e0050042]
Client data store attribute not open
[e0050043]
Unable to open client data store attribute
[e0050044]
Unable to create client data store attribute
[e0050045]
Unable to read client data store attribute
[e0050046]
Unable to write data store attribute
[e0050047]
Client data store attribute version incorrect
[e0050048]
Client data store attribute corrupt
[e0050049]
Invalid size of client data store attribute
[e005004a]
Access denied to client data store attribute
[e0050060]
Upgrade of client is not possible
[e0050061]
Upgrade old SbFs is invalid
[e0050062]
Upgrade old SbFs not found
[e0050063]
Upgrade old SbFs drive not found
[e0050064]
Upgrade, unable to read old SbFs
[e0050065]
Upgrade, old machine configuration invalid
[e0050066]
Upgrade, invalid user data.
[e0050067]
Upgrade, user directory version invalid
[e0050068]
Upgrade, invalid user directory
[e0050069]
Upgrade, unable to get original MB
[e005006a]
Upgrade, unable to get audit data
E006 Algorithms
Code
[e0060001]
Unknown encryption algorithm
[e0060002]
Unable to install pre-boot encryption algorithm module
[e0060003]
Error relocation 16-bit encryption algorithm code
[e0060004]
Error initializing 16-bit encryption algorithm module
[e0060005]
16-bit encryption algorithm module invalid
113
Troubleshooting PCs
Error messages
E007 Readers
Code
[e0070001]
Unknown reader type
[e0070002]
Unable to open reader module
[e0070003]
Unable to read reader module
[e0070004]
Unable to write reader module
[e0070005]
Reader failure
[e0070006]
Unable to create reader context
[e0070007]
Invalid reader parameter
[e0070008]
Reader not present
[e0070009]
Reader timeout
[e007000a]
Reader sharing violation
[e007000b]
Token not present in reader
[e007000c]
Reader protocol mismatch
[e007000d]
Reader communications error
[e007000e]
Token not powered in reader
[e007000f]
Token not reset in reader
[e0070010]
Token removed from reader
E008 Users
Code
[e0080001]
User configuration invalid or corrupt
[e0080002]
User information field index invalid
[e0080003]
User has no hard disk encryption key
E010 Keys
Code
[e0100001]
Encryption key too big
[e0100002]
Encryption key size invalid
E011 Files
Code
[e0110001]
[e0110002]
Unable to open file
[e0110003]
Error reading file
[e0110004]
Error writing file
[e0110005]
Error setting file pointer
[e0110006]
Error getting file size
E012 Licences
114
Code
[e0120001]
License invalid
[e0120002]
License expired
[e0120003]
License is not for this database
Troubleshooting PCs
Error messages
[e0120004]
License count exceeded
E013 Installer
Code
[e0130002]
No installer executable stub found
[e0130003]
Unable to read installer executable stub
[e0130004]
[e0130005]
Error writing file
[e0130006]
Error opening file
[e0130007]
Error reading file
[e0130008]
Installer file invalid
[e0130009]
No more files to install
[e013000a]
Install archive block data too large
[e013000b]
Install archive data not found
[e013000c]
Install archive decompression failed
[e013000d]
Unsupported installer archive compression type
[e013000e]
Installation error
[e013000f]
Unable to create temporary directory
[e0130010]
Error registering module
E014 Hashes
Code
[e0140001]
Insufficient memory
[e0140002]
Error opening hashes file
[e0140003]
Error reading hashes file
[e0140004]
Hashes file invalid
[e0140005]
Unable to create hashes file
[e0140006]
Error writing hashes file
[e0140007]
Hashes file is not open
[e0140008]
Hashes file data invalid
[e0140009]
Hashes file data too big
[e014000a]
User aborted
E015 Application Control
Code
[e0150001]
Insufficient memory
[e0150002]
Application control invalid parameter
[e0150003]
Error communicating with application control driver
[e0150004]
Application control driver not installed
[e0150005]
Error opening application control log file
[e0150006]
Invalid hashes object list
E016 Administration Center
Code
[e0160001]
Invalid plugin information
115
Troubleshooting PCs
Error messages
xxH: BIOS
If Endpoint Encryption’s boot loader detects a hardware error from the BIOS, it reports the
standard error code in the format “Endpoint Encryption ?? Error code H??”
The following list of codes may be reported:
116
Code
01H
Invalid function call
02H
Address mark not found
03H
Disk is write protected
04H
Sector not found
05H
Reset failed (hard disk)
06H
Diskette has been changed
07H
Drive parameter activity failed (hard disk)
08H
DMA overrun
09H
DMA attempted across 64K boundary
0AH
Bad sector flag detected (hard disk)
0BH
Bad track detected (hard disk)
0CH
Unsupported track or invalid media
0DH
Invalid number of sectors for Format (hard disk)
0EH
Control data address mark detected (hard disk)
0FH
DMA arbitration level out of range (hard disk)
10H
Uncorrectable CRC or ECC error on read
11H
ECC corrected data error (hard disk)
20H
Disk controller failure
31H
No media in drive
32H
Drive does not support media type
40H
Seek failed
80H
Timeout (disk not ready)
AAH
Drive not ready
B0H
Volume not locked in drive (INT 13 extensions)
B1H
Volume locked in drive (INT 13 extensions)
B2H
Volume not removable (INT 13 extensions)
B3H
Volume in use (INT 13 extensions)
B4H
Lock count exceeded (INT 13 extensions)
B5H
Valid eject request failed (INT 13 extensions)
BBH
Undefined error (hard disk)
CCH
Write fault (hard disk)
E0H
Status register error (hard disk)
FFH
Sense failed (hard disk)
Technical specifications and options
The following options are available from Endpoint Encryption but may not be included on your
install CD, or be appropriate for your version of Endpoint Encryption. Please contact your
Endpoint Encryption representative for information if you wish to use one of these optional
components.
Contents
Tokens
System requirements
Encryption Algorithms
Endpoint Encryption supports many custom algorithms. Only one algorithm can be used in a
Endpoint Encryption Enterprise.
Algorithm performance is based on the “PassMark” rating which gives an overall indication of
system performance. All tests were performed on a K6-II-300 machine running NT4.0. This test
platform has a PassMark of 20.7. The closer to this figure an algorithm gets, the less the impact
of Endpoint Encryption on the user. Faster machines will achieve correspondingly faster passmark
ratings, but the percentage difference between them will be comparable.
RC5-12 (FASTEST)
CBC Mode, 1024 bit key, 12 rounds, 64 bit blocks. PassMark 20.7 (100%)
RC5-18
CBC Mode, 1024 bit key, 18 rounds, 64 bit blocks, PassMark 20.7 (100%)
The 18 round RC5 variant is designed to prevent the theoretical “Known Plaintext” attack.
AES-FIPS (FIPS 140-2 Approved) - RECOMMENDED
CBC Mode, 256 bit key, 128 bit blocks, PassMark 19.3 (93%). This algorithm is approved for
FIPS 140-2 use.
Smart Card Readers
The following smart card readers are supported.
PCMCIA Smart Card Readers
• SCR243 / SCR201 and compatibles such as HP DC350B, ActivIdentity and others)
• PCMCIA smart card reader.
See http://www.scmmicro.com/security/SCR243.html for more information.
117
Tokens
• SCR201 and compatibles such as PCSR and Cisco PCMCIA readers
Generic USB CCID Smart Card Reader and compatibles
This module provides support for the following devices:
• Universal CCID USB smart card reader support (supports all industry standard CCID readers)
• Dell D620 Integrated Smart Card Reader
• Gemplus GemPC430 USB Smart Card Reader
• Omnikey 3121 USB Smart Card Reader
• ACR38 USB Smart Card Reader
USB Smart Card Reader non CCID
Mako DT3500 Desktop smart card reader with USB Interface.
PCI Smart Card Readers
• HP 6400 Integrated Smart Card Reader
• Dell D610/810 Integrated Smart Card Reader
Tokens
Please see the Using Tokens with Endpoint Encryption for PC chapter for further information.
For the latest list of authentication methods using smart cards, tokens, fingerprint readers
please consult your McAfee representative.
Language support
Client
Pre-Boot Languages (auto detect)
Arabic Czech Chinese (Simplified) Chinese (Traditional)
Dutch English (United Kingdom) English (United States)
Estonian German Hungarian
Italian Japanese Korean Polish Portuguese Russian Slovak
Republic Swedish Spanish Turkish
Pre-Boot Keyboards (auto detect)
Arabic 101
118
Greek 319
Arabic 102
Greek 220 Latin
Arabic AZERTY
Greek 319 Latin
Belgian Comma
Hebrew
Belgian Period
Hungarian
Canadian Multilingual
Italian
Canadian French
Icelandic
Canadian French Legacy
Irish
Chinese Bopomofo
Japanese
Chinese ChaiJei
Kazakh
Croatian
Korean
Czech (Czech Republic)
Latin American
Czech (QWERTY)
Norwegian
Czech (Programmers)
Norwegian with Sami
Danish
Polish 214
Dutch
Polish Programmers
System requirements
English (United States)
Portuguese Brazil
English (United Kingdom)
Portuguese Portugal
English (US International)
Romanian
English (UK Extended)
Russian
Estonian French (Belgium)
Russian Typewriter
French (France)
Slovak
French (Canada)
Slovak QWERTY
French (Swiss)
Slovenian
Finnish
Spanish (Spain)
Gaelic
Spanish (International)
German (Standard)
Spanish Variant
German (IBM)
Swedish
Greek
Swiss German
Greek Latin
Thai Kedmanee
Greek 220
Turkish F
Turkish Q
US Dvorak
Most of the keyboard layouts also support On-Screen representations.
Please note – other languages are available on request. We are continuously updating our
language translations and encourage feedback from our users.
Windows Languages (auto detect)
English (United Kingdom)
English (United States)
System requirements
Implementation documentation discussing appropriate hardware for typical installations of
Endpoint Encryption is available from your representative.
Client
• Microsoft Windows 2000 Professional, XP Professional, Windows Server 2003, Vista 32-bit
(all versions), Vista 64-bit (all versions)
• 128 MB RAM, or OS Minimum specification
• 5-35 MB Free hard disk space depending on localization and number of desired users)
• Pentium compatible processor, multi-processor (up to 32 way), dual-core and hyper threading
processors, Pentium-compatible processors such as AMD processors.
• For remote administration, a TCP/IP network connection is required.
119
Appendix
This chapter highlights and explains the legal notices, open source license, and FIPS compliat
details.
Contents
Legal notices
Open source components license details
Legal notices
McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com
McAfee, SafeBoot and/or other noted McAfee related products contained herein are registered
trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries.
McAfee Red in connection with security is distinctive of McAfee brand products. Any other
non-McAfee related products, registered and/or unregistered trademarks contained herein is
only by reference and are the sole property of their respective owners. © 2013 McAfee, Inc.
All rights reserved.
Your rights to install, run, copy, reproduce, distribute or make any other use of the accompanying
software is subject to your license agreement with McAfee, Inc. If you have any questions,
please review your software license or contact your McAfee representative.
McAfee SafeBoot products make use of the following third party open source technologies:
• ZLIB, a general compression library
• OpenSSL/OpenSSLeay - a general SSL/PKI communications library
• OpenLDAP - a general LDAP library
Communications Layer - ZLIB
License
/* zlib.h -- interface of the 'zlib' general purpose compression library version 1.2.8, April 28th
, 2013
Copyright (C) 1995-2013 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the
authors be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial
applications, and to alter it and redistribute it freely, subject to the following restrictions:
120
Appendix
• The origin of this software must not be misrepresented; you must not claim that you wrote
the original software. If you use this software in a product, an acknowledgment in the product
documentation would be appreciated but is not required.
• Altered source versions must be plainly marked as such, and must not be misrepresented
as being the original software.
• This notice may not be removed or altered from any source distribution.
Jean-loup Gailly [email protected]
Mark Adler [email protected]
Communications Layer and LDAP Connector - OpenSSL/OpenSSLEAY
LICENSE ISSUES
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License
and the original SSLeay license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses.
In case of any license issues related to OpenSSL please contact [email protected].
OpenSSL License
/*
====================================================================
Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
• All advertising materials mentioning features or use of this software must display the following
acknowledgment:
• This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit. (http://www.openssl.org/)
• The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote
products derived from this software without prior written permission. For written permission,
please contact [email protected].
• Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear
in their names without prior written permission of the OpenSSL Project.
• Redistributions of any form whatsoever must retain the following acknowledgment:
• This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (http://www.openssl.org/)
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `ÀS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
121
Appendix
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young ([email protected]). This
product includes software written by Tim Hudson ([email protected]).
Original SSLeay License
Copyright (C) 1998-2011 Eric Young ([email protected]) All rights reserved.
This package is an SSL implementation written by Eric Young ([email protected]).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions
are ahe ared to. The following conditions apply to all code found in this distribution, be it the
RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with
this distribution is covered by the same copyright terms except that the holder is Tim Hudson
([email protected]).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be
removed. If this package is used in a product, Eric Young should be given attribution as the
author of the parts of the library used.
This can be in the form of a textual message at program startup or in documentation (online
or textual) provided with the package.
• Redistributions of source code must retain the copyright notice, this list of conditions and
the following disclaimer.
distribution.
acknowledgement:
• This product includes cryptographic software written by Eric Young ([email protected])
NOTE: The word 'cryptographic' can be left out if the rouines from the library being used
are not cryptographic related.
• If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement:
• This product includes software written by Tim Hudson ([email protected])
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG `ÀS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code
cannot be changed. i.e. this code cannot simply be copied and put under another distribution
licence [including the GNU Public Licence.]
122
Appendix
Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved. This software is not subject to
any license of the American Telephone and Telegraph Company or of the Regents of the
University of California. Permission is granted to anyone to use this software for any purpose
on any computer system, and to alter it and redistribute it, subject to the following restrictions:
• The author is not responsible for the consequences of use of this software, no matter how
awful, even if they arise from flaws in it.
• The origin of this software must not be misrepresented, either by explicit claim or by omission.
Since few users ever read sources, credits must appear in the documentation.
• Altered versions must be plainly marked as such, and must not be misrepresented as being
the original software. Since few users ever read sources, credits must appear in the
documentation.
• This notice may not be removed or altered.
Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
This software is not subject to any license of the American Telephone and Telegraph Company
or of the Regents of the University of California. Permission is granted to anyone to use this
software for any purpose on any computer system, and to alter it and redistribute it, subject
to the following restrictions:
• The author is not responsible for the consequences of use of this software, no matter how
awful, even if they arise from flaws in it.
• The origin of this software must not be misrepresented, either by explicit claim or by omission.
Since few users ever read sources, credits must appear in the documentation.
• Altered versions must be plainly marked as such, and must not be misrepresented as being
the original software. Since few users ever read sources, credits must appear in the
documentation.
• This notice may not be removed or altered.
LDAP Connector - OpenLDAP
Copyright (c) 1994
The Regents of the University of California. All rights reserved. Redistribution and use in source
and binary forms, with or without modification, are permitted provided that the following
conditions are met:
distribution.
acknowledgement:
• This product includes software developed by the University of California, Berkeley and
its contributors.
• Neither the name of the University nor the names of its contributors may be used to endorse
or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS `ÀS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
123
Appendix
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@(#)COPYRIGHT 8.1 (Berkeley) 3/16/94
LDAP Connector
Copyright (c) 1994
The Regents of the University of California. All rights reserved.
distribution.
acknowledgement:
• This product includes software developed by the University of California, Berkeley and
its contributors.
• Neither the name of the University nor the names of its contributors may be used to endorse
or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS `ÀS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@(#)COPYRIGHT 8.1 (Berkeley) 3/16/94
LDAP Connector - The OpenLDAP Public License
Version 2.0.1, 21 December 1999. Copyright 1999, The OpenLDAP Foundation, Redwood City,
California, USA. All Rights Reserved.
Redistribution and use of this software and associated documentation ("Software"), with or
without modification, are permitted provided that the following conditions are met:
• Redistributions of source code must retain copyright statements and notices. Redistributions
must also contain a copy of this document.
distribution.
• The name "OpenLDAP" must not be used to endorse or promote products derived from this
Software without prior written permission of the OpenLDAP Foundation. For written
permission, please contact [email protected].
124
Appendix
• Products derived from this Software may not be called "OpenLDAP" nor may "OpenLDAP"
appear in their names without prior written permission of the OpenLDAP Foundation.
OpenLDAP is a trademark of the OpenLDAP Foundation.
• Due credit should be given to the OpenLDAP Project (http://www.openldap.org/).
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS `ÀS
IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Making Endpoint Encryption for PC FIPS Compliant
The following procedures must be followed to operate McAfee Endpoint Encryption for PCs
cryptographic module in a FIPS Approved mode:
• The module software must be operating in “FIPS” mode. This is done by setting the FIPS
registry key value from 0 (disabled) to 1 (enabled). The first step is to create a FIPS registry
script (see Appendix A for details). Once the file is created right-click on the newly created
.reg file and select Merge from the drop down menu.
• To verify that the registry has been updated properly the user must install a registry editor
and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier
and verify the value of FipsMode equals 1.
• All application databases and external media on the device where McAfee Endpoint Encryption
for PCs has been installed MUST be fully encrypted. This is performed by setting the module’s
internal memory encryption parameter to Encrypt Entire Device.
• The PC used to run McAfee Endpoint Encryption for PCs Client must be built using production
grade components and configured in a single operator mode. To do this, the following
operating system services must be disabled:
• Fast user switching
• Terminal services
• Remote registry service
• Secondary logon service
• Telnet service
• Remote desktop and Remote assistance services
Creating the FIPS enable script
The following needs to be saved to a text file with the extension “.reg” and then merged into
the registry as a requirement for installing the module in a FIPS-compliant mode of operation:
REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier]
"FipsMode"=dword:00000001
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\1]
125
Appendix
"Path"="c:\\windows\\system32\\drivers\\SafeBoot.sys"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\2]
"Path"="c:\\windows\\system32\\drivers\\SbAlg.sys"
126
Index
A
adding users 27
algorithms 8
appendix 120
audit
viewing 14
audit events 60
auditing 60
authentication 29
Encryption
data protection 7
Pre-Boot Authentication 7
Endpoint Encryption 7, 8, 10, 46, 51, 52
EEPC 7
removing 52
upgrading 51
Endpoint Encryption Manager 46
ePO 10
error messages 105
eToken 18
exe files 92
B
biometric key
using 25
Boot 54
boot protection 29
C
client 10
client auditing 54
client software 53
client system 8
common criteria 75
configuration files 77
configuring systems 27
conventions used in this guide 10
creating install set 27
creating systems 27
F
file group function
setting 41
File Groups 40
file properties
setting 42
file update 44
files
deleting 42
exporting 42
fingerprint reader 23, 24, 26
setting 24
using 26
forcing synchronization 27
G
group configuration
resetting to group configuration 14
D
Deploy sets 40, 46
disk encryption 7
dll files 92
documentation
typographical conventions 10
documentation for products, finding 11
driver files 92
driver support 18
H
hash generator 74
using 74
hash group 72
hash sets 72
using 72
I
E
EAL4 mode 75
EE client
removing 51
EE Configuration Manager 54
EE Manage
installing 13
EE Manager 13
EE Monitor 53
EE Server 53
EE Tool Tray 53
EEPC 14, 18, 27, 40
user policies 14
EEPC setup 24
Install package 46
install set
selecting 47, 48
Installing EEPC 50
K
KnowledgeBase, Technical Support ServicePortal 11
L
language file
creating 102
language sets 40
127
Index
Legal notices 120
local recovery 68, 69
performing 69
local recovery questions
configuring 69
localization 96
locking machine 27
logon 29, 55
Logon 54
logon features 57
M
machine
creating 27
deleting 27
exporting 27
importing 27
renaming 27
machine groups 29
machine properties 27
management 10
master directory
selecting 49
McAfee ServicePortal, accessing 11
N
new file
copying 44
new files
importing 42
O
object directory 8, 53, 54
offline
install 47, 48
offline package installs 50
offline recovery 64
online install 47, 48
online package installs 50
online recovery 71
open source 120
P
password
changing 55
forcing password change 14
policies 13
pre-boot 13
Pre-Boot
client 8
Pre-Boot language 103
Pre-Boot token 103
program files 92
puppy support
installing EE 24
R
recovery 29
recovery code 64
128
recovery option
selecting 64
Registry file 44
Removing EEPC 50
requirements, operating system 11
requirements, software 11
requirements, system 11
RSA session 53
S
SafeTech 95
screen saver 29, 53
ServicePortal, finding product documentation 11
show status 53
Sign-On 55
smart card 18
specification 117, 118
algorithm 117
tokens 118
SSO details 14
stored value tokens 19
synchronize 53
sys files 93
system requirements
client 119
systems
recovering 63
T
Technical Support ServicePortal
at McAfee 11
themes 96
themes and localization 96
token 14, 18
creating 14
resetting 14
token compatibility 21
token operation 18
tokens 18, 19
crypt only 19
transport directory
importing 48
troubleshooting 105
trusted applications 72
U
Upgrading EEPC 50
users
recovering 63
V
viewing audit 27
W
Windows languages 104
Windows logon 58
WinTech 95
WinTech and SafeTech functions 95

Endpoint Encryption for PC 5.2.13 Administration

Transcription

Similar documents

Covata Safe Share

“More” Mohawk

GoAnywhere Director

STINGER – Mini TCDL Surface Terminal Equipment - L

SomaLogic CVD 2º Risk Panel Flyer for Drug Developers

Pijn op de borst op de 1e hulp

Security Revisited: What can we learn from