McAfee® Endpoint Encryption for Files and Folders Administration Guide Version 3.1.
McAfee, Inc., 3965 Freedom Circle, Santa Clara, CA 95054, USA. Tel: (+1) 888.847.8766. For more information regarding local McAfee representatives, contact your local McAfee office or visit www.mcafee.com. Document: Endpoint Encryption for Files and Folders Administration Guide. Last updated: Monday, 16 March 2009. Product Version: 3.1.3. Copyright (c) 1992-2008 McAfee, Inc., and/or its affiliates. All rights reserved.
Contents
Preface ... 6
  About This Guide
  Audience
  Conventions
  Related Documentation
Client Registry controls ... 85
Controlling the authentication result dialog ... 85
Utilities for Endpoint Encryption for Files and Folders ... 88
  Troubleshooting utilities ... 88
  User mode process debugging utilities
Index
Preface

McAfee is dedicated to providing you with the best in security for protecting data on personal computers. Applying the latest technology, deployment and management of users is accomplished using simple and structured administration controls. Endpoint Encryption for Files and Folders addresses the security requirements for files and folders, for data in transit on removable devices, and for data stored on NAS, SAN and network servers.
Conventions

This guide uses the following conventions:
• Bold Condensed: all words from the interface, including options, menus, buttons, and dialog box names.
• Courier: the path of a folder or program; text that represents code or something the user types exactly (for example, a command at the system prompt).
• Italic: emphasis or introduction of a new term; names of product manuals.
• Blue: a web address (URL); a live link.
Introduction

Why Endpoint Encryption for Files and Folders?

All organizations have their own rules about what data is available to whom. Some information is available to all; other information is restricted and confidential. At the most basic level, most IT users are trusted to access their PCs and use their documents; however, at a higher level – for example, at the board of directors or within Finance – certain information (e.g.
Users can work without interruption. With the exception of the initial logon to access protected data, Endpoint Encryption for Files and Folders is completely transparent to the user.

How Endpoint Encryption for Files and Folders Works

The Endpoint Encryption for Files and Folders client encrypts folders and files according to policies defined by Endpoint Encryption Administrators. These policies are delivered by the Endpoint Encryption Server.
A key feature of Endpoint Encryption for Files and Folders is the principle of containment, also known as persistent encryption: an encrypted folder or file always retains its encryption, irrespective of how it is edited, moved or copied. The file remains encrypted and secure regardless of where or how it is moved, whether to another folder, a USB memory stick, a floppy disk or a network share.
Endpoint Encryption for Files and Folders supports three standard algorithms with various key lengths, including the Endpoint Encryption FIPS 140-2 certified AES-256 implementation. Endpoint Encryption for Files and Folders also encrypts the Windows pagefile. This feature is automatic and cannot be configured or disabled. The pagefile is overwritten when the computer is restarted, and any new data written to the pagefile is automatically encrypted.
installed, the user who logs on is forced to retrieve the policy assigned to him or her from the central database. If Administrators change the device policy in the Endpoint Encryption Manager, all machines using that policy apply it when they next check for updates, i.e. at an authentication performed while online. The Endpoint Encryption for Files and Folders software queries the directory for any updates to its policy and, if needed, downloads and applies them.
• Configuring Endpoint Encryption for Files and Folders Policies
• Creating and assigning Endpoint Encryption for Files and Folders keys

Database Server

Figure 2: Endpoint Encryption Server

The Endpoint Encryption Database Server facilitates connections between Endpoint Encryption entities, such as the Endpoint Encryption for Files and Folders Client and the Endpoint Encryption Manager, and the central Object Directory over an IP connection (rather than the file-based "local" connection).
Typical information stored in the Object Directory includes:
• User Configuration and Policy Configuration information
• Client and administration file lists
• Encryption key and recovery information
• Audit trails
• Secure Server Key information

Connector Manager

The Endpoint Encryption directory that keeps track of security information is designed so that its details can be synchronized with other systems.
Manager. This executable file contains the core components and drivers needed to enable Endpoint Encryption on a user's machine. The install set can be used on any number of PCs and contains all the data and links needed to install Endpoint Encryption for Files and Folders on any supported Windows platform. The executable may be deployed using any standard software distribution tool, such as Microsoft Systems Management Server (SMS) or Novell ZENworks.
Endpoint Encryption for Files and Folders Client Software

Endpoint Encryption for Files and Folders client

Once the Endpoint Encryption for Files and Folders client is installed, the machine needs to restart. After the restart, the user may be forced to log on to retrieve the correct policy from the central database through the Endpoint Encryption Server.
Encryption product icon), and the shell extension options, visible from the context menu when right-clicking files and folders.

Figure 4: Context menu with Endpoint Encryption for Files and Folders entries

The content of the context menu regarding Endpoint Encryption for Files and Folders is determined by a policy for each user.
Figure 6: Endpoint Encryption system tray icon menu (Endpoint Encryption for Files and Folders only)

The About Endpoint Encryption for Files and Folders… option displays the configuration data for the Endpoint Encryption for Files and Folders client in a separate window. The details of this window are presented later in this guide.
Removable media

Endpoint Encryption for Files and Folders can enforce encryption on removable media. However, the removable media affected must match the following definition: "Any device that is attached to the computer and is assigned a drive letter, except for network drives, and that reports itself to the operating system as 'Removable'." Note that the last condition depends on how the device describes itself to Windows: a USB disk that presents itself as a fixed disk does not fall under this definition.
Deploying Endpoint Encryption for Files and Folders

There are 7 steps you need to follow to install Endpoint Encryption for Files and Folders on your users' computers:
1. Install the Endpoint Encryption Management Centre. Follow the Installing Endpoint Encryption Manager section of the Endpoint Encryption Manager Administrator's Guide.
2.
Endpoint Encryption for Files and Folders Policy Settings

About Endpoint Encryption for Files and Folders Policies

Endpoint Encryption for Files and Folders policies control the encryption settings, the encrypted areas and the context menu options available to users of Endpoint Encryption for Files and Folders. Each installation of Endpoint Encryption for Files and Folders is linked back to a policy object in the Endpoint Encryption Manager.
3. Double-click it to expand its groups.
4. Either open an existing group, or create a new group by right-clicking the top node and selecting Create policy group.
5. From the open group window, right-click and select Add.
6. Enter the name for the new policy, type in an optional description if you like, and select OK.

Right-click options on a Policy Group

Open group
This option opens a window displaying the content (policies) of the group.
Adds a new policy to the group.
Rename
Changes the name of the policy. This does not affect the association of the policy with other objects.
Delete
Deletes the selected policy. If you delete a policy, all users connected to it have the restrictions defined in the deleted policy removed. You will be asked whether you want to permanently delete the policy; otherwise it is placed in Endpoint Encryption Deleted objects.
Allow explicit decrypt
Enables the Decrypt… option in the user's context menu (displayed when right-clicking a folder or file). This allows the user to manually decrypt files and folders. If a file or folder is encrypted according to a centrally set policy, the user cannot decrypt it: the option is visible but grayed out (inaccessible).
Enable padlock icon visibility
Adds padlock icons to the icons of encrypted files and folders.
Show About option on system tray menu
Enables the option in the system tray menu that opens a dialog about the current configuration of this instance of Endpoint Encryption for Files and Folders.
Show option for unloading all keys
The Unload keys option lets users close all the keys that have been opened to access data, thus securing (locking) the system.
NOTE: If the previous setting (Attempt logon with Endpoint Encryption for PC credentials) is enabled, the forced logon – if enabled – happens automatically.
CAUTION: For this option to work, the installation set must be created from the policy containing Disable forcing of logon on first boot.
The Endpoint Encryption user name and the Windows user name must be identical. It is recommended to use the Endpoint Encryption ActiveDirectory Connector to accomplish this. See Step 1 in the example scenario above.
Admin Level
The Endpoint Encryption Management Centre administration level applied to this policy. Only Administrators with an equal or higher level are able to change the settings.
2. Click the icon for File Extensions encryption.
3. Ensure the category Process Specific is selected.
4. Click the Add button to add a process name.
Figure 7: Process specific file extension encryption – Adding a process name
5. Enter the process name you want to enable the file extension encryption for.
NOTE: You must enter the process name including its .exe extension, for example notepad.exe.
8. Next you must add the file extensions to be encrypted by the listed processes. Mark the process name and click Add. A window appears asking you to enter file extensions for the process.
Figure 9: Process specific extension encryption – Adding extensions to a process
9. Enter the extension.
NOTE: The encryption key was selected in the previous steps. It is not possible to change the key in this window (Select is disabled).
Figure 10: Process specific extension encryption – Adding additional processes
Figure 11: Process specific extension encryption – Adding additional extensions
Figure 12: Process specific extension encryption – Example setup
To remove or edit a listed process or extension, highlight the object and then click the Remove or Edit button accordingly.
About Process Specific file extension encryption
Mix of keys and extensions
It is possible to add as many processes and extensions as you like.
Deleting extensions
Note that deleting a file extension does not initiate any decryption of files with that extension. To decrypt files encrypted by a file extension encryption policy, you must run a manual search-and-decrypt action using the corresponding context menu options from a client with Endpoint Encryption for Files and Folders installed.
[PROFILE] = the user's local user root directory, i.e. [SYSDRIVE:\Documents and Settings\{USER}]
You may also type the UNC path of any folder residing on a network share, or use a mapped drive letter to identify the folder to encrypt. You may also browse the network for folders, as it is mapped and viewed from the machine hosting your instance of the Endpoint Encryption Manager. Bear in mind that a drive letter is only meaningful where that mapping exists; the UNC path is the unambiguous form.
Edit
Lets you edit a selected folder encryption item from the list, e.g. change its encryption key.
The image below depicts an example configuration for folder encryption, containing both a local folder and network folders in various notations.
Figure 14: Folder encryption ‐ Example configuration
Considerations on folder encryption
McAfee recommends that you...
• Do not encrypt entire volumes and in particular the system volume.
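
As an added illustration (PowerShell written for this page, not part of the guide or of the product), the following function checks a list of folder-encryption entries written in the notations above against the recommendation just given: it flags entries that would cover an entire volume or the system volume, warns when a drive letter does not exist on the machine running the check, and resolves a mapped network drive to the UNC path it points to, since a mapped letter is only meaningful where that mapping exists. Placeholder tokens such as [PROFILE] are passed through untouched; the sample entries at the end are constructed for the example.

```powershell
# Added example, not from the McAfee guide: sanity-check folder-encryption policy
# entries before assigning them. Runs on Windows PowerShell 2.0 or later.

function Test-FolderPolicyEntry {
    param([Parameter(Mandatory = $true)][string]$Entry)

    $result = New-Object PSObject -Property @{
        Entry    = $Entry
        Resolved = $Entry
        Warnings = @()
    }

    # Placeholders such as [PROFILE] or [SYSDRIVE:\...] are expanded by the client; leave them alone.
    if ($Entry -match '^\[[A-Z]+(\]|:)') { return $result }

    # UNC notation: \\server\share or \\server\share\folder
    if ($Entry -match '^\\\\([^\\]+)\\([^\\]+)(\\.*)?$') {
        if (-not $Matches[3] -or $Matches[3] -eq '\') {
            $result.Warnings += 'Entry covers an entire share'
        }
        return $result
    }

    # Drive-letter notation: X: or X:\folder
    if ($Entry -match '^([A-Za-z]):(\\.*)?$') {
        $letter = $Matches[1].ToUpper() + ':'
        $rest   = $Matches[2]
        $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID = '$letter'"

        if (-not $disk) {
            $result.Warnings += 'Drive letter not present on this machine; prefer the UNC path for network folders'
        } elseif ($disk.DriveType -eq 4 -and $disk.ProviderName) {
            # Mapped network drive (DriveType 4): record the UNC path so the entry does
            # not depend on the same letter being mapped on every client.
            $result.Resolved = $disk.ProviderName + $rest
        }
        if (-not $rest -or $rest -eq '\') {
            $result.Warnings += 'Entry covers an entire volume'
            if ($letter -eq $env:SystemDrive.ToUpper()) {
                $result.Warnings += 'Entry covers the system volume'
            }
        }
        return $result
    }

    $result.Warnings += 'Unrecognised notation'
    return $result
}

# Constructed sample entries, mixing the notations the guide accepts
$samples = @('[PROFILE]\My Documents', 'C:\', 'C:\Finance', 'H:\Projects', '\\fileserver\confidential\board')
$samples |
    ForEach-Object { Test-FolderPolicyEntry $_ } |
    Select-Object Entry, Resolved, @{ n = 'Warnings'; e = { $_.Warnings -join '; ' } } |
    Format-Table -AutoSize
```

Run it on the Manager host, where the mapped drives used while browsing exist, and carry the Resolved column rather than the drive letter into the policy.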
When encrypting large folders on a network share through a policy, it is strongly recommended to tune the network encryption intensity. The following values are recommended:
• I/O Utilization: 20% (set in the Encryption options policy section)
• Bandwidth limit: 100 KB/sec (set in the Network policy section)
• Network latency: 600 ms.
If the Make all removable media plaintext option (see below) is enabled, any existing encrypted file on inserted removable media is decrypted, provided the user has access to the proper encryption key.
Ignore existing content on media
This option is disabled by default, which means that files already present on attached removable media are encrypted as well; enable it to leave existing content as it is.
• Command prompt file operations (copy *, move *)
• Files being created directly on removable media, e.g. when doing Save on a file from within the application directly to the media
• CD/DVD burning
When enabled, the user is asked what password to use. Unless the sub-option (see below) is enabled, the conversion happens automatically with no other user intervention than asking for the password to use.
You will find the DeviceID of a device by looking in the Windows Device Manager on a machine where the device is attached. The picture below shows an example of where to find the DeviceID.
Figure 16: Finding the DeviceID for a removable media device
By looking at the Properties of a particular device and its Details tab, the DeviceID may be found. First ensure the correct item is selected from the drop-down menu.
Figure 17: Identifying the DeviceID for a removable media device
To add exemptions to the list, click the Add button and enter the DeviceID of the removable media device that should be exempt.
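
As an added example (PowerShell written for this page, not a McAfee tool), the following script serves two passages of this guide: it applies the removable-media definition given in the Client Software chapter (a lettered drive that is not a network drive and reports itself as removable, which Windows exposes as Win32_LogicalDisk DriveType 2) and, for each such drive, walks the WMI associations from the logical drive through its partition to the physical disk to print the PNPDeviceID that Device Manager shows as the Device Instance ID in the Details tab described above. That this instance ID is the string the exemption list expects is an assumption of the example; compare it with the value in the Details tab before relying on it. A second function lists USB disks that present themselves as fixed, which the definition does not cover.

```powershell
# Added example, not from the McAfee guide: find the DeviceID of attached removable
# media and show which attached USB disks fall outside the product's definition.
# Runs on Windows PowerShell 2.0 or later with WMI; works against remote machines too.

function Get-RemovableMediaDeviceId {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # DriveType 2 = "Removable Disk": has a drive letter, is not a network drive
    # (DriveType 4) and reports itself as removable, i.e. the guide's definition.
    $disks = Get-WmiObject -ComputerName $ComputerName -Class Win32_LogicalDisk -Filter "DriveType = 2"
    foreach ($disk in $disks) {
        $partQuery = "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$($disk.DeviceID)'} " +
                     "WHERE AssocClass = Win32_LogicalDiskToPartition"
        $partitions = @(Get-WmiObject -ComputerName $ComputerName -Query $partQuery)

        if ($partitions.Count -eq 0) {
            # Floppy and MO drives have no Win32_DiskDrive behind them, so no PNPDeviceID is reachable this way
            New-Object PSObject -Property @{
                Drive = $disk.DeviceID; Model = '(no disk object, e.g. floppy)'; Interface = $null; DeviceID = $null
            }
            continue
        }
        foreach ($part in $partitions) {
            $driveQuery = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} " +
                          "WHERE AssocClass = Win32_DiskDriveToDiskPartition"
            foreach ($drive in Get-WmiObject -ComputerName $ComputerName -Query $driveQuery) {
                New-Object PSObject -Property @{
                    Drive     = $disk.DeviceID
                    Model     = $drive.Model
                    Interface = $drive.InterfaceType
                    DeviceID  = $drive.PNPDeviceID   # e.g. USBSTOR\DISK&VEN_...&PROD_...&REV_...\<serial>&0
                }
            }
        }
    }
}

function Get-UsbDisksReportedAsFixed {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # USB disks whose media type is not "Removable Media" get DriveType 3 (Local Disk) and are
    # therefore not treated as removable media by the policy; list them so they are not overlooked.
    Get-WmiObject -ComputerName $ComputerName -Class Win32_DiskDrive -Filter "InterfaceType = 'USB'" |
        Where-Object { $_.MediaType -ne 'Removable Media' } |
        Select-Object Model, MediaType, PNPDeviceID
}

Get-RemovableMediaDeviceId  | Format-Table Drive, Model, Interface, DeviceID -AutoSize
Get-UsbDisksReportedAsFixed | Format-Table -AutoSize
```

The second list is the practical caveat: an external USB hard disk that reports fixed media is neither encrypted by the removable-media policy nor exemptable through this list, so it has to be covered by folder or extension encryption instead.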
Changes to the list of exempted DeviceIDs are made using the Edit and Remove buttons accordingly.
About Removable Media encryption
Definition reminder
Note again the definition of removable media given above. In addition to this definition, floppy disk drives (FDD) and Magneto-Optical (MO) drives are supported.
Free space on media
When applying encryption to an FDD, the floppy must contain enough free disk space to encrypt the files.
About Multi-Session CDs/DVDs
The CD/DVD encryption feature supports burning of encrypted data to blank CDs/DVDs. Disks that already have plaintext data burnt to them cannot have encrypted files added; however, if the first burning was done with enforced encryption, files can be added in later burning sessions, upon which they are also encrypted with the same key originally used to encrypt the disk.
Automatic key loading/unloading
Enable inactivity timeout
If a user has successfully authenticated to an Endpoint Encryption for Files and Folders key, there is no need to authenticate again when the key is needed next. As long as the key is active (performing encryption/decryption), it remains available to the Endpoint Encryption for Files and Folders Driver.
Allow user local keys
Marking this box prepares the Endpoint Encryption for Files and Folders client to work with user local keys. As soon as this option is enabled, a recovery key must be selected. It is not possible to enable this option without selecting a proper recovery key.
Allow import of user local keys
This option allows users to import keys that have been created with Endpoint Encryption for Files and Folders by other users, i.e. to share keys with other users who have local key management enabled. There are no restrictions on import: users may well import encryption keys from external users who also use Endpoint Encryption for Files and Folders with local user key management, so the administrator has no control over where an imported key came from.
With this option, the original time values are restored (preserved) after encryption and decryption, e.g. the Last Modified time is reset to when the file was truly last modified, i.e. by a user. The default setting is enabled.
If you want to enforce removable media encryption on floppy disk drives, setting this value to 80% significantly improves removable media encryption enforcement on these devices. However, if you want to encrypt large folders on a network share, it is recommended to set this value to 20–30%.
Blocked Processes
With this feature, it is possible to exclude certain applications from access to encrypted data.
The main purpose of process blocking is to prevent encrypted data from being unintentionally exposed in plaintext. A blocked process does not get plaintext access to encrypted data through the Endpoint Encryption for Files and Folders encryption engine. One example is preventing encrypted data from being uploaded to external FTP sites: by blocking the FTP process, the user cannot upload the data in plaintext to an FTP server. Note that the block is keyed on the process name, so it guards against unintentional exposure rather than deliberate evasion.
didn't halt. In addition, encrypted files are scanned later whenever they are accessed by the user and the encryption keys are available to decrypt the data.
Figure 22: List of Key Request Exclusions
To add a Key Request Exclusion, click the Add button and enter the process name of the exclusion.
Figure 23: Adding a Key Request Exclusion
To edit the name of a Key Request Exclusion, click the Edit button.
Enable network encryption
This tick box switches network encryption on/off. If unchecked, no encryption is done on network shares, regardless of any other encryption settings made for the network. Also, content copied, moved or created directly on network drives is not encrypted. The default setting is enabled. Changes to this setting require the client machine to reboot after the policy update in order for the change to take effect.
Encryption keys

About Encryption keys

Encryption keys are general-purpose objects which Endpoint Encryption applications can use to encrypt information; for example, Endpoint Encryption for Files and Folders uses Key objects to protect files and folders on the network, on removable media and on user hard disks.
Encryption key administration functions
You create and manage the Endpoint Encryption for Files and Folders keys from the Endpoint Encryption Manager.
7. Select the algorithm to be used by the key from the drop-down menu. The recommendation is to use the Endpoint Encryption FIPS 140-2 certified implementation of the AES algorithm with a key length of 256 bits.
8. When finished, select OK to create the encryption key.
Right-click options on an Encryption Keys Group
Open group
Opens a window displaying the content (keys) of the group.
Rename group
Changes the name of the Keys Group.
Delete key
Deletes the selected encryption key. If you delete a key, the users and policies that reference it lose access to it, so data encrypted with that key can no longer be opened unless the key is restored. You will be prompted whether you want to permanently delete the key; otherwise it is placed within Endpoint Encryption Deleted objects rather than destroyed. See the Endpoint Encryption Manager Administration Guide for additional details on deleting objects.
Group
This dialog presents information about the Keys group. You may type a description for the group in the field. Click Apply to save any changes.
Validity
This dialog sets the validity parameters for the keys within the group.
Figure 25: Validity settings for an Encryption Keys group
Key is enabled
This option enables/disables the keys within the group. Disabled keys cannot be retrieved by users and thus cannot be used to encrypt/decrypt data.
copy of the key. If the key could be obtained from the Database, the local copy may be installed or updated at the same time. If the user's credentials are not correct, no keys are released.
Remove from cache after...
Causes a locally cached copy of a key to be wiped from the local key cache after a certain number of days of disconnection.
user that is assigned to the key, then that group or user can no longer manage the key. Be extra cautious if this is the only object assigned to the key; otherwise the key may become impossible to manage. Such a situation cannot be resolved. Also be very cautious when permanently deleting users. Make sure that users who are permanently deleted are not the only persons assigned to any encryption key.
Users
See the Users section of this Guide for details on this dialog.
Assigning and Updating Policies

Assigning policies

Once you have created encryption policies, they must be assigned to users and user groups in order to take effect. Encryption policies are assigned to users and user groups (typically the latter) through the Endpoint Encryption Manager. If you have created your Endpoint Encryption for Files and Folders policies wisely, i.e.
NOTE: You can only assign one policy of each type to a user group or user, i.e. a user cannot have two different Endpoint Encryption for Files and Folders policies applied. Once the policy has been assigned to the user object, users may retrieve the policy.
Creating an Install Package

About Install Packages

Endpoint Encryption for Files and Folders is installed by running a special archive file created from the Endpoint Encryption Manager. This archive file contains all the components necessary to install the Endpoint Encryption for Files and Folders client. The Endpoint Encryption Manager compresses the files needed into a single self-contained executable for ease of management.
installation set and thus applied without the user having to log on to the Endpoint Encryption database.
Install set save location and program directory
Specify the location where you want to save the installation set, and then select the program folder on the client machine that Endpoint Encryption for Files and Folders will be installed to.
Uninstall password
This line allows you to set an uninstall password for the Endpoint Encryption for Files and Folders client.
Figure 28: Creating an Install Set
After the install file has been run on a client machine and the machine restarted, it immediately connects back to the Endpoint Encryption Server(s). When the user has logged into Windows, the Endpoint Encryption for Files and Folders authentication dialog can be set to appear – a so-called forced logon. This mandatory logon is subject to a policy setting; see the General section of this guide for details.
Installing Endpoint Encryption for Files and Folders client

Supported platforms
• Windows 2000 Workstation SP4 with Update Rollup 1
• Windows XP SP2
• Windows Vista

Minimum Windows Update requirements
Windows 2000:
• SP4
• KB891861 (Update Rollup 1 for Windows 2000 SP4)
• KB922582
Windows XP:
• SP2 with KB922582, or SP3
Windows Server 2003:
• SP1 with KB922582, KB930184, KB922529 and KB910048, or SP2

NOTE: The Endpoint Encryption for Files and Folders
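
As an added example (PowerShell written for this page, not a McAfee tool), the following function checks a target machine against the platform and update requirements listed above before the install set is pushed to it. The requirement table is transcribed from that list; treating the "or SP3" / "or SP2" entries as a later service pack that supersedes the individual hotfixes, and matching the operating system by substring of its WMI caption, are assumptions of the example. It needs Windows PowerShell 2.0 or later on the machine running the check and WMI access to the target.

```powershell
# Added example, not from the McAfee guide: verify a client meets the supported
# platform and Windows Update requirements before deploying the install set.

$EeffRequirements = @(
    @{ Match = '*Windows 2000*'; MinSP = 4; KBs = @('KB891861', 'KB922582'); SupersedingSP = $null }
    @{ Match = '*Windows XP*';   MinSP = 2; KBs = @('KB922582');             SupersedingSP = 3 }
    @{ Match = '*Server 2003*';  MinSP = 1; KBs = @('KB922582', 'KB930184', 'KB922529', 'KB910048'); SupersedingSP = 2 }
    @{ Match = '*Vista*';        MinSP = 0; KBs = @();                       SupersedingSP = $null }
)

function Test-EeffPrerequisites {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $req = $EeffRequirements | Where-Object { $os.Caption -like $_.Match } | Select-Object -First 1
    $missing = @()

    if (-not $req) {
        $missing += "unsupported platform: $($os.Caption)"
    } else {
        $sp = [int]$os.ServicePackMajorVersion
        if ($req.SupersedingSP -and $sp -ge $req.SupersedingSP) {
            # A later service pack already contains the listed hotfixes ("or SPx" in the list above)
        } elseif ($sp -lt $req.MinSP) {
            $missing += "SP$($req.MinSP)"
        } elseif ($req.KBs.Count -gt 0) {
            # Get-HotFix reads Win32_QuickFixEngineering; hotfix IDs are reported as "KBnnnnnn"
            $installed = Get-HotFix -ComputerName $ComputerName | ForEach-Object { $_.HotFixID }
            $missing  += @($req.KBs | Where-Object { $installed -notcontains $_ })
        }
    }

    New-Object PSObject -Property @{
        Computer    = $ComputerName
        OS          = $os.Caption
        ServicePack = $os.ServicePackMajorVersion
        Ready       = ($missing.Count -eq 0)
        Missing     = ($missing -join ', ')
    }
}

Test-EeffPrerequisites | Format-List
```

Run it from the distribution server against each target (`Test-EeffPrerequisites -ComputerName <host>`) and hold back the install set wherever Ready is False; a client that fails the driver prerequisites will not reach the forced logon described above.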
3. Execute the Install Package created by the Endpoint Encryption administrator on the target computer. This installs and enables Endpoint Encryption for Files and Folders. Note that you may distribute the client using any software distribution tool, such as Microsoft® Systems Management Server™ (SMS) or Novell® ZENworks™.
4. Endpoint Encryption for Files and Folders requires the client computer to restart before the client will launch.
If you know precisely which file(s) have changed for a particular upgrade, you may upgrade the file(s) individually.
1. Open the Endpoint Encryption for Files and Folders client files and identify the file(s) you want to upgrade.
2. Right-click the file to upgrade and select Upgrade.
3. Then locate the corresponding upgraded file in your Endpoint Encryption Manager program directory, subdirectory [McAfee\Endpoint Encryption for Files&Folders], and finish the upgrade.
8. In the search dialog that opens, browse to the system directory where you have installed the Endpoint Encryption files from the Installation CD.
9. Locate the file called SbCeFiles.ini in the SYSDRIVE:\Program Files\SBAdmin directory.
10. Open the file and verify in the Endpoint Encryption Manager log at the bottom of the Admin interface that the files are imported into your new file group.
11.
Endpoint Encryption for Files and Folders authentication. If there is no connection to the Endpoint Encryption Server, the policy cannot be updated.
Uninstalling Endpoint Encryption for Files and Folders
To remove Endpoint Encryption for Files and Folders:
1. Ensure that a user with the context menu options Decrypt and Search encrypted… logs on (Endpoint Encryption for Files and Folders Synchronize) to the computer.
Also, when uninstalling from a Windows Vista system, a (hidden) directory is left behind on the client: [SYSDRIVE:\ProgramData\McAfee]. Though it does not cause any system disturbance, this folder has to be deleted manually.
Installing Endpoint Encryption Manager
To install Endpoint Encryption Manager:
1. Run Setup.exe from your Installation CD or install media.
Endpoint Encryption for Files and Folders client

This chapter describes the client side of Endpoint Encryption for Files and Folders and the available options.
System tray icon
When Endpoint Encryption for Files and Folders is installed, you will notice a new icon in the system tray – the Endpoint Encryption for Files and Folders application icon:
Figure 29: Endpoint Encryption product icon
This icon is the same for all Endpoint Encryption products.
About Endpoint Encryption for Files and Folders
This option opens a dialog with information about this installation of Endpoint Encryption for Files and Folders.
Unload all keys
This option clears all currently open keys from memory. The next time encrypted data is accessed, the user is prompted to authenticate.
Local user key management options
See the Local user key management options section for details regarding these options.
User Web Recovery is used, the questions entered by the user at the time of Web Recovery registration are presented. Identification information such as department, cell phone number, manager etc. may be imported into the Endpoint Encryption database from external LDAP systems, e.g. Microsoft Active Directory.
For more information about setting up and configuring Endpoint Encryption Web Recovery, see the Endpoint Encryption Manager Administration Guide, chapter about Web Recovery.
Show status
This entry opens a dialog presenting the ongoing activities in the Endpoint Encryption for Files and Folders client.
Synchronize
Synchronizing Endpoint Encryption for Files and Folders triggers an authentication to the Endpoint Encryption database. Upon synchronization, the user's policy is updated to reflect any changes in the Endpoint Encryption database. Also, all encryption key assignments and settings are updated; for example, the user may have had access to a certain encryption key revoked.
Create Local Key…
Starts the encryption key creation wizard. Keys may be stored either on the user's local hard disk or on a removable unit, e.g. a USB flash memory stick. The encryption keys are stored in key stores that are protected either by a password or by a user digital certificate. The creation wizard allows the user to select the storage location and protection method; these selections cannot be policy controlled.
In order to complete the import, the transport password must be entered. Also, the user must authenticate to the key store in which the imported key shall be saved, or alternatively create a new key store. This authentication has to be done even if keys from the key store are currently loaded in the client.
Rename Local Key…
Starts the wizard that allows the user to rename a local key.
Figure 34: Endpoint Encryption for Files and Folders – Context menu options
Encrypt…
If enabled for the user, this option encrypts the folder or file that is right-clicked. A dialog opens when selecting this operation, where the user may select what key shall be used to encrypt the object.
Figure 35: Endpoint Encryption for Files and Folders – Encryption key selection
NOTE: If the folder/file is already encrypted (e.g.
If the folder/file is encrypted (e.g. according to a policy), the user cannot decrypt it. This is also reflected in the Decrypt context menu option being unavailable (grayed out), even if allowed in the policy. Depending on the amount of data to decrypt, a bar may show the progress of the decryption. At the end of the decryption, a dialog is presented telling the result of the decryption.
This operation is very helpful before uninstalling Endpoint Encryption for Files and Folders from a computer. As no data is decrypted when uninstalling the client, any encrypted data must first be decrypted. To find this data, the Search encrypted… function is the tool to use.
Figure 38: Entering encryption password for self-extracting file
In essence, only the password used to encrypt the self-extracting file needs to be entered. As an option, the user may specify where to save the self-extracting file. The default location is the same as the location of the source file/folder. Also, the user may change the name of the self-extracting file. By default, the self-extracting file is named as its source file/folder with the *.
The self-extractor is packaged into a *.cab file, as these are widely recognized in most computer environments and the likelihood of passing e-mail virus scanners increases. Otherwise, the plain *.exe is most likely to be blocked. However, proactive e-mail virus scanners may very well block the *.cab file as well, as they detect an *.exe hidden in the cabinet file. Thus, it may happen that e-mails sent with *.cab self-extractor attachments are blocked.
By default, the open-close-wipe option is selected. If the Extract option is selected instead, the user may select where to permanently save the unpacked and decrypted Self-Extractor. The user may browse for a suitable location with the Browse button.
Figure 42: Selecting storage location for the unpacked Self-Extractor
Self-Extractors may be read on any computer running Windows 2000 and later.
CAUTION: Please observe the following regarding this option: First, in order to have Encrypt and E-mail… available in the context menu, it must first be enabled in the user’s policy. Second, this option will only be visible when right-clicking a file, i.e. unlike the Self-Extractors, not on folders.
The following is a step-by-step instruction for the user on how to send a document as an encrypted e-mail attachment.
Identifying encrypted files and folders
Figure 43: Endpoint Encryption for Files and Folders – Identify Encrypted Files
Endpoint Encryption for Files and Folders can add a padlock icon to the file icon of encrypted files and folders. This is an optional policy setting, Enable padlock icon visibility. You can find out more about Endpoint Encryption for Files and Folders policies in the Endpoint Encryption for Files and Folders Policies chapter of this guide.
Accessing encrypted files
Figure 44: Endpoint Encryption for Files and Folders authentication
To access encrypted information, users simply open the files as they would normally. If the files are encrypted, users will be presented with an Endpoint Encryption for Files and Folders authentication screen as above.
The .cekey file
When encrypting folders, either manually using the Encrypt option or automatically following a centrally defined folder encryption policy, a small file named .cekey is written to the folder. This file basically only contains information about which key shall be used to encrypt the files stored in that particular folder. It contains the KeyID, not the key itself.
Follow target
When a file that is encrypted with key A, for example, is moved to a folder where files are encrypted with key B, the file encrypted with key A will immediately be re-encrypted with key B. This behavior, known as follow-target encryption, requires that the user (process) transferring the file has access to both key A and key B, since the file is first decrypted (with key A) and then instantly re-encrypted (with key B).
[Options.Logon]
Manual.ShowFailedRemoteConnect=Yes
RequestKey.ShowFailedRemoteConnect=Yes
The first entry, Manual.ShowFailedRemoteConnect, controls the result message display when the authentication was initiated through a manual Synchronize by the user. A parameter of “No” will display no message. The second entry RequestKey.
8. Browse for the SbC4.INI file from step (4) and finish the import.
9. Create and deploy a new Endpoint Encryption for Files and Folders Installation Set. This Install Set will now contain a SbC4.INI file with the settings needed to show the authentication result dialog. Likewise, any file/software distribution tool may be used to deploy this individual SbC4.
Utilities for Endpoint Encryption for Files and Folders
This chapter describes the various utilities that may be used together with Endpoint Encryption for Files and Folders.
Troubleshooting utilities
There are two tracing utilities that may be used for troubleshooting Endpoint Encryption for Files and Folders:
• SbCE.log
• sbceCoreTrace
The SbCE.
• Communication between the Endpoint Encryption for Files and Folders client and the database
• Token problems
• Key retrieval from database and key loading
• Send the log file to your McAfee representative for further analysis.
Kernel and User traces
Description
This utility contains two logging functions, tracing what happens in the User Mode and the Driver component of Endpoint Encryption for Files and Folders respectively.
2. SbCeShell -use_full_driver_trace
3. SbCeShell -enable_driver_trace <{complete path}\trace file name>
4. Perform the operation you want to log
5. SbCeShell -disable_driver_trace
6. SbCeShell -disable_user_mode_trace
Zip the two output files and send them to your McAfee representative for analysis. The output files are:
• the driver trace file specified in step 3, and
• the user mode trace file called TraceFile.
Figure 46: Windows dialog for mini-dump file
• In the section named Write debugging information, enable the dump file utility by selecting the appropriate dump file to be generated from the dropdown menu. There are three types of dump files that Windows can generate:
• Small memory dump
• Kernel memory dump
• Complete memory dump
Small memory dump
The Small memory dump often provides clues on what program module generated the error.
Complete memory dump
The Complete memory dump is the ideal dump from an error investigation perspective as it provides a complete dump of the system RAM. Thus, it will be equal in size to the RAM of the machine, i.e. very large on modern computers. All dump files can be compressed considerably. Please do this before sending them to your McAfee representative for further analysis.
Hanging applications
Open the Task Manager and identify the frozen process that needs to be monitored. Right-click the process and select Create dump from the context menu. This will generate a full memory dump file in the directory stated above.
Instructions/syntax - Windows XP
Crashing applications
Follow the Process crash instructions provided on the download site: http://www.microsoft.com/downloadS/details.
6. Wait until SBCECore.exe crashes. To know when this happens, look into the command prompt window. When it has crashed you should see a prompt looking like: 0:006>
7. Type the following five commands in the command prompt window and hit Enter between them (observe the dot at the beginning of logopen and logclose):
1) .logopen sbcedbgtrace.txt
2) g
3) kb
4) .logclose
5) q
8.
Where source must be a path to a file, either complete or relative, and destination must be either a path to an existing folder, either complete or relative, or a complete path to a non-existing destination file.
When to use it
This "blind copy" feature of SbCeShell is well suited for scripted back-up operations where the back-up shall stay encrypted and the back-up runs when the user is not present at the machine.
The Endpoint Encryption for Files and Folders Logon
The Forced Logon
When Endpoint Encryption for Files and Folders is installed on the client computer and the computer has restarted, the user logging on to Windows may be forced to perform an Endpoint Encryption for Files and Folders logon (authentication), depending on the corresponding policy setting. If forced, it means that the user cannot cancel or bypass it. The authentication dialog will persist.
[Options.Logon]
Manual.Force.UsePrivateDesktop=No
Manual.UsePrivateDesktop=No
RequestKey.UsePrivateDesktop=No
The first entry, Manual.Force.UsePrivateDesktop, controls the desktop switching when there is a forced logon after the first installation of Endpoint Encryption for Files and Folders. If the option is set to No, the logon dialog box will sit over your current desktop view.
[Options.Logon]
Manual.UsePrivateDesktop=No
RequestKey.UsePrivateDesktop=No
Manual.Force.UsePrivateDesktop=No
3. Save the changes and close the text editor.
4. Change the TXT extension to INI; ignore any system warning. The file created in step (1) shall now have the name SbC4.INI.
5. Open the Endpoint Encryption Manager and locate the Endpoint Encryption File Groups (System tab).
6.
Large-scale deployment considerations
This chapter briefly outlines some recommendations for large-scale deployments of Endpoint Encryption for Files and Folders. These are just general recommendations. For your particular environment additional recommendations may apply. Please consult your Endpoint Encryption representative if you have special considerations for your environment.
Make sure you have performed the name indexing before you start deploying your clients. The recommendation is to first deploy one single client and then perform a logon to the database. This single logon will initiate the name indexing, and after that the remaining clients can be deployed.
NOTE: Name indexing is not the same as database compression.
Tune encryption intensity for network
When encrypting large folders on a network share through a policy, it is strongly recommended to tune the network encryption intensity. The following values are advised:
• I/O Utilization: 30% (set in the Encryption options policy section)
• Bandwidth limit: 100 KB/sec (set in the Network policy section)
• Network latency: 600 ms.
Exclude Endpoint Encryption for Files and Folders client program directory
Irrespective of what antivirus solution is used on the clients, it is recommended to exclude the Endpoint Encryption for Files and Folders program directory from real-time antivirus scanning.
Tokens
This chapter addresses the different authentication tokens that are supported in Endpoint Encryption for Files and Folders.
Passwords
The most common authentication token is the user password. There are a number of password quality restrictions that can be imposed on the Endpoint Encryption user from the Endpoint Encryption Manager, e.g. minimum length, content, change intervals etc.
When properly configured, users can use the certificates on the supported USB authentication tokens to authenticate to Endpoint Encryption for Files and Folders. However, you may want to consider using the Generic PKI token instead when working with certificate-based authentication in Endpoint Encryption for Files and Folders; see more below.
Without certificates
The USB authentication tokens can also be used without digital certificates.
Also, for smart cards with certificates, you may want to try the Generic PKI token module available. Please see the information below.
With certificates (PKI)
If user digital certificates are used for authentication, it requires the use of an Endpoint Encryption Connector that imports the user certificates into the Endpoint Encryption database from an external certificate repository and associates them with each Endpoint Encryption user accordingly.
Endpoint Encryption Connector Manager G2 for Active Directory is necessary. For documentation about the Endpoint Encryption Connector Manager, please contact your McAfee representative. Also, be mindful that the Generic PKI token only works with Endpoint Encryption for Files and Folders and not any other Endpoint Encryption product, e.g. Endpoint Encryption for PC. Please see the documentation for other Endpoint Encryption products regarding token support for each.
SbTokCSP.INI file must be done before creating any installation sets for Endpoint Encryption for Files and Folders clients that shall use the Generic PKI token.
Installation steps
• When first installing the Endpoint Encryption central components, ensure that you select the TOKEN: Generic PKI (CSP) Token files file group when selecting the tokens to be supported in the Endpoint Encryption database. Also make sure you select the Endpoint Encryption for Files and Folders files.
it in accordance with what CSP is supported, e.g. Generic PKI token files – Siemens, and import/replace the SbTokCSP.INI file. For a complete description of file group management within the Endpoint Encryption database, please consult the Endpoint Encryption Manager Administration Guide, available from your McAfee representative upon request.
• Then configure the Endpoint Encryption database for Endpoint Encryption for Files and Folders to match your security policy, i.e.
Endpoint Encryption for Files and Folders Configuration Files
Endpoint Encryption for Files and Folders uses several .INI files to maintain information about the configuration of various components. Some of the more important files are listed here.
SbErrors.ini
This file is used to increase the detail available in on-screen error messages. You can add further descriptions to errors by amending this file.
SbFeatur.
SBM.ini
This is the configuration file for Endpoint Encryption authentication tokens, readers and algorithms. Typically, this file is automatically generated and populated when selecting token and reader files during the creation of the Endpoint Encryption for Files and Folders installation set.
Endpoint Encryption for Files and Folders Program and Driver Files
EXE files
SBCESETUP
SBCESetup.exe is the core executable in Endpoint Encryption’s packaging mechanism. It is used as an exe stub for the install package, and also handles the uninstall process. Setup takes one parameter, -Uninstall, which prompts it to walk through sbfiles.lst, deleting files (or marking them for deletion if they are in use) and reversing registry settings.
SbCeProvider: Utilities for receiving and providing encryption keys to the other parts of the client.
SbDbMgr: Directory communication and access control support.
SbFile: Endpoint Encryption File Encryptor support.
SbFileDB: Directory driver for the standard Endpoint Encryption X500 type Object Directory.
SbGroup: Utilities for group management and support.
SbCeDriverCom: Utilities for controlling and running the kernel driver.
DesktopIntegration: Libraries for integration between Endpoint Encryption for Files and Folders and the Windows Explorer, e.g. drag-and-drop operations on encrypted files.
SbCePolicyEnforcer: Libraries for the enforcement of encryption policies.
Install: Libraries used when installing the client.
KeyGenerator: Libraries for generation of user local encryption keys.
NotificationManager: Manages and responds to notification events. This library is located in the WINDOWS\System32 folder.
PolicyUpdateManager: Utilities for receiving and interpreting policy updates.
PostInstall: Utilities for post-installation operations.
RemovableMediaEnforcer: Libraries for the enforcement of removable media policies.
SbCeSelfExtractorStub: The libraries for the Self-Extractor functions.
SbCe-POLICIES: The default policy for an installation of Endpoint Encryption for Files and Folders before any policy has been retrieved and applied. If the client fails to connect to the Endpoint Encryption Server after the first restart after installation, then the content of this file will be applied (no privileges).
Error Messages
Please see the file sberrors.ini for more details of these error messages. You can also find more information on error messages on our web site, www.mcafee.com.
Module codes
The following codes can be used to identify from which Endpoint Encryption module the error message was generated.
[5c000008] A corrupt or unexpected message was received
[5c000009] Unable to load the Windows TCP/IP library (WSOCK32.
This may occur if an attempt is made to import large amounts of data into the database (e.g.
Choose a different database path
[db00000a] Unable to create the database
Check the path settings and make sure you have write access to the directory
[db00000b] Invalid database handle
[db00000c] The database is currently in use by another entity
You cannot delete a database while someone is using it
[db00000d] Unable to initialize the database
[db00000e] User aborted
[db00000f] Memory access violation
[db000010] Invalid string
[db000011] No default group has been defined
[db000012] The grou
This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint Encryption status from the right-click menu of the Endpoint Encryption task bar icon.
[db00001f] Endpoint Encryption is still installed on this machine
[db000020] Buffer too small
[db000021] The requested function is not supported
[db000022] Unable to update the boot sector
The disk may be in use by another application or Explorer itself.
The object has been deleted from the database
[db010011] License has been exceeded for this object type
Check that your licenses are still valid and if not obtain further licenses if necessary
[db010012] No more object IDs are available for this type of object
You have run out of object IDs
[db010013] Remove Error - Can't Remove Object
The object is locked, or no longer exists.
[db010014] Object Not Removed
You are trying to restore an object which has not been deleted.
Installer program errors
[15000001] Memory Error
[15000002] No EXE Stub
[15000003] Error reading EXE Stub
[15000004] Error Creating File
[15000005] Error Writing File
[15000006] Error Opening File
[15000007] Error Reading File
[15000008] Invalid File
[15000009] No More Files
[1500000a] Block Data Too Large
[1500000b] Decompress Failed
[1500000c] Unsupported Computation
[1500000d] Install Error
[1500000e] Error Creating Temp Directory
Technical Specifications and Options
Language Support
Endpoint Encryption Manager: American English, International English, Dutch, German, Italian, Japanese, Korean, Swedish
Endpoint Encryption for Files and Folders Client: American English, International English, Dutch, German, Japanese, Swedish, Czech, French
System Requirements
Documentation that discusses appropriate hardware for typical installations of Endpoint Encryption is available from your McAfee representati
Endpoint Encryption for Files and Folders Client
• Windows 2000 SP4 with RollUp1, XP SP2, Vista SP1. Please see section Installing Endpoint Encryption for Files and Folders client for additional client OS requirements.
• 256 MB RAM
• 5 MB free hard disk space
• Pentium compatible processor
• TCP/IP network connection
Encryption Algorithms
Endpoint Encryption supports many custom algorithms.
DoD 5220.22-M National Industrial Security Program Operating Manual (NISPOM), January 1995, Department of Defense & Central Intelligence Agency, U.S. Government Printing Office. ISBN 0-16-045560-X.
Appendix
Making Endpoint Encryption for Files and Folders FIPS Compliant
The following procedures must be followed to operate the McAfee Endpoint Encryption for Files and Folders cryptographic module in a FIPS Approved mode:
1. McAfee Endpoint Encryption for Files and Folders must be installed using a FIPS approved algorithm. The validated version of McAfee Endpoint Encryption for Files and Folders presents AES-256 as the only option for the encryption algorithm.
FIPS mode registry script
The following needs to be saved to a text file with the extension “.
"Path"="c:\\program files\\safeboot content encryption\\SbAlgs\\SbAlg00.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\10]
"Path"="c:\\program files\\safeboot content encryption\\SbAlgs\\SbAlg01.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\11]
"Path"="c:\\program files\\safeboot content encryption\\SbAlgs\\SbAlg11.
Encryption\Verifier\21]
"Path"="c:\\program files\\safeboot content encryption\\SbCeDesktopIntegration.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\22]
"Path"="c:\\windows\\system32\\drivers\\SbCe.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\23]
"Path"="c:\\windows\\system32\\drivers\\SbCeCd.
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\33]
"Path"="c:\\program files\\safeboot content encryption\\SbCeProxy.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\34]
"Path"="c:\\program files\\safeboot content encryption\\SbCePostInstall.
"Path"="c:\\program files\\safeboot content encryption\\SbCmaCe.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\9]
"Path"="c:\\program files\\safeboot content encryption\\SbAlgs\\SbAlg00.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\10]
"Path"="c:\\program files\\safeboot content encryption\\SbAlgs\\SbAlg01.
Encryption\Verifier\20]
"Path"="c:\\program files\\safeboot content encryption\\SbCeCoreService.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\21]
"Path"="c:\\program files\\safeboot content encryption\\SbCeDesktopIntegration.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\22]
"Path"="c:\\windows\\system32\\drivers\\SbCe.
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\32]
"Path"="c:\\program files\\safeboot content encryption\\SbCeShell.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\33]
"Path"="c:\\program files\\safeboot content encryption\\SbCeProxy.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\34]
"Path"="c:\\program files\\safeboot content encryption\\SbCePostInstall.
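As an added example (not code from the guide or from McAfee), the following Python script parses a Verifier registry script in the layout shown above and reports entries that should be questioned before the script is imported: module paths outside the product directories, duplicate modules, and expected modules that are missing. The sample .reg text, the allowed directory list and the expected-module set are constructed for illustration.

```python
"""Sanity-check a FIPS-mode Verifier registry script before it is imported.

Added example, not part of the McAfee guide or product: it parses .reg text in
the layout of the script above and flags entries a reviewer should question.
"""
import re

VERIFIER_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International"
                r"\SafeBoot Content Encryption\Verifier")
KEY_RE = re.compile(r"^\[" + re.escape(VERIFIER_KEY) + r"\\(\d+)\]$")
PATH_RE = re.compile(r'^"Path"="(.*)"$')

# Directories the guide's script points into (compared case-insensitively).
ALLOWED_DIRS = (
    "c:\\program files\\safeboot content encryption\\",
    "c:\\windows\\system32\\drivers\\",
)
# Modules every script should list. Assumption for illustration, taken from
# the entries visible in the guide; not a McAfee-defined minimum.
EXPECTED_MODULES = {"sbce.sys", "sbcecoreservice.exe", "sbalg00.dll"}

# Constructed excerpt: entries from the guide plus one deliberately
# misplaced entry (Verifier\99) to show what the check reports.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\9]
"Path"="c:\\program files\\safeboot content encryption\\SbAlgs\\SbAlg00.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\20]
"Path"="c:\\program files\\safeboot content encryption\\SbCeCoreService.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\22]
"Path"="c:\\windows\\system32\\drivers\\SbCe.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\33]
"Path"="c:\\program files\\safeboot content encryption\\SbCeProxy.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\99]
"Path"="c:\\users\\public\\SbAlg00.dll"
'''


def unescape_reg_string(value: str) -> str:
    """Undo .reg string escaping (a backslash escapes the next character)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_verifier_entries(reg_text: str) -> dict:
    """Map Verifier index -> module path for every Verifier\\<n> key."""
    entries, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = int(key.group(1))
            continue
        if line.startswith("["):
            current = None  # some other key; its values are not ours
            continue
        path = PATH_RE.match(line)
        if path and current is not None:
            entries[current] = unescape_reg_string(path.group(1))
    return entries


def check_entries(entries: dict) -> list:
    """Return findings as strings; an empty list means the script looks sane."""
    findings, seen = [], {}
    for index in sorted(entries):
        path = entries[index]
        lower = path.lower()
        if not lower.startswith(ALLOWED_DIRS):
            findings.append(f"Verifier\\{index}: outside product directories: {path}")
        if not lower.endswith((".dll", ".exe", ".sys", ".com")):
            findings.append(f"Verifier\\{index}: not a module file: {path}")
        if lower in seen:
            findings.append(f"Verifier\\{index}: duplicates Verifier\\{seen[lower]}")
        seen[lower] = index
    listed = {p.lower().rsplit("\\", 1)[-1] for p in entries.values()}
    for module in sorted(EXPECTED_MODULES - listed):
        findings.append(f"expected module not listed: {module}")
    return findings


if __name__ == "__main__":
    for finding in check_entries(parse_verifier_entries(SAMPLE_REG)) or ["no findings"]:
        print(finding)
```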