
Page 1: Endpoint Encryption Manager Administration Guide

McAfee® Endpoint Encryption Manager

Administration Guide

Version 5.2.5

McAfee, Inc.
McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA
Tel: (+1) 888.847.8766

For more information regarding local McAfee representatives please contact your local McAfee office, or visit: www.mcafee.com

Document: Endpoint Encryption Manager Administration Guide. Last updated: Tuesday, 30 March 2010

Copyright (c) 1992-2010 McAfee, Inc., and/or its affiliates. All rights reserved.

McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein are included by reference only and are the sole property of their respective owners.

Contents

Preface ... 6
  About this guide ... 6
  Audience ... 6
  Conventions ... 7
  Related Documentation ... 7
  Acknowledgements ... 7
  Contacting Technical Support ... 7
Introduction ... 8
  Why Endpoint Encryption? ... 8
  Design Philosophy ... 8
  How Endpoint Encryption Solutions Work ... 8
  Objects, Entities, and Attributes explained ... 9
  The Endpoint Encryption Components ... 10
Installing Endpoint Encryption Manager ... 14
  Upgrading the Endpoint Encryption Manager ... 14
Endpoint Encryption Manager Interface ... 15
  Administration Level ... 15
  Starting Endpoint Encryption Manager ... 16
  Groups of Users, Machines and other Objects ... 16
  Audit Trails ... 18
The Endpoint Encryption Object Directory ... 19
  The Object Directory Structure ... 19
  Object locking ... 20
Creating and Configuring Users ... 21
  User Administration Functions ... 22
  User configuration Options ... 23
  Setting User Administrative Privileges ... 35
  Some Example Administration Structures ... 36
Tokens ... 38
File Groups and Management ... 40
  Setting file group functions ... 41
  Importing new files ... 41
  Exporting Files ... 41
  Deleting Files ... 41
  Setting File Properties ... 41
Auditing ... 44
  Introduction ... 44
  Common Audit Events ... 44
Managing Object Directories ... 49
  Managing Connections ... 49
  Adding a new directory connection ... 49
Endpoint Encryption Server ... 51
  Installing the Endpoint Encryption Server Program ... 51
  Creating a new Server ... 51
  Starting The Endpoint Encryption Server for the first Time ... 52
  Server Configuration ... 53
  Starting the Endpoint Encryption Server as a Service ... 53
  Using Server / Client Authentication ... 53
  Connecting to a new Endpoint Encryption Server ... 54
  Checking a Server's Status Remotely ... 54
  Using Restricted User ID's for Servers ... 54
Keys ... 56
  About Keys ... 56
  Key Administration Functions ... 56
  Key Configuration Options ... 57
Policies ... 59
  About Policies ... 59
  Policy Administration Functions ... 59
  Assigning a policy object to a user ... 60
  Assigning a policy object to a machine ... 60
Endpoint Encryption Connector Manager ... 62
  Adding and Removing Connector Instances ... 62
NT Connector (NTCon) ... 64
  Summary of connected attributes ... 64
  General Options ... 65
  Group Mappings ... 65
  User Information ... 66
LDAP Connector (LDAPCon) ... 67
  Summary of connected attributes ... 67
  General Options ... 68
  Group Mappings ... 70
  Using Binary Data Attributes ... 74
  LDAP Browser from Softerra ... 74
Active Directory Connector (ADCon) ... 76
  Summary of connected attributes ... 76
  General Options ... 77
  Group Mapping ... 80
  User Information ... 82
Endpoint Encryption webHelpdesk Server ... 86
  About Endpoint Encryption HTTP Server ... 86
  webRecovery ... 86
  Remote Password Change ... 87
  Pre-Requisites ... 87
  Password Expiration Warning ... 88
Activating Endpoint Encryption webHelpdesk ... 89
  Installing a SSL Certificate ... 89
  Configuring the webHelpdesk Server ... 90
  Configuring webRecovery ... 92
Recovering Users using webHelpdesk ... 93
  With Challenge-Response ... 93
  By Directly Changing their Password ... 95
User self recovery - webRecovery ... 96
  Registering for webRecovery ... 96
  Recovery using webRecovery ... 98
License Management ... 101
Common Criteria EAL4 Mode Operation ... 103
  Algorithm Certificate Numbers ... 104
Tuning the Object Directory ... 106
  The Name Index ... 106
  About Name Indexing ... 106
  Enabling and Configuring Name Indexing ... 106
  Enabling Directory Compression ... 107
Endpoint Encryption Configuration Files ... 109
  sbnewdb.ini ... 109
  sberrors.ini ... 109
  sbhelp.ini ... 109
  sbadmin.ini ... 109
  sbfeatur.ini ... 109
  sbfiledb.ini ... 109
  dbcfg.ini ... 109
  sdmcfg.ini ... 110
  SBServer.ini ... 111
  sbconmgr.ini ... 111
  Cmsettings.ini ... 112
  LDAPCon Manual Settings ... 112
  LDAPCon / ADCon Manual Settings ... 112
  SBHTTP.ini ... 112
  EXE Files ... 114
  DLL Files ... 114
  SYS Files ... 114
  srg files ... 114
Error Messages ... 115
  Module codes ... 115
  5501 Web Server Page Errors ... 116
  5502 Web Server User Web Recovery ... 117
  5C00 Communications Protocol ... 117
  5C02 Communications Cryptographic ... 119
  C100 Scripting Errors ... 120
  DB00 Database Errors ... 121
  DB01 Database Objects ... 124
  DB02 Database Attributes ... 125
  E000 Endpoint Encryption General ... 125
  E001 Tokens ... 125
  E012 Licences ... 127
  E013 Installer ... 127
  E014 Hashes ... 128
  E016 Administration Center ... 129
Technical Specifications and Options ... 130
  Encryption Algorithms ... 130
  Smart Card Readers ... 130
  Tokens ... 130
  Language Support ... 131
  System Requirements ... 131
Index ... 133

Preface

The team at McAfee is dedicated to providing you with the best in security for protecting data on personal computers. Applying the latest technology, deployment and management of users is enhanced using simple and structured administration controls.

The Endpoint Encryption Manager and associated products are designed to protect your mobile data on PCs, PDAs and across networks.

Through continued investment in technology and the inclusion of industry standards we are confident that our goal of keeping Endpoint Encryption at the forefront of data security will be achieved.

About this guide

This document will aid corporate security administrators in the correct implementation and deployment of the Endpoint Encryption Manager. Although this guide is complete in terms of setting up and managing Endpoint Encryption systems, it does not attempt to teach the topic of "Enterprise Security" as a whole.

Readers should refer to the Administration Guides for individual Endpoint Encryption products, such as Endpoint Encryption for PC, for specific information.

Audience

This guide was designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, is required.

For information about cryptography topics, readers are advised to consult the following publications:

Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Bruce Schneier, Pub. John Wiley & Sons; ISBN: 0471128457

Computer Security, Dieter Gollmann, Pub. John Wiley and Sons; ISBN: 0471978442

Security in Computing, Charles P. Pfleeger, Pub. Prentice Hall PTR; 3rd edition; ISBN: 0130355488

Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.
Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).
Italic: Emphasis or introduction of a new term; names of product manuals.
Blue: A web address (URL); a live link.
Note: Supplemental information; for example, an alternate method of executing the same command.
Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Related Documentation

The following materials are available from our web site, http://www.mcafee.com, and from your Endpoint Encryption Distributor:

• Endpoint Encryption Manager Administration Guide (this document)
• Endpoint Encryption for PC Administration Guide
• Endpoint Encryption for Files and Folders Administration Guide
• Port Control Administration Guide
• Endpoint Encryption for PC Quick Start Guide
• Endpoint Encryption for Files and Folders Quick Start Guide

Acknowledgements

Endpoint Encryption's Novell NDS Connector and LDAP Connectors make use of OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given to these organizations for their free APIs.

Contacting Technical Support

Please refer to www.mcafee.com for further information.

Introduction

Why Endpoint Encryption?

Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD worth of lost data. Is your data safely stored? Have you ever thought about the risks you run for your company and your clients? The Endpoint Encryption product range was developed with the understanding that the data stored on a computer is often much more valuable than the hardware itself.

Design Philosophy

The Endpoint Encryption product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a Smart Card, Fingerprint or USB Key. McAfee also has optional File and Media encryption programs (VDisk, File Encryptor and Endpoint Encryption for Files and Folders), as well as hardware VPN solutions, further enhancing the security offered. Endpoint Encryption supports all current Microsoft Operating Systems, and also common PDA platforms:

• Microsoft Windows 7
• Microsoft Windows 2000 through SP4
• Microsoft Windows XP through SP3 (32bit only)
• Microsoft Windows 2003 through SP2 (32bit only)
• Microsoft Vista 32bit and 64bit (all versions)
• Microsoft Pocket Windows 2002 and 2003
• Microsoft Windows Mobile 5.0/6.0/6.1
• Palm OS 3.5 through 5.4

All Endpoint Encryption products are centrally managed through a single system, which supports scalable implementations and rich administrator control of policies.

How Endpoint Encryption Solutions Work

Management

Every time an Endpoint Encryption protected system starts, and optionally every time the user initiates a dial-up connection or after a set period of time, Endpoint Encryption tries to contact its Object Directory. This is a central store of configuration information for both machines and users, and is managed by Endpoint Encryption Administrators. The Object Directory could be on the user's local hard disk (if the user is working completely stand-alone), or could be in some remote location and accessed over TCP/IP via a secure Endpoint Encryption Server (in the case of a centrally managed enterprise).

Endpoint Encryption applications query the directory for any updates to their configuration, and if needed download and apply them. Typical updates could be a new user assigned to the machine by an administrator, a change in password policy, an upgrade to the Endpoint Encryption operating system, or a new file specified by the administrator. At the same time Endpoint Encryption uploads details such as the latest audit information, any user password changes, and security breaches to the Object Directory. In this way, transparent synchronization of the enterprise becomes possible.

Objects, Entities, and Attributes explained

The Endpoint Encryption database stores information about users, machines, servers, PDAs etc. in collections called "objects". From an internal point of view it does not matter to Endpoint Encryption what an "object" represents, only the information it contains. So an object representing a user, say "John Smith", and an object representing a machine, for example "John's Laptop", both contain information about encryption keys, account status and administration level.

Within the object are collections of configuration data called "attributes"; again, the same type of attribute may exist across many object types. To take our previous example of John and his laptop, the details of the encryption keys, user status and administration level would all be stored as separate attributes.

Entities are applications within the Endpoint Encryption system. Because of the generality of the "object" design, all Endpoint Encryption applications also have some generality about them: for instance, the entity representing the Endpoint Encryption client and the entity representing the Endpoint Encryption Server both authenticate to the Object Directory in the same way, as an "object" which could be a machine or a user; which it is does not matter. This generality is mainly hidden from users and administrators, but because of this core design, you will find that many Endpoint Encryption related functions and tasks are common between users, machines and entities.

The Endpoint Encryption Components

Endpoint Encryption Manager

Figure 1. Endpoint Encryption Manager

The most important component of the Endpoint Encryption enterprise is the Endpoint Encryption Manager, the administrator interface. This utility allows privileged users to manage the enterprise from any workstation that can establish a TCP/IP link or file link to the Object Directory. Typical procedures that the Endpoint Encryption Administrator handles are:

• Adding users to machines
• Configuring Endpoint Encryption protected machines
• Creating and configuring users
• Revoking users' logon privileges
• Updating file information on remote machines
• Recovering users who have forgotten their passwords
• Creating logon tokens such as smart cards for users

Endpoint Encryption Server

The Endpoint Encryption Server facilitates connections between entities such as the client, the Endpoint Encryption Manager and the central Object Directory over an IP connection (rather than the file based "local" connection). The server performs authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that "snooping" the connection cannot result in any secure key information being disclosed.

The server exposes the Object Directory via fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet / Intranet, allowing clients to connect wherever they are. As all communications between the Server and client are encrypted and authenticated, there is no security risk in exposing it in this way.

There is a unique PDA Server which provides similar services to PDAs such as Microsoft Pocket Windows and PalmOS devices. More information about this can be found in later chapters.

Endpoint Encryption Object Directory

The Endpoint Encryption Object Directory is the central configuration store for Endpoint Encryption for PC and is used as a repository of information for all the Endpoint Encryption entities. The default directory uses the operating system's file system driver to provide a high performance, scalable system which mirrors an X.500 design. Alternative stores such as LDAP are possible; contact your Endpoint Encryption representative for details. The standard store has a capacity of over 4 billion users and machines.

Typical information stored in the Object Directory includes:

• User Configuration information
• Machine Configuration information
• Client and administration file lists
• Encryption key and recovery information
• Audit trails
• Secure Server Key information

Endpoint Encryption for PC Client

Figure 2. Endpoint Encryption Client

The Endpoint Encryption for PC client software is largely invisible to the end user. The only visible part is an entry in the user's tool tray (the Endpoint Encryption icon). Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator has enabled this option and a screen saver is selected). Right-clicking on the icon allows them to perform a manual synchronization with their Object Directory, or monitor the progress of any active synchronization.

Normally the Endpoint Encryption client attempts to connect to its home server or directory each time the machine boots or establishes a new dial-up connection. During this process, any configuration changes made by the Endpoint Encryption administrator are collected and implemented by the Endpoint Encryption client. In addition, information such as the latest audit logs is uploaded to the directory.

Endpoint Encryption PDA Server

The Endpoint Encryption PDA Server facilitates connections between entities such as the Endpoint Encryption client, the Management Center and the central Object Directory over an IP connection (rather than the file based "local" connection). The server performs authentication of the entity using DSA signatures and link encryption using Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that "snooping" the connection cannot result in any secure key information being disclosed.

Note: The default port for PDA Server is 5557.

The server exposes the Object Directory via fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet / Intranet, allowing clients to connect wherever they are. As all communications between the server and client are encrypted and authenticated, there is no security risk in exposing it in this way.

Endpoint Encryption for Mobile

Endpoint Encryption for Mobile provides authentication and encryption services for mobile devices. Every time you activate it you are prompted to enter a secure, recoverable password or PIN.

As with Endpoint Encryption for PC, every time you activate or dock a PDA device protected with Endpoint Encryption, it tries to communicate with its home Endpoint Encryption PDA Server and set its security profile, which again is set from the Endpoint Encryption Manager.

Endpoint Encryption File Encryptor

By right clicking on a file, users can elect to encrypt it using various keys. Files can be encrypted with other Endpoint Encryption users' keys, and/or passwords.

Once protected in this way the file can be sent elsewhere, for example via e-mail or on a floppy disk, without the risk of disclosure.

When the file needs to be used, it just needs to be double clicked; a password or login prompt will be presented for authentication, and if this is correct the file will be decrypted.

The File Encryptor also has an option to create an RSA key pair for recovery: if the password to a file is lost, the file can still be recovered using the correct recovery key.

Endpoint Encryption Connector Manager

Endpoint Encryption's directory, used to keep track of security information, is designed so that synchronization of details between Endpoint Encryption and other systems is possible. The Connector Manager is a customizable module which enables data from systems such as X.500 directories (commonly used in PKI infrastructures) to propagate to the Endpoint Encryption Object Directory. Using this mechanism, it's possible to replicate details such as a user's account status between the Endpoint Encryption Manager and other directories. Current connector options include LDAP, Active Directory, and an NT Domain Connector. For information on these components, see your Endpoint Encryption representative.

Page 14: Endpoint Encryption Manager Administration Guide

Installing Endpoint Encryption Manager

14 |

Installing Endpoint Encryption Manager

NOTE: Readers unfamiliar with Endpoint Encryption should follow the Endpoint Encryption Quick Start 

Guide for the product you are installing, before tackling any of the topics in this guide. The Quick Start 

guides provide an overview of setting up an Endpoint Encryption enterprise. 

Endpoint Encryption Manager is the administration part of Endpoint Encryption and is

the core tool for managing all Endpoint Encryption aware applications. If this is the

first time you have installed an Endpoint Encryption application, then please read the

Quick Start Guide for that application. You will find this either on your Endpoint

Encryption download.

Install Endpoint Encryption Manager by running the appropriate setup.exe from the

Endpoint Encryption CD. You should run this first on the machine which you want to be

the “master” or administrators machine. If you have a multi-language CD, select the

language (for example, English) you want to install.

The Endpoint Encryption Manager will now install on your machine. Follow the on-

screen prompts to install the software, you may be prompted to select a language,

smart card reader, and encryption algorithm. Once completed you may need to restart

your system.

The Endpoint Encryption Manager suite adds some items to your start menu:

Endpoint Encryption Manager starts the Endpoint Encryption Manager; Endpoint

Encryption Server starts the communication server which provides encrypted links

between clients and the configuration. You may also have icons for the Endpoint

Encryption Connector manager.

After rebooting, run the Endpoint Encryption Manager program. A wizard will walk you

through the creation of a new Endpoint Encryption directory. If you have an existing

Object Directory in your network, you can connect to it by canceling the wizard and

manually configuring a connection. For information on this procedure please see

Managing Object Directories.

Upgrading the Endpoint Encryption Manager

1. Download the Endpoint Encryption Manager software from the McAfee download site.

2. Run the setup file and complete the upgrade. See the Endpoint Encryption Update and Migration Guide (contained in the download) for more detail.

Endpoint Encryption Manager Interface

The Endpoint Encryption Manager allows certain classifications of user to manage and

interact with the backend Object Directory. Users and machines can perform certain

tasks and change certain details within the directory, depending upon their assigned

"Administration Privilege", and administrative rights.

Administration Level

Each object in the directory has an "administration privilege" in the range 1 (lowest) to 32 (root administrator). No object except the root administrator can change the attributes of an object of its own privilege or above, although some attributes can be read regardless. This mechanism stops low privilege users from changing their own configuration, and protects high-level administrators from the activities of lower levels.

The recommended assigned privileges are:

User Classification       Administration Level
Root Administrator        32
Other Administrators      10
Normal Users              1
Normal Machines           1

NOTE: As there are no objects with a privilege above 32, all level 32 objects are treated equally and 

without restraint (except delete rights). This means that any top‐level admin can edit the properties of any 

other top‐level admin. However, a level 32 administrator with limited admin functions cannot add those 

restricted functions to another level 32 administrator. For this reason it is recommended that general 

Endpoint Encryption administrators use accounts with a privilege below 32, and the master (or root) 

administrator account should be used only in extreme circumstances. 

In addition to this rule, extra restrictions on what administration processes an

individual may use can be set when they are created, for instance the ability to add

users may be blocked, as may be the ability to create install sets.

This gives the ability to create high-privilege users with no admin abilities - these

users cannot be administered or recovered by lower privilege users although the lower

level users may have access to the administration functions.

Starting Endpoint Encryption Manager

Endpoint Encryption Manager requests a user authentication on start-up, which it uses to connect to an Object Directory. Users and administrators authenticate using their Endpoint Encryption credentials, so if they usually use a smart card to log in to Endpoint Encryption, they will need the same card to access Endpoint Encryption Manager.

NOTE: for details on setting up connections to directories, see Managing Object Directories. 

There is no real limit to the number of concurrent Endpoint Encryption sessions that can be connected to each directory, either directly or via an Endpoint Encryption Server. If two administrators update an object's configuration at the same time, the last one to click Save overrides the others. The limiting factor is the hardware supplying access to the directory, i.e. the network and server speed.

Groups of Users, Machines and other Objects

Within the Endpoint Encryption Directory, objects are "grouped" in order to simplify configuration. For example, in a large corporation with many departments, the Endpoint Encryption administrator may choose to create groups of machines based on their physical location - for instance "Sales" and "Helpdesk". The configuration of these two groups would be similar, but not identical - for instance, the "Sales" group of PCs may not synchronize with the Object Directory so often, and the "Helpdesk" PCs would not be receiving some sales-related database information.

To facilitate configuration at group level, two types of group can be created:

Controlled Groups

Members of configuration-controlled groups cannot have their core configuration

altered on a member-by-member basis (non-core items include machine description

for instance). All changes have to be made at group level, and immediately affect all

members of the group. When an object is moved into a controlled group, it

immediately loses its individuality and inherits the group’s properties.

Controlled groups are used where it is not necessary or desirable to have many individual objects with their own configurations; for example, an administrator may choose to enforce a strict security policy which must be adhered to. In this situation there is no scope for objects to have individual configurations. Another use is where a collection of machines needs to have their configurations synchronized as one. For example, if there was a controlled group of 200 machines with the property Endpoint Encryption enabled set as false, and the option was then enabled at group level, this change would affect each machine in the group. Each machine would automatically enable Endpoint Encryption the next time it synchronized with the directory.

Free Groups

Free groups have no master control; objects inherit the properties of the group when they are created, but this configuration is stored individually for the object and can be altered at any time. Existing objects moved into a free group do not inherit any group properties; they simply retain their own configurations. Changing the group configuration only affects new objects created within the group; it does not affect existing objects.

One Group for each object type is defined as the default. Unless otherwise specified

this is the group which new Objects (machines, users etc) appear under and inherit

their initial attributes. This group may or may not be configuration controlled, and is

displayed in bold type in the object tree. To set the default group, select it and use the

right-click menu option Set as Default Group.

Finding Objects

You can search the object trees by either typing into the Find box on the tool bar of

Endpoint Encryption Manager, or, by using the Filter or Find by ID options from the

Objects Menu.

Finding orphaned objects using Group Scan

The Group Scan feature within the Groups drop down menu allows you to scan

through any group and identify missing objects, e.g. machines, users, etc.

1. Select a group from the Users, System, Policies, or Devices tabs.

2. Click the Groups option from the menu bar.

3. Click Group Scan.

4. Select a group from the drop down list.

5. Click Ok. This will begin a search across the selected group for orphaned

objects. The report output will appear in the bottom right pane.

Audit Trails

Endpoint Encryption keeps an audit trail for most types of object. To view the current audit, select the object in question and use the right-click menu option View Audit. Audit trails can be exported as comma delimited files for use in other applications.

The ability for a user to be able to view another user’s audit is a function of their

relative administration level, and their View Audit administration right. It is

recommended that not all users are given this permission.

The Endpoint Encryption Object Directory

Endpoint Encryption stores all its configuration and security information in a central,

generic data store referred to as the Object Directory. This store resembles a tree-

based modular, object-structured directory, similar in design to an X500 directory. The

Endpoint Encryption Configuration Manager on the protected machine periodically

checks this store via a connection manager (the Directory Manager) to see if there are

any changes to apply, and delivers any updates necessary in return. The directory

stores information for the configuration of users, machines etc in logical Objects

containing data blocks ("attributes").

The Object Directory Structure

The Object Directory manages three levels of information: object types, the actual Objects, and attributes. This can be viewed as analogous to a file or directory system. The top level has the various object classifications: user, group, and machine. Below this level are the individual Objects; for example, in the case of the user tree, there would be Objects containing the attributes for users. Each object has many attributes, e.g. account status, private key and password.

NOTE ‐ Supported accessible Objects are Users, Machines, Servers, Files, Directories, and Groups. Endpoint 

Encryption makes no distinction between the different types of object at the management and access level. 

Only the Attributes stored within them differ. This independence greatly increases the speed the object 

store can work at. 

There is no requirement for any particular type of directory, as long as the directory engine can support the minimum layout. All data sources are viable, e.g. ODBC, Access, LDAP, DAP, X500 etc.

Endpoint Encryption ships with two directory drivers, one, a high performance file

system based driver for large corporate users, and a small single-file "transport"

directory driver designed for single use and disconnected deployment. For information

on porting Endpoint Encryption's backend directory to an alternate system, please

contact your McAfee Services representative.

A simple pictorial layout of the directory structure could be explained thus:

Root Directory
    |
Users-------Machines-------Groups-------Servers--------Files (Object Classes)
    |
User.0-----User.1-----User.2-----User.3-.. User.n (User level)
    |
Attrib.0----Attrib.1-----Attrib.2------Attrib.n (Attributes containing configuration information)

This structure mirrors an X500 directory, and allows fast access to attributes and

modification (adding new attributes, new object classes etc) without significant effort.

Object locking

To prevent problems where two or more processes try to access the same data simultaneously, only one process can have write permission to an Object at any time. Normally an object such as a user is only locked during the actual write process; if there is a conflict in locks, one process will wait for the other to release. This usually takes only a few seconds. In the standard file managed directory, object locking is provided by the operating system itself.

Creating and Configuring Users

Figure 3. Creating New Users 

New users can be created in Endpoint Encryption Manager by selecting the group they

need to be in, and using the menu option Create User. You can also create users

automatically using a connector to another directory, such as Active Directory, or an

automated script. Please see the Endpoint Encryption Connector Manager chapter, or,

the Endpoint Encryption Scripting Tool Users Guide.

The new user’s logon id and recovery information about them can be entered. The

user’s password or token is inherited from the group, and can be set or generated at

this point.

The fields of information are used to identify the user in case of a helpdesk issue, such

as the user forgetting their password. The helpdesk and user can see the majority of

these fields, but some may be defined as "hidden from user" - in this example, the

field Group Access is one of those. Hidden fields can only be seen by administrators

with a higher privilege than the user, or the root administrator.

This gives the helpdesk operator the ability to ask the user a question to validate their

identity. For more information on recovery, see the Recovery chapters of your product

administrators’ guide.

Once created, the user assumes the configuration of the group they were created in. If

this group is "controlled", then only a few options are available to be configured on a

user-by-user basis. If the group is "Free" then although the user assumes the

properties of the group on creation, the parameters can then be set individually

afterwards.

User Administration Functions

Create Token

Creates a new Token for the selected user - this could be a soft (password) token, or a

hard token such as a smart card or eToken.

NOTE: In the case of hard tokens, creating the token does not necessarily set the user to actually use that 

token. This must be accomplished separately from the user’s Token properties page.  

Reset Token

Resets the token authentication to the default. In the case of the soft (password) token, this resets the password to 12345.

NOTE: Some hard tokens may not be able to be reset using Endpoint Encryption ‐ for example Datakey 

Smart Cards. In this case contact the manufacturer of your token to determine the correct re‐use 

procedure.  

Set SSO Details

Sets the Single-Sign-On details for the user. For more information on SSO see the

Endpoint Encryption for PC Administration Guide.

Force Password Change at Next Logon

Forces the user to change their password at their next logon. This policy option applies

to both the Endpoint Encryption Manager and all compatible applications, such as

Endpoint Encryption for PC.

View Audit

Displays the audit for the user.

Reset (All) to Group Configuration

Resets the configuration of the user, or all the users in the group, to the groups

configuration.

Create Copy

Creates a new object based on the selected object.

Properties

Displays the properties of the selected object.

User Configuration Options

General

Figure 4. User Options ‐ General 

User ID

The user ID of a given user is the system-wide identifier that Endpoint Encryption uses

internally to keep track of the user. This number is unique within the Object Directory

and is displayed for technical support purposes. The user’s recovery screens also show

this number.

Auto-boot users

Special user ids containing the tag "$autoboot$" with a password of "12345" (or one set by administrators) can be used to auto-boot an Endpoint Encryption for PC protected machine. This option is useful if an auto boot of a machine is needed, for example when updating software using a distribution package such as SMS or Zenworks. This ID should be used with caution though, as it effectively bypasses the security of Endpoint Encryption.

You can find out more about the “$autoboot$” user from the Endpoint Encryption for

PC Administration Guide.

Enabled

Shows whether the user account is enabled or not. The enabled status is always user

selectable.

Once a machine has synchronized, it checks the user account list to ensure that the currently logged on user is still valid (because they logged on at boot time before the network and Object Directory were available). Users with disabled accounts (or users who have been removed from the user list) will find that the screen saver activates and they are unable to log in.

NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop the user from accessing the machine), you can use the force sync option of the machine's right-click menu to force an update. For more information see the Endpoint Encryption for PC Administration Guide.

Valid From / Until

Sets the period during which this account is valid. Once the period has passed, the user will no longer be able to log on. If the user is logged on when the account expires, they will NOT be automatically logged off the system (but if they reboot, or the screen saver activates, they will not be able to log on again).

Both Valid From and Valid Until settings can be made. This enables the

administrator to set up accounts that self-activate sometime in the future and/or

expire at some fixed point (e.g. for contracted employees with a fixed term contract

starting and expiring on a given day).

Change Picture

Allows the administrator to set a picture for the user. The picture aids the helpdesk in

the identification of a user when doing a challenge/response password reset. The

imported picture can be any size bitmap image.

User Defined Labels (Information Fields)

When a user is created several fields of information may be set to aid the helpdesk

identify the user during the recovery process. For a full description of the use of these

fields see Creating Users, and Recovering Users and Machines.

Password Parameters

Figure 5. User Configuration ‐ Password Parameters 

Force Change if "12345"

Ticking this option prevents users from continuing to use the Endpoint Encryption

default password of "12345". If this password is ever used, for instance after

recovering a user, it must be changed before Endpoint Encryption will allow the

operating system to boot. The force password change mechanism is also supported in

the Windows Screen Saver.

Prevent Change

Disables the Change Password option on the Endpoint Encryption boot screen, and

on the directory login screen.

Enable Password History

Endpoint Encryption records previous passwords, and stops the user repeating old

passwords when they are forced to change them.

The maximum number of previous passwords that can be saved is limited by the user's token: typically a password token can remember 19 previous passwords, whereas a smart card token remembers only 10. Passwords are added to the history list when the user sets them, so the default password ("12345") may be used ONCE again, as it is not added to the history list when a user is created.

Special smart card scripts can be made available which increase the maximum history

count beyond 10, at the expense of the time needed to log in. For information on

these scripts please contact your Endpoint Encryption representative.

Require Change After

Forces the user to change their password after a period of days.

Warn

Warns the user that their password will expire a set number of days in advance of

their password change.

Timeout password

When logging on, the user has three attempts to present Endpoint Encryption with a correct password. If the user fails, then a "lockout" period of 60 seconds commences. The user cannot log in while this period is in force, and if they reboot the PC, the period starts again.

Once the period has expired, the user is allowed further logon attempts, with the lockout period doubling after each further incorrect attempt, i.e.

• 1st incorrect attempt: no lockout

• 2nd incorrect attempt: no lockout

• 3rd incorrect attempt: 60 seconds lockout

• 4th incorrect attempt: 120 seconds lockout

• 5th incorrect attempt: 4 min lockout

• 9th incorrect attempt: 64 min lockout

64 minutes is the maximum lockout period that may be set.

Invalidate Password after

After a sequence of incorrect passwords, Endpoint Encryption can disable the user’s

account. To log on again once this has happened, the user will need to call their

Endpoint Encryption helpdesk for a password reset. The number of incorrect

passwords that have to be entered before this occurs is normally 10, but can be set as

needed.
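The Timeout password and Invalidate Password after behaviour described above, modelled as a small state machine. This is an added example and not McAfee code: the LogonState model, its method names and the monotonic-clock inputs are assumptions made for illustration; only the attempt counts, lockout periods and the default of 10 come from the guide.

```python
"""Logon failure handling as described under "Timeout password" and
"Invalidate Password after": two failures with no penalty, a 60 second
lockout on the third, the period doubling after each further failure and
never exceeding 64 minutes, a reboot restarting the current period, and the
account being disabled once the configured failure count is reached.

Added example, not McAfee code. The LogonState model and its method names
are assumptions made for illustration; the numbers come from the guide.
"""
from dataclasses import dataclass

FIRST_LOCKOUT_SECONDS = 60          # lockout applied on the 3rd failure
MAX_LOCKOUT_SECONDS = 64 * 60       # 64 minutes is the maximum
FREE_ATTEMPTS = 2                   # failures that carry no lockout


def lockout_seconds(failures: int) -> int:
    """Lockout that follows the given number of consecutive failures."""
    if failures <= FREE_ATTEMPTS:
        return 0
    doubled = FIRST_LOCKOUT_SECONDS * 2 ** (failures - FREE_ATTEMPTS - 1)
    return min(doubled, MAX_LOCKOUT_SECONDS)


@dataclass
class LogonState:
    """Per-user state a client would keep while enforcing the policy."""
    invalidate_after: int = 10      # "Invalidate Password after" default
    failures: int = 0               # consecutive incorrect passwords
    locked_until: float = 0.0       # clock value at which the lockout ends
    disabled: bool = False

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one logon attempt; returns ok, retry, locked or disabled."""
        if self.disabled:
            return "disabled"
        if now < self.locked_until:
            return "locked"          # attempts during a lockout are not counted
        if password_ok:
            self.failures = 0
            self.locked_until = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= self.invalidate_after:
            self.disabled = True     # helpdesk password reset needed from here
            return "disabled"
        self.locked_until = now + lockout_seconds(self.failures)
        return "locked" if self.locked_until > now else "retry"

    def reboot(self, now: float) -> None:
        """A reboot does not shorten a lockout: the current period restarts."""
        if now < self.locked_until:
            self.locked_until = now + lockout_seconds(self.failures)
```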

Password Template

Figure 6. User Configuration ‐ Password Template 

Password Length

Sets the expected length of the user’s password between two extremes.

Recommended settings are a minimum length of 5 characters, and a maximum length

of 40 characters.

Enforce Password Content

Enforcing content in passwords forces the user to pick more secure passwords, but also reduces the number of possible passwords the user can select from. Content is not case sensitive. The following options can be set:

Alpha

A minimum number of characters from the range a-z and A-Z.

Alphanumeric

A minimum number of non-symbol chars from the range a-z, A-Z, and 0-9.

Numeric

Numbers only, from the range 0-9.

Symbols

!"£$%^&*()_+{}~@:><,./ :;@'~#<,>.?/¬¦`[], and other non alpha and non

numeric characters.

Content restrictions force the user to be more particular when they change their password. Depending upon the selected options, related passwords will not be accepted. The following restrictions can be set:

No Anagrams

"wordpass" is not acceptable after a password of "password".

No palindromes

The passwords "1234321", "asdsa" etc are unacceptable.

No Sequences

"password2" after "password1" is unacceptable, as are passwords such as “aaaaaa”

and “111111”.

No Simple Words

Allows an administrator-defined dictionary to be set containing forbidden passwords.

You can create this dictionary using a unicode text editor. Place each forbidden word

on its own line in the file. Name the file TrivialPWDs.dat and place it in your client

install set in the [appdir]\SBTokens\Data folder. The password “password” is

excluded by default.

Can’t Be User Name

Prevents users from using their user name as their password.

Windows content rules

Mirrors the standard Windows password content rule. For passwords to be accepted

they must contain at least 3 of the following:

• Lower case letters

• Upper case letters

• Numbers

• Symbols and special characters
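The Password Template rules from this section, implemented as a single checker that reports every rule a candidate password violates, including a parser for the one-word-per-line TrivialPWDs.dat format. This is an added example and not McAfee code: PasswordTemplate, check_password and the rule labels are assumptions made for illustration, and the sequence check covers the two cases the guide names (a trailing number incremented, or a single repeated character); the rules themselves follow the guide's descriptions.

```python
"""Password Template checks as described in this chapter: length limits,
content minimums (alpha, numeric, symbols), the No Anagrams, No Palindromes
and No Sequences restrictions, the TrivialPWDs.dat dictionary, the
Can't Be User Name rule and the Windows "3 of 4" content rule.

Added example, not McAfee code. PasswordTemplate, check_password and the
rule labels are assumptions made for illustration; the rules themselves
follow the guide's descriptions.
"""
from dataclasses import dataclass
from typing import List, Optional
import re

ALPHA_RE = re.compile(r"[A-Za-z]")
DIGIT_RE = re.compile(r"[0-9]")
SYMBOL_RE = re.compile(r"[^A-Za-z0-9]")   # any non-alpha, non-numeric character
TRAILING_NUMBER_RE = re.compile(r"(.*?)(\d+)")


@dataclass
class PasswordTemplate:
    min_length: int = 5                  # recommended minimum from the guide
    max_length: int = 40                 # recommended maximum from the guide
    min_alpha: int = 0
    min_numeric: int = 0
    min_symbols: int = 0
    no_anagrams: bool = True
    no_palindromes: bool = True
    no_sequences: bool = True
    cant_be_user_name: bool = True
    windows_content_rules: bool = False
    trivial_words: frozenset = frozenset({"password"})  # excluded by default


def load_trivial_words(text: str) -> frozenset:
    """Parse the content of TrivialPWDs.dat: one forbidden word per line.
    Content matching is not case sensitive, so words are lower-cased."""
    return frozenset(line.strip().lower() for line in text.splitlines()
                     if line.strip())


def is_sequence_of(new: str, old: str) -> bool:
    """'password2' after 'password1': same text, trailing number one higher."""
    m_new = TRAILING_NUMBER_RE.fullmatch(new)
    m_old = TRAILING_NUMBER_RE.fullmatch(old)
    return bool(m_new and m_old and m_new.group(1) == m_old.group(1)
                and int(m_new.group(2)) == int(m_old.group(2)) + 1)


def windows_classes(pw: str) -> int:
    """Number of character classes present out of lower, upper, digit, symbol."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                bool(DIGIT_RE.search(pw)), bool(SYMBOL_RE.search(pw))])


def check_password(new: str, user_name: str, previous: Optional[str],
                   t: PasswordTemplate) -> List[str]:
    """Return the rules the candidate violates; an empty list means accepted."""
    problems: List[str] = []
    lo = new.lower()                         # content is not case sensitive
    po = previous.lower() if previous else None
    if not t.min_length <= len(new) <= t.max_length:
        problems.append("length")
    if len(ALPHA_RE.findall(new)) < t.min_alpha:
        problems.append("alpha")
    if len(DIGIT_RE.findall(new)) < t.min_numeric:
        problems.append("numeric")
    if len(SYMBOL_RE.findall(new)) < t.min_symbols:
        problems.append("symbols")
    if t.no_anagrams and po and sorted(lo) == sorted(po):
        problems.append("anagram")           # "wordpass" after "password"
    if t.no_palindromes and len(lo) > 1 and lo == lo[::-1]:
        problems.append("palindrome")        # "1234321", "asdsa"
    if t.no_sequences and (len(set(lo)) == 1 or (po and is_sequence_of(lo, po))):
        problems.append("sequence")          # "password2" after "password1", "aaaaaa"
    if lo in t.trivial_words:
        problems.append("trivial word")      # listed in TrivialPWDs.dat
    if t.cant_be_user_name and lo == user_name.lower():
        problems.append("user name")
    if t.windows_content_rules and windows_classes(new) < 3:
        problems.append("windows content")   # fewer than 3 of the 4 classes
    return problems
```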

Token Type

Figure 7. User Configuration ‐ Token Selection 

Sets the token for a given user / group of users. The list of available tokens is created from the token modules installed in the Object Directory. For information on particular token options, please see the Tokens chapter.

Some tokens may be incompatible with other options - for instance, you cannot use the Floppy Disk token if the user's floppy disk access is disabled, set to read only, or set as Encrypted.

Assigning a token to a user does not necessarily mean they will be able to log into a

machine – for example giving a user a smart card does not mean their machine has a

smart card reader, or the software needed to drive such a reader.

NOTE: When you change a user’s token, Endpoint Encryption automatically brings up the token creation 

wizard. You need to remember to create Soft Tokens even though they’re just passwords.  

Recovery Key

You can reset a user’s password, or change their token type using the recovery

process – this involves the user reading a small “challenge” of 18 characters from the

machine to an administrator, then typing in a larger “response” from the

administrator.

The recovery key size defines the exact length of this code exchange. The range of options for the recovery key depends upon the maximum key size of the algorithm in use. A key size of "0" disables the user recovery system.

Allow web-based self recovery

You can prevent a password-only user from registering for web recovery by selecting this option.

Administration Rights

Figure 8. User Configuration ‐ Administration Rights 

Administration Level

The administration level of a given user defines their Administration Scope. Users can

only work with directory objects (machines, other users etc) below their own level,

thus a level 2 user can only administer users of level 1. All users are by default

created at level 1, and are therefore unable to administer each other. The user who

first created the directory is created at level 32, and can therefore administer any

other object in the directory.

NOTE: A special case exists for the highest level of user (“root users”), allowing them to administer at level 

32.  

Administration Functions

Options in the administration functions box select what administrative options are

available to a given user / group of users.

When creating a new user, the administration rights of the creator are reflected to the

new user.

Most administration functions are obvious but the following may require more

explanation:

• Users/Allow Administration – controls a user's right to start administration systems such as the Endpoint Encryption Manager or Connector Manager. If this option is removed for all users, the management environment will be unavailable.

Logon Hours

Figure 9. User Configuration ‐ Logon Hours 

Endpoint Encryption can prevent a user from accessing any machine during particular

time periods. In the example above, the user "John Smith" can access any machine

his account has been allocated to during the hours of 9am - 5pm any day. If the

Force user to logoff box is not ticked, restricting the logon hours of a user does not

prevent them continuing to use a machine out of hours if they were logged on when

the restriction comes into force, however it does prevent them logging on after this

time, for instance at a screen saver prompt.

Devices

This is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for

PC Administration Guide.

Application Control

This policy is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for PC Administration Guide.

Policies

Figure 10. Policies 

Endpoint Encryption can control other systems through the Policies Interface. You can

define the actual parameters of a policy through its entry on the System Tree, and

assign which policies are enforced for a particular user, or group of users, from the

policies tab. For more information on policies see the Policies chapter.

Add / Remove

Click Add or Remove to associate a policy with a user. You can only associate one

policy of each type with a user.

Bindings

Figure 11. Connector Bindings 

The Endpoint Encryption Connectors use the bindings specified for a user to match their Endpoint Encryption account with their account on an alternate system. When a connector creates a new Endpoint Encryption user, it automatically fills in the binding tabs to make the association. It is also possible to connect one or many users created in Endpoint Encryption to a connected account by manually editing the bindings list.

For information on the correct system tag to use for a given connector, please see the

Endpoint Encryption Connector Manager chapter and those after it.

Local Recovery

The Local Recovery option allows the user to reset a forgotten password by answering

a set of security questions.

The full list of security questions is set by the administrator using the Endpoint

Encryption Manager. Note: Endpoint Encryption contains a generic set of questions.

When the user first sets up their local recovery feature they will be prompted to select

a number of questions and provide the answers to them. These form the basis for

their local self recovery feature.

Setting Local Recovery for a user name or user group

Using Endpoint Encryption Manager, the administrator assigns the local recovery

option to the user’s logon, or, to a user group. The local recovery options are available

from the user logon or group Properties screen. See below.

Figure 12 ‐ Setting the Local Recovery options 

Enable Local Recovery

Selecting this check box will set Local Recovery for the specified user or user group.

Require ? questions to be answered

This option determines how many questions the user must select to perform a Local

Recovery.

Allow ? logons before forcing user to set answers

This option determines how many times a user can logon without setting their Local

Recovery questions and answers.

Add

The Add button will load the Local Self Recovery Question dialog box and allow you

to create a new question. You can also specify the language that question should be in

and the minimum number of characters the user must specify when configuring the

answer to this question.

Remove

The Remove button will remove a selected question from the list.

Edit

The Edit button will allow you to edit the configuration of a selected question.

Apply

The Apply button will save any changes that have been made.

Restore

The Restore button will undo your changes and restore the Local Recovery options to

the previous settings (providing you have not clicked the Apply button).

See the Endpoint Encryption for PC Administrators Guide or the Help File for the user

local recovery procedures.

Administration Groups

Figure 13 ‐ Administration Groups 

The groups which an administrator can manage can be restricted – this gives the ability to create high privilege administrators who can only work with a particular population of users and machines – for instance departmental administrators. You can specify all group types for the restriction, so you can also create administrator accounts that have the ability to manage only servers, certain groups of users, or certain groups of machines.

When group restrictions are in place, the users’ view of the database is restricted to

only the groups specified.

Leaving the admin groups box empty gives the account admin capability throughout

the Object Directory.

When an administrator with group restrictions creates a new user, the group restrictions are reflected into the new user's properties. If the new user also inherits groups from their group membership, these too will be set.

NOTE: Do not restrict the administrative scope of the root administrator or you may not be able to make 

configuration changes in the future.  

Setting User Administrative Privileges

Endpoint Encryption has a powerful and flexible administration structure. You can set three conditions that must be met before a user can perform an administration task:

Administration Level

This must be higher than the object you are trying to administer, or in the case of top-

level objects (level 32), must also be level 32.

Groups

If there are any groups specified for administration, the object you are trying to

administer must be in one of the groups.

Administration Functions

The feature or command you are trying to use must be enabled in you Admin Rights

list

If all these conditions are met then the user will be able to perform the function. Using

a selection of these features enables certain administration hierarchies to be created.

We advise that the minimum administration rights are given to each user, to prevent

unauthorized configuration of the security. By delegating responsibility, administration

can become a simple task.

Some Example Administration Structures

Example 1. Top-down administration.

• Root User – level 32.

• Master Administrator(s) – Level 30, no other restrictions.

• Sub Admin(s) – Level 20, no other restrictions.

• Users – Level 1, all rights removed.

In this scenario there is a simple top-down chain of administration.

Example 2. Tree administration.

• Root User – Level 32.

• Enterprise Administrator(s) – Level 30, no other restrictions.

• Department A Administrator(s) – Level 20, restricted to user and machine groups in department A only. Rights for server management removed.

• Department B Administrator(s) – Level 20, restricted to user and machine groups in department B only. Rights for server management removed.

• Department A Users – Level 1, all rights removed.

• Department B Users – Level 1, all rights removed.

In this scenario, the departmental administrators are prevented from managing each other’s department by the group restriction. Administrators are also prevented from adding any of their users to machines in the other department by the same mechanism. Only the Enterprise Administrator(s) can start or manage Endpoint Encryption Servers.

Example 3. Function / Department Administration.

• Root User – Level 32.

• Enterprise Administrator – Level 30, no other restrictions.

• Server Manager – Level 30, groups restricted to servers only. Rights restricted to managing servers only.

• Department A Administrator – Level 20, restricted to user and machine groups in department A only. Rights for server management removed.

• Department B Administrator – Level 20, restricted to user and machine groups in department B only. Rights for server management removed.

• Department A Users – Level 1, all rights removed.

• Department B Users – Level 1, all rights removed.

In this scenario, there are additional accounts for the Server Manager, a person responsible for keeping the Endpoint Encryption Server running. Their account has no ability to manage users or log on to clients. There could also be other accounts with the ability to add/remove users (for example, used by the personnel department).
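To make the three checks concrete, here is an added Python model of them (not McAfee's code) applied to the tree of Example 2; the function names, group names and the level of the server object are assumed for the illustration.

```python
from dataclasses import dataclass

TOP_LEVEL = 32  # level of top-level objects such as the root user


@dataclass(frozen=True)
class Account:
    """An account as the three administration checks see it."""
    name: str
    level: int
    admin_groups: frozenset = frozenset()  # empty = whole Object Directory
    rights: frozenset = frozenset()        # functions enabled in the Admin Rights list


@dataclass(frozen=True)
class DirObject:
    """Any Object Directory object (user, machine, server) being administered."""
    name: str
    level: int
    groups: frozenset


def can_administer(actor: Account, target: DirObject, function: str) -> bool:
    """All three conditions must hold; the first one that fails denies."""
    # 1. Administration level: strictly higher than the target, except that a
    #    top-level (32) object can only be administered by a level-32 account.
    if target.level >= TOP_LEVEL:
        if actor.level < TOP_LEVEL:
            return False
    elif actor.level <= target.level:
        return False
    # 2. Group restriction: a restricted account may only touch objects that sit
    #    in at least one of its administration groups.
    if actor.admin_groups and not (actor.admin_groups & target.groups):
        return False
    # 3. Administration function: the command must be enabled for the account.
    return function in actor.rights


def create_user(creator: Account, name: str, inherited_groups=()) -> Account:
    """A user created by a restricted administrator inherits that restriction,
    plus any groups it inherits from its own group membership."""
    return Account(name, level=1,
                   admin_groups=creator.admin_groups | frozenset(inherited_groups))


# Example 2 ("Tree administration") from the text. Function and group names,
# and the level of the server object, are assumed for the illustration.
ALL_RIGHTS = frozenset({"update user", "update machine", "start server"})
ROOT = Account("root", 32, rights=ALL_RIGHTS)
ENTERPRISE_ADMIN = Account("enterprise-admin", 30, rights=ALL_RIGHTS)
DEPT_A_ADMIN = Account("dept-a-admin", 20,
                       admin_groups=frozenset({"DeptA-Users", "DeptA-Machines"}),
                       rights=ALL_RIGHTS - {"start server"})
DEPT_B_ADMIN = Account("dept-b-admin", 20,
                       admin_groups=frozenset({"DeptB-Users", "DeptB-Machines"}),
                       rights=ALL_RIGHTS - {"start server"})

USER_A = DirObject("alice", 1, frozenset({"DeptA-Users"}))
USER_B = DirObject("bob", 1, frozenset({"DeptB-Users"}))
MACHINE_B = DirObject("PC-B-01", 1, frozenset({"DeptB-Machines"}))
SERVER = DirObject("EE-Server-1", 1, frozenset({"Servers"}))
ROOT_OBJECT = DirObject("root", 32, frozenset({"System"}))

if __name__ == "__main__":
    for actor, target, fn in [(DEPT_A_ADMIN, USER_A, "update user"),
                              (DEPT_A_ADMIN, USER_B, "update user"),
                              (DEPT_A_ADMIN, MACHINE_B, "update machine"),
                              (DEPT_A_ADMIN, SERVER, "start server"),
                              (ENTERPRISE_ADMIN, SERVER, "start server"),
                              (ENTERPRISE_ADMIN, ROOT_OBJECT, "update user"),
                              (ROOT, ROOT_OBJECT, "update user")]:
        print(f"{actor.name:17} {fn:15} {target.name:12} ->",
              can_administer(actor, target, fn))
```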


Tokens

The Endpoint Encryption Manager and connected applications support many different types of logon token, for example passwords, smart cards, fingerprint readers and others. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared.

Supported Smart Cards and Tokens

The link below contains the supported smart cards and tokens:

https://kc.mcafee.com/corporate/index?page=content&id=pd20895

Hardware Device Support

Ensure the machine has the appropriate Windows drivers for the hardware tokens it needs to support. For example, if you intend to use Aladdin eTokens you need to install the Aladdin eToken RTE (Run Time Environment).

If you intend to use smart cards, you need to ensure that an Endpoint Encryption-supported smart card reader, for example the Mako/Infineer LT4000 PCMCIA smart card reader, is installed along with its drivers.

In both cases, the appropriate device drivers are available either directly from the manufacturer, or from the Endpoint Encryption install CD in the Tools directory.

Endpoint Encryption Application Support

Once you have installed hardware support for the devices, you can enable software support for them. See the dedicated product administration guide for details of how to enable tokens for that particular product.

Assign the token to the user and create it.

From the user’s Token properties pane, select the token you want that user to log in with. Endpoint Encryption will prompt you to insert the token and will create the appropriate data files on it.

If all steps are followed, when you install Endpoint Encryption, or after the machines synchronize, users will be able to log in using their new token.

Upek Fingerprint Reader

1. The Upek Protector Suite QL software must be installed and configured on the client machine. The software can be found on the McAfee Endpoint Encryption Tools download. Please consult your McAfee representative for further information.

2. From the Endpoint Encryption Manager:

• Create a file group for the Upek token and import the token files:

SbTokenUpek.dll and SbTokenUpek.dlm.

• The Upek file group must be assigned to the machine or machine group.

• The fingerprint reader must be assigned to a user or a user group. See the

user or user group Properties Tokens screen.

3. The user logs onto the client machine using the Upek token module in

password mode.

4. The user will be presented with a dialog which will ask them to register their

fingerprints with Endpoint Encryption; the user configures the fingerprint

reader to work with one or more of their fingerprints.

5. From then on the user will need to authenticate to Endpoint Encryption with

their fingerprint instead of a password.


File Groups and Management

Figure 14. Endpoint Encryption File Groups 

The Endpoint Encryption Manager uses central collections of files, called Deploy Sets, to manage which versions of files are used by the various Endpoint Encryption applications. For information on a particular application’s support for File Groups, please see its Administration Guide.

When Endpoint Encryption Manager is installed, it automatically adds all the standard Endpoint Encryption administrator files into the file groups and may also create language sets, for example "English Language". An INI file, ADMFILES.INI, determines the contents of the core groups. INI files such as these can be edited to allow custom collections of files to be quickly imported and then applied using the Import file list menu option. For more information on ADMFILES.INI see the Endpoint Encryption Configuration Files chapter.

Other file sets created as standard include those to support login tokens (such as

smart card readers, and USB Key tokens).


Setting file group functions

Figure 15. File Group Content

You can specify the function of a file group by right-clicking it and selecting its

properties. Some file selection windows, for example, the file selector for machines,

only display certain classes of file group (in this example, those marked as Client

Files).

Importing new files

New files can be imported one by one into an existing deploy set using the Import files menu option (right-click menu). Simply select the file; Endpoint Encryption will then import it into the directory and add it to the deploy set.

Exporting Files

You can export a file group, or an individual file, back to a directory. This may be useful, for example, if you have an out-of-date administration system driver and there is an updated file in the Object Directory.

Deleting Files

You can delete individual files from a file set. With connected applications this usually results in the deletion of the file from their local directory at the next synchronization event.

Setting File Properties

To see the properties of a file, right-click on the file in question and select Properties. Two screens of information are available.


Figure 16. File Properties, File Information 

The name of the file is the actual name, which will be used when deploying the file on

the remote machine. The ID is the Object Directory object ID used as a reference for

the file from the client PC. The version number is an incremental version of the file.

When the file is updated, the version is incremented. This is used by the clients to

check whether an update is needed. Other information such as the name of the user

who imported the file and its size may be shown.

Figure 17. File Properties, Advanced

File Types

Set the type of the file.

File Location

Set the destination directory for the file.


Operating System

Because some files are only applicable to certain operating system(s), the target operating system(s) for the file must be selected. This prevents Windows NT drivers being installed on Windows 98 machines, or Windows 9x registry files being run on Windows 2000 servers.

Appid

If you are installing a file which is shared between multiple Endpoint Encryption applications, you can specify this application’s ID. This prevents one application from installing files shared by another.

Update

Specify when Endpoint Encryption should update the file.


Auditing

Introduction

The Endpoint Encryption Manager audits user, machine, and server activity. By right-clicking on an object in the Endpoint Encryption Object Directory, you can select the view audit function.

Audit trails are uploaded to the central directory by both the Administration Center

and connected Endpoint Encryption Applications such as Endpoint Encryption for PC

and Endpoint Encryption for Files and Folders.

The permission to view or clear an audit log can be controlled on a user or group

basis. Both the administration level and administration function rights are checked

before allowing access to a log. For more information on setting these permissions see

the Creating and Configuring Users chapter.

Audit trails can be exported to a CDF file by using the Audit menu option, or by right-clicking the trail and selecting Export. Also, the entire audit of the directory can be exported using the Endpoint Encryption Scripting Tool; for information on this option please contact your McAfee representative.

The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely, but they can be cleared en masse, again using SBAdmCL.

Common Audit Events

The text displayed in the audit log will depend on your localization and language settings. The following table lists the common events and their ID codes for the American English version of Endpoint Encryption. Many events can appear in multiple places; for example, the Login Successful event will be logged both in the user account doing the login and in the machine being logged into, simultaneously.

You can find out about product specific events from its dedicated administration guide

– for example to find out about Endpoint Encryption for PC events, refer to the

Endpoint Encryption for PC Administration Guide.

Information Events

Description                      Event
Audit cleared                    01000000
Boot started                     01000001
Boot complete                    01000002
Booted non-secure                01000003
Backwards Date Change            01000005
Booted from floppy               01000004
Token battery low                01000010
Power fail                       01000011
A virus was detected             01000013
Synchronization Event            01000014
Add group                        01000082
Add object                       01000083
Delete group                     01000084
Delete object                    01000085
Import object                    01000086
Export object                    01000087
Export configuration             01000088
Update object                    01000089
Import file set                  01000090
Create token                     01000091
Reset token                      01000092
Export key                       01000093
Recover                          01000094
Create database                  01000095
Reboot machine                   01000096
Move Object between groups       01000098
Rename Object                    01000099
Server started                   010000C0
Server stopped                   010000C1

Try Events

Description                      Event
Logon attempt                    02000001
Change password                  02000002
Forced password change           02000003
Recovery started                 02000016
Database logon attempt           02000081
Logon successful                 04000001
Password changed successfully    04000002
Boot once recovery               04000016
Password reset                   04000017
Password timeout                 04000018
Lockout recovery                 04000018
Change token recovery            04000019
Screen saver recovery            0400001A
Database logon successful        04000081
Logon failed                     08000001
Password change failed           08000002
Password invalidated             08000005
Recovery failed                  08000017
Database logon failed            08000081
Machine configuration expired    Undefined
A virus was detected             Undefined

Succeed Events

Description                      Event
Logon successful                 04000001
Password changed successfully    04000002
Boot once recovery               04000016
Password reset                   04000017
Password timeout                 04000018
Lockout recovery                 04000018
Change token recovery            04000019
Screen saver recovery            0400001A
Database logon successful        04000081

Failure Events

Description                      Event
Logon failed                     08000001
Password change failed           08000002
Password invalidated             08000005
Machine configuration expired    08000012
Recovery failed                  08000017
Database logon failed            08000081
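The codes in the tables above share a leading byte per class (01 Information, 02 Try, 04 Succeed, 08 Failure), which makes them easy to filter on. The added example below (not McAfee code; the record layout, object names and thresholds are assumed) classifies IDs that way and scans a constructed trail for bursts of Logon failed events and for Audit cleared events.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs transcribed from the Common Audit Events tables above (a subset).
EVENTS = {
    0x01000000: "Audit cleared",
    0x01000014: "Synchronization Event",
    0x010000C0: "Server started",
    0x02000001: "Logon attempt",
    0x04000001: "Logon successful",
    0x08000001: "Logon failed",
    0x08000005: "Password invalidated",
    0x08000081: "Database logon failed",
}
# The leading byte of an ID says which table it came from.
CLASSES = {0x01: "information", 0x02: "try", 0x04: "succeed", 0x08: "failure"}

AUDIT_CLEARED = 0x01000000
LOGON_FAILED = 0x08000001


def event_class(event_id: int) -> str:
    return CLASSES.get(event_id >> 24, "unknown")


def describe(event_id: int) -> str:
    return EVENTS.get(event_id, "event %08X" % event_id)


def failed_logon_bursts(trail, threshold=5, window=timedelta(minutes=10)):
    """Return {object: peak count} for each object whose Logon failed events
    reach `threshold` inside any sliding `window`. Scored per object, so a
    user account and a machine are counted separately."""
    times_by_object = defaultdict(list)
    for when, obj, event_id in trail:
        if event_id == LOGON_FAILED:
            times_by_object[obj].append(when)
    flagged = {}
    for obj, times in times_by_object.items():
        times.sort()
        start, peak = 0, 0
        for end, when in enumerate(times):
            while when - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[obj] = peak
    return flagged


def audit_clears(trail):
    """Objects whose audit trail was cleared. The trail is the only record of
    what happened before, so each clear deserves a look on its own."""
    return sorted({obj for _, obj, event_id in trail if event_id == AUDIT_CLEARED})


def class_counts(trail):
    return Counter(event_class(event_id) for _, _, event_id in trail)


def _at(minute):
    return datetime(2010, 3, 30, 9, 0) + timedelta(minutes=minute)


# Constructed trail: (timestamp, object the event was logged against, event ID).
SAMPLE_TRAIL = [
    (_at(0), "jsmith", 0x02000001),
    (_at(0), "jsmith", LOGON_FAILED), (_at(1), "jsmith", LOGON_FAILED),
    (_at(2), "jsmith", LOGON_FAILED), (_at(3), "jsmith", LOGON_FAILED),
    (_at(4), "jsmith", LOGON_FAILED), (_at(5), "jsmith", LOGON_FAILED),
    # a successful logon is recorded on both the user and the machine
    (_at(6), "jsmith", 0x04000001), (_at(6), "PC-0042", 0x04000001),
    (_at(0), "alice", LOGON_FAILED), (_at(30), "alice", LOGON_FAILED),
    (_at(45), "PC-0042", AUDIT_CLEARED),
    (_at(50), "EE-Server-1", 0x010000C0),
]

if __name__ == "__main__":
    print("bursts:", failed_logon_bursts(SAMPLE_TRAIL))
    print("audit cleared on:", audit_clears(SAMPLE_TRAIL))
    print("by class:", dict(class_counts(SAMPLE_TRAIL)))
```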

 


Managing Object Directories

All Endpoint Encryption Manager connected applications require a connection and logon to an Object Directory. The Endpoint Encryption logon screen provides an interface to manage these connections, whether they are direct to local directories or through Endpoint Encryption servers.

The logon system automatically remembers the last token which was used, and

displays that interface to the user – if you want to log on with a different token, for

instance a smart card, or fingerprint scan, simply cancel the login box and select a

different token from the token selection list.

Managing Connections

You can add and remove directory connections by clicking Cancel on the Endpoint Encryption Manager Login box, then selecting Edit Connections on the Select Your Login Method dialog.

Figure 18. Endpoint Encryption Database Connections

The Endpoint Encryption Database Connections window lists the currently configured directory locations and types. Local directories are accessed directly; remote directories are accessed through an Endpoint Encryption server. Where authentication parameters for the directory connection have been imported, the connection appears with a tick.

Adding a new directory connection

Click Add to create a new connection. If you are going to access the directory directly, for example an Endpoint Encryption file directory stored on your local machine or on an accessible network drive, select the Local option from the connection type dropdown list. If the directory has an Endpoint Encryption server supplying its information, use the Remote option.

Remote Directories

Description

Type a description for the directory - this is used to identify the directory in the list.

Server Address

Supply the address or DNS name of the server, and the port it is running on.

Server Port

Set the port the server should communicate on. The default is 5555.

Authenticate

Server authentication prevents a malicious "rogue" server masquerading as a valid

Endpoint Encryption server, by forcing DSA key checking between the server and

Endpoint Encryption application. If the key the server returns is invalid, the Endpoint

Encryption application will refuse to connect to the server and inform the user of a key

mismatch.

When adding a new server, if you elect to create an authenticated link, you will be prompted to provide a key file (.spk file). You can obtain this key from an existing connected administrator by asking them to right-click on the server definition in the Endpoint Encryption Manager, and choose Export Public Key.

NOTE: If you are authenticated to a directory, you can add alternate Endpoint Encryption server 

connections to this directory to the list by simply right clicking on the server’s directory entry in the system 

tree, and selecting Add to Directories. This process sets up the connection in advance and adds all the key 

information if available.  

Local Directories

Local directories (accessed without an Endpoint Encryption server) need a UNC or mapped drive data path (or a file location in the case of a file directory) and a description. Endpoint Encryption servers ALWAYS use a local directory; you cannot chain one server onto another.

The default driver for Endpoint Encryption’s Directory is sbfiledb.dll.


Endpoint Encryption Server

Figure 19. The Endpoint Encryption Server

The Endpoint Encryption Server provides a secure communication interface between the Object Directory and other components, such as Endpoint Encryption Manager, Endpoint Encryption for PC Client, and Endpoint Encryption Directory Synchronizer, over a TCP/IP link.

Installing the Endpoint Encryption Server Program

The Endpoint Encryption Server is installed as part of the Endpoint Encryption Manager setup. You can install multiple servers attached to one directory: simply install a new copy of Endpoint Encryption Manager, and manually configure the connection to the existing directory by canceling the Object Directory creation wizard and setting up a new local or remote connection in the subsequent logon box.

Creating a new Server

Before the Endpoint Encryption Server can start, an entry for it must be created in an Endpoint Encryption Object Directory. This entry/object contains the server’s public and private key set, configuration and other parameters.


Figure 20. Creating a new Endpoint Encryption Server Object 

To create a new server object, you can either use the New Server option to create a

new server in the System/Endpoint Encryption Servers tree using Endpoint Encryption,

or you can use the "create" button on the Endpoint Encryption Server startup screen

shown after authenticating to the Object Directory. Both procedures follow the same

path.

Creating a new Endpoint Encryption Server object automatically adds the definition to the local directories list. The next time you perform a directory logon, you will be able to choose to log on to the new Server.

Starting the Endpoint Encryption Server for the first time

Once the object for the server has been created, the program SBServer.exe may be run. The first task is to log in to the local Object Directory. For information on how to set up directory connections, see Managing Object Directories. Once the directory has been selected, and a logon ID and password supplied, a prompt to select the object is displayed. From this dialog, a new server definition can be created, or an existing ID selected. The definition selected controls the startup parameters for the server, and the authentication keys it will use.

Figure 21. Selecting the Endpoint Encryption Server Object to use for configuration


Server Configuration

The Endpoint Encryption Server obtains its configuration from three places.

The local file sdmcfg.ini supplies the location and type of Object Directory the server should connect to. It also supplies the logon ID and password to use in the case of an automated start. This file is shared between all the Endpoint Encryption entities.

The server’s object within the Object Directory specified in sdmcfg.ini supplies the port the server should speak on, and its public and private key information.

The local file sbserver.ini supplies the ID of the object in the local Object Directory that the server uses for its port, etc. It also specifies whether the user should be prompted to select an ID each time the server starts.

Starting the Endpoint Encryption Server as a Service

In Windows 2000 you can start the Endpoint Encryption Server as a true service. To do this, select the Start as service option from the server menu. You will need to supply a user ID and password for the server to use for subsequent starts.

The Endpoint Encryption Server stores the user’s authentication key in sbserver.ini for use in subsequent logons. This is not the user’s password, but it could give a hacker a method of attacking the Object Directory.

TIP: You can stop certain user accounts being used to start servers as services by removing their 

administration privilege Start Server as service. 

Using Server / Client Authentication

Endpoint Encryption clients exchange highly sensitive information with their respective Servers, and rely on their server for their configuration, including details of what drives should be encrypted.

One possible way around the Endpoint Encryption security would be to substitute an organization’s Endpoint Encryption server and Object Directory with a "Rogue" server which told Endpoint Encryption protected machines to decrypt their hard drives.

To prevent this kind of attack, the Endpoint Encryption Server generates a public-private key set on install. The public part of the key is distributed on install to the clients, who then use it to verify that the server holds the matching private key each time they communicate with it.

With this mechanism, if the server is substituted by re-routing the network traffic or DNS name for instance, the clients will recognize the change and refuse to communicate.


Setting up the Endpoint Encryption Server / Endpoint Encryption authentication

Once an Endpoint Encryption server has been created and started, its public key may

be exported from the Object Directory as a file. This key file can be freely distributed

or placed in a publicly accessible repository - for instance on a web site.

To extract a Server key from the Object Directory, simply select the server from the

server tree, and use the Export public key option. The resulting .sky file can then be

freely distributed. To import the information into a directory connection use the

Advanced button on the login screen. For information on this process see Managing

Object Directories.

NOTE: If the Object Directory selected during the creation of a deploy set already has authentication 

configured, then this information will be automatically included within the deploy set.  

Connecting to a new Endpoint Encryption Server

Once a server has been created it appears in the Object Directory system tree. If this server was created by someone else in the Endpoint Encryption enterprise, you can still add this server to the local list of Endpoint Encryption servers used in the login dialog by selecting the Add to Directories option. This creates a new entry in the local list, and if necessary downloads the server’s public key information. For more information see Managing Object Directories.

Checking a Server’s Status Remotely

You can check the status of an Endpoint Encryption Server listed in the Object Directory by right-clicking its object, and selecting Get Status. If the server is online and responsive, it will return its current status in the system log.

NOTE: the active connections list will always show 1 more than the current user / machine connections, due 

to the connection by Endpoint Encryption to get the status.  

Using Restricted User IDs for Servers

Although any valid user ID can start an Endpoint Encryption server, the access yielded to it by the Object Directory is a reflection of that user’s directory permissions.

For instance, if a very low admin privilege user starts the Endpoint Encryption Server, then high level users and machines will not receive any configuration updates, because their admin level exceeds that which can be accessed by the Endpoint Encryption Server. For this reason the Endpoint Encryption Server should usually only be started by users with very high, or the highest, level admin rights.


For practical reasons it is often not the master Endpoint Encryption administrator who

starts the Endpoint Encryption Server - usually the corporate server managers have

this responsibility. It would not be good security for the master accounts to be given

out to any users except those directly involved with the Endpoint Encryption

parameters.

To overcome this conflict of interests - full access to the objects with no administrative

ability - Endpoint Encryption allows you to create very high privilege users with no

administrative ability - we will term these Service Accounts.

Service Accounts Parameters

Service accounts are created in the same way as normal users. We recommend they

be created in their own group Service Accounts.

The following parameters can be set to yield an account that is useless for logging on to PCs. With these parameters the only use for the account is as a login to the Object Directory.

Passwords

Prevent Change set

Require Change disabled

Admin Rights

Administration Level 30

All rights cleared except Start as Service

Devices

No access to any devices

Token

Password Only

WARNING – Remember not to add any “service accounts” or the group you create them in to machines.  


Keys

About Keys

Keys are general-purpose objects which other Endpoint Encryption-aware applications can use to encrypt information. For example, Endpoint Encryption for Files and Folders uses Key objects to protect files and folders on network and user hard disks.

Key Administration Functions

Create New Key

This function creates a new Key. You can select the key’s name, which algorithm it will use, and enter a description of the key to aid in its identification.

To create a new key:

1. Navigate to the System tab of the object tree.

2. Find the key provider.

3. Double-click it to expand its groups.

4. Either open an existing group, or create a new group by right-clicking the top

node and selecting Create Key Group.

5. From the open group window, right-click and select Create New Key.

6. Enter the name for the new key, select an algorithm, and select OK.

Rename Key

This option changes the name of a key – this does not affect the association of keys to

users, or the protection of data. Only the human-readable name is changed.

Delete Key

This option deletes a key from the system.

To delete a key:

1. Find the key from the Keys node of the System tab within the object tree.

2. Right-click the key and select Delete.

NOTE: If you permanently delete a key, all data protected with that key will be permanently lost; however, 

you can restore the key if it has been backed up.  


Reset to group configuration

Sets the properties of a key to be those of its group. This includes the user list

assigned to the key.

Reset to group configuration (exclude users)

Sets the properties of a key to be those of its group excluding the key’s user list.

Properties

Displays the properties of a key.

Key Configuration Options

Information

Displays information about the key

Description

A text description of the key, this can be used to identify the purpose or use of the

key.

Validity

You can specify until when a key is valid, and whether it can be cached on users’ local systems.

Key is Enabled

Tick to make the key accessible to users. If the key is disabled, then all requests for this key (and therefore all data protected by it) will be denied.

Expiry

You can specify a date until which the key will be valid. After this date, access to the key (and therefore access to data protected by it) will be denied.

Caching

Allow keys to be cached locally

Enables local caching of the key. Normally keys are obtained on access from the

network Endpoint Encryption Key Server. This means that the only way to access

protected data is to have a good connection to the corporate Key Server.

If you need data to be available to users offline, for example when they are working

disconnected from the network, you can allow local caching of a particular key.

Each time a key is requested, the user must authenticate against an Endpoint Encryption Key Server to obtain a fresh copy of the key. If the Key Server is not accessible, then the user authenticates against a local key cache and queries it for a copy of the key. If the key could be obtained from the Key Server, then the local copy may be installed, or updated at the same time. If the user’s credentials are not correct, no keys are released.

Remove from cache after..

Causes a locally cached copy of a key to be wiped from the local key cache after a certain number of days of disconnection. This prevents users from obtaining keys, then continuing to use them for extended periods of time without validating their credentials against the central Endpoint Encryption Key Server. You can use this option to ensure that if you make changes to the validity or user list of cacheable keys, these changes are enforced within a certain period of time.

Users

You can restrict access to keys to certain users by adding them to the key’s user list. When the list is empty, any user who has valid Endpoint Encryption credentials can obtain the key. Once one or more users are added to the list, though, ONLY those users can obtain, or administer, the key. This prevents general Endpoint Encryption administrators from being able to access sensitive data.

NOTE: You can restrict which administration functions a user can perform on keys (add key, delete key, properties etc) by setting the user’s administration rights. See the Administration Rights section for more information.

Restrict Access To

Defines the user list for a key. If the list is empty, then any user can access the key. If

one or more users are added then ONLY they can access or administer the key.

Minimum Admin Level Required

You can specify the minimum admin level required to access a key. This parameter is

enforced in ADDITION to the restricted user lists. If you add a user to the user list,

and also set an admin level, then if the user does not match or exceed the level they

will not be able to access the key. For more information on admin levels see the

Administration Rights section.
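The Validity, Caching, Users and Minimum Admin Level rules above combine into a single release decision. The added example below (not McAfee code; field names, reason strings and the cache layout are assumed) models that decision, including a cached copy that keeps working offline, under the properties it was released with, until the removal period passes.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass
class Key:
    name: str
    enabled: bool = True                            # "Key is Enabled"
    expiry: Optional[date] = None                   # "Expiry"; None = no expiry date
    restrict_to: frozenset = frozenset()            # "Restrict Access To"; empty = any user
    min_admin_level: int = 0                        # "Minimum Admin Level Required"
    cacheable: bool = False                         # "Allow keys to be cached locally"
    remove_from_cache_after: Optional[int] = None   # days of disconnection; None = keep


@dataclass
class User:
    name: str
    admin_level: int
    credentials_valid: bool


def _policy_problem(key: Key, user: User, today: date) -> Optional[str]:
    """The key's own validity and user-list rules; None means it may be released."""
    if not key.enabled:
        return "key disabled"
    if key.expiry is not None and today > key.expiry:
        return "key expired"
    if key.restrict_to and user.name not in key.restrict_to:
        return "user not in key's user list"
    if user.admin_level < key.min_admin_level:   # enforced in ADDITION to the user list
        return "admin level too low"
    return None


def key_release(key: Key, user: User, today: date, key_server_reachable: bool, cache: dict):
    """Decide whether `user` receives `key`. `cache` is this machine's local key
    cache: key name -> (date the Key Server last released it, the key as it was then).
    Returns (released, reason)."""
    if not user.credentials_valid:
        return False, "credentials rejected"
    if key_server_reachable:
        problem = _policy_problem(key, user, today)
        if problem:
            return False, problem
        if key.cacheable:
            cache[key.name] = (today, replace(key))  # install or refresh the local copy
        return True, "fresh copy from Key Server"
    # Offline: only the local cache can answer, and only cacheable keys are in it.
    if key.name not in cache:
        return False, "Key Server unreachable and no cached copy"
    released_on, cached_key = cache[key.name]
    days_offline = (today - released_on).days
    limit = cached_key.remove_from_cache_after
    if limit is not None and days_offline > limit:
        del cache[key.name]  # wiped until the user revalidates centrally
        return False, "cached copy wiped after %d days without central validation" % days_offline
    # The cache only knows the properties the key had when it was released.
    problem = _policy_problem(cached_key, user, today)
    if problem:
        return False, problem
    return True, "copy from local key cache"


# Constructed objects for the walkthrough (names and levels are assumed).
FINANCE = Key("Finance", restrict_to=frozenset({"alice", "carol"}), min_admin_level=10,
              cacheable=True, remove_from_cache_after=7)
ALICE = User("alice", 20, True)
BOB = User("bob", 30, True)
CAROL = User("carol", 5, True)


def walkthrough():
    """Runs one scenario in order and returns the list of (released, reason) decisions."""
    cache = {}
    d0 = date(2010, 3, 30)
    results = [
        key_release(FINANCE, ALICE, d0, True, cache),                       # online, listed
        key_release(FINANCE, BOB, d0, True, cache),                         # online, not listed
        key_release(FINANCE, CAROL, d0, True, cache),                       # listed, level too low
        key_release(FINANCE, ALICE, d0 + timedelta(days=5), False, cache),  # offline, cached
    ]
    revised = replace(FINANCE, restrict_to=frozenset({"dave"}))  # admin drops alice meanwhile
    results += [
        key_release(revised, ALICE, d0 + timedelta(days=6), False, cache),  # cache still honours old list
        key_release(revised, ALICE, d0 + timedelta(days=8), False, cache),  # past 7 days: wiped
        key_release(revised, ALICE, d0 + timedelta(days=8), True, cache),   # back online: now denied
        key_release(replace(FINANCE, enabled=False), ALICE, d0, True, cache),
        key_release(replace(FINANCE, expiry=d0 - timedelta(days=1)), ALICE, d0, True, cache),
    ]
    return results


if __name__ == "__main__":
    for released, reason in walkthrough():
        print("released" if released else "denied  ", reason)
```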


Policies

About Policies

Endpoint Encryption can manage other systems and applications from the main Administration console. Each additional application provides a Policy system which allows the parameters for the application to be defined. For example, the Endpoint Encryption for Files and Folders policy provider integrates into the Endpoint Encryption Database, and allows you to set the functions and parameters for the Endpoint Encryption for Files and Folders system.

You can assign policies to most kinds of Endpoint Encryption supported object, such as

users, machines, PDAs etc – wherever appropriate for the individual policy type. You

can assign policies to both individual objects (such as users), and also to groups of

objects (such as groups of machines).

Policy Administration Functions

Add Policy

You can create any number of policies of each type. You should create policies to fulfill an organizational or functional need – for example a policy for a role within your organization, such as Management Team.

To create a new policy:

1. Navigate to the Policies tab of the object tree.
2. Find the Policy provider you want to create a new policy for – for example Endpoint Encryption for Files and Folders Policies.
3. Double-click it to expand its groups.
4. Either open an existing group, or create a new group by right-clicking the top node and selecting Create Policy Group.
5. From the open group window, right-click and select Add.
6. Enter the name for the new policy, and select OK.

Rename Policy

Changes the name of the policy. This does not affect the association of the policy to other objects.


Delete Policy

If you delete a policy, all users of that policy will receive the “Default” policy instead the next time they update.

To delete a policy:

1. Find the policy from the Policies tab of the object tree.
2. Right-click the policy and select Delete.

Create Installation Set

To install a policy object, some types allow you to create an installation set directly from the Endpoint Encryption database for that application – for example, to install Endpoint Encryption you can create an Install EXE direct from the policy object.

Reset to Group Configuration

Resets the properties in the selected policy to those of its group.

Create Copy

Creates a copy of a policy object based on the selected one.

Properties

Opens the properties of the selected group or object.

For more information about Endpoint Encryption for Files and Folders, see the Endpoint Encryption for Files and Folders Administration Guide.

Assigning a policy object to a user

1. Open the user's Properties window.
2. Move to the Policies properties type in the properties list.
3. Click the Add button.
4. Select the policy you want to associate with that user.
5. Click OK.

You can normally only assign one policy of each type to any particular object, for example one Endpoint Encryption for Files and Folders policy per user.

Assigning a policy object to a machine

1. Open the machine's Properties window.
2. Move to the Policies properties type in the properties list.
3. Click the Add button.
4. Select the policy you want to associate with that machine.
5. Click OK.

You can normally only assign one policy of each type to any particular object, for example one Asset policy per machine.


Endpoint Encryption Connector Manager

The Connector Manager is responsible for managing the correlation of information between the Endpoint Encryption Object Directory and another data source. This remote source may be another Object Directory, or may be some disparate system (for example an X500 directory over LDAP, or an NT Domain). The Connector Manager is a set of customizable routines that can be used to quickly implement the desired synchronization functions.

Figure 22. Connector Manager

The Connector Manager tools are supplied pre-configured to provide synchronization of the Endpoint Encryption directory with alternate systems such as NT Domains, Active Directory, and Novell Netware NDS as a uni-directional process.

Support for alternate data stores is implemented on a customer basis. To discuss synchronization with other data stores please contact your McAfee representative.

Adding and Removing Connector Instances

You can add connectors to the Manager Tree simply by right-clicking the root node (Endpoint Encryption Connector Manager).

Add Connector

Creates a new connector instance. You can select from the available connector types, and give the connector a unique name.


Delete Connector

Deletes the selected connector from the tree. Any connected users will become “orphaned”, unconnected to any alternate system.

Rename Connector

You can rename a connector to a more descriptive name.

Service Mode

The Connector Manager uses the Windows Scheduled Task Service to run individual connectors at preset times and intervals. This happens automatically – you do not need to run a special version of the connector manager.

Scheduled tasks are enabled from the moment they are created.

Schedule and Log

Each connector has a schedule and log controlled through the Connector Manager. You can add periodic events to the schedule to control when each connector performs its activity. You can also set repeat intervals for the tasks.

To set the schedule for a connector, or change its log settings, simply click its name in the connector tree.

The activity of the connector is logged centrally to the Connector Manager. You can also specify that the log should be appended to a file as it is created.

Running Connectors Interactively

You can run a connector interactively from the Run Now tab. The connector will output a progress log of its activities.

Error Messages

For information on error messages generated by the Connector Manager, or one of its connectors – please see the Error Messages chapter.


NT Connector (NTCon)

The NT connector is designed to populate the Endpoint Encryption user list from an existing NT Domain. By specifying a server to synchronize with, the connector mines the domain user list, creating Endpoint Encryption user accounts for those domain users not found.

If a domain user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user.

The NT Connector needs to be run on either an NT4.0 Domain Server, or a Windows 2000 server / workstation, and needs access to the Endpoint Encryption Object Directory.

Summary of connected attributes

Domain user name

Used to create new Endpoint Encryption users. Also used in the Endpoint Encryption user-binding tab to maintain a connection to the domain user. If the domain user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box.

WARNING: If you delete an Endpoint Encryption user account, no files protected by only that Endpoint Encryption user id will be recoverable. We recommend you disable users only, and delete them manually.

Domain User Status

The Endpoint Encryption user status mirrors the domain user status: either enabled or disabled.

Domain User Logon Hours

The Endpoint Encryption user logon hours are set to match the domain user's.

Password Change

The ability to change the password is reflected in the Endpoint Encryption user account.

Full name

The domain user full name field is placed in the Endpoint Encryption user’s field list.

Description

The domain user description is placed in the Endpoint Encryption user’s field list.

Valid until

The expiry date of the domain account is placed in the Endpoint Encryption user valid until field.

Group Membership

On creation, logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all).

General Options

NT Server

Specify the server you want to obtain the user list from. You can use the local machine, or specify a domain server. Click the Servers button to obtain a list of machines accessible from this station.

Disable Users Only

If a user is deleted from the domain, their matched Endpoint Encryption account can be either deleted or disabled.

WARNING: If you delete an Endpoint Encryption user account, no files protected by only that Endpoint Encryption user id will be recoverable. We recommend you disable users only, and delete them manually.

Use Configuration Checksum

The connector can store a checksum of the domain configuration in the domain user comment. This negates the need to read the entire configuration each time a sync on the user occurs.

To use this option you need to run the connector on a primary or backup domain controller – you cannot use this option on a remote server.

Throttling

You can specify a delay between checking each user account to make the synchronization process more network-friendly.

NOTE: The domain password for a user account is not available to Endpoint Encryption; each new user will be created with the default password of “12345” – you should ensure that all Endpoint Encryption groups which receive new users from the NT Connector have the Change password if default attribute set.

Group Mappings

To ease the configuration of many synchronized domain users, you can map them to different Endpoint Encryption user groups based on their domain membership. As each domain account is checked, the NT Group Name fields are compared with the domain users’ memberships. The first match found causes NT Connector to create the user in the specified Endpoint Encryption user group.

By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a domain user list into Endpoint Encryption and have minimal configuration work left.

For example, if the following group mappings were specified:

NT group name    Endpoint Encryption group name
Domain Admins    NT Domain Admins
Domain Guests    NT Domain Guests
Sales            NT Domain Sales
Domain Users     NT Domain Users

A domain user with memberships of Domain Admins and Sales would be placed in the Endpoint Encryption user group NT Domain Admins. A user with membership to Domain Users and Sales would be placed in NT Domain Sales as it is listed first.

If you clear the Add user to default group tick box, and the NT user being checked does not belong to any of the specified groups, they will not be synchronized into the Endpoint Encryption directory.

User Information

You can specify which Endpoint Encryption information fields receive information from the domain account comment and description. You can also select the default behavior when new users are created.


LDAP Connector (LDAPCon)

LDAPCon is an optional connector designed to populate the Endpoint Encryption user list from an existing LDAP Protocol 1-3 Directory server. By specifying the directory to synchronize with, the connector mines the directory, creating Endpoint Encryption user accounts for directory users who meet certain pre-defined criteria. For information on purchasing these connectors please contact your McAfee representative.

If a directory user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. You can also make decisions to globally disable users based on any attribute using the excluded users function.

The v4.2.12+ versions of the LDAP Connector can also use certificates stored in the AD to create users who can logon to Endpoint Encryption applications using Smart Cards and eTokens. These “crypt-only” tokens do not have to be initialized for use with Endpoint Encryption, as the PKI certificates stored on them can be used without any initialization.

LDAPCon can run on Windows 2000, XP and Vista. It requires network access to both an Endpoint Encryption Server, and the directory server itself.

Summary of connected attributes

User name

Used to create new Endpoint Encryption users. Various directory attributes can be used to create the Endpoint Encryption user name. If the user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box.

WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint Encryption user’s key will be recoverable. We recommend you disable users only, and delete them manually.

User Status

The Endpoint Encryption user status mirrors the directory user status: either enabled or disabled.

User Logon Hours

The Endpoint Encryption user logon hours are set to match the directory user's.

Password Change

The ability to change the password is reflected in the Endpoint Encryption user account.

Information Fields

Up to 10 fields of information from the directory can be placed in the Endpoint Encryption user’s field list.

Valid until

The expiry date of the directory account is placed in the Endpoint Encryption user valid until field.

Group Membership

Logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all). Also, if certain changes happen to the directory user, their Endpoint Encryption group can be set to change accordingly.

General Options

Connection Details

Connection Name

A text description for this instance of the connector.

Host

The IP address, or DNS name, of the directory server you wish to connect to.

Port

The TCP/IP port that the target directory is publishing on. This is usually 389, or 636 for secure connections.

Use Secure Connection

This option is used to get full access to the directory. You may have to obtain a certificate from your directory manager. Use the Certificate button to point the connector to the appropriate .DER file.

Protocol Version

The LDAP Protocol version your directory supports – this is usually Version 3.

Use Secure Connection

This option allows you to specify a secure connection. It will change the port number to 636 (note: this is configurable). The Certificate... button will also activate and you can browse and select the right certificate from the Microsoft Certificate store.


Certificates are generated for particular users. Microsoft has removed the ability to specify a user logon in this instance; the encryption and logon is determined by the certificate.

Anonymous Login

If your directory supports anonymous login, check this box, otherwise complete the Logon Credentials section.

User DN

Enter the full distinguished name for the administrator’s account.

Password

Enter and confirm the password for the account you specified in the User DN field.

Search Settings

Base DN

The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your directory if you need to limit the scope of the connector.

Object Filter

Enter an appropriate filter to restrict the connector's view of objects in the directory. The default filter:

(&(objectClass=User)(!objectClass=Computer))

restricts the view to directory objects that are of class User and not of class Computer.

If you only need to synchronize a small segment of users from your directory to Endpoint Encryption, you can specify a detailed Object Filter – this will make the process more efficient by forcing the connector only to look at the users which are “interesting” to it. For example, to restrict the connector's view to users of the group Endpoint Encryption only, you could use a query like:

(&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))

Wherever you specify a search query, you must use the full parameters as accepted by the directory, so in the example above the memberOf parameter must match exactly that shown in the user. You can use an LDAP browser to see the correct attribute details.

Timeout

Specify the connection timeout for your directory.

Entry Limit

Specify the maximum number of objects to synchronize – this setting is useful when you need to test the behavior of the connector. For production use, set it to 0 (unlimited). Some directory servers may not accept this parameter.

Referrals

If your directory uses referrals, you can enable this feature in the connector.

Search Depth

You can limit the scope of the connector by reducing the section of the directory that is searched for users.

Monitor Changes

If your directory supports change logging, you can enable monitoring to enhance the performance of the connector. This sets up an asynchronous search on the directory server which reports when leaves are updated.

Search Groups

You can specify a list of DNs for group objects in your directory which contain members you wish to include in this connector's scope of operation. Search Groups takes precedence over the object filter specified in the Search Settings pane.

Attribute Types

Binary data attributes must be defined in this list before they can be used by the connector.

You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant.

For example, in the DN “CN=McAfee,CN=COM,FN=Fred”, if substring searching is enabled for DN, then “CN=COM” is a valid match.

Group Mappings

Group Mapping Information

To ease the configuration of many synchronized directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. As each directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per user causes the LDAPCon to create or assign the user in the specified Endpoint Encryption user group.

You can create new entries by double-clicking the table; by right-clicking an entry you can change its order, edit, or delete it.

By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a directory user list into Endpoint Encryption and have minimal configuration work left.

For example, if the following group mappings were specified:

Directory Organizational Unit (attribute value)   Endpoint Encryption group name   Directory service Attribute
OU=R&D                                            R&D                              distinguishedName
OU=Sales                                          Sales                            distinguishedName
OU=Support                                        Techsup                          distinguishedName
OU=Management                                     MT                               distinguishedName

A directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales as that clause comes first in the list.

By specifying the No Mapping Exists behavior you can select one of four options:

1. Use a defined group
2. Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).
3. Add the user to the default group
4. Ignore, Remove, Disable or Recycle the user

NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data. For information on this process.
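The first-match rule is the same for the NT Connector's Group Mappings (matching on domain group membership) and for the LDAPCon table above (matching on a chosen directory attribute), with distinguishedName being the one attribute matched on any fragment of its value. The following added example, which is not McAfee code, reproduces both tables from the guide and the four No Mapping Exists fall-backs; the attribute name memberOf for NT group membership, the user entries, and case-insensitive comparison are assumptions made for the example.

```python
from typing import Dict, List, Optional, Tuple

# One mapping row: (attribute inspected, value looked for, Endpoint Encryption group).
MappingRule = Tuple[str, str, str]
Entry = Dict[str, List[str]]

# distinguishedName is the special case: any fragment of the value may match.
# Every other attribute must match on its whole value.
FRAGMENT_MATCH_ATTRS = {"distinguishedname"}


def _lookup(entry: Entry, attr: str) -> List[str]:
    """Attribute names are compared case-insensitively (an assumption)."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def _value_matches(attr: str, wanted: str, actual: str) -> bool:
    # Assumption: values compare case-insensitively, as NT group names and DNs do.
    if attr.lower() in FRAGMENT_MATCH_ATTRS:
        return wanted.lower() in actual.lower()
    return wanted.lower() == actual.lower()


def first_matching_group(rules: List[MappingRule], user: Entry) -> Optional[str]:
    """Walk the table top to bottom; the first row whose value matches wins,
    however many later rows would also match."""
    for attr, wanted, group in rules:
        for actual in _lookup(user, attr):
            if _value_matches(attr, wanted, actual):
                return group
    return None


def resolve_group(rules: List[MappingRule], user: Entry,
                  no_mapping: str = "ignore", default_group: str = "Default") -> Optional[str]:
    """Apply the No Mapping Exists choice when no row matches:
      'defined:<group>'   1. use a defined group
      'attribute:<attr>'  2. a group named from one of the user's attributes
      'default'           3. add the user to the default group
      'ignore'            4. ignore the user (returns None: not synchronized)"""
    group = first_matching_group(rules, user)
    if group is not None:
        return group
    kind, _, arg = no_mapping.partition(":")
    if kind == "defined":
        return arg
    if kind == "attribute":
        values = _lookup(user, arg)
        return values[0] if values else None
    if kind == "default":
        return default_group
    return None


# The NT Connector table from the guide, in the order it is listed.
NT_RULES: List[MappingRule] = [
    ("memberOf", "Domain Admins", "NT Domain Admins"),
    ("memberOf", "Domain Guests", "NT Domain Guests"),
    ("memberOf", "Sales", "NT Domain Sales"),
    ("memberOf", "Domain Users", "NT Domain Users"),
]

# The LDAPCon table from the guide: an OU fragment of distinguishedName.
LDAP_RULES: List[MappingRule] = [
    ("distinguishedName", "OU=R&D", "R&D"),
    ("distinguishedName", "OU=Sales", "Sales"),
    ("distinguishedName", "OU=Support", "Techsup"),
    ("distinguishedName", "OU=Management", "MT"),
]

if __name__ == "__main__":
    # Constructed users, matching the two worked cases in the guide.
    print(first_matching_group(NT_RULES, {"memberOf": ["Domain Users", "Sales"]}))
    dn = "CN=Fred Bloggs,OU=Sales,OU=Support,DC=example,DC=com"
    print(first_matching_group(LDAP_RULES, {"distinguishedName": [dn]}))
```

Row order is the whole configuration: moving the Domain Users row above Sales in NT_RULES would silently send every Sales user to NT Domain Users, so review the order whenever a row is added.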

User Mapping

The LDAPCon has the ability to map up to 10 fields of information from the directory into the Endpoint Encryption Directory. A typical use of this feature would be security question-answer sessions to aid validation of a remote user. To add a new entry either double-click, or right-click on the input table.

If the directory attributes mapped to these Endpoint Encryption fields change, then the user’s Endpoint Encryption account will be updated accordingly.

New Users Password

When a new account is created in the Endpoint Encryption directory, the password will be set to the option specified. If you set the account to a random password, the user will need to be “recovered” or the account manually set to a known password before the user will be able to authenticate to Endpoint Encryption.

Removal Behavior

You can choose to either:

• Remove users from Endpoint Encryption if their account is removed from the directory.
• Disable them only.
• Ignore this event.

NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New Users Token

If you are using certificates, via for example Microsoft Certificate Server, you can allow your users to login to Endpoint Encryption using their existing Certificate Token, for example an Activcard, eToken, or Setec token. For information about the supported tokens please see the Tokens chapter of this guide.

Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user.

Search Endpoint Encryption for User Binding

Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users will be disabled, and the connector will expect to find the users pre-existing in the Endpoint Encryption directory. The connector will search for users with a binding which matches its identifier, and will only process those users.

You can use the Search Endpoint Encryption option to process directories which contain a large population of “uninteresting users”. If you can pre-seed the Endpoint Encryption directory with the names of the users, and appropriate binding information (for example using the scripting tool) you can greatly streamline the process.


User Attributes

The User Bindings tab is used to correlate the directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the directory is set up in a non-standard way.

Binding Attribute

The non-changing unique identifier for the user. This should be an item that is unique for that user, and unlikely to change for the existence of this account despite changes in surname or group membership.

Endpoint Encryption User name

An attribute used to create the Endpoint Encryption user name.

NOTE – Endpoint Encryption user ids are limited to 256 characters; you should not use an attribute that is likely to exceed this length.

Change Attribute

The directory attribute containing the account change stamp.

Logon Hours

The directory attribute containing the User Logon Hours information.

Account Control

The directory attribute containing the user account disabled/enabled information.

Account Expires

The directory attribute containing the account expiry date.

Delay between each user

You can limit the bandwidth that this connector consumes by putting a delay between each user synchronization.

Excluded Users

You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process.

You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users.

Revocation Check

If you are using certificates to authenticate your users, you can enable revocation checking to ensure that if certificates are revoked, the user is denied access to Endpoint Encryption. Specify the appropriate LDAP parameters for your published revocation list, and the behavior the connector should follow when revoking users.

Using Binary Data Attributes

In some circumstances you may want to use binary attributes to perform matching and group associations in the LDAPCon. The values for such attributes cannot be directly entered into the connector fields; they must be entered as escaped sequences.

To determine what values to add, use your LDAP Browser to view the data in the directory, for example:

In this schema, the attributes objectGUID and objectSid are binary attributes. If you wanted to manually link an existing Endpoint Encryption user to this directory user connecting via their objectGUID, you would need to assign the binding attribute to objectGUID in the Endpoint Encryption user’s User Bindings properties, and add a binding to LDAPConnector.username in their Endpoint Encryption profile which matched the escaped attribute value, and also define the attribute objectGUID as a binary data type in the Attribute Types list in general options.

Figure 15‐23. Connector Binding with Escaped Value 
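The escaped form itself appears only in the figure above, which is not reproduced here. The following added example, which is not McAfee code, assumes the connector uses the RFC 4515 convention of one backslash and two hex digits per byte; it also decodes an objectGUID and an objectSid into the textual forms an LDAP browser displays, so you can confirm that the value you escaped is the one you meant. The GUID and SID values are constructed for the example.

```python
import struct
import uuid


def escape_binary(value: bytes) -> str:
    """RFC 4515 form: every byte becomes a backslash and two hex digits.
    Assumed here to be the escaped form the connector expects for binary values."""
    return "".join(f"\\{b:02x}" for b in value)


def unescape_binary(text: str) -> bytes:
    """Inverse of escape_binary, useful for checking a value you have typed."""
    if len(text) % 3 or any(text[i] != "\\" for i in range(0, len(text), 3)):
        raise ValueError("expected an unbroken run of \\xx escapes")
    return bytes(int(text[i + 1:i + 3], 16) for i in range(0, len(text), 3))


def guid_to_text(raw: bytes) -> str:
    """objectGUID as AD tools display it. The first three fields are stored
    little-endian, which uuid.UUID(bytes_le=...) accounts for."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def sid_to_text(raw: bytes) -> str:
    """objectSid to the S-R-A-S1-S2... form: revision byte, sub-authority count,
    48-bit big-endian identifier authority, then little-endian 32-bit
    sub-authorities."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    guid = bytes(range(16))
    # The well-known BUILTIN\Administrators SID, S-1-5-32-544, in binary form.
    sid = bytes.fromhex("01020000000000052000000020020000")
    print(guid_to_text(guid), escape_binary(guid))
    print(sid_to_text(sid), escape_binary(sid))
```

Because the GUID's textual form reorders bytes, copying the displayed GUID and escaping it character by character produces a value the connector will never match; escape the raw bytes instead, as the first function does.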

LDAP Browser from Softerra

When configuring the LDAPCon, it is highly desirable to view the Netware Directory in its unadulterated, raw, LDAP state. To do this we strongly recommend the free tool LDAP Browser from Softerra (http://www.ldapbrowser.com). This tool may be found on your Endpoint Encryption CD, or included on the Endpoint Encryption Enterprise CD in the Tools directory.


Connecting to your Directory using LDAP Browser

To connect LDAP Browser to your directory, you will need to know its IP or DNS name, and have a valid administrative account to access the data with.

Create a new entry in LDAP Browser for your directory server. You may not need to enter a Base DN, but will need the full distinguished name for your administration account.

Once you have successfully connected to your Netware Directory, you can start browsing the information to check the appropriate fields to use for the LDAPCon.

Choosing the correct fields for Synchronization

The exact settings used in any particular installation of LDAPCon are particular to each installation; in most cases the default settings are appropriate for general use, although some customization can be performed, especially when considering custom user to Endpoint Encryption group mapping, and custom exclusion of users.

In the case of the user whose properties are listed above, it can be seen that there are multiple objectClass attributes – these could be used to make a decision on their mapping to Endpoint Encryption groups (by using the Group Information fields).

Also, it can be seen that any of the attributes cn, givenName, sn could be used to populate the Endpoint Encryption Username, although some of these may result in collisions with other similarly named users.

Attributes such as groupMembership or securityEquals could also be used to map a user to a group, or to exclude a particular user from the synchronization process.

NOTE: the distinguishedName attribute is treated as a special case when matching values – any fragment of the value can be matched. All other attributes are matched on their entire value. This attribute may not be displayed in a browser window, but exists internally.


Active Directory Connector (ADCon)

ADCon is an optional connector designed to populate the Endpoint Encryption user list from an existing Microsoft Active Directory. By specifying an Active Directory to synchronize with, the connector mines the directory, creating Endpoint Encryption user accounts for Active Directory users who meet certain pre-defined criteria, and continuously updating their policy to match that stored in the AD. For information on purchasing ADCon please contact your McAfee representative.

If an Active Directory user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. You can also make decisions to globally disable users based on any attribute using the excluded users function.

The v4.2.12+ versions of the Active Directory Connector can also use certificates stored in the AD to create users who can logon to Endpoint Encryption applications using Smart Cards and eTokens. These “crypt-only” tokens do not have to be initialized for use with Endpoint Encryption, as the PKI certificates stored on them can be used without any initialization.

ADCon can run on Windows 2000, XP and Vista. It requires network access to both an Endpoint Encryption Server, and the Active Directory itself.

Summary of connected attributes

Active Directory User name

Used to create new Endpoint Encryption users. Various Active Directory attributes can be used to create the Endpoint Encryption user name. If the Active Directory user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box.

WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint Encryption user’s key will be recoverable. We recommend you disable users only, and delete them manually.

Active Directory User Status

The Endpoint Encryption user status mirrors the Active Directory user status: either enabled or disabled.

Active Directory User Logon Hours

The Endpoint Encryption user logon hours are set to match the Active Directory users’.


Password Change

The ability to change the password is reflected in the Endpoint Encryption user account.

Information Fields

Up to 10 fields of information from the Active Directory can be placed in the Endpoint Encryption user’s field list.

Valid until

The expiry date of the Active Directory account is placed in the Endpoint Encryption user valid until field.

Group Membership

Logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all). Also, if certain changes happen to the Active Directory user, their Endpoint Encryption group can be set to change accordingly.

General Options

Connection Details

Connection Name

A text description for this instance of the connector.

Host

The IP address, or DNS name, of the Active Directory Server you wish to connect to.

Port

The TCP/IP port that the target Active Directory is publishing on. This is usually 389.

Protocol Version

The LDAP Protocol version your Active Directory connector supports – this is usually Version 3.

Use Secure Connection

This option allows you to specify a secure connection. It will change the port number to 636 (note: this is configurable).

Anonymous Login

If your Active Directory supports anonymous login, check this box, otherwise complete the Logon Credentials section. The account name you use to authenticate to the AD must have full view access of the full set of user attributes you want to synchronize with.

User DN

Enter the full distinguished name for the AD administrator’s account, or the account you intend to use the connector with. You can find this by contacting your AD Administrator. You can also specify the user name in a fully qualified AD format, for example, [email protected].

Password

Enter and confirm the password for the account you specified in the User DN field.

Search Settings

Search Settings define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later on in this chapter.

You can also use Search Groups to define which users the connector processes; for more information, see the next section.

NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence.

Base DN

The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your Active Directory if you need to limit the scope of the connector.

Object Filter

Enter an appropriate filter to restrict the connector’s view of objects in the directory. The default filter:

(&(objectClass=User)(!objectClass=Computer))

restricts the view to directory objects that are of class User and not of class Computer.

If you only need to synchronize a small segment of users from the AD to Endpoint Encryption, you can specify a detailed Object Filter – this will make the process more efficient by forcing the connector to look only at the users which are “interesting” to it.

For example, to restrict the connector’s view to users of the group Endpoint Encryption only, you could use a query like:

(&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))

Wherever you specify a search query, you must use the full parameters as accepted by the AD, so in the example above the memberOf parameter must match exactly that shown in the user. You can use an LDAP browser to see the correct attribute details.
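The two filters above, run as an added example that is not code from the McAfee guide or the ADCon product: a small Python evaluator for LDAP search filters applied to constructed directory entries. It accepts both the guide’s spelling of the negated term, (!objectClass=Computer), and the RFC 4515 form (!(objectClass=Computer)). The entries, DNs and group names are constructed; the computer entry carries objectClass user as well as computer, which is the reason the default filter needs the negated term, and the last check shows why a shortened memberOf value matches nothing.

```python
# Added example, not code from the McAfee guide or the ADCon product: evaluate
# LDAP search filters against constructed directory entries.


def parse_filter(text):
    """Parse a search filter into a tree:
       ('&', [children]) / ('|', [children]) / ('!', [child]) / ('=', attr, value).
    RFC 4515 writes negation as (!(attr=value)); the guide writes (!attr=value),
    so both spellings are accepted."""
    pos = 0

    def take(char):
        nonlocal pos
        if pos >= len(text) or text[pos] != char:
            raise ValueError(f"expected {char!r} at offset {pos} in {text!r}")
        pos += 1

    def simple():
        nonlocal pos
        # ')' inside a value must be escaped as \29, so the next ')' ends the item.
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad item {text[pos:end]!r}")
        pos = end
        return ("=", attr.strip(), value)

    def node():
        nonlocal pos
        take("(")
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            result = (op, children)
        elif op == "!":
            pos += 1
            child = node() if pos < len(text) and text[pos] == "(" else simple()
            result = ("!", [child])
        else:
            result = simple()
        take(")")
        return result

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters after offset {pos}")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict: attribute -> str or list).
    Attribute names and values compare case-insensitively, which is how AD treats
    objectClass and DN-valued attributes such as memberOf."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, wanted = tree
    for name, values in entry.items():
        if name.lower() == attr.lower():
            values = values if isinstance(values, list) else [values]
            return wanted == "*" or any(v.lower() == wanted.lower() for v in values)
    return False  # attribute absent: presence and equality tests both fail


# Constructed sample entries. The computer object lists objectClass "user" as
# well as "computer" (computer is a subclass of user in the AD schema), which is
# why the default filter needs the negated term.
DIRECTORY = [
    {"distinguishedName": "CN=Fred Bloggs,OU=Sales,DC=cbi,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "memberOf": ["CN=McAfee,OU=Uk,DC=cbi,DC=com", "CN=Sales,OU=Uk,DC=cbi,DC=com"]},
    {"distinguishedName": "CN=Anne Other,OU=Support,DC=cbi,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "memberOf": ["CN=Support,OU=Uk,DC=cbi,DC=com"]},
    {"distinguishedName": "CN=LAPTOP01,OU=Workstations,DC=cbi,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "memberOf": ["CN=McAfee,OU=Uk,DC=cbi,DC=com"]},
]

DEFAULT_FILTER = "(&(objectClass=User)(!objectClass=Computer))"
GROUP_FILTER = ("(&(objectClass=user)(!objectClass=computer)"
                "(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))")


def select(filter_text, entries=DIRECTORY):
    """Return the DNs of the entries the connector would see under this filter."""
    tree = parse_filter(filter_text)
    return [e["distinguishedName"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for f in (DEFAULT_FILTER, GROUP_FILTER, "(memberOf=CN=McAfee)"):
        print(f, "->", select(f))
```

The third filter in the usage block, with the memberOf value cut short, selects nobody: equality on a non-DN fragment is an exact comparison, which is the point the paragraph above makes about using the full attribute value as the directory shows it.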

Timeout

Specify the connection timeout for your Active Directory.

Entry Limit

Specify the maximum number of objects to synchronize – this setting is useful when you need to test the behavior of the connector. For production use, set it to 0 (unlimited). Some versions of Active Directory may not accept this parameter.

Referrals

If your Active Directory uses referrals, you can enable this feature in the connector.

Search Depth

You can limit the scope of the connector by reducing the section of the directory that is searched for users.

Monitor Changes

If your Active Directory supports change logging, you can enable monitoring to enhance the performance of the connector. This sets up an asynchronous search on the Active Directory server which reports when leaves are updated. The Active Directory search monitoring cannot take account of complex Object Filters; if you need to specify more criteria than the default to prevent the monitor returning unwanted users, you can edit the Connector Manager Settings file manually, adding entries in the following section:

UserValid0.DSAttrib=objectClass
UserValidity0.AttribVal=user
UserValid1.DSAttrib=objectCategory
UserValidity1.AttribVal=CN=Person
UserValid2.DSAttrib=memberOf
UserValidity2.AttribVal='full memberOf attribute'

Search Groups

Search Groups define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later on in this chapter.

You can also use Search Settings to define which users the connector processes; for more information, see the previous section.

NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence.

With Search Groups you can specify the DNs of a list of group objects from your AD. The connector will then retrieve all the members from the specified groups (and any groups contained within), then individually process the derived user list.

This method can be more efficient than the Search Settings method if the population of users that need to be synchronized is defined in a small number of groups. If the users can be identified through another attribute, or are all within certain OUs, Search Settings may be more appropriate.

NOTE: Search Groups can only be used with true LDAP groups (i.e. objects containing “members”). You cannot use this method with OUs.
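The member expansion this section describes, as an added example that is not McAfee’s code: starting from the configured group DNs, collect the members, descend into nested groups, and stop on membership cycles (which Active Directory permits). The group DNs and members are constructed; a starting DN that is not a group raises, matching the note above about OUs.

```python
# Added example, not code from the McAfee guide or product: expand Search Groups
# into a user list, following nested groups and tolerating membership cycles.

# Constructed sample: group DN -> member DNs (users or other groups).
GROUPS = {
    "CN=EE-Users,OU=Groups,DC=cbi,DC=com": [
        "CN=Fred Bloggs,OU=Sales,DC=cbi,DC=com",
        "CN=Sales,OU=Groups,DC=cbi,DC=com",
    ],
    "CN=Sales,OU=Groups,DC=cbi,DC=com": [
        "CN=Anne Other,OU=Sales,DC=cbi,DC=com",
        "CN=Fred Bloggs,OU=Sales,DC=cbi,DC=com",   # already seen via EE-Users
        "CN=EE-Users,OU=Groups,DC=cbi,DC=com",     # nested back: a cycle
    ],
}


def expand_search_groups(group_dns, groups=GROUPS):
    """Return the distinct user DNs reachable from group_dns, in first-seen order.

    A member that is itself a key of `groups` is a nested group and is expanded;
    anything else is treated as a user. DNs compare case-insensitively. The
    `visited` set stops cycles (A contains B contains A). A starting DN that is
    not a group object (for example an OU) raises ValueError, as Search Groups
    only work with true group objects."""
    by_key = {dn.lower(): members for dn, members in groups.items()}
    for dn in group_dns:
        if dn.lower() not in by_key:
            raise ValueError(f"{dn} is not a group object")
    users, seen_users, visited = [], set(), set()
    pending = list(reversed(group_dns))        # stack; pop() keeps input order
    while pending:
        dn = pending.pop()
        key = dn.lower()
        if key in visited:
            continue
        visited.add(key)
        for member in by_key[key]:
            mkey = member.lower()
            if mkey in by_key:
                pending.append(member)         # nested group: expand later
            elif mkey not in seen_users:
                seen_users.add(mkey)
                users.append(member)
    return users


if __name__ == "__main__":
    print(expand_search_groups(["CN=EE-Users,OU=Groups,DC=cbi,DC=com"]))
```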

Attribute Types

Binary data attributes must be defined in this list before they can be used by the AD connector.

You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant.

For example, in the DN CN=McAfee,CN=COM,FN=Fred, if substring searching is enabled for DN, then CN=COM is a valid match.

Group Mapping

Group Information

To ease the configuration of many synchronized Active Directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. As each Active Directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per user causes the ADCon to create or assign the user in the specified Endpoint Encryption user group.

You can create new entries by double-clicking the table; by right-clicking an entry you can change its order, edit it, or delete it.

By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize an Active Directory user list into Endpoint Encryption and have minimal configuration work left.

For example, if the following group mappings were specified:

Active Directory Organizational Unit (attribute value) | Endpoint Encryption group name | Directory service attribute
OU=R&D        | R&D     | distinguishedName
OU=Sales      | Sales   | distinguishedName
OU=Support    | Techsup | distinguishedName
OU=Management | MT      | distinguishedName

An Active Directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales, as that clause comes first in the list.

You can use any attribute of the user to map, for example their DN, or a group membership.

By specifying the No Mapping Exists behavior you can select one of four options:

• Use a defined group

• Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).

• Add the user to the default group

• Ignore, Remove, Disable or Recycle the user

NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data.
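The first-match rule over the table above, as an added example that is not McAfee’s code. It also implements the matching rule given under Attribute Types and restated later in this chapter: distinguishedName matches on any fragment of its value, every other attribute on its entire value. The OU rows are copied from the table; the memberOf table, the user entries and the No Mapping Exists placeholder are constructed.

```python
# Added example, not code from the McAfee guide or product: first-match group
# mapping with distinguishedName matched on any fragment and every other
# attribute on its whole value.

# Rows copied from the example table: (attribute value, EE group, directory attribute).
OU_MAPPINGS = [
    ("OU=R&D", "R&D", "distinguishedName"),
    ("OU=Sales", "Sales", "distinguishedName"),
    ("OU=Support", "Techsup", "distinguishedName"),
    ("OU=Management", "MT", "distinguishedName"),
]

# Constructed alternative table keyed on group membership instead of the OU.
MEMBEROF_MAPPINGS = [
    ("CN=Sales,OU=Groups,DC=cbi,DC=com", "Sales", "memberOf"),
    ("CN=Support,OU=Groups,DC=cbi,DC=com", "Techsup", "memberOf"),
]


def attribute_matches(entry, attribute, wanted):
    """True if `wanted` matches the entry's attribute. distinguishedName is the
    special case where any fragment of the value may match; every other attribute
    must match on its entire value (any value of a multi-valued attribute).
    Comparison is case-insensitive, as AD's DN matching is."""
    values = next((v for k, v in entry.items() if k.lower() == attribute.lower()), None)
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    w = wanted.lower()
    if attribute.lower() == "distinguishedname":
        # Fragment match: note that "OU=Sales" also matches "OU=Sales Support",
        # so order the rows and choose fragments with that in mind.
        return any(w in v.lower() for v in values)
    return any(w == v.lower() for v in values)


def map_user_group(entry, mappings, no_mapping="<No Mapping Exists behavior>"):
    """Return the Endpoint Encryption group from the first matching row, else the
    configured No Mapping Exists outcome (a placeholder string here)."""
    for wanted, ee_group, attribute in mappings:
        if attribute_matches(entry, attribute, wanted):
            return ee_group
    return no_mapping


# Constructed users.
FRED = {"distinguishedName": "CN=Fred Bloggs,OU=Sales,DC=cbi,DC=com",
        "memberOf": ["CN=Sales,OU=Groups,DC=cbi,DC=com"]}
ANNE = {"distinguishedName": "CN=Anne Other,OU=Support,DC=cbi,DC=com",
        "memberOf": ["CN=Support,OU=Groups,DC=cbi,DC=com",
                     "CN=Sales,OU=Groups,DC=cbi,DC=com"]}
GUEST = {"distinguishedName": "CN=Guest,CN=Users,DC=cbi,DC=com", "memberOf": []}

if __name__ == "__main__":
    for user in (FRED, ANNE, GUEST):
        print(user["distinguishedName"], "->",
              map_user_group(user, OU_MAPPINGS), "/", map_user_group(user, MEMBEROF_MAPPINGS))
```

Anne is a member of both Sales and Support: under the memberOf table she lands in Sales because that row comes first, while under the OU table her DN fragment OU=Support puts her in Techsup, which is the row-order effect the paragraph above describes.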

User Information

User Mapping

The ADCon has the ability to map up to 10 fields of information from the Active Directory into the Endpoint Encryption Directory. A typical use of this feature would be security question-answer sessions to aid validation of a remote user. To add a new entry either double click, or right click on the input table.

If the Active Directory attributes mapped to these Endpoint Encryption fields change, then the users’ Endpoint Encryption account will be updated accordingly.

New Users Password

When a new account is created in the Endpoint Encryption directory, the password will be set to the option specified. If you set the account to a random password, the user will need to be “recovered” or the account manually set to a known password before the user will be able to authenticate to Endpoint Encryption.

Removal Behavior

You can choose to remove users from Endpoint Encryption if their account is removed from the Active Directory, disable them only, or ignore this event.

NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New Users Token

If you are using certificates, via for example Microsoft Certificate Server, you can allow your users to log in to Endpoint Encryption using their existing certificate token, for example an Activcard, eToken, or Setec token. For information about the supported tokens please see the Tokens chapter of this guide.

Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user.

Search Endpoint Encryption for User Binding

Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users will be disabled, and the connector will expect to find the users pre-existing in the Endpoint Encryption directory. The connector will search for users with a binding which matches its identifier, and will only process those users.

You can use the Search Endpoint Encryption option to process directories which contain a large population of “uninteresting users”. If you can pre-seed the Endpoint Encryption directory with the names of the users, and appropriate binding information (for example using the scripting tool), you can greatly streamline the process.

User Attributes

The User Bindings tab is used to correlate the Active Directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the Active Directory is set up in a non-standard way.

Binding Attribute

The non-changing unique identifier for the user. This should be an item that is unique for that user, and unlikely to change for the existence of this account despite changes in surname or group membership.

Endpoint Encryption User name

An attribute used to create the Endpoint Encryption user name.

NOTE: Endpoint Encryption user IDs are limited to 256 characters; you should not use an attribute that is likely to exceed this length.

Change Attribute

The Active Directory attribute containing the account change stamp.

Logon Hours

The Active Directory attribute containing the User Logon Hours information.

Account Control

The Active Directory attribute containing the user account disabled/enabled information.

Account Expires

The Active Directory attribute containing the account expiry date.

Delay between each user

You can limit the bandwidth that this connector consumes by putting a delay between each user synchronization.

Excluded Users

You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process.

You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users.

Revocation Check

If you are using certificates to authenticate your users, you can enable revocation checking to ensure that if certificates are revoked, the user is denied access to Endpoint Encryption. Specify the appropriate LDAP parameters for your published revocation list, and the behaviour the connector should follow when revoking users.

Using Binary Data Attributes

In some circumstances you may want to use binary attributes to perform matching and group associations in the ADCon. The values for such attributes cannot be directly entered into the connector fields; they must be entered as “escaped” sequences. To determine what values to add, use your LDAP Browser to view the data in the Active Directory.

In this schema, the attributes objectGUID and objectSid are binary attributes. If you wanted to manually link an existing Endpoint Encryption user to this Active Directory user via their objectGUID, you would need to assign the binding attribute to objectGUID in the Endpoint Encryption user’s User Bindings properties, add a binding to ADConnector.username in their Endpoint Encryption profile which matched the escaped attribute value, and also define the attribute objectGUID as a binary data type in the Attribute Types list in general options.
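Working with the two binary attributes named above, as an added example that is not McAfee’s code. The guide does not show the escape syntax ADCon expects, so the example assumes the RFC 4515 filter escaping (one \xx per byte) that LDAP search filters accept; compare the result with what your LDAP browser displays before entering a value. It also shows the byte-order trap in objectGUID and decodes an objectSid to its S-1-5-... form so a value seen in the browser can be recognised. The GUID and SID values are constructed.

```python
# Added example, not code from the McAfee guide or product. The \xx escaping is
# the RFC 4515 filter form and is an assumption about what ADCon expects.
import uuid


def escape_binary(data):
    """bytes -> '\\xx\\yy...' (lower-case hex, one escape per byte)."""
    return "".join(f"\\{b:02x}" for b in data)


def unescape_binary(text):
    """Inverse of escape_binary; rejects anything that is not a run of \\xx escapes."""
    if len(text) % 3 or any(text[i] != "\\" for i in range(0, len(text), 3)):
        raise ValueError("expected a run of \\xx escapes")
    return bytes(int(text[i + 1:i + 3], 16) for i in range(0, len(text), 3))


def guid_to_escaped(guid_text):
    """objectGUID holds the GUID's 16 bytes in the mixed-endian layout that
    uuid exposes as bytes_le, so the dashed text form must be converted with
    bytes_le rather than bytes or the value will never match."""
    return escape_binary(uuid.UUID(guid_text).bytes_le)


def escaped_to_guid(text):
    """Escaped objectGUID bytes back to the dashed text form."""
    return str(uuid.UUID(bytes_le=unescape_binary(text)))


def sid_to_string(sid):
    """Decode a binary objectSid to S-R-A-S1-S2... text: revision byte, count byte,
    48-bit big-endian identifier authority, then `count` little-endian 32-bit
    sub-authorities. The count is checked against the length before decoding."""
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(sid[2:8], "big")
    subs = [int.from_bytes(sid[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


# Constructed sample values (not from any real directory).
SAMPLE_GUID = "12345678-1234-5678-9abc-def012345678"
SAMPLE_SID = bytes.fromhex("0104000000000005" "15000000" "01000000" "02000000" "e9030000")

if __name__ == "__main__":
    print(guid_to_escaped(SAMPLE_GUID))
    print(sid_to_string(SAMPLE_SID))
```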

LDAP Browser from Softerra

When configuring the ADCon, it is highly desirable to view the Active Directory in its unadulterated, raw, LDAP state. To do this we strongly recommend the free tool LDAP Browser from Softerra (http://www.ldapbrowser.com). This tool may be found on your ADCon CD, or included on the Endpoint Encryption Enterprise CD in the Tools directory.

Connecting to your Active Directory using LDAP Browser

To connect LDAP Browser to your Active Directory, you will need to know its IP or DNS name, and have a valid administrative account to access the data with.

Create a new entry in LDAP Browser. For Microsoft Active Directory, you may not need to enter a Base DN, but you will need the full distinguished name for your administration account.

Typical properties of an Active Directory connection are:

Once you have successfully connected to your Active Directory, you can start browsing the information to check the appropriate fields to use for the ADCon.

Choosing the correct fields for Synchronization

The exact settings used in any particular installation of ADCon are particular to each installation; in most cases the default settings are appropriate for general use, although some customization can be performed, especially when considering custom user to Endpoint Encryption group mapping, and custom exclusion of users.

In the case of the user whose properties are listed above, it can be seen that there are multiple memberOf attributes – these could be used to make a decision on their mapping to Endpoint Encryption groups (by using the Group Information fields).

Also, it can be seen that any of the attributes userPrincipalName, sn, sAMAccountName, name, givenName, or cn could be used to populate the Endpoint Encryption Username, although some of these may result in “collisions” with other similarly named users.

Attributes such as memberOf or distinguishedName could also be used to map a user to a group, or to exclude a particular user from the synchronization process.

NOTE: The distinguishedName attribute is treated as a special case when matching values – any fragment of the value can be matched. All other attributes are matched on their entire value.

Endpoint Encryption webHelpdesk Server

Endpoint Encryption webHelpdesk Server allows Endpoint Encryption administrators and users to perform password reset functions (the Endpoint Encryption Challenge Response system) via a web interface.

About Endpoint Encryption HTTP Server

Figure 24. webHelpdesk / webRecovery

The normal recovery interface requires the administrator to have access to an Endpoint Encryption Manager console. In some environments this may not be practical; in this case the Endpoint Encryption webHelpdesk Server can be used to present the same recovery interface via a web browser.

webRecovery

A further enhancement available with the Endpoint Encryption webHelpdesk Server is the ability for users to reset their own passwords - this is an optional service which allows users, after pre-registering, to drive the challenge/response system themselves simply by providing the correct answers to a selection of pre-registered questions.

Figure 25. webRecovery Registration Questions

The Endpoint Encryption webHelpdesk server is a dedicated SSL (Secure Sockets Layer) web server, customised to protect against known web server attacks. It is stand-alone and does not require Microsoft IIS, or any other web services, to be installed on the hosting computer.

Remote Password Change

As a final option, you can also change a user’s password directly within the Endpoint Encryption database using the Reset User’s Password option. This allows administrators to set new passwords for other administrators and users, without going through the recovery process.

Pre-Requisites

To install this component, you will need a pre-configured Endpoint Encryption Manager at version 4.2 or above. You can check the version of Endpoint Encryption you are using through “Help/About/Modules”.

Endpoint Encryption HTTP Server is designed to function on Windows 2000/XP only and does not use any other internet services. We strongly advise that Microsoft IIS is not used on the same computer as an Endpoint Encryption Manager system or database, for security reasons.

Because Endpoint Encryption webHelpdesk Server uses HTTPS, you will need to provide it with a suitable SSL certificate. You can purchase one of these from Endpoint Encryption, or from other certificate vendors.

Password Expiration Warning

The Web Helpdesk administration and support passwords will not expire without a prior warning. The time of this warning can be set in the User → Properties → Passwords screen of the Endpoint Encryption Manager.

Activating Endpoint Encryption webHelpdesk

Once installed you can start the Endpoint Encryption webHelpdesk server with the following command prompt command, or from the services manager:

sbhttp -startservice

The service can be correspondingly stopped either using the system service manager, or with:

sbhttp -stopservice

The service will not start correctly until you have installed an SSL certificate.

Installing a SSL Certificate

You must install an SSL certificate before the server will run correctly. To do this use Microsoft’s MMC console: Start → Run → MMC, and add a Certificates plugin for the Endpoint Encryption HTTP Server service on Local Computer. Import a Server Authentication certificate into the Personal certificate store for the service. If you are using an Endpoint Encryption certificate, you can also import the Endpoint Encryption root CA cert into the Trusted Root Certification Authorities store, either for the Endpoint Encryption service, Local Computer, or Local User.

1. Open the MMC Console: Start → Run → MMC.

2. Click File and then Add/Remove Snap-in…

3. Click Add from the Standalone tab.

4. Select Certificates from the Add Standalone Snap-in dialog. This will add the Certificates option to the Console. See screenshot overleaf.

5. Click the Endpoint Encryption HttpServer\Personal option and then select the Certificates folder inside it.

6. Right-click in the right hand pane and select All Tasks followed by Import.

7. Browse until you find the certificate files (*.cer, *.crt, *.pfx).

8. Click the Place all certificates in the following store option (EndpointEncryptionHttpServer\Personal).

9. Click Next followed by Finish to add the certificate.

10. Follow the same procedure for other certificates.

If the certificate you are using is allocated to the same machine name that you are running the server on, once you have installed it you can restart the service using one of the following commands or the system service manager:

net start “Endpoint Encryption HTTP Server”

sbhttp -startservice

If the certificate has a different name then the server will not start and will log a Certificate Not Found error. You can edit the section

[Configuration]
Server.Ssl.CertName=Name of the cert

in the file SBHTTP.ini to point to the machine name registered in the cert.

Endpoint Encryption ships with an evaluation server certificate with the name “127.0.0.1.pfx” and password “12345” which can be found in the Tools directory of your Endpoint Encryption CD. You can purchase a full cert from CBI, or use one from a third party certificate provider.

NOTE - if you use a mismatched site/machine/cert name, then users and administrators will be warned that the certificate is invalid every time they access the recovery web site.

Configuring the webHelpdesk Server

Once you have installed the program, added a certificate, and restarted the service, you can log on to the webHelpdesk server and configure it to talk to an Endpoint Encryption Object Directory, or edit SBHTTP.ini directly. The address is https://127.0.0.1 or https://<server DNS name>.

The server uses the same connection details as Endpoint Encryption administrator; any connection type specified in the login box for Endpoint Encryption can be used.

To configure the connection, click the Administrators section link and then click Configure Endpoint Encryption HTTP Server. You will need to log in with a user ID which has Endpoint Encryption Start Server as Service rights.

Figure 26. Configuring the Endpoint Encryption HTTP Server

Server Name

A logical name used to identify the server.

Port

The port the server should expose the interface on (usually 443).

Server Certificate Name

The machine name specified in the SSL certificate.

Log File

A path/name for the server diagnostic log.

Logon Timeout

A time (in minutes) to keep inactive Administrator connections authenticated for (usually 5 minutes).

WARNING: when you configure the webHelpdesk server you will need to close the browser and restart the webRecovery server for the changes to take effect.

Configuring webRecovery

Figure 27. Configuring webRecovery

You configure the user webRecovery server via its web interface. You can specify a number of questions (1-10) to be registered, and the number to be answered to authenticate the user for self recovery. The questions can be changed by editing the SBWebRec.ini file. The user name and password you log in with to configure webRecovery are stored in sbwebrec.ini and used for future sessions.

NOTE: You must log in to webRecovery at least once to set up its initial parameters – if you do not, users will not be able to reset their password and will receive db010010 Object Not Found messages.

WARNING: when you configure the webHelpdesk server you will need to close the browser and restart the webRecovery server for the changes to take effect.

Questions and answers are stored as pairs in the user’s Endpoint Encryption profile, so you can safely change the questions at any time. This will not prevent users with out-of-date questions from recovering their password.

Recovering Users using webHelpdesk

Warning: webHelpdesk cannot be used for resetting or changing the PIN codes of smart cards.

With Challenge-Response

After navigating in to the helpdesk operators section of the web helpdesk, choosing either to reset an Endpoint Encryption or a pocket Endpoint Encryption system, and logging in using their Endpoint Encryption ID and password, the operator is presented with the webHelpDesk User Challenge screen.

Figure 28. webHelpdesk Challenge Screen

The helpdesk operator enters the challenge from the user’s screen (the user reads it to the helpdesk operator over the telephone), and selects the action they want to perform, for example Reset User’s Password, followed by the Next button.

Reset User’s Password

Selecting this action will reset a user’s forgotten password.

Unlock User

This option will unlock a user whose account has become locked.

Change Token

This option allows you to change the authentication token for the user. Choose from the drop down list.

4.2 SP1 + Create Token

This action allows you to create a token for version 4.2 of Endpoint Encryption (SafeBoot).

Boot Machine Once

This option will reboot the machine.

Cancel Screen Saver

This action will cancel the Endpoint Encryption screen saver.

Bypass Preboot Authentication

This action will skip the authentication option and log the user into Windows. The user can then change their Windows password and allow the synchronization and single-sign-on processes to follow through.

Figure 29. webHelpdesk response screen

If the challenge was entered correctly, a response page is displayed which gives the operator the correct recovery code to read out to the user, which will perform the selected operation (in this case, reset their password to “12345”). The page also displays user information which can be used to check the authenticity of the user: the helpdesk operator can ask the user, e.g. What is your mother’s maiden name? and then check the answer.

Various Endpoint Encryption applications, such as Endpoint Encryption for Files and Folders, Endpoint Encryption for PC etc., can be recovered using this system.

By Directly Changing their Password

From the main page, select the Reset User’s Password button. You will then be forced to authenticate using your normal Endpoint Encryption administrator ID and password.

You will next be presented with a simple form which allows you to specify a user ID, and their new password (and password confirmation). As long as the administrator performing the change has greater admin rights than the user being reset, the new password will be applied.

Figure 30. webRecovery Reset Password

User self recovery - webRecovery

Figure 31. webRecovery main screen

The webRecovery interface allows users to reset their own forgotten passwords for Endpoint Encryption on PCs once they have pre-registered with the service. Users register a variable number of answers to pre-set questions; they are required to recall the correct answers to authenticate themselves to get their password reset. It is not as secure as the helpdesk driven recovery service, as it’s quite possible for users to enter simple or trivial information for their recovery questions, but it has the advantage that it can operate 24x7 without human interaction.

Registering for webRecovery

Before users can reset their own passwords, they must register a number of questions and answers that they use to prove their identity to the system using the recovery interface. They must also have the Allow webRecovery option ticked in their Token properties. See the Creating and Configuring Users chapter.

After clicking the Register button, users need to log in with their current Endpoint Encryption ID and password.

Figure 32. webRecovery Registration

NOTE: If users do not know their password at this time, they will have to call their Endpoint Encryption helpdesk and get their password reset using one of the helpdesk driven mechanisms.

Figure 33. webRecovery registration questions

Once they have registered their preferred questions and answers, they are free to use the recovery service if they forget their password.

Recovery using webRecovery

To use the webRecovery service, the user who has forgotten their password simply accesses the HTTP Server via a web terminal, perhaps in an internet café, and clicks the Reset Password button. They then enter the challenge that is displayed on their Endpoint Encryption screen.

Figure 34. webRecovery challenge screen

If the challenge is correct, they will be asked to enter the correct answers for a selection of their registered questions, and if these are correct, the user is presented with the response to type back into their Endpoint Encryption boot screen.
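The registration and answer-checking steps described under Configuring webRecovery (a configured number of questions from 1 to 10 to register, a smaller number to answer, pairs stored in the user’s profile) and in the user flow above, as an added example that is not McAfee’s code and not the product’s storage format. The hashing, the field names and the sample questions are assumptions; the point it shows is that storing the pairs per user lets the configured question list change without breaking old registrations, that answers should be normalised before comparison, and that every supplied answer is checked before a decision is made.

```python
# Added example, not code from the McAfee guide or product: a model of
# webRecovery-style registration and self-recovery checks. Storage layout,
# PBKDF2 hashing and the sample questions are assumptions.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000                    # PBKDF2 work factor (assumption)


def normalize(answer):
    """Collapse whitespace and case so 'Smith ' and 'smith' compare equal."""
    return " ".join(answer.split()).casefold()


def register(profile, pairs, questions_to_register):
    """Store (question, salt, hash) records in the user's profile. The count must
    equal the configured number of questions (1-10) and questions must be distinct."""
    if not 1 <= questions_to_register <= 10:
        raise ValueError("questions to register must be between 1 and 10")
    if len(pairs) != questions_to_register:
        raise ValueError(f"exactly {questions_to_register} answers are required")
    if len({q for q, _ in pairs}) != len(pairs):
        raise ValueError("each question may be answered once")
    records = []
    for question, answer in pairs:
        if not normalize(answer):
            raise ValueError("empty answers are not allowed")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
        records.append({"question": question, "salt": salt, "hash": digest})
    profile["recovery"] = records      # pairs live with the user, not in server config


def choose_questions(profile, questions_to_answer, rng=None):
    """Pick the subset the user must answer, at random, so repeated attempts do
    not always present the same questions."""
    rng = rng or secrets.SystemRandom()
    questions = [r["question"] for r in profile["recovery"]]
    if questions_to_answer > len(questions):
        raise ValueError("user registered fewer questions than required")
    return rng.sample(questions, questions_to_answer)


def verify(profile, answers, questions_to_answer):
    """answers: {question: answer}. True when at least questions_to_answer of the
    supplied answers match stored records. Every answer is checked before deciding,
    so the work done does not reveal which one was wrong."""
    by_question = {r["question"]: r for r in profile["recovery"]}
    correct = 0
    for question, answer in answers.items():
        record = by_question.get(question)
        if record is None:
            continue                   # question not registered by this user
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                     record["salt"], ITERATIONS)
        if hmac.compare_digest(digest, record["hash"]):
            correct += 1
    return correct >= questions_to_answer


# Constructed registration for one user: three questions registered, two to answer.
PROFILE = {"user": "fred"}
register(PROFILE, [("Mother's maiden name?", "Smith"),
                   ("First school?", "Hill Park"),
                   ("Favourite colour?", "blue")], questions_to_register=3)

if __name__ == "__main__":
    asked = choose_questions(PROFILE, 2)
    print("asked:", asked)
    print("ok:", verify(PROFILE, {"Mother's maiden name?": " smith", "First school?": "hill  park"}, 2))
```

Because the records are keyed by the question text stored with the user, a later change to the server’s question list (the SBWebRec.ini edit mentioned above) leaves existing profiles verifiable, which is the behaviour the guide describes.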

Figure 35. webRecovery answers screen

Figure 36. webRecovery Response Screen

License Management

The Endpoint Encryption directory is licensed in terms of number of allowed users, number of allowed machines, and license file expiry dates. You can view the current license status of your directory by using the File/License Information option. The summary boxes at the bottom of the screen indicate the current active license count. Any expired or invalid licenses are not included, although they may still be shown in the license list.

Figure 37. License information

Multiple license files can be added to the list using the Add button, but each file can only be added once.

License Restrictions

License files can have many restrictions built in:

Number of Users

Restricts the maximum number of users that can be managed.

Number of Machines

Restricts the maximum number of machines that can be managed.

Number of PDA Devices

Restricts the maximum number of CE machines that can be managed.

Directory locked

Some license files can be locked to only work on a particular directory. If you re-create your directory, you will need to obtain a new license file.

Expires

Some license files expire after a certain time period.

Exclusive

License files marked as exclusive do not co-exist with other license files. Only one exclusive license file can be used at any time. If you import two exclusive license files, only the first one will be effective.

Addons

Extra components such as SBAdmCL, Connectors, and other utilities may require additional license codes. The names of the additional components licensed will be displayed in this field.

You may have received an extra license file with your copy of Endpoint Encryption – if so you can import it into the directory using the Add button.

If you need more licenses, you can save the current information out of your directory using the Save button – this creates a text file which you can fax or e-mail to your McAfee representative. They can obtain all the details required to create new extended licenses from this information.

You may also want to save the license file information to help you order replacement files in the event of a drive crash.

Common Criteria EAL4 Mode Operation

CESG in the United Kingdom has certified the following products to EAL4:

• Endpoint Encryption for PC

To apply this standard to your implementation of Endpoint Encryption, you need to ensure the following criteria are met:

Administrator Guidance

• Endpoint Encryption must be installed using the Endpoint Encryption AES (FIPS) 256bit Algorithm.

• Administrators must enforce the following Policy Settings.

  - A minimum password length of 5 characters or more.

  - Disabling of accounts after 10 or less invalid password attempts.

  - All data and operating system partitions on the machines where the Endpoint Encryption client has been installed MUST be fully encrypted. You can check conformance with this requirement by viewing the Endpoint Encryption client status window – if any drives are highlighted in red then they are not fully encrypted.

  - Administrators must enforce use of the Endpoint Encryption Secure Screen Saver Mode.

  - Use of Autoboot Mode is prohibited.

  - Machine and User recovery key sizes must be non-zero (Machine/Encryption properties and User/Token properties).

• To comply with CC regulations, these policy settings must be applied before installing any clients.

• There must be a system in place for maintaining secure backups that are separately encrypted or physically protected, to ensure data security is not compromised through theft of or unauthorised access to backup information.

• Backups should be regular and complete to enable system recovery in the event of loss or damage to data as a result of the actions of a threat agent, and to avoid vulnerability through being forced to use less secure systems.


• Users (including administrators) must protect all access credentials, such as

passwords or other authentication information in a manner that maintains IT

security objectives.

• Customers implementing an Endpoint Encryption enterprise must ensure that they have in place a database of authorized TOE users along with user-specific authentication data, so that administrative personnel can verify the identity of a user over a voice-only telephone line before providing support or initiating recovery. Endpoint Encryption provides the means to display personal information such as the user's ID number as part of the User Information Fields – but any other appropriate system is acceptable.

• Administrators should ensure their users are fully trained in the use of the

Endpoint Encryption for PC Client software as described in the chapter Client

Software of the Endpoint Encryption for PC Administration Guide, and should

remind them of the security procedures detailed in the User Guidance Below.

User Guidance

• Users must maintain the confidentiality of their logon credentials, such as

passwords and tokens.

• Users must not leave an Endpoint Encryption protected PC unattended in a

logged on state, unless it is protected by the secure screen saver.

• Users must be informed of the process for contacting their administrator to recover their PC if they forget their password or their user account becomes disabled.

Common Criteria EAL4 Certificate

You can find the official recognition of this certification on CESG’s website:

http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=152&id=336

Algorithm Certificate Numbers

AES
Cert 21 and 170 ECB(e/d; 256); CBC(e/d; 256); CFB8(e/d; 256)
http://csrc.nist.gov/cryptval/aes/aesval.html

SHA1
Cert 71 and 254
http://csrc.nist.gov/cryptval/shs/shaval.htm

DSA/DSS
DSS cert 53 and 112 Sig(ver) Mod(all)
http://csrc.nist.gov/cryptval/dss/dsaval.htm

RNG
Cert 15 AES, DSA, SHA, RNG on AMD Athlon XP, Windows XP SP1, Pentium III Windows 2000
http://csrc.nist.gov/cryptval/rng/rngval.html

DES
Cert 145 CBC(e/d); CFB( 8 bits;e/d)
http://csrc.nist.gov/cryptval/des/desval.html

Tuning the Object Directory

The Name Index

To improve object name-to-id lookup and license validation, Endpoint Encryption

contains an extra "Name Index" ability which can be enabled to improve performance

on object directories with large numbers of users (>3000) or high levels of

synchronous activity (more than 10 simultaneous administration connections).

If your Endpoint Encryption object directory server is showing high or constant hard

disk access, with a low CPU usage, you may also benefit from enabling name caching.

About Name Indexing

Most lookup events in the Endpoint Encryption object directory are performed by

object id - for instance when a machine synchronizes, it navigates directly to its

attributes via a unique object id. This mechanism holds true for the majority of activity

over the directory.

When a user logs in through, for instance, the file encryptor or the Administration console, the directory infrastructure performs a name-to-id lookup. This involves trawling the object directory to find the user object with a name attribute that matches the one requested. Also, when a new object is created, a trawl of the entire database is initiated to check that the new user, machine, etc. is unique.

The Name Index creates a "shortcut" to name-to-id lookup by periodically creating

indexes of the name/id attributes of all objects in the directory. Once created, all

lookups pass through the cache for resolution - as the Cache is much smaller than the

directory this leads to dramatic increases of performance, mainly through better use of

the operating system file cache. As a side-effect, the name index also speeds up

counting objects in the database (part of license validation).

Enabling and Configuring Name Indexing

The Name Index is controlled through the file dbcfg.ini stored in the root of the

object directory (normally the sbdata directory). The index files are stored in the root

of each object type.

The following sections should be in dbcfg.ini:

[NameIndex]

Enabled=Yes

More details about the dbcfg.ini file, and further tuning options can be found in the

Endpoint Encryption Configuration Files chapter.


Performance Tests

These tests are approximate indications of the benefits of the Name Index running on a 5000 user database. They were performed using a login id which was at the end of the database (worst case scenario).

Name Index Enabled

Task         1 Bucket   16 Buckets   64 Buckets   256 Buckets
Create User  +455%      +460%        +500%        +400%

As you can see from the table above, enabling the Name Index drastically improves

the performance of the enumeration functions. The exact parameters to use for any

particular database / server combination depend largely upon the memory and cache

functions of the server itself. As a rough guide, CBI consultants have found that tuning

the bucket number to give cache files not exceeding 64KB has proved optimal.

If you require performance tuning for your object database, please consider a

consultancy visit as “tinkering” with the Endpoint Encryption object database can

result in loss of users and machines.

Enabling Directory Compression

To reduce the number of files stored in an Object Directory, a special mode can be enabled which uses a single attribute file instead of the numerous files created within a standard sbfiledb structure. Using a single file has the following advantages and disadvantages:

Advantages

• The OD uses less disk space because there is a reduced number of files, therefore the cluster size overhead is reduced. A reduction in disk space of a factor of 10 can be expected.

• Entire objects are cached, not just the most recently opened attribute files, leading to a theoretical increase in performance if frequent large updates take place.

• The reduced number of files makes handling the OD for backups and replication easier, and faster.

Disadvantages

• The size of the actual data in the OD increases due to header overheads in the attribute files.

• Resilience to corruption is reduced as all the object attributes are in one file, whereas before resilience was gained by splitting them up into multiple files.

• Name-to-id resolution time is increased unless the Name Index mode (UK4005) is also enabled.

• If frequent small updates take place, or infrequent updates, overall database performance will drop.

Migrating to a compressed directory

All local connections to a compressed object database must go through an sbfiledb.dll which has the compression code. You cannot mix connections, as the previous drivers do not understand the compressed attributes.

You can enable compression on an existing database so that either only new objects are created compressed, or, in self-compress mode, each object is compressed as it is written to. CBI can provide a tool to entirely compress an Object Directory, or to compress only a branch of it.

Enabling and Configuring Directory Compression

The dbcfg.ini file in the root of the object directory needs the following section added:

[Attribs]
; If this option is set to "yes" then all new objects created will use the
; compressed format
Singlefile=Yes
; If this option is set to "yes" then all existing uncompressed objects which are updated
; will be converted to the new compressed format at that time.
AutoConvert=yes

Performance Notes

No performance change has been noted between identical compressed and

uncompressed databases up to 5000 users. There may be some benefit on servers

with exceptionally high amounts of memory. With large (>10000) databases,

performance may well drop when using the compressed directory mode.


Endpoint Encryption Configuration Files

Endpoint Encryption uses many .ini files to maintain information about the

configuration of various components. Some of the more important files are listed here.

sbnewdb.ini
Used to customize the creation of Endpoint Encryption Object Directories. The sbnewdb file contains instructions as to creating custom groups, setting the default user id and password, and other instructions related to the location of the directory.

sberrors.ini
Used to increase the detail available in on-screen error messages. You can add further descriptions to errors by amending this file.

In 5.1 and beyond, you can substitute the Unicode file SBErrors.XML in place of SBErrors.ini to give localized translations of the error messages.

sbhelp.ini
Used to match on-screen windows to their help file sections.

sbadmin.ini
This file controls the tree layout and behavior of SBAdmin.exe - you can modify it to display certain nodes of the database on tabs other than the defaults.

sbfeatur.ini
Controls the feature set available to Endpoint Encryption. This file is digitally signed by the Endpoint Encryption team and must not be modified.

sbfiledb.ini
SBFileDB controls the locking behavior of local running database connections.

[LockOptions]
Timeout=time in 100ths of a second (3000)
Sleep=time in 1000ths of a second (10)

dbcfg.ini
This file controls the global database behavior - for this reason it is stored not in the application directory, but in the root of the file database. For more information on dbcfg.ini, see the Tuning the Object Directory chapter.

[NameIndex]
Enabled=No
; the time we wait for the lock on the index file to become available
; in 100ths of a second (default is 30 seconds).
LockTimeout=3000
; the time we wait before re-trying locking of the index file
; in 1000ths of a second.
LockSleep=10
; the number of "buckets" into which the hash of the name is split
HashCount=16
; the minimum space to allocate per object name
MinEntrySize=16
; the time (in seconds) for which the index will be used before it is
; automatically re-created (default is 30 minutes). A value of zero means
; that it never expires.
LifeTime=1800
[Attribs]
; if set to "Yes", all the attributes will be stored in a single TLV file
; rather than individual ones.
SingleFile=No
; if this is set to "Yes", then when objects are opened for writing all the
; attributes are automatically converted to a single file. Otherwise only
; new objects will use the single file.
AutoConvert=No
[Tracking]
; if set to "Yes", then all changes to attributes will be recorded e.g. for
; possible use with a replication system.
AttributeChanges=No
; if set to "Yes", then whenever an object is modified, that fact is recorded
; in a single file. This file could then be used to determine which objects
; have changed since a certain time by reading only a single file.
ObjectChanges=No
[idassignment]
;firstid= hex number starting point for ALL objects
;lastid= hex number
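Added example (not part of the guide or the product): a Python check that reads a dbcfg.ini and flags the combinations the Tuning the Object Directory chapter warns about, namely a Name Index left disabled on a directory above 3000 objects, SingleFile compression without the Name Index, and a HashCount that would push index files past the 64KB rule of thumb. The per-bucket size estimate (objects × MinEntrySize ÷ HashCount) is an assumption made here, since the real index layout is not documented; the sample dbcfg.ini is constructed.

```python
"""Added example: sanity-check a dbcfg.ini against the tuning guidance in this
guide.  Not part of Endpoint Encryption; the per-bucket size estimate is an
assumption made for this example."""
import configparser

MAX_BUCKET_BYTES = 64 * 1024  # guide: index files not exceeding 64KB proved optimal

# Constructed sample: a compressed directory whose Name Index was never switched on.
SAMPLE_DBCFG = """
[NameIndex]
; name-to-id lookups trawl the whole directory while this is No
Enabled=No
LockTimeout=3000
LockSleep=10
HashCount=16
MinEntrySize=16
LifeTime=1800

[Attribs]
SingleFile=Yes
AutoConvert=Yes

[Tracking]
AttributeChanges=No
ObjectChanges=No
"""


def load_dbcfg(text):
    """Parse dbcfg.ini text; ';' comment lines are skipped by configparser."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def _yes(cfg, section, key):
    """Endpoint Encryption ini files use Yes/No switches (case-insensitive)."""
    return cfg.get(section, key, fallback="No").strip().lower() == "yes"


def estimate_bucket_bytes(object_count, hash_count, min_entry_size):
    """Assumed lower bound on one index file: names are hashed into HashCount
    buckets and each name reserves at least MinEntrySize bytes."""
    return object_count * min_entry_size / hash_count


def suggest_hash_count(object_count, min_entry_size, max_bucket=MAX_BUCKET_BYTES):
    """Smallest power-of-two HashCount keeping every estimated bucket under max_bucket."""
    hash_count = 1
    while estimate_bucket_bytes(object_count, hash_count, min_entry_size) > max_bucket:
        hash_count *= 2
    return hash_count


def check_dbcfg(text, object_count):
    """Return findings for a directory holding object_count users and machines."""
    cfg = load_dbcfg(text)
    findings = []
    index_on = _yes(cfg, "NameIndex", "Enabled")
    single_file = _yes(cfg, "Attribs", "SingleFile")

    if object_count > 3000 and not index_on:
        findings.append("NameIndex is disabled on a directory with more than 3000 objects")
    if single_file and not index_on:
        findings.append("SingleFile compression without NameIndex: name-to-id resolution slows down")
    if single_file and object_count > 10000:
        findings.append("SingleFile compression on a >10000 object directory may reduce performance")
    if index_on:
        hash_count = cfg.getint("NameIndex", "HashCount", fallback=16)
        entry_size = cfg.getint("NameIndex", "MinEntrySize", fallback=16)
        if estimate_bucket_bytes(object_count, hash_count, entry_size) > MAX_BUCKET_BYTES:
            findings.append("HashCount=%d gives estimated index files over 64KB; consider HashCount=%d"
                            % (hash_count, suggest_hash_count(object_count, entry_size)))
    return findings


if __name__ == "__main__":
    for finding in check_dbcfg(SAMPLE_DBCFG, 5000):
        print("WARN:", finding)
```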

sdmcfg.ini
Used by the Endpoint Encryption Client to control the connection to the Object Directory. There may be many connections listed in the file; the multi-connection behavior is controlled through scm.ini.

[Databases]
Database1=192.168.20.57

The value is the IP address of the remote server. This can also be a DNS name.

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=…
ExtraInfo=…

ServerKey is the public key of the remote server. It is used to stop a hacker putting a rogue server in place and intercepting the traffic. ExtraInfo is padding for the ServerKey.
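Added example (not part of the guide or the product): an audit of the connection list in an sdmcfg.ini that reports any remote connection without server authentication or with an empty ServerKey, since the ServerKey is what lets the client detect a rogue server. It assumes Authenticate=Yes plus a non-empty ServerKey is the authenticated configuration; the sample file and its placeholder key values are constructed.

```python
"""Added example: audit the [Databases] connections in an sdmcfg.ini.  Not part
of Endpoint Encryption.  Assumption: a remote connection needs Authenticate=Yes
and a non-empty ServerKey for the client to recognise a rogue server."""
import configparser

# Constructed sample: Database2 is remote but carries no server key to verify against.
SAMPLE_SDMCFG = """
[Databases]
Database1=192.168.20.57
Database2=od-branch.example.internal

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=PLACEHOLDER-SERVER-PUBLIC-KEY
ExtraInfo=PLACEHOLDER-PADDING

[Database2]
Description=Branch office
IsLocal=No
Authenticate=No
Port=5555
ServerKey=
"""


def _yes(cfg, section, key):
    return cfg.get(section, key, fallback="No").strip().lower() == "yes"


def check_sdmcfg(text):
    """Return one finding string per weakness found in the connection list."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep DatabaseN keys in their original case
    cfg.read_string(text)
    if not cfg.has_section("Databases"):
        return ["no [Databases] section: the client has nowhere to connect"]
    findings = []
    for key, host in cfg.items("Databases"):
        # the connection key names its own section; match it case-insensitively
        section = next((s for s in cfg.sections() if s.lower() == key.lower()), None)
        if section is None:
            findings.append("%s (%s): listed but has no [%s] section" % (key, host, key))
            continue
        if _yes(cfg, section, "IsLocal"):
            continue  # local file database: no network peer to authenticate
        if not _yes(cfg, section, "Authenticate"):
            findings.append("%s (%s): Authenticate is not Yes" % (section, host))
        if not cfg.get(section, "ServerKey", fallback="").strip():
            findings.append("%s (%s): ServerKey is empty, a rogue server would not be detected"
                            % (section, host))
        if not cfg.has_option(section, "Port"):
            findings.append("%s (%s): no Port specified" % (section, host))
    return findings


if __name__ == "__main__":
    for finding in check_sdmcfg(SAMPLE_SDMCFG):
        print("WARN:", finding)
```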

SBServer.ini
This file stores the credentials used by the server in service mode. You can adjust the maximum number of connections the Endpoint Encryption server will accept and the behavior when the maximum is reached.

By default, the maximum is 200 connections. When the limit has been reached, the server can behave in one of two ways: either it simply stops accepting connections, or it accepts connections and then immediately closes them. Because Windows maintains a queue of 5 pending connections, the first 5 connections after the maximum is reached will be held in the queue until the number of connections has dropped below the maximum. Thus, in the default AcceptAtMax=No mode, those 5 will not time out at the client end and the client will appear to hang until a connection becomes free. With AcceptAtMax enabled, the client will fail with a communications error.

[Connections]
Max=200
AcceptAtMax=No

sbconmgr.ini
Used to define the active connectors displayed in the Connector Manager, for example:

[Connectors]
SBNTCON=SBNTCON.DLL
[Authentication]
DatabaseId=1
ObjectType=0x00000001
ObjectId=0x00000001
Key=000000000000000000000000000000000000000000000000000000000000000006557FB28C5A226BB8BF634A68EE75DE2C4010DD1E143D9BC29808C5E5C3A729838DD1D1E0B032D6C2A015BD8B1AAF5DC2D1E3F58D37A41F29AF5DC108EB03D4418D95316CCC84EE2881DCBE0012C6F705F6A6D5063C2D0BEB87897C2A9AC318D659C712E99D515DB18E567218CC2B1520EBD6119095674C9C215BA329521CFE2000000000000000000000000000000000000000A6
[Manager]
LastFile=G:\Program Files\SBAdmin\CmSettings.ini
;the check interval (ms) defines how often the connector manager looks for an updated cmsettings.ini file.
CheckInterval=500

Cmsettings.ini Used to define the parameters associated with each individual connector.

The settings contained in this file are usually maintained by the connector manager

application. Only manual settings are documented below.

LDAPCon Manual Settings

SearchAttribs=objectClass,uid,cn,givenName

Limits the attributes that a directory search returns. Normally all attributes are returned. This can affect the performance of the directory server if many are not wanted.

LDAPCon / ADCon Manual Settings

CaseSensitive=0 / 1

Switches case sensitive attribute searches on and off. The default value is 1 (searches are case sensitive).

SBHTTP.ini
Configuration for the main web server.

[Configuration]
; The port on which the server listens for connections. The default is 443
; which is the standard HTTPS port.
Server.Port=443
; Optional log file to record server activity. If no name is specified here,
; then no logging will occur (the default).
Server.Log.FileName=
; Flags that control what is logged if logging is enabled. This is a 32-bit
; hex number. The following bits are used:
;
; Bit 0 (value=1) = Log request headers
; Bit 1 (value=2) = Log request data (e.g. form results)
; Bit 3 (value=4) = Log response headers
;
; The default is a value of "5" which logs request and response headers, but
; no request data.
;
Server.Log.Flags=00000005
; Specifies the name of the Subject field of the certificate the server
; should use for SSL connections. The certificate must reside in the server's
; private store (SbHttpServer service store). If this is not specified, the
; network name of the computer is used.
;Server.Ssl.CertName=
;
; Specifies the period of inactivity (in minutes) after a logged on user is
; automatically logged off.
Server.Logon.Timeout=5
[Strings]
;
; These are strings that the server can display. Use the "|" character to
; specify a new line.
;
Server.String.1=Web Server
Server.String.2=The challenge you entered was not correct. Please try again.
Server.String.3=The recovery action you selected was not valid. Pleast try again.
Server.String.4=The requested URL "%s" was not found.
[Page.Handlers]
;
; This section lists all the optional page handlers that will get loaded
; by the web server. The left side should start with "Handler." and the right
; side is the name of the DLL to load.
;
Handler.CeRecovery=SBCEDEV.DLL
Handler.WebRecovery=SBWEBREC.DLL

SBwebRec.ini
Configuration for web recovery.

[Configuration]
Register.Questions.Required=5
Recover.Questions.Asked=3
Database.User.Id=00000001
Database.User.Key=…
Recover.Attempts.Max=3
Recover.Attempts.Timeout=3600
[Strings]
String.1=The challenge you entered was not correct. Please try again.
String.2=Some of your answers were not correct. Please try again.
[Questions]
Question1=What is your favorite color?
Question2=What is your pet's name?
Question3=Who is your favorite musician?
Question4=What is a memorable date?
Question5=What is your date of birth?
Question6=What is your favorite place?
Question7=Who is your favorite actor?
Question8=What is your favorite film?
Question9=What is your favorite song?
Question10=What is your favorite food?

The questions used can be changed at any time without affecting currently registered users.

Endpoint Encryption Manager Program and Driver Files

EXE Files

SBAdmin.exe

Main Endpoint Encryption Manager Executable

DLL Files

sbalgxx

Utility Encryption algorithm module.

SYS Files

SBALG.SYS

Endpoint Encryption’s device driver crypto algorithm module.

srg files

Endpoint Encryption registry files

These are standard regedit files which are processed into the registry by Endpoint

Encryption, without using the windows regedit utility.


Error Messages

Please see the file sberrors.ini for more details of these error messages. You can also find more information on error messages on our web site, www.mcafee.com.

Please note that many of these error codes are not designed to ever be shown – they

are mentioned for completeness. This kind of error is termed an “Assertion” - a place

in our software where we ensure a number of conditions are true before continuing,

even though the design does not allow for a specific case where the conditions could

not be true.

As the code and design does not expect such errors to be generated, resolving them

involves working through the context of the issue – without knowing the steps

required to reproduce the error it would not be possible to conclude how the system

managed to arrive at the error state.

Module codes

The following codes can be used to identify from which Endpoint Encryption module

the error message was generated.

Error Code  Module 

1c00  IPC 

5501  SBHTTP Page Errors 

5502  SBHTTP User Web Recovery 

5c00  SBCOM Protocol 

5c02  SBCOM Crypto 

a100  ALG 

c100  Scripting 

db00  Database Misc 

db01  Database Objects 

db02  Database Attributes 

e000  Endpoint Encryption General 


e001  Endpoint Encryption Tokens 

e002  Endpoint Encryption Disk 

e003  Endpoint Encryption SBFS 

e004  Endpoint Encryption BootCode 

e005  Endpoint Encryption Client 

e006  Endpoint Encryption Algorithms 

e007  Endpoint Encryption Users 

e010  Endpoint Encryption Keys 

e011  Endpoint Encryption File 

e012  Endpoint Encryption Licenses 

e013  Endpoint Encryption Installer 

e014  Endpoint Encryption Hashes 

e015  Endpoint Encryption App Control 

e016  Endpoint Encryption Admin 
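Added example (not part of the guide or the product): a small decoder that splits a bracketed 8-hex-digit code such as [5c00000f] into its module prefix (upper 16 bits) and sub-code, looks the prefix up in the module table above, and scans log lines for such codes. The module table is copied from this chapter; the message table holds only a few entries from the per-module tables that follow, and the log lines are constructed.

```python
"""Added example: decode Endpoint Encryption error codes found in logs or
dialogs using the module table in this chapter.  Not part of the product."""
import re

# Upper 16 bits of the 32-bit error code -> module, copied from the table above.
MODULES = {
    0x1c00: "IPC",
    0x5501: "SBHTTP Page Errors",
    0x5502: "SBHTTP User Web Recovery",
    0x5c00: "SBCOM Protocol",
    0x5c02: "SBCOM Crypto",
    0xa100: "ALG",
    0xc100: "Scripting",
    0xdb00: "Database Misc",
    0xdb01: "Database Objects",
    0xdb02: "Database Attributes",
    0xe000: "Endpoint Encryption General",
    0xe001: "Endpoint Encryption Tokens",
    0xe002: "Endpoint Encryption Disk",
    0xe003: "Endpoint Encryption SBFS",
    0xe004: "Endpoint Encryption BootCode",
    0xe005: "Endpoint Encryption Client",
    0xe006: "Endpoint Encryption Algorithms",
    0xe007: "Endpoint Encryption Users",
    0xe010: "Endpoint Encryption Keys",
    0xe011: "Endpoint Encryption File",
    0xe012: "Endpoint Encryption Licenses",
    0xe013: "Endpoint Encryption Installer",
    0xe014: "Endpoint Encryption Hashes",
    0xe015: "Endpoint Encryption App Control",
    0xe016: "Endpoint Encryption Admin",
}

# A few message texts from the per-module tables (not the full set; sberrors.ini
# is the complete source).
MESSAGES = {
    0x5c00000f: "Failed to connect to the remote computer",
    0x5c000011: "Failed while receiving communications data",
    0x5c00001e: "Wrong Endpoint Encryption Communications Protocol Version",
    0xdb00001b: "License has expired",
    0xdb010011: "License has been exceeded for this object type",
    0xe0010005: "The token is invalidated due to too many invalid logon attempts",
}

# Codes are exactly 8 hex digits, optionally in square brackets as the guide prints them.
CODE_RE = re.compile(r"\[?([0-9a-fA-F]{8})\]?")


def is_valid_code(code):
    """True when the string is a well-formed 8-hex-digit code (e.g. rejects 9 digits)."""
    return CODE_RE.fullmatch(code.strip()) is not None


def decode_error(code):
    """Split '[5c00000f]', '5c00000f' or 0x5c00000f into module and sub-code."""
    if isinstance(code, str):
        match = CODE_RE.fullmatch(code.strip())
        if match is None:
            raise ValueError("error codes are 8 hex digits: %r" % code)
        code = int(match.group(1), 16)
    module_id, sub_code = code >> 16, code & 0xFFFF
    return {
        "code": "%08x" % code,
        "module_id": "%04x" % module_id,
        "module": MODULES.get(module_id),
        "sub_code": sub_code,
        "message": MESSAGES.get(code),
    }


def decode_log(lines):
    """Return (line, decoded) pairs for every bracketed code in the given log lines."""
    hits = []
    for line in lines:
        for match in re.finditer(r"\[([0-9a-fA-F]{8})\]", line):
            hits.append((line, decode_error(match.group(1))))
    return hits


# Constructed sample log lines (not real product output).
SAMPLE_LOG = [
    "10:41:02 sync failed: [5c00000f] while contacting 192.168.20.57:5555",
    "10:41:05 retry scheduled in 60s",
    "10:42:07 create user rejected: [db010011]",
]

if __name__ == "__main__":
    for line, info in decode_log(SAMPLE_LOG):
        print("%s -> %s / %s" % (info["code"], info["module"], info["message"]))
```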

 

5501 Web Server Page Errors

Code  Message and Description

[55010000]  URL not found 

[55010001]  Invalid parameter encoding 

[55010002]  Invalid parameter 

[55010003]  Missing parameter 

[55010004]  Not logged on 

[55010005]  No user challenge has been provided 


[55010006]  Unable to get configuration 

[55010007]  Unable to set configuration 

[55010008]  Incorrect user challenge 

[55010009]  Invalid recovery action 

[5501000a]  Reparse required 

5502 Web Server User Web Recovery

Code  Message and Description

[55020000]  Permission to use web recovery is denied 

5C00 Communications Protocol

Code  Message and Description

[5c000000]  Unsupported version 

The server and client are not talking the same communications protocol version 

[5c000005]  Out of memory 

[5c000008]  A corrupt or unexpected message was received 

[5c000009]  Unable to load the Windows TCP/IP library (WSOCK32.DLL) 

Check that the TCP/IP protocol is installed 

[5c00000a]  Communications library not initialised 

This is an internal programmatic error 

[5c00000c]  Unable to create TCP/IP socket 

[5c00000d]  Failed while listening on a TCP/IP socket 

[5c00000e]  Unable to convert a host name to an IP address 

Check the host file or the DNS settings 


[5c00000f]  Failed to connect to the remote computer 

The computer may not be listening or it is too busy to accept connections 

[5c000010]  Failed while accepting a new TCP/IP connection 

[5c000011]  Failed while receiving communications data 

The remote computer may have reset the connection 

[5c000012]  Failed while sending communications data 

[5c000013]  Invalid communications configuration 

[5c000014]  Invalid context handle 

[5c000015]  A connection has already been established 

[5c000016]  No connection has been established 

[5c000017]  Request for an unknown function has been received 

[5c000018]  Unsupported or corrupt compressed data received 

[5c000019]  Data block is too big 

[5c00001a]  Data of an unexpected length has been received 

[5c00001b]  Message too big to be received 

This may occur if an attempt is made to import large amounts of data into the database (e.g. a file) 

[5c00001c]  Unable to create thread mutex

[5c00001d]  Message too big to be sent 

This may occur if an attempt is made to import large amounts of data into the database (e.g. a file) 

[5c00001e]  Wrong Endpoint Encryption Communications Protocol Version

You are most likely trying to connect to a v4 Endpoint Encryption Server using a v5 Server definition with server authentication enabled.

Check that you do not have both v4 and v5 servers running (perhaps as a service) at the same time.

5C02 Communications Cryptographic

Code  Message and Description

[5c020000]  The Diffie-Hellman data is invalid or corrupt

[5c020001]  An unsupported encryption algorithm has been requested 

[5c020002]  An unsupported authentication algorithm has been requested 

[5c020003]  Unable to sign data 

[5c020004]  Authentication signature is not valid 

[5c020005]  Authentication parameters are invalid or corrupt 

[5c020006]  Failed while generating DSA parameters 

[5c020007]  No session key has been generated 

[5c020008]  Unable to authenticate user 

[5c020009]  Session key too big 

A100 Algorithm Errors

Code  Message and Description

[a1000000]  Not enough memory 

[a1000001]  Unknown or unsupported function 

[a1000002]  Invalid handle

[a1000003]  Encryption key is too big 

[a1000004]  Encryption key is too small 

[a1000005]  Unsupported encryption mode 


[a1000006]  Invalid memory address 

[a1000007]   Invalid key data 

C100 Scripting Errors

Code  Message and Description

[c1000001]  Invalid Argument 

[c1000002]  Missing Parameter 

There is a required parameter missing 

[c1000003]  Missing Value 

[c1000004]  Machine Already In Group 

[c1000005]  Database Not Found 

[c1000006]  User Already In Group 

[c1000007]  Wrong Group Type 

[c1000009]  Wrong Database Capabilities 

Usually only returned when the database does not have ID assignment support. The standard Endpoint Encryption database includes this feature.  

[c1000009]  Parameter Needed 

You must enter one of the required parameters, for example user or group name.  

[c100000a]  Parameter Positive  

You must specify a positive value for this parameter.  

[c100000b]  Unsupported Connection Type 

[c100000c]  No Admin Name Specified 

[c100000d]  No Admin Password Specified 


[c100000e]  Unknown Authentication Type 

[c100000f]  No Connection Reference 

[c1000010]  Unknown Connection 

[c1000011]  Mutex Creation Failed 

Caused when there are insufficient system resources in the host OS to create another mutex 

[c1000012]  Command Skipped 

[c1000013]  No Command Specified 

[c1000014]  Unknown Command 

[c1000015]  No User ID specified 

[c1000016]  No User Key Found 

[c1000017]  No Key File  

No key file was specified 

[c1000018]  Key File Not Found 

The authentication key file specified as UserIDKeyFile was not found 

DB00 Database Errors

Code  Message and Description

[db000000]  Out of memory 

[db000001]  More data is available 

[db000002]  The database has not been created or initialised yet 

Check the database path or create a new database. To force the new database wizard to be run, delete the SDMCFG.INI file and restart the administration program. 

[db000003]  Invalid context handle 


[db000004]  The name was not found in the database 

[db000005]  Authentication was not successful.

Check that you have the correct token for this database 

[db000006]   Unknown database 

[db000007]   Invalid database type 

[db000008]   The database could not be found. Check the database path settings 

[db000009]   Database already exists. 

Choose a different database path 

[db00000a]   Unable to create the database  

Check the path settings and make sure you have write access to the directory 

[db00000b]  Invalid database handle 

[db00000c]  The database is currently in use by another entity 

You cannot delete a database while someone is using it 

[db00000d]   Unable to initialise the database 

[db00000e]   User aborted 

[db00000f]  Memory access violation 

[db000010]   Invalid string 

[db000011]  No default group has been defined 

[db000012]  The group could not be found 

[db000013]  File not found 

[db000014]  Unable to read file 

[db000015]  Unable to create file 


[db000016]  Unable to write to file 

[db000017]  File corrupt 

[db000018]  Invalid function 

[db000019]  Unable to create mutex 

[db00001a]  Invalid license  

The license has been modified so that the signature is now invalid

[db00001b]  License has expired 

[db00001c]  The license is not for this database  

Check the database ID and ensure it is the same as the one specified in the license. Each time you create a new database, a different ID is generated. There is no way to change the ID of a database. 

[db00001d]  You do not have permission to access the object 

[db00001e]  Endpoint Encryption is currently busy with another task. Please wait for it to complete and try again. 

This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint Encryption status from the right‐click menu of the Endpoint Encryption task bar icon. 

[db00001f]  Endpoint Encryption is still installed on this machine 

[db000020]  Buffer too small 

[db000021]  The requested function is not supported 

[db000022]  Unable to update the boot sector 

The disk may be in use by another application or Explorer itself. The disk may be protected by an anti‐virus program. 

DB01 Database Objects

Code  Message and Description

[db010000]  The object is locked 

Someone else is currently updating the same object 

[db010001]  Unable to get the object ID 

[db010002]  Unable to change the object's access mode 

Someone else may by accessing the object at the same time. If you are trying to write to the object while someone else has the object open for reading, you will not be able to change to write mode. 

[db010003]  Object is in wrong access mode 

[db010004]  Unable to create the object in the database 

The disk may be full or write protected 

[db010005]  Operation not allowed on the object type 

[db010006]  Insufficient privilege level 

You do not have the access rights required to access the object. 

[db010007]  The object status is disabled 

This is usually associated with User objects. Disabling the user's object prevents them logging on until their account is re‐enabled. 

[db010008]  The object already exists 

[db01000f]  The object is in use 

[db010010]  Object not found 

The object has been deleted from the database 

[db010011]  License has been exceeded for this object type 

Check that your licenses are still valid and if not obtain further licenses if necessary 

DB02 Database Attributes

Code  Message and Description

[db020000]  Attribute not found 

[db020001]  Unable to update attribute 

[db020002]  Unable to get attribute data 

[db020003]  Invalid offset into attribute data 

[db020004]  Unable to delete attribute 

[db020005]  Incorrect attribute length 

[db020006]  Attribute data required 

E000 Endpoint Encryption General

Code  Message and Description

[e0000000]  User aborted 

[e0000001]  Insufficient memory 

[e0000002]  Invalid date/time 

[e0000010]  Invalid date/time. Clock is reporting a time before 1992 or after 2038. 

E001 Tokens

Code  Message and Description

[e0010000]  General token error 

[e0010001]  Token not logged on 

[e0010002]  Token authentication parameters are incorrect 

[e0010003]  Unsupported token type 

[e0010004]  Token is corrupt 

[e0010005]  The token is invalidated due to too many invalid logon attempts 


[e0010006]  Too many incorrect authentication attempts 

[e0010007]  Token recovery key incorrect  

[e0010010]  The password is too small 

[e0010011]  The password is too large 

[e0010012]  The password has already been used before. Please choose a new one. 

[e0010013]  The password content is invalid 

[e0010014]  The password has expired 

[e0010015]  The password is the default and must be changed. 

[e0010016]  Password change is disabled 

[e0010017]  Password entry is disabled 

[e0010020]  Unknown user 

[e0010021]  Incorrect user key 

[e0010022]  The token is not the correct one for the user 

[e0010023]  Unsupported user configuration item 

[e0010024]  The user has been invalidated 

[e0010025]  The user is not active 

[e0010026]  The user is disabled 

[e0010027]  Logon for this user is not allowed at this time 

[e0010028]  No recovery key is available for the user 

[e0010030]  The algorithm required for the token is not available 

[e0010040]  Unknown token type 

[e0010041]  Unable to open token module 


[e0010042]  Unable to read token module 

[e0010043]  Unable to write token module 

[e0010044]  Token file not found 

[e0010045]  Token type not present 

[e0010046]  Token system class is not available 

[e0018000]  Sony Puppy requires fingerprint 

[e0018001]  Sony Puppy requires password 

[e0018002]  Sony Puppy not trained 

E012 Licences 

Code  Message and Description 

[e0120001]  License invalid 

[e0120002]  License expired 

[e0120003]  License is not for this database 

[e0120004]  License count exceeded 

E013 Installer 

Code  Message and Description 

[e0130002]  No installer executable stub found 

[e0130003]  Unable to read installer executable stub 

[e0130004]  Unable to create file  

[e0130005]  Error writing file 

[e0130006]  Error opening file 

[e0130007]  Error reading file 


[e0130008]  Installer file invalid 

[e0130009]  No more files to install 

[e013000a]  Install archive block data too large 

[e013000b]  Install archive data not found 

[e013000c]  Install archive decompression failed 

[e013000d]  Unsupported installer archive compression type 

[e013000e]  Installation error 

[e013000f]  Unable to create temporary directory 

[e0130010]  Error registering module 

E014 Hashes 

Code  Message and Description 

[e0140001]  Insufficient memory 

[e0140002]  Error opening hashes file 

[e0140003]  Error reading hashes file 

[e0140004]  Hashes file invalid 

[e0140005]  Unable to create hashes file 

[e0140006]  Error writing hashes file 

[e0140007]  Hashes file is not open 

[e0140008]  Hashes file data invalid 

[e0140009]  Hashes file data too big 

[e014000a]  User aborted 


E016 Administration Center 

Code  Message and Description 

[e0160001]  Invalid plugin information 


Technical Specifications and Options

The following options are available from Endpoint Encryption but may not be included on your install CD, or be appropriate for your version of the Endpoint Encryption Manager. Please contact your McAfee representative for information if you wish to use one of these optional components.

Encryption Algorithms

Endpoint Encryption supports many custom algorithms. Only one algorithm can be used in an Endpoint Encryption Enterprise.

RC5-12

CBC Mode, 1024 bit key, 12 rounds, 64 bit blocks

The RC5-12 algorithm is compatible with the Endpoint Encryption 3.x algorithm.

RC5-18

CBC Mode, 1024 bit key, 18 rounds, 64 bit blocks

The 18 round RC5 variant is designed to prevent the theoretical “Known Plaintext” attack.

AES-FIPS (FIPS 140-1 Approved) - RECOMMENDED

CBC Mode, 256 bit key, 128 bit blocks

This algorithm is approved for FIPS 140-1 use.

Smart Card Readers

The following smart card readers are supported.

• Any Windows supported smart card reader

• All PC/SC Smart Card Readers

Tokens

Smart Cards

For the latest list of authentication methods using smart cards, tokens and fingerprint readers, please consult your McAfee representative.


Language Support

Endpoint Encryption Manager

Czech, Dutch, English (United States), English (United Kingdom), French, Japanese, Korean, Portuguese (Brazil)

System Requirements

Implementation documentation discussing appropriate hardware for typical installations of Endpoint Encryption is available from your representative. The following specifications should be considered appropriate for evaluation deployments only.

Endpoint Encryption Database Server

• Windows NT4.0sp6a, 2000, XP, 2003, Vista 32bit (all versions), Vista 64bit (all versions)

• 256MB or OS minimum RAM, 1024MB recommended.

• 200MB Free hard disk space

• Pentium compatible processor, multi-way (up to 32 processors), Hyperthreading, Dual Core and AMD processors are supported.

• For remote administration a TCP/IP network connection with a static DNS name / IP address is required.

• This configuration is considered appropriate for evaluation systems only. For production systems, please contact your McAfee representative for enterprise implementation documentation.

Administration

• Windows NT4.0sp6a, 2000, XP, 2003, Vista 32bit (all versions), Vista 64bit (all versions)

• 256MB or OS Minimum RAM

• 40MB free hard disk space

• Pentium compatible processor, multi-way (up to 32 processors), Hyperthreading, Dual Core and AMD processors are supported.

• For remote administration, a TCP/IP network connection is required.


SFDBBack

• All versions of Windows (IE4.0 with Offline Browsing Pack required for Windows 95 and NT4.0sp6a)

Active Directory Connector

• Windows NT4sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit and Vista 64bit.

• Requires read/write access to v3+ Active Directory.

Novell Netware / LDAP Connector

• Windows NT4sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit and Vista 64bit

• Novell eDirectory 8.6.x with Novell Server 7.x.

• Future versions of Novell are expected to function.

NT Connector

• Windows NT4.0sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit, Vista 64bit.

• Domain account access for Windows 2000+.

NOTE: The NT connector must be installed on a PDC or BDC on Windows NT4.0.


Index

Account Validity, 24, 65, 68, 77
Active Directory, 13, 62, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 132
  Organizational Units, 71, 81
ADCon, 67, 71, 74, 75, 76, 81, 82, 84, 85
admin rights, 15, 54
Administration
  level, 15
  privilege, 15
  privileges, 35
  rights, 15
Administration Function, 36
Administration Level, 30, 35, 55
algorithm, 11, 14, 29, 104, 114, 130
  maximum key size, 29
Attributes
  explained, 9
Audit Trails
  viewing, 18
Auditing, 44
authentication, 11, 13, 16, 49, 50, 52, 53, 54
Authentication
  client/server, 53
Auto-boot users
  autoboot user, 23

backup, 65
Base DN, 69, 75, 78, 84

cache, 107
CE Server, 11, 13
chipdrive. See Towitoko
Client
  overview of, 12
compressed
  Object Directory, 108
connecting to databases, 49
connecting to NT Domains, 64
Connector
  Bindings, 32, 33, 73, 74, 83, 84
Connector Manager, 62
  overview of, 13
  user bindings to, 33
Controlled Groups. See groups
cryptography, 6
Cryptography
  encryption, 13

DAP, 19
Databases
  adding a new connection, 49
  managing, 49
decrypt, 53
Default Password, 22, 23, 25, 65, 90, 94
deploy, 41, 54
disable, 26, 64, 65, 67, 72, 73, 76, 82, 83
disabling users. See Users
distinguished name(s), 69, 78
distinguished name, 69, 75, 78, 84
DNS, 50, 53, 110, 131
DNS Name, 68, 77
DSA, 11, 50

enabling users. See Users
Encryption
  algorithms, 130
Encryption Algorithm, 11, 14, 29, 114, 130
Encryption Algorithms
  RC5, 130
Endpoint Encryption CE Server, 11, 13
Endpoint Encryption Components
  File Encryptor, 8
  VDisk, 8
Endpoint Encryption Server
  connecting to a new, 54
  overview of, 10
  restricting user id's for, 54
Entities
  explained, 9
error codes, 109, 115
error messages, 115
excluded users, 67, 73, 76, 83


File Encryption
  overview of, 13
File Encryptor, 8
file group management, 40
Files
  deleting and exporting, 41
  importing new, 41
  ini files, 109
  program and driver files, 114
  properties, 41
force sync, 24

Group mappings, 65, 70, 80
groups, 16, 17, 22, 35, 36, 37, 40, 46, 65, 66, 70, 71, 75, 80, 81, 85, 109
Groups
  administration of, 35
  controlled vs free, 16
  free, 17
  of users and machines, 16

hidden fields. See Users
hours. See Users

IP Address, 9, 10, 11, 51, 68, 75, 77, 84, 131

language support, 131
LDAP, 11, 13, 19, 62
  Base DN, 69, 75, 78, 84
  Object Filter, 69, 78, 79
  Protocol Version, 68, 77
  Referrals, 70, 79
  User DN, 69, 78
LDAP Browser, 74, 75, 84
Licence Files
  adding, 101
  expiry of, 102
  restrictions, 101
local databases, 50
logon hours, 31, 64, 67, 76

mapping groups. See Group mappings
Microsoft, 76, 84, 87, 89
Microsoft Active Directory, 67, 76

Name Index, 106
Network Name, 68, 77
NT Domain, 13
NT Domains - connecting to, 64

object change log, 70, 79
object directory, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19, 23, 29, 35, 41, 42, 44, 49, 51, 52, 53, 54, 55, 62, 64, 90, 106, 107, 108, 110
Objects
  explained, 9
  locking of, 20
Offline Browsing Pack, 132

Password
  Default, 22, 23, 25, 65, 90, 94
passwords, 10, 13, 25, 26, 27, 28, 29
  Reset, 24, 26, 86, 96, 97
Passwords, 25
  history, 25
Pentium, 131
performance, 11, 19
Performance
  Object Directory, 107
Pocket Endpoint Encryption, 93
Pocket Windows 2002, 11
privileges, 10, 15
public / private keys, 53

quick start guide, 7

RC5, 130
recovery, 11, 13, 21, 23, 24, 29
referrals, 70, 79


registry, 43, 114
RSA, 11, 13

SafeBoot Server
  overview of, 12
SBAdmCL, 44, 102
schedule, 63
scheduling synchronisations, 63
Server
  creating a, 51
  Endpoint Encryption CE Server, 13
  starting a, 52
  configuration of, 53
  starting as a service, 53
service, 53, 55, 63, 71, 81, 86, 89, 90, 96, 98, 113
Service Accounts, 55
SFDBBack, 132
Smarty, 130
system requirements, 131

TCP/IP, 9, 10, 11, 51, 131
towitoko chipdrive, 130

user dn, 69, 78
user status, 9, 64, 67, 76
Users
  administration level, 30
  creating new, 21
  disable, 64, 65, 67, 76
  Disabling, 64, 65, 67, 76
  enabling and disabling, 23
  Excluding, 67, 73, 76, 83
  hidden fields, 21
  logon hours, 31
  logon id, 21
  password parameters, 25

Windows 2000, 43, 64
Windows CE, 11

X500, 11, 13, 19, 20, 62