McAfee ® Endpoint Encryption for PC Administration Guide Version 5.2.5

Page 1: Endpoint Encryption for PC Administration Guide

McAfee® Endpoint Encryption for PC

Administration Guide 

Version 5.2.5


McAfee, Inc. 

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA 

Tel: (+1) 888.847.8766 

For more information regarding local McAfee representatives please contact your local McAfee office, or visit:

www.mcafee.com

Copyright (c) 1992‐2010 McAfee, Inc., and/or its affiliates. All rights reserved.

McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non‐McAfee related products, registered and/or unregistered trademarks contained herein are included only by reference and are the sole property of their respective owners.


Contents

Preface ..... 1
  Using this guide ..... 1
  Audience ..... 1
  Conventions ..... 1

Welcome ..... 2
  About This Guide ..... 2
  Audience ..... 2
  Related Documentation ..... 3
  Acknowledgements ..... 3
  Design Philosophy ..... 3
  Contacting Technical Support ..... 3

Introduction ..... 4
  Why Endpoint Encryption for PC? ..... 4
  How Endpoint Encryption for PC Works ..... 4
  Protection ..... 4
  Management ..... 5
  The Object Directory ..... 5
  Objects, Entities, and Attributes explained ..... 6
  The Endpoint Encryption Components ..... 6
  Endpoint Encryption Manager ..... 7
  Endpoint Encryption Server ..... 7
  Endpoint Encryption Object Directory ..... 8
  Endpoint Encryption for PC Client ..... 8
  Endpoint Encryption File Encryptor ..... 9
  Endpoint Encryption Connector Manager ..... 9
  Install and Deployment ..... 10

Installing the Endpoint Encryption Manager ..... 11

Endpoint Encryption for PC User Policies ..... 12
  User Administration Functions ..... 12
  Create Token ..... 12
  Reset Token ..... 12
  Set SSO Details ..... 12
  Force Password Change at Next Logon ..... 12
  View Audit ..... 12
  Reset (All) to Group Configuration ..... 12
  Create Copy ..... 13
  Properties ..... 13
  User configuration Options ..... 13
  General ..... 13
  Devices ..... 14
  Application Control ..... 15

Using Tokens with Endpoint Encryption for PC ..... 16
  Supported Smart Cards and Tokens ..... 16
  General Token Operation ..... 16
  Stored Value Tokens ..... 17
  Certificate, or "Crypt Only" tokens ..... 17
  Other Types Of Token ..... 19
  Token Compatibility ..... 19
  Specific Token Notes ..... 19
  Sony Puppy Fingerprint Reader ..... 22
  Aladdin eToken 64KB ..... 24
  SafeNet IKEY 2032 ..... 24
  Endpoint Encryption Phantom USB Biometric Key ..... 24
  Upek Fingerprint Reader ..... 26

Creating and Configuring Machines ..... 27
  Machine Administration Functions (right-click menu) ..... 27
  Machine Configuration Options ..... 29

File Groups and Management ..... 42
  Setting file group functions ..... 43
  Importing new files ..... 43
  Exporting Files ..... 43
  Deleting Files ..... 44
  Setting File Properties ..... 44

Adding components to a Machine ..... 46

Using Endpoint Encryption as a File Deploy System ..... 47
  Example - Copying a new file to the desktop ..... 47

Creating an Install Package ..... 49
  Selecting the Group / Machine ..... 49
  Select the Install Set type ..... 49
  Online Installs ..... 50
  Offline Installs ..... 50
  Importing a Transport Directory ..... 51
  Summary of Offline Install set contents ..... 51
  Select the Master Directory ..... 52
  Set install options and create the set ..... 53

Installing, Upgrading, and Removing Endpoint Encryption for PC ..... 54
  Offline Package Installs ..... 54
  Online Package Installs ..... 54
  Removing / Uninstalling Endpoint Encryption Client ..... 54
  Upgrading Endpoint Encryption from previous versions ..... 55

Client Software ..... 57
  The Tool Tray Icon ..... 57
  Client Auditing ..... 58
  Boot and Logon Process ..... 58
  Endpoint Encryption Screen Saver ..... 59
  Windows Sign-On and Logon Mechanisms ..... 59
  Changing the Password ..... 59
  Section 508: Logon Accessibility ..... 59

Windows Sign-on and SSO ..... 61
  Windows Logon Features ..... 61
  How Windows Logon works ..... 62

Auditing ..... 64
  Introduction ..... 64
  Common Audit Events ..... 64
  Try Events ..... 66
  Succeed Events ..... 67
  Failure Events ..... 67

Recovering Users and Machines ..... 69
  Offline Recovery ..... 69
  Local Recovery ..... 72
  User Local Recovery Procedures ..... 74
  Online Recovery ..... 75

Trusted Applications ..... 76
  Hash Sets ..... 76
  Hash Set Properties ..... 77
  File Hashes ..... 77
  Using Hash Sets ..... 78

Hash Generator ..... 79
  Introduction ..... 79
  Using Hash Generator ..... 79

Common Criteria EAL4 Mode Operation ..... 80
  Algorithm Certificate Numbers ..... 81

Endpoint Encryption Configuration Files ..... 83
  sbgina.ini ..... 83
  sberrors.ini ..... 91
  sbhelp.ini ..... 92
  sbfeatur.ini ..... 92
  scm.ini ..... 92
  defscm.ini ..... 93
  sdmcfg.ini ..... 93
  TrivialPwds.dat ..... 94
  Bootcode.ini ..... 94
  BootManager.INI ..... 94
  Errors.XML ..... 95
  AutoBoot.ini ..... 95
  SbClientFileSet.ini ..... 95
  SBWinLogonOpts.XML ..... 95
  SBCP.INI ..... 95

Endpoint Encryption Program and Driver Files ..... 97
  EXE Files ..... 97
  DLL Files ..... 97
  SYS Files ..... 98
  Other Files ..... 99

WinTech and SafeTech ..... 100

Themes & Localization ..... 101
  Themes ..... 101
  Keyboards ..... 102
  Pre-Boot Language ..... 110
  Pre Boot Token Descriptions ..... 113
  Windows Languages ..... 113

Troubleshooting PCs ..... 115

Error Messages ..... 116
  Module codes ..... 116
  1C000 IPC Errors ..... 117
  5C00 Communications Protocol ..... 117
  5C02 Communications Cryptographic ..... 119
  A100 Algorithm Errors ..... 120
  DB01 Database Objects ..... 122
  DB02 Database Attributes ..... 123
  E000 Endpoint Encryption General ..... 124
  E001 Tokens ..... 124
  E002 Endpoint Encryption Disk ..... 126
  E003 Endpoint Encryption SBFS ..... 127
  E004 Boot Code Image ..... 128
  E005 Client ..... 129
  E006 Algorithms ..... 132
  E007 Readers ..... 132
  E008 Users ..... 133
  E010 Keys ..... 133
  E011 Files ..... 133
  E012 Licences ..... 134
  E013 Installer ..... 134
  E014 Hashes ..... 135
  E015 Application Control ..... 135
  E016 Administration Center ..... 136
  xxH: BIOS ..... 136

Technical Specifications and Options ..... 138
  Encryption Algorithms ..... 138
  Smart Card Readers ..... 138
  Tokens ..... 139
  Language Support ..... 139
  System Requirements ..... 141

Appendix ..... 143
  Legal Notices ..... 143
  Open Source Components License Details ..... 143
  Making Endpoint Encryption for PC FIPS Compliant ..... 150

Index ..... 152


Preface

Using this guide

This guide describes the administration functions of McAfee Endpoint Encryption for PC.

Audience

This guide is intended for administrators of Endpoint Encryption for PC.

Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.

Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).

Italic: Emphasis or introduction of a new term; names of product manuals.

Blue: A web address (URL); a live link.

Note: Supplemental information; for example, an alternate method of executing the same command.

Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Welcome

The team at McAfee is dedicated to providing you with the best in security for protecting data on personal computers. Applying the latest technology, deployment and management of users is enhanced using simple and structured administration controls.

Endpoint Encryption for PC represents the latest addition to the McAfee family and incorporates functionality not found in earlier versions. This new edition of Endpoint Encryption for PC features a new dimension in IT security, incorporating many new enterprise-level options, including automated upgrades, file deployment, flexible grouping of users and centralized user management. In addition, users' credentials can be imported and synchronized with other deployment systems.

Through the continued investment in technology and the inclusion of industry standards, we are confident that our goal of keeping Endpoint Encryption at the forefront of data security will be achieved.

About This Guide

This guide is designed to aid corporate security administrators in the correct implementation and deployment of Endpoint Encryption for PC. Although this guide is complete in terms of setting up and managing Endpoint Encryption systems, it does not attempt to teach the topic of "Enterprise Security" as a whole.

Readers unfamiliar with Endpoint Encryption should follow the appropriate sections of the Endpoint Encryption for PC Quick Start Guide, which walks through setting up an Endpoint Encryption enterprise, before tackling any of the topics in this guide.

Audience

This guide was designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, is required.

McAfee can only contribute to information security within your organization as part of a coherent and well-implemented organizational security policy.

For information about cryptography topics, readers are advised to consult the following publications:

• Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Bruce Schneier, Pub. John Wiley & Sons; ISBN: 0471128457

• Computer Security, Dieter Gollmann, Pub. John Wiley and Sons; ISBN: 0471978442

• Security in Computing, Charles P. Pfleeger, Pub. Prentice Hall PTR; 3rd edition; ISBN 0130355488

Related Documentation

The following materials are available from our web site, www.mcafee.com, and from your Endpoint Encryption Distributor:

• Endpoint Encryption for PC Administration Guide (this document)

• Endpoint Encryption Manager Administration Guide

• Endpoint Encryption for PC Quick Start Guide

• WinTech and SafeTech Administration Guide

• Endpoint Encryption Update and Migration Guide

Acknowledgements

McAfee's Novell NDS Connector and LDAP Connectors make use of OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given to these organizations for their free APIs.

Design Philosophy

Unlike other security systems, Endpoint Encryption for PC does not prevent access to specific files, or in any way alter the way PCs and PDAs are used.

Contacting Technical Support

Please refer to www.mcafee.com for further information.

Introduction

Why Endpoint Encryption for PC?

Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD worth of lost data. Is your data safely stored? Ever thought about the risks you run for your company and your clients? Endpoint Encryption for PC was developed with the understanding that often the data stored on a computer is much more valuable than the hardware itself.

McAfee's product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a Smart Card via a USB, PCMCIA, serial or parallel reader. Endpoint Encryption also has optional File and Media encryption programs (VDisk, File Encryptor and Endpoint Encryption for Files and Folders). Endpoint Encryption for PC supports the following Microsoft Operating Systems:

• Microsoft Windows 7

• Microsoft Windows 2000 through SP4

• Microsoft Windows XP through SP3 (32bit only)

• Microsoft Windows 2003 through SP2 (32bit only)

• Microsoft Vista 32bit and 64bit (all versions)

• Microsoft Pocket Windows 2002 and 2003

NOTE: For end users, Endpoint Encryption allows users to work as usual, including the security and network services. Apart from the initial logon, Endpoint Encryption for PC offers completely transparent security.

How Endpoint Encryption for PC Works

Protection

Endpoint Encryption protects the user's PC by simply taking control of the hard disk from the operating system. The Endpoint Encryption for PC driver encrypts every piece of data written to the disk; it also decrypts every piece of information read off the disk.

If an unauthorized application broke through the Endpoint Encryption barrier and read the disk directly, it would find only encrypted data, even in the Windows swap file and temporary file areas.

If a data recovery agency tried to retrieve information from an Endpoint Encryption-protected hard drive without access to the Endpoint Encryption system via the passwords or recovery information, there would be no way of accessing this data – total security.

Endpoint Encryption installs a mini operating system on the user's hard drive; this is what the user sees when they boot the PC. Endpoint Encryption looks and feels like Microsoft Windows, with mouse and keyboard support, moveable windows, etc. This Endpoint Encryption OS is completely self-contained, does not need to access any other files or programs on the hard disk, and is responsible for allowing the user to authenticate with a password or with a token such as a smart card.

Once the user has entered the correct authentication information, the Endpoint Encryption operating system starts the crypt driver in memory and boots the protected machine's original operating system. From this point on the machine will look and behave as if Endpoint Encryption was not installed. The security is invisible to the user: the only readable data on the hard disk will be the Endpoint Encryption operating system; the encryption key for the hard drive is itself protected with the user's authentication key. The only possible way to defeat Endpoint Encryption is either to guess the hard disk encryption key (a one in 2^256 chance with the AES256 algorithm) or to guess the user's password.
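The key hierarchy this section describes, a random bulk key that encrypts every sector and is itself stored only in wrapped form under the user's authentication key, is shown in the following added example. It is not McAfee's code and does not reproduce the product's AES-256 driver: the sector cipher and the key wrap are constructed from HMAC-SHA256 and PBKDF2 (names such as wrap_disk_key and change_password are the example's own) purely to show the structure, namely that a password change re-wraps the disk key without touching the disk, that a wrong password is detected rather than yielding garbage, and that the credential, not the 256-bit key, is what a password policy has to defend.

```python
import hashlib
import hmac
import secrets

# Illustrative cost for the password-to-key derivation; tune for real use.
PBKDF2_ITERATIONS = 100_000
SECTOR_SIZE = 512


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. This is a constructed stand-in
    for the product's AES-256 so the example runs on the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_disk_key() -> bytes:
    """256-bit bulk key that encrypts every sector; guessing it is the
    one-in-2^256 proposition the guide refers to."""
    return secrets.token_bytes(32)


def encrypt_sector(disk_key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """Encrypt one sector; the sector number acts as the nonce so equal
    plaintext in two sectors does not give equal ciphertext."""
    return _xor(plaintext, _keystream(disk_key, sector_no.to_bytes(8, "big"), len(plaintext)))


def decrypt_sector(disk_key: bytes, sector_no: int, ciphertext: bytes) -> bytes:
    return encrypt_sector(disk_key, sector_no, ciphertext)  # XOR keystream is symmetric


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's credential (the 'authentication key')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32)


def _wrap_subkeys(kek: bytes):
    enc_key = hmac.new(kek, b"wrap-enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"wrap-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def wrap_disk_key(disk_key: bytes, password: str) -> dict:
    """Protect the disk key under the password-derived key, encrypt-then-MAC,
    so a wrong password or an altered blob is rejected rather than yielding garbage."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _wrap_subkeys(derive_kek(password, salt))
    wrapped = _xor(disk_key, _keystream(enc_key, nonce, len(disk_key)))
    tag = hmac.new(mac_key, salt + nonce + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "wrapped": wrapped, "tag": tag}


def unwrap_disk_key(blob: dict, password: str):
    """Return the disk key, or None when the password is wrong or the blob was tampered with."""
    enc_key, mac_key = _wrap_subkeys(derive_kek(password, blob["salt"]))
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return _xor(blob["wrapped"], _keystream(enc_key, blob["nonce"], len(blob["wrapped"])))


def change_password(blob: dict, old_password: str, new_password: str) -> dict:
    """A password change re-wraps the same disk key; no sector is re-encrypted."""
    disk_key = unwrap_disk_key(blob, old_password)
    if disk_key is None:
        raise ValueError("old password rejected")
    return wrap_disk_key(disk_key, new_password)


def demo() -> bool:
    """Encrypt a constructed sector, rotate the password, and read the sector back."""
    disk_key = generate_disk_key()
    sector = b"constructed sample sector data".ljust(SECTOR_SIZE, b"\0")
    ciphertext = encrypt_sector(disk_key, 7, sector)
    blob = wrap_disk_key(disk_key, "initial passphrase")
    blob = change_password(blob, "initial passphrase", "rotated passphrase")
    recovered = unwrap_disk_key(blob, "rotated passphrase")
    return recovered == disk_key and decrypt_sector(recovered, 7, ciphertext) == sector
```

Because the disk key never leaves the wrapped blob except in memory after a successful unwrap, recovery and password-reset features in a product of this kind amount to holding a second wrapping of the same key under a recovery credential, which is why the guide treats recovery information as equivalent in sensitivity to the password.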

On PDAs such as Pocket Windows and PalmOS, Endpoint Encryption installs applications and drivers to provide authentication and encryption services. Endpoint Encryption can protect memory cards and internal databases (such as e-mail and contact lists), and provides secure, manageable authentication services.

Management

The Object Directory

The Object Directory is a central store of configuration information for all machines, servers, policies and users. It is managed by Endpoint Encryption Administrators using the Endpoint Encryption Manager.

Each time an Endpoint Encryption protected device boots, it will try to connect with the Object Directory; optionally, every time the user initiates a dial-up connection, or after a set period of time, the Endpoint Encryption protected machine will attempt to contact the Object Directory. The Object Directory is accessed over TCP/IP via a secure Endpoint Encryption Server (in the case of a centrally managed enterprise).

The Endpoint Encryption protected machine queries the Object Directory for any updates to its configuration; when updates are found they are downloaded to the client machine. Typical updates could be a new user assigned to the machine by an administrator, a change in password policy, an upgrade to the Endpoint Encryption operating system, or a new file specified by the administrator. At the same time, Endpoint Encryption uploads details such as the latest audit information (e.g. any user password changes and security breaches) to the Object Directory, thus allowing transparent synchronization of the enterprise system.

Objects, Entities, and Attributes explained

Endpoint Encryption for PC stores information about users, machines, servers, policies, etc. in collections called "objects". From the perspective of the Endpoint Encryption system, it does not matter what an object represents, only the information it contains; therefore an object representing a user, e.g. "John Smith", and an object representing a machine, e.g. "Johns Laptop", would both contain information about encryption keys, account status and administration level.

Within the object are collections of configuration data called Attributes. Again, the same type of attribute may exist across many object types. Using the previous example of John and his laptop, the details of the encryption keys, user status and administration level would all be stored as separate attributes.

Entities are applications within the Endpoint Encryption system. Because of the generality of the object design, all Endpoint Encryption applications also have some generality about them; for example, the Entity representing the Endpoint Encryption client and the Entity representing the Endpoint Encryption Server both authenticate to the Object Directory in the same way, as an "object" which could be a machine or user. This generality is mainly hidden from users and administrators; however, because of this core design, you will find that many Endpoint Encryption related functions and tasks are common between users, machines and entities.

The Endpoint Encryption Components


Endpoint Encryption Manager

Figure 1. Endpoint Encryption Manager Interface

The most important component of the Endpoint Encryption enterprise is the Endpoint Encryption Manager, the administrator interface. This utility allows privileged users to manage the enterprise from any workstation that can establish a TCP/IP link or file link to the Object Directory. Typical procedures that the Endpoint Encryption Administrator handles are:

• Adding users to machines

• Configuring Endpoint Encryption protected machines

• Creating and configuring users

• Revoking users' logon privileges

• Updating file information on remote machines

• Recovering users who have forgotten their passwords

• Creating logon tokens such as smart cards for users

Endpoint Encryption Server

The Endpoint Encryption Server facilitates connections between entities such as the client and Endpoint Encryption Manager, and the central Object Directory, over an IP connection (rather than the file-based "local" connection). The server performs authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that "snooping" the connection cannot result in any secure key information being disclosed.

The server exposes the Object Directory via fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet / Intranet, allowing clients to connect wherever they are. As all communications between the Server and client are encrypted and authenticated, there is no security risk in exposing it in this way.

There is a unique PDA Server which provides similar services to PDAs such as Microsoft Pocket Windows and PalmOS devices. More information about this can be found in later chapters.

Endpoint Encryption Object Directory

The Endpoint Encryption Object Directory is the central configuration store for Endpoint Encryption for PC and is used as a repository of information for all the Endpoint Encryption entities. The default directory uses the operating system's file system driver to provide a high performance, scalable system which mirrors an X.500 design. Alternative stores such as LDAP are possible – contact your Endpoint Encryption representative for details. The standard store has a capacity of over 4 billion users and machines.

Typical information stored in the Object Directory includes:

• User Configuration information

• Machine Configuration information

• Client and administration file lists

• Encryption key and recovery information

• Audit trails

• Secure Server Key information

Endpoint Encryption for PC Client

The Endpoint Encryption for PC client software is largely invisible to the end user. The only visible part is an entry in the user's tool tray (the Endpoint Encryption icon). Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator has enabled this option and a screen saver is selected). Right-clicking on the icon allows them to perform a manual synchronization with their Object Directory, or monitor the progress of any active synchronization.

Normally the Endpoint Encryption client attempts to connect to its home server or directory each time the machine boots, or establishes a new dial-up connection. During this process, any configuration changes made by the Endpoint Encryption administrator are collected and implemented by the Endpoint Encryption client. In addition, information such as the latest audit logs is uploaded to the directory.

Endpoint Encryption File Encryptor

By right clicking on a file, users can elect to encrypt it using various keys. Files can be encrypted with other Endpoint Encryption users' keys, and/or passwords. Once protected in this way the file can be sent elsewhere, e.g. via e-mail or a floppy disk, without the risk of disclosure.

When the file needs to be used, it just needs to be double clicked; a password or login prompt will be presented for authentication. If the user is authenticated correctly, the file will be decrypted.

The File Encryptor also has an option to create an RSA key pair for recovery – if the password to a file is lost, then the file can still be recovered using the correct recovery key.

Endpoint Encryption Connector Manager

Figure 2. Endpoint Encryption Connector Manager

Endpoint Encryption's object directory keeps track of security information. It is designed so that synchronization of details between Endpoint Encryption and other systems is possible.

The Connector Manager is a customizable module which enables data from systems such as X.500 directories (commonly used in PKI infrastructures) to propagate to the Endpoint Encryption Object Directory. Using this mechanism, it is possible to replicate details such as a user's account status between Endpoint Encryption for PC and other "directories".

Current connector options include LDAP, Active Directory, and an NT Domain Connector. For information on these components, contact your Endpoint Encryption representative, or see the Endpoint Encryption Manager Administration Guide.

Install and Deployment

Endpoint Encryption is installed on users' PCs by running small deploy sets created by the Endpoint Encryption Manager. This executable file contains the core components and drivers needed to enable Endpoint Encryption on a user's machine.

With the increasing necessity of install mechanisms which do not involve end users, and software industries striving to make the cost of ownership and implementation of products as small as possible, Endpoint Encryption for PC utilizes "smart-update" type technology.

With this mechanism, only a small amount of code needs to be placed on the client machine to facilitate installation. The remaining code modules are downloaded on demand from either central Endpoint Encryption Servers (in the case of a network install), or from a local compressed directory (in the case of a standalone PC). With network connected machines, this gives the additional benefit of being able to update Endpoint Encryption files simply by updating the data stored in the Object Directory.

Endpoint Encryption's file deploy mechanism can also be used to "push" other files to Endpoint Encryption protected machines. For instance, virus databases can be stored in the central Endpoint Encryption directory; when one needs updating, an Endpoint Encryption administrator upgrades the central copy, and all Endpoint Encryption protected machines notice the change and automatically download the new file. This deploy mechanism can also be used to make registry changes on remote machines and can even execute files.
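The following is an added example, not McAfee code, that models the "smart-update" reconciliation just described: the client compares its local files against the file list held centrally, fetches only what changed, and installs a download only when its digest matches what was published. The manifest-of-SHA-256 format, the file names and their contents are all constructed for illustration; the guide does not describe how the product itself verifies downloaded modules, so the integrity check here is an assumption about what a deployment of this kind should do, not a description of the product.

```python
"""Added example (not McAfee code): a model of the "smart-update" file deploy
mechanism. The Object Directory's file list is modelled as a manifest of
SHA-256 digests; the client fetches only entries whose digest differs from its
local copy and installs a download only when its content matches the published
digest. All file names and contents below are constructed."""
import hashlib
from typing import Dict, List, Tuple

Manifest = Dict[str, str]          # file name -> SHA-256 hex digest
FileStore = Dict[str, bytes]       # file name -> content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: FileStore) -> Manifest:
    """Digest every file; the directory publishes this, the client keeps one locally."""
    return {name: sha256_hex(data) for name, data in files.items()}


def plan_update(local: Manifest, central: Manifest) -> List[str]:
    """Files that are new or changed centrally; unchanged files are skipped."""
    return sorted(name for name, digest in central.items() if local.get(name) != digest)


def apply_update(local_files: FileStore, fetch: FileStore,
                 central: Manifest) -> Tuple[List[str], List[str]]:
    """Fetch each planned file and install it only if its digest matches the
    manifest. A mismatch means the download was corrupted or altered in transit,
    so the existing local copy (if any) is left untouched."""
    installed, rejected = [], []
    for name in plan_update(build_manifest(local_files), central):
        data = fetch[name]                       # stand-in for downloading from the server
        if sha256_hex(data) == central[name]:
            local_files[name] = data
            installed.append(name)
        else:
            rejected.append(name)
    return installed, rejected


def demo() -> Tuple[List[str], List[str], List[str]]:
    # Constructed client state and constructed central copies.
    local_files: FileStore = {
        "client.dll": b"constructed client build 1",
        "virusdb.dat": b"constructed signatures, old",
    }
    central_files: FileStore = {
        "client.dll": b"constructed client build 1",      # unchanged
        "virusdb.dat": b"constructed signatures, new",    # administrator upgraded the central copy
        "tools.dll": b"constructed new module",           # not yet present on the client
    }
    central_manifest = build_manifest(central_files)
    # What the client actually receives: one download has been altered on the way.
    downloads = dict(central_files)
    downloads["tools.dll"] = b"constructed altered content"
    plan = plan_update(build_manifest(local_files), central_manifest)
    installed, rejected = apply_update(local_files, downloads, central_manifest)
    return plan, installed, rejected


if __name__ == "__main__":
    plan, installed, rejected = demo()
    print("to fetch:", plan)
    print("installed:", installed)
    print("rejected:", rejected)
```

Only the two changed entries are fetched; the altered module is refused because its digest no longer matches the manifest, while the updated virus database is installed.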

Installing the Endpoint Encryption Manager

NOTE: If you are unfamiliar with Endpoint Encryption, you should follow the Endpoint Encryption for PC Quick Start Guide which describes setting up an Endpoint Encryption enterprise. Please read the Quick Start guide before tackling any of the topics in this guide. You will find this in your Endpoint Encryption box, or on your Endpoint Encryption CD.

The Endpoint Encryption Manager is the administration tool for managing all Endpoint Encryption aware applications.

Install it by running the appropriate setup.exe from the Endpoint Encryption CD or download. You should run this first on the machine that will be the "master" or administrator's machine.

The Endpoint Encryption Manager will now be installed on your machine. Follow the on-screen prompts to install the software: you may be prompted to select a language, a smart card reader, and an encryption algorithm. For more information on these options please see the Encryption Manager Administration Guide. Once completed you may need to restart your system.

The Endpoint Encryption Management suite adds some items to your start menu: Endpoint Encryption Manager, which starts the management console, and the Database Server, which starts the communication server and provides encrypted links between clients and the configuration store.

After rebooting, run the Endpoint Encryption Manager program. A wizard will walk you through the creation of a new Endpoint Encryption directory. If you have an existing Object Directory in your network, you can connect to it by cancelling the wizard and manually configuring a connection.

For more information on the Endpoint Encryption Manager please see the Endpoint Encryption Manager Administration Guide.

Endpoint Encryption for PC User Policies

The following sections describe the Endpoint Encryption specific parameters.

User Administration Functions

Create Token

This option creates a new Token for the selected user - this could be a soft (password) token or a hard token such as a smart card or eToken. See the Token Operation chapter for more information.

In the case of hard tokens, creating the token does not necessarily set the user to actually use that token. This must be accomplished separately from the user's Token properties page.

Reset Token

This option resets the token authentication to the default. In the case of the soft (password) token, it resets the password to 12345.

Some hard tokens may not be able to be reset using Endpoint Encryption, for example Datakey Smart Cards. In this case contact the manufacturer of your token to determine the correct re-use procedure.

Set SSO Details

This option sets the Single-Sign-On details for the user. For more information on SSO see the Windows Logon Features chapter.

Force Password Change at Next Logon

This option forces the user to change their password at their next logon.

View Audit

This option displays the audit for the user - for more information see the Auditing chapter.

Reset (All) to Group Configuration

This option resets the configuration of the user, or all the users in the group, to the group's configuration.

Create Copy

This option creates a new object based on the selected object.

Properties

This option displays the properties of the selected object.

User Configuration Options

General

Figure 3. User Options - General

Auto-boot users

The special user id "$autoboot$", with a password of "12345", can be used to auto-boot an Endpoint Encryption protected machine. This option is useful if an auto-boot of a machine is required, for example when updating software using a distribution package such as SMS or Zenworks. However, this ID should be used with caution as it effectively bypasses the security of Endpoint Encryption.

Enabled

This option shows whether the user account is enabled or not. The enabled status is always user selectable.

When an Endpoint Encryption for PC protected system synchronizes with the Endpoint Encryption Manager, it checks the user account list to ensure that the currently logged on user is still valid (because they logged on at boot time, before the network and Object Directory were available). Users with disabled accounts, or users who have been removed from the user list, will find their workstation will lock and they will be unable to log in.

NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop the user from accessing the machine), you can use the "force sync" option to force an update. See the Force Synchronization chapter.

Devices

Figure 4. User Configuration - Devices

Floppy Disk Access

Users can be prevented from accessing the floppy disk, or from writing to it. You can also elect to allow only encrypted floppy disks: in this situation the user must format their own disks, which only they can then use. Note: the disk is encrypted with the user's personal key.

Ports

Endpoint Encryption can attempt to block access to the serial and/or parallel ports. This blocking is implemented after the operating system has booted. Therefore, if the machine has a serial mouse, it will still function. Likewise a printer connected to the parallel port will still function. This option is designed to stop users adding serial and parallel devices AFTER the machine has booted.

NOTE: The McAfee Port Control product provides granular device access by allowing you to take detailed control of the devices which are available to your users.

Application Control

Figure 5. User Configuration - Application Control

Endpoint Encryption includes an innovative application blocking system which can be used to restrict what code can actually be run by a user. For more information on this feature see the Trusted Applications chapter.

List Contains Untrusted Applications

This option allows you to specify files in the listed file hash sets that should be blocked (untrusted). All unlisted executable files will be permitted to execute code (trusted).

List Contains Trusted Applications

This option allows you to specify files in the listed file hash sets that will be permitted to execute code (trusted). All unlisted executable files will be blocked (untrusted).

Enable Blocking of Untrusted Applications

This option blocks untrusted applications from executing code. If this option is not set, then any code can run; the trust verdict is still evaluated, which makes the unset state a debugging option.

Enable Logging of Executed Applications

This option makes a record of files that try to execute code. A status message indicating whether the file is trusted or not is written to the SBAPPLOG.TXT file. This feature is useful for debugging trusted application file sets.
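The interaction between the four options above is easy to get backwards, so here is an added example (not McAfee code) that models the decision: the two list modes invert the meaning of "listed", blocking can be switched off so that only the verdict is recorded, and the record imitates the SBAPPLOG.TXT status message. Modelling a file hash set as a set of SHA-256 digests, the sample executables and the exact log line format are constructed assumptions for the illustration; the product's real hash algorithm and log layout are not given on this page.

```python
"""Added example (not McAfee code): the allow/block decision for the
Application Control options, with an SBAPPLOG.TXT-style status record.
Assumptions, all constructed for illustration: a "file hash set" is modelled as
a set of SHA-256 hex digests, and the log line layout is invented."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AppControlPolicy:
    hash_sets: Set[str]                 # union of the hash sets listed for the user
    list_is_trusted: bool               # True: "List Contains Trusted Applications"
                                        # False: "List Contains Untrusted Applications"
    blocking_enabled: bool = True       # "Enable Blocking of Untrusted Applications"
    logging_enabled: bool = False       # "Enable Logging of Executed Applications"
    log: List[str] = field(default_factory=list)


def file_hash(data: bytes) -> str:
    """Digest of the executable image; hash sets are matched against this."""
    return hashlib.sha256(data).hexdigest()


def is_trusted(policy: AppControlPolicy, digest: str) -> bool:
    """Listed files are trusted in allowlist mode and untrusted in blocklist
    mode; unlisted files are the opposite in each case."""
    listed = digest in policy.hash_sets
    return listed if policy.list_is_trusted else not listed


def evaluate(policy: AppControlPolicy, path: str, data: bytes) -> bool:
    """Return True if the file may execute. With blocking disabled every file
    runs, but the trust verdict is still logged (the debugging use case)."""
    digest = file_hash(data)
    trusted = is_trusted(policy, digest)
    permitted = trusted or not policy.blocking_enabled
    if policy.logging_enabled:
        policy.log.append(
            f"{path} {digest[:16]} {'TRUSTED' if trusted else 'UNTRUSTED'} "
            f"{'ALLOWED' if permitted else 'BLOCKED'}"
        )
    return permitted


# Constructed sample executables (not real binaries).
KNOWN_APP = b"MZ constructed sample: approved corporate application"
UNKNOWN_APP = b"MZ constructed sample: application not in any hash set"


def demo() -> Dict[str, object]:
    """Run the three configurations side by side and return the verdicts."""
    hashes = {file_hash(KNOWN_APP)}
    allowlist = AppControlPolicy(hashes, list_is_trusted=True)
    blocklist = AppControlPolicy(hashes, list_is_trusted=False)
    audit_only = AppControlPolicy(hashes, list_is_trusted=True,
                                  blocking_enabled=False, logging_enabled=True)
    return {
        "allowlist_known": evaluate(allowlist, "C:\\Apps\\known.exe", KNOWN_APP),
        "allowlist_unknown": evaluate(allowlist, "C:\\Apps\\unknown.exe", UNKNOWN_APP),
        "blocklist_known": evaluate(blocklist, "C:\\Apps\\known.exe", KNOWN_APP),
        "blocklist_unknown": evaluate(blocklist, "C:\\Apps\\unknown.exe", UNKNOWN_APP),
        "audit_only_unknown": evaluate(audit_only, "C:\\Apps\\unknown.exe", UNKNOWN_APP),
        "audit_log": list(audit_only.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same single hash set blocks the unknown file in allowlist mode and permits it in blocklist mode, which is why the list-mode radio button matters more than the list contents. In the audit-only configuration the unknown file runs but leaves an UNTRUSTED ALLOWED record, the output you would review before turning blocking on.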

Using Tokens with Endpoint Encryption for PC

Endpoint Encryption supports many different types of logon token, for example passwords, smart cards, Aladdin eToken, and others. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared.

Supported Smart Cards and Tokens

The link below contains the supported smart cards and tokens:

https://kc.mcafee.com/corporate/index?page=content&id=pd20895

General Token Operation

Hardware Device Support

Ensure the machine has the appropriate Windows drivers for the hardware tokens it needs to support. For example, if you intend to use Aladdin eTokens you need to install the Aladdin eToken RTE (Run Time Environment).

If you intend to use smart cards, you need to ensure that an Endpoint Encryption supported smart card reader is installed, along with its drivers – for example the Mako/Infineer LT4000 PCMCIA smart card reader must be installed.

In both cases, the appropriate device drivers are available either direct from the manufacturer, or from the Endpoint Encryption install CD in the \Tools directory.

Endpoint Encryption for PC Driver Support

Once you have installed hardware support for the devices, you can enable software support for them: from the machine, or machine group, Properties window, select the "Files" properties pane and tick the appropriate options for the tokens you want the machine, or group of machines, to support. For example, if you want the machines to support eTokens, select the "eToken PRO Client Token" file group. To support the Mako/Infineer Smart Card reader, select the "Infineer Smart Card Reader" file set.

NOTE: You should also note that some USB key tokens are in fact a combined USB Smart Card reader and USB Device in one unit; therefore, you need to add USB CCID Smart Card reader support to your Endpoint Encryption for PC clients for them to work. See the Token Compatibility section later in this chapter for information on the tokens which are of this nature.

Assign the token to the user and create it

From the user's Token properties pane, select the token you want that user to log in with. Endpoint Encryption will prompt you to insert the token and will create the appropriate data files on it.

If all steps are followed, when you install Endpoint Encryption, or after the machines synchronize, users will be able to log in using their new token.

NOTE: When learning how to use Endpoint Encryption, we advise you always leave at least one password-only user assigned to machines in case you make a mistake when setting up token support.

Stored Value Tokens

Endpoint Encryption can store user keys on certain tokens, such as smart cards or USB keys such as the Aladdin eToken.

Storage tokens host around 1KB of data unique to the Endpoint Encryption environment and user, on each token. They are configured within the Endpoint Encryption Manager for the specific user before they can be used.

Tokens offer the following advantages over passwords:

• The user's key is not stored on the user's machine, and is protected from brute force attack by the microprocessor of the token

• The same token can be used to authenticate to many systems

• Tokens can be used for other physical purposes, for example door access systems

Certificate, or "Crypt Only" tokens

Endpoint Encryption can leverage your investment in PKI and tokens to allow users to authenticate using their certificates. This can be quite advantageous in the corporate environment for the following reasons:

• Leverage investment in PKI and existing tokens

• Tokens do not need to be provisioned specifically for Endpoint Encryption

• Users can log in to Windows etc. using their PKI certificates

• Revocation of certificates denies access to Endpoint Encryption-protected PCs

By using one of Endpoint Encryption's certificate connectors, you can quickly make your Endpoint Encryption enterprise aware of all certificate-holding users, and can allow them to be allocated to computers using Endpoint Encryption for PC without having to create new smart cards or other forms of token for them to use.

Endpoint Encryption has been tested with the following tokens and PKI environments – more tokens and PKIs are being developed, so if your environment is not listed, please contact your Endpoint Encryption representative for the latest information.

You can use any token with any PKI.

How Certificate Tokens Work

Certificate tokens leverage the unique one-way properties of public-key encryption: a piece of data can be encrypted for a user, using some public information, but cannot be subsequently decrypted with that same information.

Endpoint Encryption uses the information stored in the public certificate store of a PKI to look up users and encrypt their unique key with the public key stored in their certificate. This online process is handled transparently by one of the Endpoint Encryption Connectors.

Once encrypted, Endpoint Encryption stores the information within its policy store, and makes it available to all Endpoint Encryption-aware applications: for example, with Endpoint Encryption for PC, the user's key encrypted with their public key is stored on each machine the user is assigned to. When a user tries to log in, Endpoint Encryption sends their encrypted user key to their token and asks for it to be decrypted using the private key stored on the token. The actual decryption happens securely within the microprocessor of the token and only after the user has supplied the correct token PIN or password. This ensures the user's decryption key (private key) never has to leave the token.

Once decrypted, the resulting user key can be used to authenticate the user.

You can see from this process that there is no need for Endpoint Encryption to have prior knowledge of, or to have stored anything on, the user's token. All the information Endpoint Encryption needs to prepare the system can be obtained online through the PKI certificate server.

Certificate Connectors

Setting up Certificate tokens is the responsibility of the Endpoint Encryption Certificate connectors – these are available for both Active Directory and LDAP systems, and more information on configuring them can be found in the Endpoint Encryption Manager Administration Guide, in the Active Directory Connector and LDAP Connector chapters.

The connectors can search AD and LDAP directories for users, and create them in Endpoint Encryption based on certain criteria. The connectors can also monitor CRL lists for revoked certificates, and also automatically handle the rollover of certificates on expiry.

Other Types Of Token

There are other types of token also supported by Endpoint Encryption, such as Biometric and Cognometric tokens. For more information on these tokens please contact the manufacturer or your distributor.

Other Tokens Supported in Endpoint Encryption for PC:

• Sony Puppy Biometric Reader (http://www.sony.co.jp/puppy/)

• RealUser Passfaces (http://www.realuser.com)

• Infineon Embedded TPM Chip

• Security Chip: TPM (TCG V1.2) with Infineon Package versions: InfineonTPM Professional Package V2.5 and InfineonTPM Professional Package V2.5 SP1

• Upek Fingerprint Reader

Token Compatibility

Endpoint Encryption supports many tokens, but due to the pre-boot nature of Endpoint Encryption for PC, not all tokens are supported in all environments. If you have a specific token requirement, please contact your Endpoint Encryption representative for the latest information. Please also see the token overview spreadsheet. Contact your McAfee representative for further details.

Some USB key tokens are a combined USB Smart Card reader and USB Device in one unit. You therefore need to add USB CCID Smart Card reader support to your Endpoint Encryption for PC clients, to enable them to work.

Specific Token Notes

RSA SID800 USB Token

Storage token supported pre-boot. This token requires firmware 1.01.33 or higher.

ActivIdentity Smart Cards and USB Keys

These modules support ActivIdentity 64K v1 (card profile S4), ActivIdentity 64K v2 (card profile O4) and ActivIdentity 64K v2C (card profile S4) cards. You can choose to use the card in Stored Value mode, or Certificate mode. The tested ActivIdentity ActivKeys are the AAK300 version (product code ZFG-3007-AB).

Infineon Embedded TPM Chip

The Infineon Trusted Platform Module (TPM) on Fujitsu PCs can be used as a token for Endpoint Encryption allowing:

• Authentication to Endpoint Encryption Manager

• Pre-Boot Authentication

• Screensaver Authentication

NOTE: If you use TPM as a token for Endpoint Encryption Manager, ensure that the UserID is not used on any other PC with a TPM. If it is, it will be locked to that PC from then on.

The embedded TPM chip, in its simplest form, can be envisaged as a smart card physically attached to the motherboard of the PC. The TPM (Trusted Platform Module) can perform similar cryptographic operations to PKI smart cards, such as encryption, decryption, key generation, signing of data etc.

With the Endpoint Encryption TPM module, the TPM chip is used to secure a user's logon credentials. This means that once initialized, the user's unique secret key is removed from the Endpoint Encryption environment and secured by the TPM chip. From this stage onwards the user will only be able to log in to that particular machine.

Conversion from password mode to TPM mode is automatic and occurs as soon as the user uses their account on a TPM protected machine. From activation onwards, that Endpoint Encryption user will only be able to log into the machine on which the TPM chip holds their keys.

Pre-Requisites for Endpoint Encryption Pre-Boot TPM Support

• Endpoint Encryption

• PC with Infineon TPM Chip installed (TCG Spec. Version 1.2)

Endpoint Encryption's TPM module also requires that the TPM be "initialized". This involves creating the Endorsement Key, Storage Root Key and setting an Owner password. If this is not done, Endpoint Encryption will find the TPM and try to convert the user to use it at first logon, but the operation will fail and the user will not be able to log on.

• Infineon TPM Professional Package (Version 2.5)

• Infineon TPM Professional Package (Version 2.5 SP1)

The TPM initialization process is performed by the Infineon software after you install it.

The TPM Chip must be enabled in the BIOS on the target PC.

The TPM has to be enabled in the BIOS (which it is not by default). Until it is enabled, it is essentially not present as far as Endpoint Encryption and the Infineon software are concerned. If you try to install the Infineon software with the TPM disabled, it will warn you that the "Infineon TPM not found" and abort the install (exactly as it does on machines without a TPM).

Endpoint Encryption has been tested with the following TPM Components:

• Infineon TPM Professional Package v2.5 HF2

- Chip State = Enabled

- Owner State = Initialized

- User State = Initialized

• Trusted Platform Module

- TCG Spec. Version = 1.2

- Vendor = Infineon Technologies AG

- Chip Version = SLB 9635 TT 1.2 (41313100)

- FW Version = 1.00

- FW ROM CRC = 0x4028

• TPM Device Driver

- File name = ifxtpm.sys (x86)

- Version = 1.80.0002.00 built by: WinDDK

• TPM Device Driver Library

- File name = IFXTPM.dll

- Version = 2.50.0771.00

Configuring the TPM on the target PC

The following instructions detail how to enable TPM support for a user on a target PC:

1. From the system tray double-click the TPM icon, or go to Start > All Programs > Infineon Security Platform solution > Manage Security Platform.

2. Click on the User Settings tab.

3. Click on the Basic User Password Change button.

4. Follow the on screen instructions to register a password for the TPM.

5. When you have successfully created the TPM password, exit the application.

Endpoint Encryption for PC setup

1. Install Endpoint Encryption for PC with TPM support.

2. Login to the Endpoint Encryption Manager.

3. Click on Devices and from Endpoint Encryption Machine Groups add a new machine group.

4. Right click on the machine group and select Properties.

5. Click on the Files icon and select TPM Machine Chip. Apply these settings.

6. Click on the Users tab and create an Endpoint Encryption user.

7. Right click on the new Endpoint Encryption user and select Properties.

8. Assign an Infineon Embedded TPM Chip to the user and apply these settings (Note: the Configure option does not apply to the Puppy token).

9. Assign the user to the machine group.

10. Create an install set from the machine group.

Installing Endpoint Encryption with TPM

1. Install Endpoint Encryption on the client PC using the newly created install set.

2. Reboot and synchronize with the Endpoint Encryption database.

3. Login to the Pre-Boot authentication using the default password "12345".

4. When prompted to change the password, select the same password as the Basic User password for the TPM.

5. After the PC's next boot, the password for the TPM will be the TPM Basic User password.

6. Reboot the machine and logon at PBA by selecting the Sony Puppy token.

Recovery

When a user password recovery is performed, Endpoint Encryption will reset the password to the default '12345' and will allow the user to login. The user will be prompted to change the password. Select a new password and ensure that you change the TPM password to the new one before rebooting the PC.

Sony Puppy Fingerprint Reader

The Sony Puppy can be used as a token for Endpoint Encryption allowing:

• Authentication to Endpoint Encryption Manager

• Pre-Boot Authentication

• Screensaver Authentication

The Puppy allows two modes of operation: Fingerprint or Password. This means that if a user fails to login using their fingerprint, they can do so using their password.

Requirements to use Sony Puppy with Endpoint Encryption

1. Puppy Suite Enterprise / Personal - v2.1 or later

2. Sony Puppy device (FIU-810-N03)

3. Endpoint Encryption V5.0

The following instructions detail how to enable Sony Puppy Support for a user. For this you will need to have a new Sony Puppy or reset an existing one using the Sony Puppy Administration Tools.

Step 1. Setup the Sony Puppy Fingerprint Reader

1. Install the Sony Puppy software - SC-API 810 setup (Basic).

2. Plug the Sony Puppy finger-print reader into an available USB Port.

3. Click Start > All Programs > FIU-810 tools > User Manager.

4. Follow the on screen instructions to register a User Name and Fingerprint / Password for the device.

5. When you have successfully created the Sony Puppy User and registered your fingerprint(s), exit the application.

Step 2. Endpoint Encryption for PC setup

1. Install Endpoint Encryption for PC with Sony Puppy support.

2. Login to the Endpoint Encryption Manager.

3. Click on Devices and from Endpoint Encryption Machine Groups, add a new machine group.

4. Right click on the Machine Group and select Properties.

5. Click on the Files icon and select Sony Puppy Client Files.

6. Apply these settings.

7. Click on the Users tab and create an Endpoint Encryption user (keep a note of the UserID).

8. Right click on the new Endpoint Encryption user and select Properties.

9. Assign a Puppy token to the User and apply these settings. (Note: the configure option does not work with the Puppy token).

10. Assign the user to the machine group.

11. Create an install set from the machine group.

Step 3. Installing Endpoint Encryption with Puppy Support

1. Install Endpoint Encryption for PC on the client using the newly created install set.

2. Once installed, start SbPuppytrainer.exe from the default Endpoint Encryption directory.

3. Select Train Puppy from the menu. The logon screen will appear.

4. Select Use Endpoint Encryption Username and enter the User ID and Password of the Endpoint Encryption user and click the Logon with Password button. You will be asked to verify your fingerprint.

5. Place your finger on the reader and it should verify OK. The training is complete. You may reboot the machine and logon at PBA by selecting the Sony Puppy token.

Aladdin eToken 64KB

Tokens with id 0x0514 and 0x0600 are supported. Tokens 0x050c are no longer supported as they are discontinued by Aladdin.

This token module requires Aladdin RTE 3.65 to be installed.

SafeNet iKey 2032

Requires the v3.4.7 drivers as available from www.safenet.com. The Windows update drivers do not function. This token is supported in Storage Mode only.

Endpoint Encryption Phantom USB Biometric Key

The Endpoint Encryption Phantom is a combined USB storage + Biometric authentication token. To use it for Endpoint Encryption for PC Pre-Boot:

Step 1.

Create a user and assign their finger within the USB Phantom by running SMCforUSB.exe (this is the USB Management utility):

1. Create user

2. Enroll user, i.e. register finger

3. Assign a partition to the user

Step 2.

1. From the Endpoint Encryption Manager create a user account for the user name created in step 1.

2. Assign the Endpoint Encryption for USB token to the user (the default token is password).

Note: The default in EEPC is to create a default password of 12345.

Step 3.

Define the Machine Policy, which should include these file sets:

• Endpoint Encryption for PC client files

• READER: USB CCID smart card

• TOKEN V5x: Endpoint Encryption for USB Phantom client files

Step 4.

Create an online installation set. Note: assign the user or user group to the machine as part of the machine policy.

Step 5.

Install Endpoint Encryption for PC on the client computer.

After the second reboot, the client should see the preboot authentication screen. This will have the password and Endpoint Encryption for USB token options.

Step 7.

Select Endpoint Encryption for USB, which should generate an Endpoint Encryption Biometric challenge screen:

1. Attach the USB Phantom to the PC.

2. Swipe the enrolled finger on the USB Phantom.

3. Tick the Provide User Name box for the user listed.

The standard Endpoint Encryption logon screen should appear, which will require the SAME user name to be entered as the one registered with the USB Phantom. At this point you will need to enter the default Endpoint Encryption password of 12345, which will marry the Endpoint Encryption for PC client with the USB Phantom. This step completes the integration of Endpoint Encryption for PC with the USB Phantom.

The PC should now boot into Windows. After rebooting the client you will be prompted to authenticate via the USB Phantom biometric reader.

Upek Fingerprint Reader

Before the Upek fingerprint reader can be used as an authentication device the following steps must be performed:

1. The Upek Protector Suite QL software must be installed and configured on the client machine. The software can be found on the McAfee Endpoint Encryption Tools download. Please consult your McAfee representative for further information.

2. From the Endpoint Encryption Manager:

• Create a file group for the Upek token and import the token files: SbTokenUpek.dll and SbTokenUpek.dlm. See the File Groups and Management chapter for further information.

• The Upek file group must be assigned to the machine or machine group.

• The fingerprint reader must be assigned to a user or a user group. See the user or user group Properties Tokens screen.

3. The user logs on to the client machine using the Upek token module in password mode.

4. The user will be presented with a dialog asking them to register their fingerprints with Endpoint Encryption; the user configures the fingerprint reader to work with one or more of their fingerprints.

5. From then on the user will need to authenticate to Endpoint Encryption with their fingerprint instead of a password.

Creating and Configuring Machines

The Object Directory contains a unique record for every machine attached to it. When Endpoint Encryption installs, it creates a record either directly in the Object Directory or in a transfer directory for later inclusion – this “object” contains the machine’s encryption key, hard drive geometry, and secure configuration.

Each user machine periodically tries to connect to its parent directory to check that its local configuration matches the centrally defined one. If there are any differences, the local machine reconfigures itself to match. You can change any aspect of the machine’s configuration centrally; these changes get applied to the machine the next time it synchronizes.

Machines normally create their own object in the directory when Endpoint Encryption first installs. This happens automatically if you use a Group Install Set (see the Creating an Install Package chapter), but you can pre-create a “placeholder” object for the machine, set a unique custom configuration for it, and then create an install set for that object only.

Users are assigned to machines and machine groups. When the machine synchronizes it compares its local user list with that in its Object Directory entry. Any changes are made in real time, including disabling the current user if their account status becomes removed or disabled.

Machine Administration Functions (right-click menu)

Create Machine

The Create Machine option creates a new “placeholder” machine definition. If in the future a new machine with the same network name tries to install itself into the group, it will take over the placeholder object and use the configuration set within it.

Rename

This option changes the Endpoint Encryption name of the machine. This does not affect the machine’s network name, which can be seen from the General Properties page.

Delete

This option deletes the machine entry – you will be given the opportunity to “Permanently Delete” the machine, or to move the machine to the Recycle Bin (where it can be restored later, if necessary).

Import Machines

This option imports a machine definition into the group. This definition could be from a machine created using an Offline Install (see Offline Package Installs for further information) or from an export from another database.

Export Configuration

This option exports the configuration information for a machine (.sdb file), which can be used for diagnostic or troubleshooting tasks or for import into an alternate database.

Create Install Set

Creates a package of all the files and configuration needed to install Endpoint Encryption. For more information, see Installing, Upgrading and Removing Endpoint Encryption for PC.

Force Synchronization

You can elect to force a machine (or group of machines) which are online to perform an immediate configuration synchronization. You would perhaps do this if you have removed a user from a group (or disabled them) and it is imperative that they are disabled immediately, or if a user has a configuration issue that needs resolving.

To do this, select the machine (or machine group) in question, and use the "Force Synchronization" option from the window menu or right-click menu. The Endpoint Encryption Manager sends a short message to the machine in question (using its stored DNS or IP address) telling it to perform an immediate synchronization to update its policies.

If you "Force Sync" a machine that is not online, or that refuses the request because Endpoint Encryption is no longer installed, an error message is generated. If Endpoint Encryption is already in the process of performing a configuration change on the remote machine, the sync request is ignored.

Reboot Machine

You can select the “Reboot Machine” option to attempt to reboot one or many machines – this sends a message to the machines in question telling them to perform an immediate shutdown. Users may not be given enough time to save their work, so this feature should be used with caution.

You can configure the messages and timeout of the reboot option by editing the SCM.ini file, as explained in the Endpoint Encryption Configuration Files chapter of this guide.

There are some instances when Windows will prevent remote rebooting of a system, e.g. while the screen-saver is active.

Lock Machine

You can remotely activate the screen saver on a given machine by using the “Lock Machine” command. Both machines and groups of machines can be locked in this way.

Add Users

You can add a number of users to a collection of machines using this option. You can select the machine, or combination of machines, you want to add users to from a group or search window.

View Audit

This option displays the audit for the machine. For more information see the Auditing chapter.

Reset to Group Configuration

Resets the configuration of the machine, or all the machines in the group, to the group’s configuration. Optionally, it sets the user list to match the group user list.

Create Copy

Creates a new object based on the selected object.

Properties

This option displays the properties of the selected object.

Machine Configuration Options

The following configuration options can be set for machines, or groups of machines.

Machine Groups

Description

You can enter a text description for a machine group, such as the physical location of the machines.

General

Figure 6. Boot Protection and General Options

Boot Protection

The status of Endpoint Encryption can be set to one of four modes. Both the desired and current protection status are shown.

Disabled – Endpoint Encryption is installed and listening, but is not securing the computer. You can change the status to another mode and this will be reflected at the next synchronization.

Enabled – Endpoint Encryption is protecting the machine, and requiring users to logon.

Remove – Endpoint Encryption will decrypt and uninstall itself at the next synchronization.

Remove and Reboot – as above, with the addition that Endpoint Encryption will automatically reboot the machine after uninstalling.

Removed – Endpoint Encryption is no longer installed on the machine, and its entry can be deleted from the directory.

Note: If you select Remove and let the machine uninstall Endpoint Encryption, remember to delete the entry from the directory, or set the protection back to Enabled before re-installing Endpoint Encryption. If you forget this, then as soon as the new install connects, it will remove itself again.

Description

This field allows you to enter a text description of the machine, such as its specification, model or physical location.

Network Name

The machine’s logical network name. You can find and filter the Machine tree for the machine’s name using the “Object/Filter” option.

Options

Windows Logon

Require Endpoint Encryption Logon – Endpoint Encryption takes control of the normal Windows logon screen, and screen saver logon. Users will be prompted for their Endpoint Encryption for PC credentials.

Attempt automatic Windows Logon – Endpoint Encryption tracks the user’s Windows ID, password and domain, and presents these automatically to Windows logon boxes. This mechanism means that once the user has authenticated to Endpoint Encryption at the boot screen, they do not need to enter any more passwords for Windows.

NOTE: If the user’s Windows credentials are different from their Endpoint Encryption for PC credentials, Endpoint Encryption stores the Windows credentials the first time they are used. It may take two reboots before the single sign on becomes active.

Require Endpoint Encryption re-logon – If the user logs out of Windows, Endpoint Encryption will control the login box for the next login.

Automatically logon as boot user – If there are no stored Windows credentials for the user, Endpoint Encryption tries to login to Windows with the user’s Endpoint Encryption credentials.

Endpoint Encryption logon component always active – If selected, the Endpoint Encryption login component is kept active on the machine even if all the other options are disabled. This means that it can be reactivated mid-session during synchronization with the Object Directory. If all options are deactivated, the Endpoint Encryption logon component can only be reactivated after a reboot.

Set Endpoint Encryption Password to Windows Password – If the Windows and Endpoint Encryption login passwords differ, users will be prompted to set the Endpoint Encryption password to the Windows password. Also, if the user changes their password in Windows, their Endpoint Encryption password will be set to match.

Must Match Windows user name – If a user’s Endpoint Encryption and Windows user IDs do not match, no SSO credentials will be stored for the user if this option is enabled. This prevents an administrator’s Windows credentials being associated with a normal user’s Endpoint Encryption account in the case that the normal user logged in at pre-boot, but then an administrator authenticated to Windows.

Booting

Allow Booting from the hard disk – If disabled, users will have to boot the machine with a machine bootable token such as an Endpoint Encryption Floppy Disk. This adds additional security in that the machine is inaccessible without the token. NOTE: This option is not available with Endpoint Encryption version 4.1 or later.

Virus Protection

Enable MBR Virus protection – Endpoint Encryption monitors boot sector activity, and prevents any program writing to it. Endpoint Encryption also monitors the BIOS signature to further prevent boot viruses.

NOTE: If you have this option enabled and you move a protected hard disk between two machines, Endpoint Encryption will detect this as a possible virus and prevent the machine being used until a virus reset has been performed. For information on this procedure, see the chapter on WinTech and SafeTech.

Miscellaneous

Do not display previous user name – Hides the ID of the last logged on user in all Endpoint Encryption logon dialogs, and changes the “Incorrect Password” and “Unknown User ID” error messages to a generic message.

Reject Suspend/Hibernate Requests – This option stops the machine from entering hibernation mode. Note: this option is not supported in Vista.

Disable Checking for AutoBoot – This option switches off the $autoboot$ user support on this machine. If the machine has many users assigned, this option can speed up the boot time.

Do not lock after AutoBoot is removed – Normally Endpoint Encryption locks the workstation if the currently logged in user is removed, or disabled, as part of a synchronization event. This is to prevent the machine being used in the event that there is no current user. Switching this option on stops the autolock happening if the $autoboot$ user is removed, and may be useful in the case of automated software updates.

Allow AutoBoot user to be managed locally – Enables support for the “-disablesecurity” and “-reenablesecurity” options of the Endpoint Encryption Automation library. For more information on these options see the SBAdmCL Users Guide.

Disable Clearing of status log – Prevents users from clearing the client side status log.

Always display On-screen keyboard – Forces the pre-boot to always display a clickable on-screen representation of the keyboard. This option is of most benefit to TabletPC users.

Enable Boot Disk Compatibility – Some machines have BIOS code which mounts USB disks as physical drives. This is an unusual mode of operation and means that after Endpoint Encryption has finished its authentication, Windows will hang trying to access the drive through the BIOS physical interface (because Endpoint Encryption is also a 32 bit platform, it unloads all BIOS drives when it finishes). This option forces the low-level Endpoint Encryption drivers to block access to disks other than the boot disk, meaning Windows will not detect these USB drives until the USB stack is initialized. An alternate solution would be to unplug all USB drives before booting the machine.

Always enable pre-boot USB support – This option forces the Endpoint Encryption pre-boot code to always initialize the USB stack. Normally this option should not be enabled as Endpoint Encryption will dynamically enable USB on demand.

Do Not Lock Workstation if no User is Authenticated – This option will stop the client manager from locking the workstation after a synchronization if it finds there is no current Endpoint Encryption user logged on, e.g. after the first synchronization during the install or if the Endpoint Encryption user that is currently logged on is removed.

Do Not Lock Workstation if User is Disabled – This prevents the client manager from locking the workstation after a synchronization if the currently logged on Endpoint Encryption user is disabled.
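The post-synchronization lock decision that the two options above and “Do not lock after AutoBoot is removed” control, modelled as an added example (this is not McAfee's code; the option names are the guide's, while the state model, the precedence between the options and the reason strings are assumptions made here). It also lists, for a given set of options, which sync outcomes leave a console unlocked, which is what a policy review wants to know:

```python
"""Post-synchronization lock decision for the Miscellaneous machine options.

Added illustration (not McAfee's code): models the rule the guide describes.
After a synchronization the client manager normally locks the workstation if
the currently logged on Endpoint Encryption user has been removed or disabled,
or if no user is authenticated at all; the three "Do not lock" options exempt
specific cases. The state model, the precedence between options and the
reason strings are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AUTOBOOT_MARKER = "$autoboot$"


def is_autoboot_user(user_id: str) -> bool:
    """Any ID containing "$autoboot$" (e.g. "my$autoboot$", "$autoboot$123") auto-boots."""
    return AUTOBOOT_MARKER in user_id


@dataclass
class MiscOptions:
    """The three lock-related options from the Miscellaneous section, default off."""
    do_not_lock_after_autoboot_removed: bool = False
    do_not_lock_if_no_user_authenticated: bool = False
    do_not_lock_if_user_disabled: bool = False


def lock_after_sync(current_user: Optional[str],
                    synced_users: Dict[str, str],
                    opts: MiscOptions) -> Tuple[bool, str]:
    """Decide whether the workstation is locked once a sync has applied.

    current_user  -- Endpoint Encryption user logged on, or None if nobody is
                     authenticated (e.g. the first sync during install)
    synced_users  -- user list received from the Object Directory for this
                     machine, user ID -> "enabled" or "disabled"
    Returns (lock, reason).
    """
    if current_user is None:
        if opts.do_not_lock_if_no_user_authenticated:
            return False, "no user authenticated; lock suppressed by option"
        return True, "no user authenticated"

    status = synced_users.get(current_user)
    if status is None:
        # The logged on user was removed from the machine's user list.
        if is_autoboot_user(current_user) and opts.do_not_lock_after_autoboot_removed:
            return False, "autoboot user removed; lock suppressed by option"
        if opts.do_not_lock_if_no_user_authenticated:
            return False, "current user removed; lock suppressed by option"
        return True, "current user removed"
    if status == "disabled":
        if opts.do_not_lock_if_user_disabled:
            return False, "current user disabled; lock suppressed by option"
        return True, "current user disabled"
    return False, "current user still enabled"


def unlocked_exemptions(opts: MiscOptions) -> List[str]:
    """List the sync outcomes that leave the console unlocked under these options.

    Each entry is a situation in which the workstation stays usable although
    nobody valid is logged on; the user IDs are constructed sample values.
    """
    scenarios = [
        ("no user authenticated", None, {}),
        ("normal user removed", "alice", {}),
        ("normal user disabled", "alice", {"alice": "disabled"}),
        ("autoboot user removed", "sw$autoboot$", {}),
    ]
    return [name for name, user, users in scenarios
            if not lock_after_sync(user, users, opts)[0]]


if __name__ == "__main__":
    # Constructed sample: a policy tuned for unattended software updates.
    update_policy = MiscOptions(do_not_lock_after_autoboot_removed=True)
    for scenario in unlocked_exemptions(update_policy):
        print("stays unlocked:", scenario)
```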

Encryption

Figure 7. Setting Drive Encryption

Before a machine has first synchronized with the Object Directory, or in the case of the properties of a machine group, the Object Directory does not know what drives and partitions are available to be encrypted. The Endpoint Encryption Manager provides the ability to specify any partition name and elect to encrypt it.

Once the machine has synchronized, only the partitions present on it will be shown.

You can specify one of three encryption modes – “Full” encrypts the entire partition, “Partial” encrypts only the first 10% of the drive, “None” leaves the drive in plain text with no security. The “Last Reported Setting” can be used to verify whether the machine has applied recent configuration changes.

The “Last Reported Setting” for a drive is the exact state of encryption the last time the machine reported to the Database.

NOTE: Partial encryption is designed to encrypt the directory structure and file allocation table on FAT drives – it does not stop a competent hacker reassembling file data from the drive.

Encryption Mode

The Encryption Mode drop down menu lets you specify an encryption type for all drives in a machine group:

Manually select the drives to encrypt

This option allows you to manually select the encryption type for each drive using the Full, Partial or None buttons.

Never encrypt any drives

This option ensures no drives in the machine group will be encrypted.

Automatically encrypt all drives partially

This option will set all drives in the machine group to be partially encrypted.

Automatically encrypt all drives fully

This option will set all drives in the machine group to be fully encrypted.

Recovery key

You can boot a machine, or close the Endpoint Encryption screen saver without logging on, using the recovery process – this involves the user reading a small “challenge” of 18 characters from the machine to an administrator, then typing in a larger “response” from the administrator. The recovery key size defines the exact length of this code exchange. For more information see the Recovery Key chapter. A recovery key size of “0” disables the machine recovery system.

Removable Devices

You can configure Endpoint Encryption for PC to also encrypt removable drives such as USB/Firewire hard disks, Flash drives etc. Normally, Endpoint Encryption for PC only protects physically attached hard disks, for example, IDE or SCSI hard disks. This is because Endpoint Encryption for PC is related to the machine, not the user – it is impossible to share drives encrypted with Endpoint Encryption for PC between different machines. If you need to share data amongst users and machines, please consider using Endpoint Encryption for Files and Folders.

• Manually Select – Normally removable drives will not be shown in the encryption list. Selecting this option makes them visible.

• Always Encrypt – Forces encryption of removable drives.

• Never Encrypt – Prevents Endpoint Encryption from attaching its drivers to removable disks – this is the default option.

Users

Figure 8. Allowed Users

You can add groups of users, and individual users, to a machine (or machine group). Either drag and drop the user(s) from the user tree into the machine properties User tab, or use the “user picker” to select them. Although Endpoint Encryption supports many hundreds of users on a single machine, we STRONGLY recommend that the actual number of users assigned is minimized to the fewest possible. Every user added to a machine is another possible account for a hacker to gain entry. There is no purpose in adding entire departments of users to laptops which are used by only one person.

Auto-boot users

Special user IDs containing the name “$autoboot$” with a password of “12345” can be used to auto-boot a protected machine. This option is useful if an auto boot of a machine is needed; for example, when updating software using a distribution package such as SMS or Zenworks. These IDs should be used with caution however, as they effectively bypass the security of Endpoint Encryption.

Any ID containing the string “$autoboot$” can be used, for example, “my$autoboot$”, “$autoboot$123” etc.

By using more than one ID, you can improve database performance if many machines are synchronizing the $autoboot$ account at the same time.

The process for creating an $autoboot$ user is:

1. Create the user.

2. Uncheck the Force password change at next logon option.

3. Click the Devices tab.

4. Right-click the machine group (or machine, if preferred), and select Properties.

5. Ensure the Disable checking for AutoBoot option is unchecked.

6. Ensure the Allow AutoBoot user to be managed locally and Allow AutoBoot to be cancelled options are checked.

7. Click the Apply button to save these options.

The AutoBoot user is now ready. For further explanation of steps 5 and 6 see the General section of the Machine Configuration Options chapter.

You can also change the default password for the $autoboot$ accounts; to do so see the section Autoboot.ini in Endpoint Encryption Configuration Files.

WARNING: It is quite possible to create a machine, or machine group, with no users assigned. If this configuration is deployed then no one will be able to log on to that machine. To resolve this issue, use the recovery “boot once” procedure, add some users to the machine in question, and then synchronize it again to update the configuration.

Figure 9. Client Warning Text

Security Warning

Text displayed to the user in the Endpoint Encryption login box.

Recovery Message

Text displayed to the user when they select the “Recover” button. This may include information such as their help desk telephone number.

Synchronization Settings

Figure 10. Synchronization Settings

Endpoint Encryption machines try to keep their local configuration the same as their central directory configuration; they do this by periodically synchronizing changes with the Object Directory. The default behavior is to synchronize on boot, but further options can be set.

Automatically Resynchronize

Endpoint Encryption tries to contact the Object Directory every specified number of minutes. If the directory cannot be contacted, the sync sleeps until the next period.

Allow Local Resynchronization

By right-clicking on the Endpoint Encryption tool tray icon, the user can force a synchronization event by selecting the Synchronize option. This feature can be disabled.

Resynchronize when RAS connection is detected

This option causes a synchronization event to occur if the user dials up to the internet / intranet. Endpoint Encryption checks for new RAS (Remote Access Service) connections every second.

Synchronize time with directory

This option sets the local machine time to the time of the server / directory it is synchronizing with. If the user’s machine is in a different time zone to the server, the correct local time will be set as long as their time zone is correct.

WARNING: This option is useful when logon hour restrictions are in place – without this time check the user could set their system clock back to gain extra hours of machine use.

Disable Synchronization of Files

This option stops Endpoint Encryption monitoring file group changes and deploying updates to the remote machines.

Allow remote controlled synchronization

This option allows an administrator to initiate a synchronization event using the “Force Sync” option. The Endpoint Encryption client sends its IP address to the Object Directory each time it connects to enable the communication channel. The communication port can be set between 0 and 65535. Note: The client IP will appear in the Address field within the Synchronize settings screen of the machine’s Properties screen.

Disable Access if not synchronized…

If a machine does not connect to its server within the specified number of days, then all accounts will become disabled. This option prevents users continuing to use machines offline from the Endpoint Encryption Object Database for extended periods of time. Also, if a machine is stolen or lost, you can be assured that it will disable itself after the timeout has passed.

Delay Sync at boot for…

You can specify an optional offset and random offset for the initial boot sync. This may speed up the machine, and will also ensure any network load created by “9am syndrome” is distributed over a longer period of time. You can set a value of zero for the delay time; this disables the initial synchronization.

The synchronization settings take effect once Endpoint Encryption has connected and picked up its policy from the central object directory. You can pre-set the parameters that Endpoint Encryption will use while it is trying to establish the initial first-time connection through settings in the file SCM.ini. More information on this file can be found in Endpoint Encryption Configuration Files.
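The two settings above, “Disable Access if not synchronized” and “Delay Sync at boot for”, modelled as an added example (not McAfee's code): the first function reports whether a machine has passed its offline limit, and the fleet simulation shows how the random offset spreads the “9am syndrome” spike. Seconds as the unit, the day-boundary comparison and the treatment of an unset limit are assumptions made here.

```python
"""Synchronization policy checks, as an added illustration (not McAfee's code).

Models two settings on the Synchronization tab: "Disable Access if not
synchronized" (every account on the machine becomes disabled once it has not
connected within the configured number of days) and "Delay Sync at boot for"
(a fixed offset plus a random offset before the initial boot sync; a delay of
zero disables the initial sync). Seconds as the unit, the day comparison and
the fleet simulation are assumptions of this example.
"""
import random
from collections import Counter
from datetime import datetime
from typing import Optional, Tuple


def offline_lockout(last_sync_iso: str, now_iso: str, max_days: int) -> Tuple[str, int]:
    """Return ("off", 0), ("ok", days_left) or ("disabled", 0).

    Timestamps are ISO-8601 strings such as an audit record would carry.
    max_days <= 0 is taken to mean the option is not configured (assumption),
    and a machine counts as disabled once max_days full days have elapsed
    without a connection (assumption about the boundary).
    """
    if max_days <= 0:
        return "off", 0
    last_sync = datetime.fromisoformat(last_sync_iso)
    now = datetime.fromisoformat(now_iso)
    days_offline = (now - last_sync).days
    if days_offline >= max_days:
        return "disabled", 0
    return "ok", max_days - days_offline


def boot_sync_delay(offset_s: int, random_offset_s: int,
                    rng: Optional[random.Random] = None) -> Optional[int]:
    """Seconds to wait before the initial boot sync, or None when it is disabled.

    A zero delay time disables the initial synchronization; otherwise the
    client waits the fixed offset plus a random share of the random offset.
    """
    if offset_s == 0:
        return None
    rng = rng or random.Random()
    return offset_s + rng.randint(0, random_offset_s)


def peak_syncs_per_minute(machines: int, offset_s: int, random_offset_s: int,
                          seed: int = 0) -> int:
    """Simulate a fleet that all boots at the same instant ("9am syndrome").

    Returns the largest number of initial syncs landing in the same 60-second
    window, i.e. the load spike the Object Directory must absorb.
    """
    rng = random.Random(seed)
    per_minute = Counter()
    for _ in range(machines):
        delay = boot_sync_delay(offset_s, random_offset_s, rng)
        if delay is not None:
            per_minute[delay // 60] += 1
    return max(per_minute.values()) if per_minute else 0


if __name__ == "__main__":
    # Constructed sample values.
    print(offline_lockout("2010-03-01", "2010-03-20", 14))
    print("no random offset:", peak_syncs_per_minute(500, 30, 0))
    print("20 min random offset:", peak_syncs_per_minute(500, 30, 1200))
```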

Files

Figure 11. Client File Groups

Select which groups of files need to be deployed to the machine. Typically the Endpoint Encryption Client File group is deployed, along with optional token and language files.

Some file groups may not be displayed in the list. Only file groups with the property “Client File Sets” will be shown.

You can add your own file groups for deployment to the Endpoint Encryption Object Database – see the following chapter for more information.

If your Endpoint Encryption user account has group permissions set, some file groups assigned to the machine may be outside your control. In this case they will be marked as locked groups. To gain the ability to change them, remove any “Group” administration restrictions on your account.

Screen Saver

Figure 12. Screen Saver Properties

Enable Secure Screen Savers

Endpoint Encryption will take control over all screen savers, providing secure authentication services. On Windows 2000 and XP, the “Windows Logon” options also need to be configured.

Allow user access…

This option allows the user to change the local screen saver properties.

Run screen saver if token is removed…

If the current user’s token supports dynamic removal, e.g. a smart card or eToken, then the screen saver will be activated if they remove the token from the machine.

Set Endpoint Encryption screen saver as default

This option sets the currently selected screen saver to be the Endpoint Encryption Screen Saver.

Allow logon of administrators…

This option allows administrators with accounts on machines greater than the specified admin level to unlock a screen saver that has been locked by a different user. If this option is not set, then only the user who locked the machine can unlock it.

Set screen saver inactivity…

This option sets the timeout period for the screen saver.

Boot

Figure 13. Boot Properties

Boot Manager

Enable boot Manager

Switches on the built-in pre-boot partition boot manager. Users can select which primary partition on the hard disk they wish to boot.

You can control the display of the partitions which the user can select via the file “bootmanager.ini”. For information about this file, see the Endpoint Encryption Configuration Files chapter of this guide.

Auto select After... seconds

This option allows you to select a period which, once it has expired, will cause the boot manager to select the last used partition.

Graphics Mode

This menu allows you to specify the screen resolution for a machine or machines within a group. The default option is “Default Graphics Mode”, which supports resolutions up to 1024x768. Note: if the selected mode is not supported on the machine it will fall back to the default mode.

File Groups and Management

Figure 14. Endpoint Encryption File Groups

Endpoint Encryption for PC uses central collections of files, called Deploy Sets, to manage what versions of files are used on remote Endpoint Encryption clients. When an administrator updates a file in the central directory, all machines attached to that Deploy Set automatically collect the new version of the file from the directory the next time they synchronize. This mechanism can be used to update Endpoint Encryption clients to future versions, or to manage any file on an Endpoint Encryption protected machine - for instance, updating a virus database, or a new version of an application.

You can assign multiple file sets to be used on each machine. Typically two are used, the first for the core Endpoint Encryption files, the second for the language files. All assigned sets are processed in the same way.

When the Endpoint Encryption Manager is installed, it automatically adds the entire standard Endpoint Encryption administrator and client files into two core file groups: Administration Center Files and Endpoint Encryption for PC 5 Client Files; it may also create language sets, for example, English Language. Two INI files - ADMFILES.INI for the administrator files (determines the contents of the core groups) and SBCLIENTFILESET.INI for the client files - can be edited to allow custom collections of files to be quickly imported and then applied using the "Import file list" menu option. For more information on ADMFILES.ini and SbClientFileSet.ini, see the Endpoint Encryption Configuration Files chapter of this guide.

Other file sets created as standard include those to support login tokens, such as smart card readers, and USB Key tokens.

Setting file group functions

Figure 15. File Group Content

You can specify the function of a file group by right-clicking it and selecting its properties. Some file selection windows, for example the file selector for machines, only display certain classes of file group (in this example, those marked as “Client Files”).

Importing new files

New files can be imported one by one into an existing deploy set using the "Import files" menu option. Simply select the file. The Endpoint Encryption Manager will then import it into the directory and add it to the deploy set. The default options for the file mean that machines using this deploy set will NOT automatically receive a download when they synchronize. This chapter contains further information on how to achieve this. You can also import File Sets, for instance, to add a new option to the Endpoint Encryption database.

Exporting Files

You can export a file group, or an individual file, back to a directory. This may be useful, for example, if you have an out of date administration system driver and there is an updated file in the Object Directory.

Deleting Files

You can delete individual files from a file set. In this case all machines that are maintaining a link to the file through association will delete it from their local directory at the next synchronization event.

Clients maintain a link to a particular file via its object ID, not its name. If you delete a file and re-import it, its ID changes; clients will still delete the original and download the new copy.

Setting File Properties

To see the properties of a file, right-click on the file in question and select "Properties". Two screens of information are available: File Information and Advanced.

The name of the file is the actual name which will be used when deploying the file on the remote machine. The ID is the Object Directory object ID, which is used as a reference for the file from the client PC.

The version number is an incremental version of the file. When the file is updated, the version is incremented. This is used by the clients to check whether an update is needed. Other information such as the name of the user who imported the file and its size may be shown.

Figure 16. File Properties, Advanced

File Types

Sets the type of the file.

Operating System


Because some files are only applicable to certain operating system(s), the target operating system(s) for the file must be selected. This prevents Windows NT drivers being installed on Windows 98 machines, or Windows 9x registry files being run on Windows 2000 servers.

App ID

If you are installing a file which is shared between multiple Endpoint Encryption applications, you can specify the application's ID. This prevents one application from installing files shared by another.

Update

Specify when Endpoint Encryption should update the file.


Adding components to a Machine

To add new options, such as tokens, smart card readers, or other ancillary files to an existing machine, or group of machines, simply check the desired options on their Files tab.

Some combinations of options may be incompatible – for further information please visit our web site, www.mcafee.com.


Using Endpoint Encryption as a File Deploy System

Endpoint Encryption’s internal file update mechanism can be used to synchronize any file on an Endpoint Encryption protected machine.

When the Endpoint Encryption client performs synchronization, it compares its internal file revision list with the revision of the files in the Object Directory. If any files have been superseded (or are in the directory list but not in the local list), the Endpoint Encryption client downloads them.

The file type assigned in the Object Directory determines what happens to a file when it is downloaded. The action can be summarized simply:

• Endpoint Encryption Registry File: Processed into registry
• Windows Registry File: Processed into registry using RegEdit
• Pre/post Installation Executable: Copied to specified location and run either before or after Endpoint Encryption.
• Any other file: Copied to specified location
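The synchronization rules just listed, modelled in Python as an added example (not McAfee's code): a sync plan is computed from the directory's file group and the client's local revision list, keyed by object ID as the Deleting Files section describes (a deleted-then-reimported file gets a new ID), and each download is mapped to the action its file type implies. The record layout, object IDs and file names are constructed sample data, not the product's storage format.

```python
from dataclasses import dataclass

# Download actions by file type, as summarized in the guide.
ACTIONS = {
    "EE Registry File": "process into the registry",
    "Windows Registry File": "process into the registry using RegEdit",
    "Pre Installation Executable": "copy to location, run before Endpoint Encryption",
    "Post Installation Executable": "copy to location, run after Endpoint Encryption",
}
DEFAULT_ACTION = "copy to location"  # any other file type


@dataclass(frozen=True)
class FileRecord:
    """One entry in a file group or in the client's local revision list.

    The field layout is an assumption of this example; the guide names the
    object ID, name, version, file type and location but not how they are stored.
    """
    object_id: str
    name: str
    version: int
    file_type: str
    location: str


def plan_sync(local, directory):
    """Compute what a client must do at its next synchronization.

    Both arguments map object ID -> FileRecord. A file is downloaded when it
    is in the directory list but not the local list, or when its directory
    version is higher than the local one (superseded). A file is deleted
    locally when its object ID is no longer in the directory: clients link
    to files by ID, not name, so a deleted-then-reimported file (new ID,
    same name) has its old copy removed and the new copy downloaded.
    Returns (downloads, deletes), each sorted by object ID.
    """
    downloads = [
        rec for oid, rec in directory.items()
        if oid not in local or rec.version > local[oid].version
    ]
    deletes = [rec for oid, rec in local.items() if oid not in directory]
    return (sorted(downloads, key=lambda r: r.object_id),
            sorted(deletes, key=lambda r: r.object_id))


def action_for(rec):
    """Describe what happens to a downloaded file, based on its assigned type."""
    action = ACTIONS.get(rec.file_type, DEFAULT_ACTION)
    return f"{rec.name} (id {rec.object_id}, v{rec.version}): {action} -> {rec.location}"


# Constructed sample data: the client holds message.txt (id 1001) and a
# registry file (id 1002, v3). Since then the administrator deleted and
# re-imported message.txt (new id 1003) and updated the registry file to v4.
LOCAL = {
    "1001": FileRecord("1001", "message.txt", 1, "Other", r"c:\windows\desktop"),
    "1002": FileRecord("1002", "options.reg", 3, "EE Registry File", "[appdir]"),
}
DIRECTORY = {
    "1002": FileRecord("1002", "options.reg", 4, "EE Registry File", "[appdir]"),
    "1003": FileRecord("1003", "message.txt", 1, "Other", r"c:\windows\desktop"),
}

if __name__ == "__main__":
    downloads, deletes = plan_sync(LOCAL, DIRECTORY)
    for rec in deletes:
        print(f"delete {rec.name} (id {rec.object_id}) from {rec.location}")
    for rec in downloads:
        print("download " + action_for(rec))
```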

Example - Copying a new file to the desktop

This example shows how to set up a new text file that will be copied to the user’s desktop when they synchronize.

Step 1. Checking the File Group settings

From the properties of the machine (or controlled machine group) you want to update, check which file groups are assigned. The default file group is EEPC1: Endpoint Encryption for PC 5.1.2 Client Files. You can create new file groups specifically for your custom files and assign them to machines if you so wish.

Step 2. Adding the new text file

1. Select the file group from step 1, and then use the Import Files option (right-click inside the File Group window).

2. Select the new file you want to import, for example, "message.txt". Once imported, select the new file and go to its Advanced Properties box.

Because we are importing a "Known" file type, the file location will be set automatically to [appdir]. We will override this with the location we want to send the file to, in this case c:\windows\desktop. We also want this file to be deployed on all operating systems, so we check all the boxes.


Figure 17. Setting the new text file permissions.

Now, next time the machine synchronizes, it will notice the new file, and download it into its c:\windows\desktop directory. If the file was defined as a type of Endpoint Encryption or Windows Registry file, it would be applied. If it was marked as an "Installation Executable", it would be run.

You can test this behavior by forcing the machine to resynchronize using either the "Force Sync" option from the Endpoint Encryption Manager, or from the Endpoint Encryption client tool tray icon right-click menu.

The file "message.txt" should appear on the desktop, and the status window of the client should reflect the change.

More information on the Endpoint Encryption file deployment mechanism can be found in the File Groups and Management chapter.


Creating an Install Package

The Endpoint Encryption client is installed by running a special archive file created from the Endpoint Encryption Manager. This archive file contains all the components necessary to install Endpoint Encryption.

The Endpoint Encryption Manager compresses the files needed into a single self-contained executable for ease of management. Deploy sets can be created for machine groups, and individual machines, for both fully online and temporary offline situations.

This chapter deals with creating the install package; for information on how to apply it, see the Installing, Upgrading and Removing Endpoint Encryption for PC chapter.

Selecting the Group / Machine

The first step in creating an install set is to select the object you want to create the set for, e.g. an individual machine or a machine group. Install sets created for a machine can only be used to install that one machine - the target PC always takes the database entry the install set was created for. Sets created for groups of machines can be used to install any number of machines in that group - each machine looks in the deployed group for its name; if found, it uses that object. If not, it creates a new object based on its network name.

Select the Install Set type

Figure 18. Creating an Installation Set

For the second step you need to determine whether you expect the machine to be online or offline at the time of install.


Online Installs

Online installations expect the master Object Directory (the directory the administrator is currently connected to) to be available via the LAN during the install process. Once Endpoint Encryption for PC is installed, after the next boot, Endpoint Encryption will contact the Object Directory and download all the configuration and object data for the machine and users.

If a "placeholder" object for the machine name exists (a machine object created, but not installed), it will use the configuration stored in that object. If no placeholder exists, the machine will obtain its configuration from the machine group that the install set was created for.

If the machine name is already used in the directory, and the existing machine is not a “placeholder”, the new machine will append a four digit number to the end of its name and install. For example, where a machine called “JSMACHINE” already exists, an object “JSMACHINE0001” will be created.

NOTE: By editing the file scm.ini on the client before Endpoint Encryption is activated (i.e. after setup, but before the first reboot) the group can be changed.

Offline Installs

If the machine is expected to be disconnected from the Endpoint Encryption Server during the install, an "offline" install set can be created. In this case a "transport directory" containing the necessary objects and configuration data will be included in the deploy set. After local configuration, the transport directory will need to be re-imported into the master directory before the machine can be recovered.

Selecting an Offline install mode allows the additional choice to include the "individual objects" in the transport directory. If they are included, then all users and machines in the set will be deployed with the transport directory (and therefore will be available immediately, even before the machine connects back to the master directory). If they are not included, then there will be no login prompt until the machine has performed its first connection and brought down its user list.

NOTE: Until the transport directory containing the machine’s completed configuration is imported back into the master directory, no connection or configuration of the client can be performed. Also, in the case where the offline install set was created from a group, it will not be possible to recover the machine until it has successfully synchronized with its master database. In the case where the offline install set was created for an individual machine, or in the case of users, synchronization is not necessary for the machine to be recovered.


Importing a Transport Directory

The Transport directory is a file called sbxferdb.sdb, and can be found in the directory the Endpoint Encryption client is installed into. To import the details in this directory back into the master, select the machine group you want to contain the entries, and use the Import Machines right-click option. This brings the keys and configuration from the machine into the master database, giving the ability to synchronize with, reconfigure, and recover the machine.

Summary of Offline Install set contents

Machine Group Sets

An Install set created from a machine group can contain the following items:

• The Machine Group object.
• User objects assigned to the group, and user objects assigned to machines in that group.

If the group contains machines, the following items are included in the set:

• Individual Machine objects (live or placeholder).
• User objects assigned to the individual machines.

Individual Machine Sets

The following items are included:

• The machine object.
• Users assigned to that machine.


Select the Master Directory

Figure 19. Selecting the Master Object Directory

Step 3 involves selecting the final Object Directory that the new client will communicate with to synchronize configuration details. The default is the directory that the administrator is currently using, but it could be any directory the administrator has access to. Usually the clients will access the Object Directory via an Endpoint Encryption Server, rather than locally.

Connections via an Endpoint Encryption Server have the category type called Remote. You can specify multiple connection points for machines, if you have more than one server defined.

You can also change the order in which the client will look for servers, and enable automatic random selection of servers by using the wizard.

NOTE: For information on setting up an Endpoint Encryption Server, see the Endpoint Encryption Manager Guide.


Set install options and create the set

Figure 20. Saving the Install Set

In Step 4, you specify the location the completed install file will be saved to, and the directory on the client you wish Endpoint Encryption to be installed into.

Two options for the "visibility" of the set-up process can be set. Silent installs, for example, do not give the user any visible display of the install process and are used in automatic deployment environments, such as Microsoft SMS.

After the install file has been run on a client machine, it needs to be restarted before Endpoint Encryption can be activated. An automatic restart option is included; however, be aware that if ”perform installation silently” and “automatically restart machine” are both enabled, the machine will restart with no user intervention - this may cause users to lose work, for example, if they have open documents when this process occurs.


Installing, Upgrading, and Removing Endpoint Encryption for PC

Running an “Install Package” created by the Endpoint Encryption administrator on the target machine enables and installs Endpoint Encryption for PC.

For information on creating install packages see the Creating an Install Package chapter.

Offline Package Installs

Create the install file as per the Creating an Install Package chapter, selecting Offline install, and including the users and machines required. Run the package on the target client and let it reboot.

Once restarted, you must retrieve the file sbxferdb.sdb, which needs to be imported back into the master directory. For information on this procedure see the Creating an Install Package chapter.

Once the transport directory has been imported into the master database, if there is a network connection between the client and an Endpoint Encryption Server, you will be able to remotely manage the machine. If you do not retrieve the transport directory, then you will not be able to recover or reconfigure the machine.

If your machines are unable to connect to the master database after install, for example because you are working in a permanently disconnected environment, you may want to retrieve the .sdb file AFTER encryption has finished – the status of encryption will then be properly reflected in the master database. In the case of machines which connect to the master database after offline install, this property will be automatically updated during the sync process.

Online Package Installs

Create an Online install package as per the Creating an Install Package chapter. Simply run this file on the target machine(s). Once they have installed and rebooted, they will contact one of the Endpoint Encryption Servers specified and create their directory entries.

Removing / Uninstalling Endpoint Encryption Client

You can specify four modes of operation for Endpoint Encryption in the machine’s General properties page. For full details of these modes, see the General section.


To disable Endpoint Encryption, i.e. put it into a mode where it is applying no protection but can be easily re-enabled, set the machine status to Disable. You can then at a future time set the status to Enable and Endpoint Encryption will re-apply the protection specified.

To completely remove Endpoint Encryption, select either Remove or Remove and Reboot – Endpoint Encryption Client will perform the action after the next synchronization event.

Upgrading Endpoint Encryption from previous versions

Where 5.x is mentioned, Endpoint Encryption version 5.1 and above should be assumed.

Upgrading Endpoint Encryption 4.2 Clients to 5.x

Please see the Endpoint Encryption Update and Migration Guide.

Upgrading existing 5.x clients to a later service pack or patch version

To upgrade between service pack or patch levels, for example, from v5.0 to v5.1, you can create a new file set in the Endpoint Encryption Object Directory.

1. Update your database and administration system as described in chapter 8 of the Endpoint Encryption Manager Administration Guide.

2. Create a new file group for the new 5.x files.

3. You have to set the File Group Properties to Client files to have it available under the Files section in the machine properties. Therefore right-click the file group, choose Properties, Content and check the Client Files box. In the case of new language file groups you need to check both Client Files and Language as properties.

4. Right-click the new group and select Import File Set. Select the file SBClientFileSet.ini from the administration system directory (usually c:\program files\sbadmin).

5. Deselect the Endpoint Encryption 5.x Client Files file set from the machines you wish to upgrade, and select Endpoint Encryption 5.1x Client Files instead. During the next synchronization, the machine will download the latest files and code and apply the upgrade.

WARNING: The deselection of all old Endpoint Encryption file groups and the selection of all new Endpoint Encryption file groups MUST be done at the same time, e.g. if you deselect the Endpoint Encryption 4.x Client Files and the English (British) KB/Language file group without selecting the new Endpoint Encryption 5.x Client File groups then you risk corrupting your client.

If you have other options selected, such as the File Encryptor, or Token modules, be sure to also deselect the v4 modules, and select the appropriate 5.x versions of these as well.

6. For each machine you want to upgrade, deselect the machine's current client file set, and select the new 5.x file set you created in step 2.

Removing Endpoint Encryption 5.x from a machine

1. Set Endpoint Encryption to either Remove or Remove and Reboot from the machine's General properties. The next time the machine synchronizes with the database it will remove all encryption and authentication; it will then uninstall the Endpoint Encryption program files. If you simply want to disable the Endpoint Encryption protection, set the Client to Disable instead.

If the machine is unable to synchronize, perhaps because of a network or Windows issue, you can still remove Endpoint Encryption by performing an emergency SafeTech removal followed by the Sbsetup –Uninstall command from the Endpoint Encryption program files directory.



Client Software

The Endpoint Encryption Client connects to its Object Directory, or configuration store, which may be on the same machine, on a network drive, or reached via the Endpoint Encryption Server. It does this every time the machine boots and optionally at set time intervals or when a RAS session is initiated.

Once connected to the directory, the Endpoint Encryption client uploads the latest audit and password changes to the directory, and if necessary downloads any configuration changes specified centrally.

The Tool Tray Icon

The only user-visible part of Endpoint Encryption is the “Endpoint Encryption Monitor” icon in the user’s tool-tray. By double-clicking the icon users can start the system screen saver (which may be protected by Endpoint Encryption). By right-clicking it they can select one of four actions.

Activate Screen Saver

The default action when the Endpoint Encryption tray icon is clicked is to bring up a password protected screen saver.

Show Status

The configuration process within Endpoint Encryption is largely transparent to the user. The only evidence of Endpoint Encryption working can be found from the status menu available from Endpoint Encryption's tool tray icon.

Figure 21. Endpoint Encryption Client Status Window

The Status window displays any on-going configuration tasks (such as encryption processes) and status messages from the last directory connection.


Synchronize

Endpoint Encryption tries to establish a connection with its directory during the boot process. In a situation where the directory is unavailable, for example a notebook user who is connecting via dial-up networking, the user can establish a connection at any time, and select the Synchronize option to connect to a remote directory and collect / upload changes.

For details of the supported functions within the Endpoint Encryption client, please see the User and Machine configuration sections in the Endpoint Encryption Manager Administration Guide, and also this guide.

Client Auditing

User events are audited locally and then transferred to the Object Directory as part of the synchronization process. For more information on the events tracked see the chapter on Auditing.

Boot and Logon Process

The Endpoint Encryption for PC boot screen allows the user to select a login method (one of the available tokens), and then provide authentication credentials such as a user id and password. If the user can provide the correct details, the Endpoint Encryption boot code starts the transparent hard drive decryption process, loads the original MBR and executes it.

When the operating system starts, the Endpoint Encryption Configuration Manager (SCM) runs and performs a logon to the operating system (if SSO is enabled). It then attempts to contact the Object Directory using the Directory Manager - this can be local or remote via an Endpoint Encryption Server - and re-validates the user against any changes that have been made since the last validation. Following this, SCM downloads and applies any configuration updates. This could include new user accounts.

If the Object Directory validation is successful (i.e. no administrator has deleted or disabled the user's account) the Windows startup completes, and the Endpoint Encryption icon is loaded into the tool tray to allow the user to run the screen saver, validate with the server, display status etc.

After a period of inactivity or a power event, SCM activates the screen saver, locking the user out.

If the user logs out of the operating system, they may be required to authenticate to Endpoint Encryption when they log back into Windows.


Endpoint Encryption Screen Saver

The Endpoint Encryption for PC Client includes a simple logo screen saver. You can use any screen saver written to the Microsoft Screen Saver standards on the system; Endpoint Encryption will still protect the logon from it using the standard Endpoint Encryption logon window.

NOTE: You can change the logo displayed in the screen saver by adding a file called “logo.bmp” to the Windows directory. You can also deploy logo.bmp using the File Update technology built into Endpoint Encryption. You may find extra graphics on your Endpoint Encryption CD in the “tools” directory.

Users can start the screen saver through any of the normal Windows mechanisms, or by double-clicking on the Endpoint Encryption tool tray icon.

Windows Sign-On and Logon Mechanisms

Endpoint Encryption includes many options to reduce the number of passwords users have to remember. These options are used to ensure that when the user changes their Windows password, their Endpoint Encryption password is changed to the same. This happens without user interaction.

Changing the Password

The Endpoint Encryption for PC password can only be changed in the pre-boot environment. To change the password:

1. Restart the PC.

2. Enter the current user ID and password in the login dialog.

3. Tick the change box, and click OK.

4. Follow the on-screen prompts to change the password.

Section 508: Logon Accessibility

US legislation Section 508 requires that information technology is accessible to people with disabilities. To comply with 508 the pre-boot logon needs to be accessible by blind or partially sighted people.

There is a limited range of sounds which enable access to the basic logon. Other options, e.g. the About and Recovery screens, are not accessible.

As the user tabs (or shift-tabs) between controls, the pre-boot will emit various beep sequences to indicate where they are. Other beep sequences will be used when an error is displayed, when password timeouts are displayed and when a logon is successful.


The sequences are:

User name field: beep

Password field: beep-beep

Change password checkbox: beep-pause-beep

OK button: beep-pause-beep-beep

Cancel button: beep-pause-beep-beep-beep

Token selection list: beep-beep-beep-beep

Error: beep-pause-beep-beep-pause-beep

Password timeout: beep-beep-beep-beep-beep

Logon successful: beep-beep-beep


Windows Sign-on and SSO

Endpoint Encryption can ease the logon process for users by doing the Windows logon for them, as well as taking responsibility for screen saver logons and re-logon requests. The features available can be configured by clicking on the “General” icon of a machine or machine group object.

Windows Logon Features

Require Endpoint Encryption Logon – Endpoint Encryption takes control of the normal Windows logon screen, and screen saver logon. Users will be prompted for their Endpoint Encryption credentials rather than their Windows credentials.

Attempt automatic Windows Logon – Endpoint Encryption tracks the user's Windows id, password and domain, and presents these automatically to Windows logon boxes. This mechanism means once the user has authenticated to Endpoint Encryption at the boot screen, they do not need to enter any more passwords for Windows.

If the user’s Windows id and password are different from their Endpoint Encryption id and password, Endpoint Encryption stores the Windows credentials the first time they are used. It may take two boots before the single sign on becomes active.

Require Endpoint Encryption re-logon – If the user logs out of Windows, Endpoint Encryption will control the login box for the next login.

Automatically logon as boot user – If there are no stored Windows credentials for the user, Endpoint Encryption tries to login to Windows with the user’s Endpoint Encryption credentials.

Endpoint Encryption logon component always active – If selected, the Endpoint Encryption login component is kept active on the machine even if all the other options are disabled. This means that it can be reactivated mid-session during synchronization with the Object Directory. If all options are deactivated, the Endpoint Encryption logon component can only be reactivated after a reboot.

Set Endpoint Encryption Password to Windows Password – If the Windows and Endpoint Encryption login passwords differ, users will be prompted to set the Endpoint Encryption password to the Windows password. This option also captures the Windows Change Password event, and again, sets the user's Endpoint Encryption password to match.

If you are using this option, it is important to ensure that the password template and quality rules in Endpoint Encryption are identical to, or more lenient than, those in Windows; otherwise a failed password change may occur and the user will be reset to “12345”.

Must Match Windows User Name – This option ensures the SSO details are only captured in the situation that the user’s Endpoint Encryption and Windows IDs match. If they are different, no SSO details will be stored.

How Windows Logon works

Endpoint Encryption intercepts the Windows Logon mechanism, using a “Pass through Shim GINA” on Windows NT, 2000 and XP, and a Credential Provider on Vista. On Windows 2000 and XP operating systems a custom .ini file (SBGINA.INI) is used to help Endpoint Encryption analyze the logon screen and paste the credentials into the correct boxes on screen.

In Windows Vista Microsoft has replaced the original MSGINA (Graphical Identification and Authentication) with a new method called Microsoft Credential Provider. Endpoint Encryption has modified the Single Sign On architecture and implemented a Credential Provider to communicate with Windows. We display each of the Endpoint Encryption Tokens as a potential logon method. If you logon to Endpoint Encryption, you will be asked for your Windows credentials only the first time, and Endpoint Encryption will store the Windows credentials securely within Endpoint Encryption. On subsequent logon events, Endpoint Encryption will use the stored Windows credentials to logon.

You can find out more about Microsoft Vista Credential Providers from the Microsoft MSDN Website:

http://msdn.microsoft.com/msdnmag/issues/07/01/CredentialProviders/default.aspx

For more information on Endpoint Encryption ini files, see the Endpoint Encryption Configuration Files chapter of this guide. Also, see SBGina.ini in the Endpoint Encryption Configuration Files chapter of this guide if you wish to enable smartcard based Single-Sign-On to Windows. Note: this feature is not supported under Vista.

First Boot

The first time a user starts their newly Endpoint Encryption protected machine, Endpoint Encryption authenticates them at boot time. If successful, the operating system starts.

Normally they would next be presented with a Windows logon – if the Endpoint Encryption Windows Logon architecture is fully activated, Endpoint Encryption will automatically present the user’s stored SSO id and password to Windows. If these details are accepted, Endpoint Encryption stores a record of these credentials in a special encrypted area of the user’s profile. If Windows fails the SSO credentials, for example, if they have not been set, Windows displays the standard login box and the user is forced to enter their Windows id and password.

Again, once a valid login has taken place, Endpoint Encryption stores the correct credentials in the user’s encrypted profile, which are uploaded to the central Object Directory on the next synchronization.

Second Boot

The second and subsequent times the user starts the machine, they login to the Endpoint Encryption boot screen, then Endpoint Encryption supplies the stored Windows credentials to the Windows login box.

Failed Windows Password

If/When the Windows Logon credentials become invalid, for instance if the user changes their Windows password on another system, or has it reset by an administrator, the automatic login will fail and the standard Windows login box will appear. Once again, once a successful login has occurred, the correct details are stored encrypted in the user profile and uploaded on synchronization with the central Object Directory.

Re Logon

If a user chooses to “log off” Windows, they would normally expect to see the standard Windows logon box. Endpoint Encryption takes control of this in the same way as the initial logon screen, forcing the next user to login with their Endpoint Encryption credentials.

If a user wants to logon to Windows using a different account than their stored credentials, they simply cancel the default login window, then clear the “Automatically logon to Windows” box. Once cleared, they simply select the token they want to login with.

Setting and Changing a user's SSO details

You can pre-set or change the SSO details associated with a user by right-clicking their object and selecting “Set SSO Details”.


Auditing Introduction Endpoint Encryption Endpoint Encryption for PC audits user, machine, and server

activity. By right-clicking on an object in the Endpoint Encryption Object Directory, you

can select the view audit function.

Audit trails are uploaded to the central directory each time a machine synchronizes. Until that time the audit is cached internally in the encrypted Endpoint Encryption file system. In SB4.1.1 and above, the last 3000 entries are cached locally; when the limit is reached the oldest 300 entries are culled. The local audit will retain approximately 2 years of normal operation before culling begins.

The permission to view or clear an audit log can be controlled on a user or group basis. Both the administration level and administration function rights are checked before allowing access to a log. For more information on setting these permissions see chapter 12.

Audit trails can be exported to a CDF file by using the “Audit” menu option, or by right-clicking the trail and selecting “Export”. Also, the entire audit of the directory can be exported using the “SBAdmCL” tool. For information on this option please contact your Endpoint Encryption representative.

The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely, but can be cleared en masse using SBAdmCL.

Common Audit Events

The text displayed in the audit log will depend on your localization and language settings. The following table lists the common events and their ID codes for the American English version of Endpoint Encryption. Many events can appear at multiple places, for example the “Login Successful” event will be logged both in the user account doing the login, and the machine being logged into simultaneously.

Information Events

Event      Description
01000000   Audit cleared
01000001   Boot started
01000002   Boot complete
01000003   Booted non-secure
01000005   Backwards Date Change
01000004   Booted from floppy
01000010   Token battery low
01000011   Power fail
01000013   A virus was detected
01000014   Synchronization Event
01000015   Crypt Start
01000016   Crypt End
01000082   Add group
01000083   Add object
01000084   Delete group
01000085   Delete object
01000086   Import object
01000087   Export object
01000088   Export configuration
01000089   Update object
01000090   Import file set
01000091   Create token
01000092   Reset token
01000093   Export key
01000094   Recover
01000095   Create database
01000096   Reboot machine
01000098   Move Object between groups
01000099   Rename Object
010000C0   Server started
010000C1   Server stopped

Table 1. Information Audit Events

Try Events

Event      Description
02000001   Logon attempt
02000002   Change password
02000003   Forced password change
02000016   Recovery started
02000081   Database logon attempt
04000001   Logon successful
04000002   Password changed successfully
04000016   Boot once recovery
04000017   Password reset
04000018   Password timeout
04000018   Lockout recovery
04000019   Change token recovery
0400001A   Screen saver recovery
04000081   Database logon successful
08000001   Logon failed
08000002   Password change failed
08000005   Password invalidated
08000017   Recovery failed
08000081   Database logon failed
Undefined  Machine configuration expired
Undefined  A virus was detected

Table 2. Try Audit Events

Succeed Events

Event      Description
04000001   Logon successful
04000002   Password changed successfully
04000016   Boot once recovery
04000017   Password reset
04000018   Password timeout
04000018   Lockout recovery
04000019   Change token recovery
0400001A   Screen saver recovery
04000081   Database logon successful

Table 3. Succeed Audit Events

Failure Events

Event      Description
08000001   Logon failed
08000002   Password change failed
08000005   Password invalidated (too many incorrect attempts)
08000012   Machine configuration expired
08000017   Recovery failed
08000081   Database logon failed

Table 4. Failure Audit Events
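As an added example (not from the guide), the following Python decodes these event IDs by class and runs a defender's review pass over a constructed audit trail: repeated "Logon failed" events, an account lockout, and information events that warrant a second look. The line layout is constructed, since the guide does not show the exported CDF format.

```python
"""Decode Endpoint Encryption audit event IDs and flag events worth review.

Added example, not part of the McAfee guide. Event IDs and names come from
Tables 1-4; the log line layout is constructed for this example.
"""
from collections import defaultdict

# The top byte of each 8-hex-digit event ID is the class used in the tables.
EVENT_CLASSES = {0x01: "Information", 0x02: "Try", 0x04: "Succeed", 0x08: "Failure"}

# Subset of the American English event names from Tables 1-4.
EVENT_NAMES = {
    0x01000000: "Audit cleared",
    0x01000001: "Boot started",
    0x01000002: "Boot complete",
    0x01000003: "Booted non-secure",
    0x01000005: "Backwards Date Change",
    0x01000014: "Synchronization Event",
    0x02000001: "Logon attempt",
    0x04000001: "Logon successful",
    0x04000016: "Boot once recovery",
    0x04000017: "Password reset",
    0x08000001: "Logon failed",
    0x08000005: "Password invalidated (too many incorrect attempts)",
    0x08000012: "Machine configuration expired",
    0x08000017: "Recovery failed",
}

# Information events that should not occur in routine operation without an
# explanation: the trail was wiped, the machine booted without the pre-boot
# environment, or the clock went backwards (recovery codes are time based).
REVIEW_EVENTS = {0x01000000, 0x01000003, 0x01000005}


def decode_event(event_id):
    """Return (class, name) for an event ID written as 8 hex digits."""
    value = int(event_id, 16)
    cls = EVENT_CLASSES.get(value >> 24, "Unknown")
    return cls, EVENT_NAMES.get(value, "Unknown event %08X" % value)


def parse_line(line):
    """Constructed line layout: '<timestamp>;<object name>;<event id>'."""
    timestamp, obj, event_id = (field.strip() for field in line.split(";"))
    cls, name = decode_event(event_id)
    return {"ts": timestamp, "object": obj, "id": int(event_id, 16),
            "class": cls, "name": name}


def review_trail(lines, fail_threshold=3):
    """Walk a trail and return (timestamp, object, reason) findings.

    Consecutive 'Logon failed' events are counted per object; a successful
    logon resets the count, mirroring the lockout behaviour the guide describes.
    """
    findings = []
    failures = defaultdict(int)
    for rec in map(parse_line, lines):
        obj = rec["object"]
        if rec["id"] == 0x08000001:                  # Logon failed
            failures[obj] += 1
            if failures[obj] == fail_threshold:
                findings.append((rec["ts"], obj,
                                 "%d consecutive failed logons" % fail_threshold))
        elif rec["id"] == 0x04000001:                # Logon successful
            failures[obj] = 0
        elif rec["id"] == 0x08000005:                # Password invalidated
            findings.append((rec["ts"], obj, "account locked: " + rec["name"]))
        elif rec["id"] in REVIEW_EVENTS:
            findings.append((rec["ts"], obj, "review: " + rec["name"]))
    return findings


# Constructed sample trail for the user object 'jsmith' and machine 'LAPTOP01'.
SAMPLE_TRAIL = [
    "2010-03-01 08:00;LAPTOP01;01000001",   # Boot started
    "2010-03-01 08:01;jsmith;02000001",     # Logon attempt
    "2010-03-01 08:01;jsmith;08000001",     # Logon failed (1)
    "2010-03-01 08:02;jsmith;08000001",     # Logon failed (2)
    "2010-03-01 08:02;jsmith;08000001",     # Logon failed (3) -> finding
    "2010-03-01 08:03;jsmith;08000001",     # Logon failed (4)
    "2010-03-01 08:03;jsmith;08000005",     # Password invalidated -> finding
    "2010-03-01 09:00;LAPTOP01;01000005",   # Backwards Date Change -> finding
    "2010-03-01 09:30;jsmith;04000017",     # Password reset by recovery
    "2010-03-01 09:31;jsmith;04000001",     # Logon successful
]


def review_sample():
    """Run the review over the constructed trail (three findings expected)."""
    return review_trail(SAMPLE_TRAIL)


if __name__ == "__main__":
    for ts, obj, reason in review_sample():
        print(ts, obj, reason)
```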


Recovering Users and Machines

You can recover users using the Endpoint Encryption Manager, WebHelpdesk, or the procedure documented below. For information on recovery via the Endpoint Encryption Center WebRecovery and WebHelpdesk options, please see the Endpoint Encryption Manager Administration Guide.

Warning: Recovery cannot be used for resetting or changing the pin codes of smart cards.  

Offline Recovery

Resetting a remote user’s password or replacing their logon token if it has been lost requires a challenge/response procedure to be followed. The user starts their machine and cancels any logon dialogs that may appear; they must then click Options in the bottom left-hand part of the screen, followed by the Recovery option from the menu. This process can be used at the boot screen, Windows logon, or screen saver logon.

Figure 22. The user selects Machine Recovery or User Recovery

After (optionally) entering their user name, a set of codes is displayed on the user’s screen. The user needs to telephone their helpdesk and read the codes to the administrator. The user code is time based, and unique to the user and machine.


Figure 23. Starting the recovery process 

The administrator must log into the Endpoint Encryption Manager and select any machine group. This activates the Recovery button options on the toolbar and the top menu. The administrator should then click the Recovery button. Note: there is no need to find the correct user beforehand.

The administrator will be prompted to enter the user code in the wizard, and if it is correct will be given the opportunity to check the user’s profile, provided the administrator has sufficient access rights to recover the user (based on their level and group memberships). The administrator should use this opportunity to validate the user by asking them questions based on the hidden information stored in their account. Only if this succeeds should the helpdesk actually allow the user’s password to be reset.

If the administrator is satisfied that the user on the telephone is legitimate, they can proceed with the next step in recovery.


Figure 24. Selecting the recovery option 

The administrator selects the option they want to perform. If a user name was entered, a user recovery proceeds; if no user name was entered, a machine recovery can be performed.

Boot Once – The machine boots with no user logged in.

Unlock Screen Saver – The screen saver is cleared.

Reset the user’s password – The user’s password is reset to the token default. The user can then change this to a new password. This option will not function if the user is disabled due to too many invalid passwords; to resolve this issue see “Change Token”.

NOTE: Some tokens do not support password resets through Endpoint Encryption; examples of this include the DataKey Smartcard, RSA Smartcard, and Aladdin eToken Pro. For information on how to reset the password on these devices contact the appropriate manufacturer.

To recover an Endpoint Encryption user who has forgotten their password in this case, either issue them with a new token, or temporarily switch them to use a password using the “Change Token” recovery option.

Unlock a disabled user – If a user account is marked as disabled in the object database, it can be temporarily activated using this option. When the machine synchronizes with the Object Directory, the account will be re-disabled if their security profile in the Directory still indicates this.

Create Token – If supported by the token, this option allows administrators to remotely create a new token for the user to replace a lost one. The Endpoint Encryption Password login always supports remote recreation. For further information on other tokens see Using Tokens with Endpoint Encryption for PC.


Change the user’s token to – Changes or resets the user’s token to the one specified. The administrator needs to have pre-generated the token for the user. If a user has invalidated their password account through too many invalid attempts, changing their token to “password only” recreates their “soft token” and allows them to enter the default password again.

WARNING: If you change a user’s token using this method, remember that next time their machine synchronizes with the Endpoint Encryption directory, their token will be set to whatever is specified in their user properties stored currently in the database. If you want the change to be permanent remember to set their token type in the user properties window.

Figure 25. User’s recovery code 

The final step is to read the recovery code back to the user. The length of this code is controlled by the token recovery key size set in the user’s “token” properties, or in the case of a machine, the recovery key size set in the encryption properties.

The user simply enters the code line by line into the pre-boot dialog. Each line is checksummed. Once the code has been entered, the selected action will occur.

Local Recovery

The Local Recovery option allows the user to reset a forgotten password by answering a set of security questions.

The full list of security questions is set by the administrator using the Endpoint Encryption Manager. Note: Endpoint Encryption contains a generic set of questions.

When the user first sets up their local recovery feature they will be prompted to select a number of questions and provide the answers to them. These form the basis for their local self recovery feature.


Setting Local Recovery for a user name or user group

Using Endpoint Encryption Manager, the administrator assigns the local recovery option to the user’s logon, or to a user group. The local recovery options are available from the user logon or group Properties screen. See below.

Figure 26. Setting the Local Recovery options

Enable Local Recovery

Selecting this check box sets Local Recovery for the specified user or user group.

Require ? questions to be answered

This option determines how many questions the user must select to perform a Local Recovery.

Allow ? logons before forcing user to set answers

This option determines how many times a user can log on without setting their Local Recovery questions and answers.

Add

The Add button loads the Local Self Recovery Question dialog box and allows you to create a new question. You can also specify the language that the question should be in and the minimum number of characters the user must specify when configuring the answer to this question.

Remove

The Remove button removes a selected question from the list.


Edit

The Edit button allows you to edit the configuration of a selected question.

Apply

The Apply button saves any changes that have been made.

Restore

The Restore button undoes your changes and restores the Local Recovery options to the previous settings (providing you have not clicked the Apply button).

User Local Recovery Procedures

Configuring your Local Recovery Questions

The Local Recovery option allows the user to reset a forgotten password by answering a set of security questions. The user must configure these questions, i.e. provide the answers to a selected set of questions. In the event that the user forgets their password they can run a local self recovery to gain access to their machine.

When the user logs on, they will be prompted to specify a set of questions and answers; this exercise is performed once only.

1. Enter your username and password at the logon screen.
2. From the Local Recovery Enrollment screen, select a question from the drop-down list.
3. Enter the answer to the question into the Answer box.
4. Click Next.
5. Repeat this process until you have answered all the questions. Note: the Endpoint Encryption administrator will determine how many questions you need to answer.
6. When you have answered all the questions click the Finish button. Local Recovery is now set.

Performing a Local Recovery

These are the steps the client user must follow to perform a local self recovery.

1. At the preboot screen, cancel the Endpoint Encryption Logon.
2. Click the Options button on the preboot screen.
3. Click Recovery from the menu followed by Local Recovery.
4. Enter your username into the User name field and click Next.


5. Enter the answer to each question in turn, clicking the Next button to move forward.
6. Enter a new password and confirm it.
7. Click the OK button to complete the process.
8. Select the Password Only Token option from the preboot screen.
9. Enter your username and new password to log on.

Online Recovery

If a user’s machine is online when they forget their password or lose their token, simply create a new token for them in the Endpoint Encryption directory, and force sync their machine to make the appropriate change.

You can reset a user’s password by simply generating a new password token for them.


Trusted Applications

Endpoint Encryption’s client has the capability to restrict which applications and code users are allowed to run. Using this mechanism, you can restrict access for a few users to certain applications, or prevent users running any applications that are not pre-defined.

With this system you can apply untrusted control, for example, to prevent access to pre-defined tools such as “regedit.exe” for all but administrators. With untrusted control, unknown applications are allowed to run and known applications are blocked.

You can also apply trusted control, where ONLY pre-defined code can run and unknown code is blocked. This is useful, for example, when you want to restrict an entire build image so it becomes impossible for users to run any application other than the ones distributed in the “gold build”.

Endpoint Encryption application control takes effect once a user has logged into Windows; it does not affect code run in the context of booting the operating system. To prevent applications and code being run at this stage, Endpoint Encryption recommends that appropriate operating system security settings be used, for example, disallowing device driver updates.

Hash Sets

The first step in applying application control to Endpoint Encryption users is to create sets of “hashes” for the code modules using the Endpoint Encryption Hash Generator (see the Hash Generator chapter).

A hash set contains a unique digital signature for each file in the scope of the set. This digital signature is unique to the file – no two files will ever have the same signature.

When Endpoint Encryption applies control to applications, it calculates the “hash” of the code (.exe file, .dll etc.) that the user is trying to run, and compares it to the list of hashes applied to the user. The actual location of the code does not matter, only its content; so, if a user moves a restricted application to another directory, it will still be blocked.

After creating a hash set for the files or directories containing the sample code modules, you can create an “Endpoint Encryption Hashes Group” in the Endpoint Encryption database to contain them. Within the group, create new hashes objects to contain the hash sets created previously.


Figure 27. Hash Group 

Hash Set Properties

General

Hash Count

Displays the number of file hashes stored in this object. You can remove duplicates using the File Hashes/Compact function.

Description

A text description of this hash set – for example its source.

File Hashes

Import

Allows you to import one or many hash sets created with the Endpoint Encryption Hash Generator into this hash object.

Export

Saves the contents of this hash object as a hash set.

Compact

Removes duplicate entries from this hash object. As Endpoint Encryption Application Control is driven by the hash (or digital signature) of a file, not its location, only one entry per file is required.

Remove

This option removes a single file entry from this hash object.

WARNING: You can add entries only by importing hash files. 


Using Hash Sets

After creating hash sets, you can assign both hash objects and hash groups to users through their “application control” properties.

You can specify one of two modes of application control, “Untrusted” and “Trusted”:

Untrusted

In the case of untrusted control, if the hash is known then the code is prevented from running.

Trusted

In the case of trusted control, if the code is known it is allowed to run, whereas all unknown code is blocked.

These options can be summarized in the following table:

                               Known Applications   Unknown Applications
Untrusted Application Control  Optionally Blocked   Allowed
Trusted Application Control    Allowed              Optionally Blocked

Table 5. Trusted Application Logic

You can also set whether to actually block the untrusted code, or to simply log it for future analysis. This option (log with no blocking) is useful when debugging hash sets which do not block appropriately.


Hash Generator

Introduction

Endpoint Encryption Hash Generator creates “Hash Sets” for use with the application control feature of Endpoint Encryption. For more information on application control, see the Using Hash Sets section.

The generator creates MD5 hashes of the selected files and packages them into an Endpoint Encryption hash set (HSH file).

Using Hash Generator

Open the Hash Generator by selecting Start > McAfee Endpoint Encryption Manager > Endpoint Encryption File Hash Generator.

After selecting the output file name, add the files (or folders) you want to include in the hash set. Finally, select Hash; the specified HSH file will be generated.

The progress window shows the activity. Once completed, you can import the resultant hash set into your Endpoint Encryption directory.
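The Hash Sets, Using Hash Sets and Hash Generator sections describe one mechanism end to end. The following Python is an added example, not McAfee code, that models it: MD5 hashing of file content, a hash set built from a "gold build", and the Table 5 decision including the log-only option. The HSH file layout is not shown in the guide, so the hash set is a plain Python set of hex digests and the files are constructed byte strings.

```python
"""Hash-set application control as described in the Trusted Applications and
Hash Generator chapters. Added example, not McAfee code: the HSH layout is
not on the page, so a hash set is a plain set of MD5 hex digests and the
'files' are constructed in-memory byte strings.
"""
import hashlib


def file_hash(content: bytes) -> str:
    # The guide's Hash Generator produces MD5, so MD5 is used here. MD5 is no
    # longer collision resistant, which matters most for allow-listing
    # (trusted mode), where a colliding file would inherit a known hash.
    return hashlib.md5(content).hexdigest()


def build_hash_set(files: dict) -> set:
    """Hash every file in {path: content}. Paths are discarded: only content
    counts, which is why a moved or renamed file keeps its verdict."""
    return {file_hash(content) for content in files.values()}


def compact(entries: list) -> list:
    """Mirror the Compact function: keep one entry per distinct hash."""
    return sorted(set(entries))


def decide(content: bytes, hash_set: set, mode: str, block: bool = True):
    """Apply Table 5. Returns (allowed, action), action in run/block/log.

    'untrusted': a known hash is a violation, everything else runs.
    'trusted':   an unknown hash is a violation, only the gold build runs.
    block=False is the 'log with no blocking' option used to debug hash sets.
    """
    known = file_hash(content) in hash_set
    if mode == "untrusted":
        violation = known
    elif mode == "trusted":
        violation = not known
    else:
        raise ValueError("mode must be 'trusted' or 'untrusted'")
    if not violation:
        return True, "run"
    return (False, "block") if block else (True, "log")


# Constructed samples: a gold build, a tool to deny to most users, and an
# unknown binary. Contents are placeholders, not real executables.
GOLD_BUILD = {r"C:\gold\app.exe": b"MZ gold-build application",
              r"C:\gold\lib.dll": b"MZ gold-build library"}
DENIED_TOOLS = {r"C:\Windows\regedit.exe": b"MZ registry editor"}
UNKNOWN = b"MZ something the user downloaded"


def demo():
    """Return the verdicts Table 5 predicts for the constructed samples."""
    gold = build_hash_set(GOLD_BUILD)
    denied = build_hash_set(DENIED_TOOLS)
    moved_tool = b"MZ registry editor"   # same content copied to another path
    return {
        "untrusted/known": decide(moved_tool, denied, "untrusted"),
        "untrusted/unknown": decide(UNKNOWN, denied, "untrusted"),
        "trusted/known": decide(GOLD_BUILD[r"C:\gold\app.exe"], gold, "trusted"),
        "trusted/unknown": decide(UNKNOWN, gold, "trusted"),
        "trusted/unknown/log-only": decide(UNKNOWN, gold, "trusted", block=False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```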


Common Criteria EAL4 Mode Operation

CESG in the United Kingdom has certified the following products to the standard EAL4:

• Endpoint Encryption for PC Client

To apply this standard to your implementation of Endpoint Encryption, you need to ensure the following criteria are met:

Administrator Guidance

• Endpoint Encryption must be installed using the Endpoint Encryption AES (FIPS) 256-bit algorithm.

• Administrators must enforce the following Policy Settings:

- A minimum password length of 5 characters or more
- Disabling of accounts after 10 or less invalid password attempts
- All data and operating system partitions on the machines where the Endpoint Encryption client has been installed MUST be fully encrypted. You can check conformance to this requirement by viewing the Endpoint Encryption client status window; if any drives are highlighted in red then they are not fully encrypted.
- Administrators must enforce use of the Endpoint Encryption Secure Screen Saver Mode
- Use of “Autoboot Mode” is prohibited
- Machine and User recovery key sizes must be non-zero (Machine/Encryption properties and User/Token properties)

To comply with CC regulations, these policy settings must be applied before installing any clients.

• There must be a system in place for maintaining secure backups that are separately encrypted or physically protected to ensure data security is not compromised through theft of, or unauthorized access to, backup information.

• Backups should be regular and complete to enable system recovery. This is essential in the event of loss or damage to data as a result of the actions of a threat agent and to avoid vulnerability through being forced to use less secure systems.


• Users (including administrators) must protect all access credentials, such as passwords or other authentication information, in a manner that maintains IT security objectives.

• Customers implementing an Endpoint Encryption enterprise must ensure that they have in place a database of authorized TOE users along with user-specific authentication data, for the purpose of enabling administrative personnel to verify the identity of a user over a voice-only telephone line before providing them with support or initiating recovery. Endpoint Encryption provides the means to display personal information such as the user’s ID number as part of the “User Information Fields”, but any other appropriate system is acceptable.

• Administrators should ensure their users are fully trained in the use of the Endpoint Encryption for PC Client software as described in the Client Software chapter of this guide, and should remind them of the security procedures detailed in the User Guidance below.

User Guidance

• Users must maintain the confidentiality of their logon credentials, such as passwords and tokens.

• Users must not leave an Endpoint Encryption protected PC unattended in a logged on state, unless it is protected by the secure screen saver.

• Users must be informed of the process that they need to go through to contact their administrator in the event that they need to recover their PC, if, for example, they forget their password, or their user account becomes disabled; this could be through the actions of the administrator or repeated incorrect login attempts.

Common Criteria EAL4 Certificate

You can find the official recognition of this certification on CESG’s website:

http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/media/certreps/CRP227.pdf

Algorithm Certificate Numbers

AES

Cert 21 and 170 ECB(e/d; 256); CBC(e/d; 256); CFB8(e/d; 256)
http://csrc.nist.gov/cryptval/aes/aesval.html


SHA1

Cert 71 and 254
http://csrc.nist.gov/cryptval/shs/shaval.htm

DSA/DSS

DSS cert 53 and 112 Sig(ver) Mod(all)
http://csrc.nist.gov/cryptval/dss/dsaval.htm

RNG

Cert 15 AES, DSA, SHA, RNG on AMD Athlon XP, Windows XP SP1; Pentium III, Windows 2000
http://csrc.nist.gov/cryptval/rng/rngval.html

DES

Cert 145 CBC(e/d); CFB( 8 bits;e/d)
http://csrc.nist.gov/cryptval/des/desval.html


Endpoint Encryption Configuration Files

Endpoint Encryption uses many .ini files to maintain information about the configuration of various components. Some of the more important files are listed here.

sbgina.ini

Used by the Endpoint Encryption for PC client to control the Windows logon mechanism. SBGina.ini contains the references used to populate the user id, password and domain boxes of a login dialog, and also the id of the Ok button.

The Trace option is an aid to implementing SSO to further dialogs. If this option is set to "Yes", then information about every window that is created during the logon process is output to the defined trace file.
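The rules that decide which logon window definition applies (OS version with "Any", OrigDll.FileVersion with "x" wildcards, Window.Title and Window.Class with "Any" or a leading "*", the ordered Window1, Window2, ... list) and the DetectUPN user-name comparison are all documented in the sbgina.ini comments in this chapter. The following Python is an added example, not McAfee code, that implements those rules over a constructed ini excerpt; the "environment" dicts stand in for what the real GINA module sees at logon time.

```python
"""Window matching and user-name comparison rules from the sbgina.ini comments
in this chapter. Added example, not McAfee code: the ini excerpt is constructed
from sections shown on the page and the environment dicts are constructed.
"""
import configparser

# Constructed excerpt in sbgina.ini layout (three of the page's sections).
SAMPLE_INI = """
[Windows.NT.Logon]
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.XP.LogonDialog
Window3=TRYIT.XP.LogonDialog

[MSGina.NT4.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455

[MSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504

[TRYIT.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=Any
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
"""

def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str   # keep key case (Window1, OS.MajorVersion, ...)
    cp.read_string(text)
    return cp

def version_matches(pattern, actual):
    """OrigDll.FileVersion: an 'x' component matches any value (e.g. 4.1.0.x)."""
    pat, act = pattern.split("."), actual.split(".")
    return len(pat) == len(act) and all(p.lower() == "x" or p == a for p, a in zip(pat, act))

def field_matches(pattern, value):
    """Window.Title / Window.Class / OrigDll.Name: 'Any' matches all, a leading
    '*' makes the rest a substring match, otherwise the whole value must match;
    every comparison is case insensitive."""
    if pattern.lower() == "any":
        return True
    if pattern.startswith("*"):
        return pattern[1:].lower() in value.lower()
    return pattern.lower() == value.lower()

def os_matches(section, major, minor):
    """OS.MajorVersion / OS.MinorVersion: 'Any' (the default) or a number; the
    page writes both '1' and '01' for XP, so compare numerically."""
    for key, actual in (("OS.MajorVersion", major), ("OS.MinorVersion", minor)):
        pat = section.get(key, "Any")
        if pat.lower() != "any" and int(pat) != actual:
            return False
    return True

def section_matches(section, env):
    return (os_matches(section, env["major"], env["minor"])
            and field_matches(section.get("OrigDll.Name", "Any"), env["dll"])
            and version_matches(section.get("OrigDll.FileVersion", "x.x.x.x"), env["dll_version"])
            and field_matches(section.get("Window.Title", "Any"), env["title"])
            and field_matches(section.get("Window.Class", "Any"), env["class"]))

def find_logon_section(ini, env, list_section="Windows.NT.Logon"):
    """Check Window1, Window2, ... in numerical order and return the first match;
    the numbering may not have gaps, so the walk stops at the first missing key."""
    order = ini[list_section]
    n = 1
    while "Window%d" % n in order:
        name = order["Window%d" % n]
        if section_matches(ini[name], env):
            return name
        n += 1
    return None

def control_ids(ini, name):
    """The Dlg.CtrlId.* entries the SSO module uses to fill in the dialog."""
    sec = ini[name]
    return {k.split(".")[-1]: int(sec[k]) for k in sec if k.startswith("Dlg.CtrlId.")}

def names_match(sb_name, win_user, detect_upn=True):
    """Option.Username.DetectUPN=Yes: a name containing '@' is treated as a UPN
    and only the part before '@' is compared, so "user@domain" equals "user"."""
    def strip(name):
        return name.split("@", 1)[0] if detect_upn and "@" in name else name
    return strip(sb_name).lower() == strip(win_user).lower()

# Constructed logon-time environments (OS version, original GINA DLL, window).
ENV_XP_MSGINA = {"major": 5, "minor": 1, "dll": "msgina.dll", "dll_version": "5.1.2600.0",
                 "title": "Log On to Windows", "class": "#32770"}
ENV_XP_OTHER = dict(ENV_XP_MSGINA, dll="vendor.dll")
ENV_NT4 = dict(ENV_XP_MSGINA, major=4, minor=0, dll_version="4.0.1381.0")

if __name__ == "__main__":
    ini = load_ini(SAMPLE_INI)
    for env in (ENV_XP_MSGINA, ENV_XP_OTHER, ENV_NT4):
        name = find_logon_section(ini, env)
        print(name, control_ids(ini, name) if name else None)
```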

If you want to activate smart card based single sign-on with the possibility to pass through the smart card PIN to Windows, you will need to add the [Smartcard] section as specified in the example below:

[Global]
;Version 5110
;
; This option is an aid to implementing SSO to further dialogs. If this option
; is set to "Yes", then information about every window that is created when
; a logon dialog is expected is saved to the file specified (or "LOGONWND.TXT"
; if not supplied). Note the file will always be in the SafeBoot directory.
;
Trace.LogonWindowInfo=No
Trace.FileName=LOGONWND.TXT
;
; This is an option (NT only) that controls the behaviour of SafeBoot's Gina
; when unlocking a locked workstation. The possible values are
;
; SbOnly = only a SafeBoot logon is used (the default)
;
; SbWindowsSso = a SafeBoot logon is required then SSO is attempted
; to the original Gina.
;
;Option.UnlockWorkstationMode=SbOnly
;
; This option (NT only) controls the ability of the user to cancel the
; Windows SSO attempt from the SafeBoot logon dialog. Possible values are
;
; Yes - Allows the user to cancel the SSO attempt (the default)
;


; No - Prevents the user from cancelling the SSO attempt
;
;Option.AllowSsoCancel=Yes
;
; These options control how the user names are treated when they are compared.
; The UPN (User Principal Name) format is of the form [email protected]. To
; successfully compare the user names, the format needs to be the same for
; both the Windows and SafeBoot names.
;
; Note that Windows will always supply the user name to the SafeBoot Gina
; module as a user name and domain name (i.e. not DNS name).
;
; If the DetectUPN option is set to "Yes", then SafeBoot will attempt to detect if the
; user names are in UPN format by looking for an "@" character. If this is
; set to any other value, SafeBoot will not manipulate the user names in any
; way.
;
; Examples:-
;
; SB user name = "[email protected]"
; Windows user name = "user"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
; SB user name = "user"
; Windows user name = "[email protected]"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
; SB user name = "[email protected]"
; Windows user name = "[email protected]"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
;Option.Username.DetectUPN=Yes

[SmartCard]
;
; This option enables looking for smart cards used for Windows logon. It
; can be either "On" or "Off". If this is set to "On", the SB Gina will
; attempt to detect the presence of a smart card and allow the user to
; choose to logon with the smart card or with the standard user name and
; password.
;
;Enabled=Off
;
; If the smart card check is enabled, then this option can be used to force
; the use of smart cards or the standard password. This can be "Off" to
; automatically determine which to use, "Pin" to force the use of a smart
; card or "Pwd" to force the use of a password.
;
;Force=Off
;
; This option controls the number of seconds the gina will wait for the
; user to decide which logon method to use (smart card or password). If this
; is set to a zero, then the user will not be prompted at all.


;
;TimeoutSecs=5
;
; This option controls whether the SafeBoot SSO details are updated when
; the user logs on with a smart card. If this is set to "No", then the SSO
; details are not changed if the user logs on with a smart card. This will
; prevent the smart card PIN being used to automatically logon to Windows.
;
;EnableSso=Yes
;
; If this option is set to "Yes", then if a smart card is inserted when
; a user logs off and back on again, the SafeBoot logon will not be displayed
; even if it is set to do so in the configuration. If a smart card is not
; present, then the SafeBoot logon will be displayed.
;
;DontSbRelogonIfSc=No

[Windows.NT.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
Window3=MSGina.XP.LogonDialog
Window4=MSGina.WIN2003.LogonDialog
Window5=NWGina.NT.LogonDialog
Window6=NWGinaJP.NT.LogonDialog
Window7=FSSGina.XP.LogonDialog
Window8=CSGina.W2K.LogonDialog
Window9=CSCOGina.W2K.LogonDialog
Window10=ODYGINA.W2K.LogonDialog
Window11=PRM_GINA.XP.LogonDialog
Window12=IPASS.XP.LogonDialog
Window13=TRYIT.XP.LogonDialog

[Windows.NT.Locked]
;
; Lists all the sections that contain information about the workstation locked
; logon windows for the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.XP.LockedDialog
Window2=FSSGina.XP.LockedDialog

[Windows.9x.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the Windows 9x versions of Windows (95/98/ME).
;


; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSNP.9x.LogonDialog
Window2=NWNP.9x.LogonDialog
window3=NWNPJP.9x.LogonDialog

;----------------------------------------------------------------------------
; The logon window definition sections for NT/W2K/XP
;
[MSGina.NT4.LogonDialog]
;
; The operating system version to which this section applies. You can specify
; the value of "Any" for either field (which is the default if not specified).
;
OS.MajorVersion=4
OS.MinorVersion=Any
;
; The original DLL to which this section applies. If the name is not
; specified or set to "Any", all original DLLs match. If any part of the
; four digit file version is set to "x", then all values for that
; component are matched (e.g. 4.1.0.x).
;
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
;
; Specifies information about the window that we can use to identify it.
; For both the class and title, setting a value of "Any" will match any
; window. Starting the value with a "*" means the remainder of the value
; is treated as a substring, and hence if it occurs anywhere in the window
; title/class it is matched. Otherwise the whole value must match (case
; insensitive).
;
Window.Title=Any
Window.Class=#32770
;
; The control identifiers of controls that are used by the SSO module to
; simulate logons.
;
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455
;
; Optional entries which list up to 10 IDs that must come before the ID
; specified above and up to 10 IDs that must come after. The IDs are specified
; as a comma-separated list.
;
;Option.CtrlId.OK.Preceeding=1,2,3
;Option.CtrlId.OK.Following=5,6,7
;Option.CtrlId.UserName.Preceeding=1,2,3
;Option.CtrlId.UserName.Following=5,6,7


;Option.CtrlId.Password.Preceeding=1,2,3
;Option.CtrlId.Password.Following=5,6,7
;Option.CtrlId.Domain.Preceeding=2204,2203
;Option.CtrlId.Domain.Following=5,6,7
;
; If this is set to "Yes" then the user/password fields are captured from the
; dialog box rather than using the values supplied by the original gina.
;
Option.CaptureFromDlg=Yes
;
; These options define how text is entered into the various fields when
; simulating a logon. Mode 0 sets the text directly into the controls, while
; mode 1 sends characters one at a time (simulating pressing keys) and mode 2
; selects from a combo box.
;
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[CSCOGINA.W2K.LogonDialog]
;This section is for Cisco's Gina for Windows 2000, which is the same as the standard one, but
;has a different extension.
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSCOGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[ODYGINA.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=ODYGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1


Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[PRM_GINA.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=PRM_GINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[CSGina.W2K.LogonDialog]
;This section is for Cisco's GINA for Windows 2000, which is the same as the
;standard one but is shipped under a different DLL name.
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[IPASS.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=ipgina.dll
Window.Title=Any


Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

;this one just tries the standard settings...
[TRYIT.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=Any
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.XP.LockedDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1953
Dlg.CtrlId.Password=1954
Dlg.CtrlId.Domain=1956
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.WIN2003.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=02
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[NWGina.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any


Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1202
Dlg.CtrlId.Password=1204
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2
Option.CtrlId.UserName.Preceeding=1201
Option.CtrlId.Password.Preceeding=1203
Option.CtrlId.Domain.Preceeding=2204,2203

[NWGinaJP.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=3002
Dlg.CtrlId.Password=3004
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

[FSSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=0
Dlg.CtrlId.Password=1001
Dlg.CtrlId.Domain=0
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

[FSSGina.XP.LockedDialog]
;This section is for the Macnica-specific FSS GINA
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=0
Dlg.CtrlId.Password=1001
Dlg.CtrlId.Domain=0
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2


;----------------------------------------------------------------------------
; The logon window definition sections for Win9x/ME
;
[MSNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=MSNP32.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=21
Dlg.CtrlId.Password=23
Dlg.CtrlId.Domain=25
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=0

[NWNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1202
Dlg.CtrlId.Password=1204
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=0

[NWNPJP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=3002
Dlg.CtrlId.Password=3004
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=0
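The matching rules stated in the comments above (WindowN entries tried in order with no gaps, "Any" wildcards, "x" version components, "*" substring titles, case-insensitive whole-value matches) are easy to get subtly wrong, and a definition that never matches means the SSO module never finds the logon dialog. The following is an added example, not McAfee code: a small Python matcher that applies those rules to a constructed window description. It assumes the WindowN list lives in a section named [Windows] (that header is on the preceding page and is not reproduced here); reading the real foreground window, its GINA DLL name and file version is a Windows-only probe that is out of scope.

```python
"""Matcher for the SSO logon-window definition file (added example, not McAfee code)."""
import configparser

# Constructed excerpt: two definitions from the page plus an assumed [Windows] list section.
SAMPLE_INI = """
[Windows]
Window1=MSGina.XP.LogonDialog
Window2=TRYIT.XP.LogonDialog

[MSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=5.1.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504

[TRYIT.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=Any
Window.Title=*Log On
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
"""


def load(text):
    cfg = configparser.ConfigParser(interpolation=None)  # option names are case-insensitive by default
    cfg.read_string(text)
    return cfg


def _is_any(spec):
    return spec is None or spec.strip().lower() == "any"


def _version_ok(spec, actual):
    # "Any" (or a missing key) matches; otherwise compare numerically so "01" equals 1.
    return _is_any(spec) or int(spec) == actual


def _file_version_ok(spec, actual):
    # spec like "5.1.x.x": an "x" component matches every value of that component.
    if _is_any(spec):
        return True
    parts = spec.split(".")
    if len(parts) != 4 or len(actual) != 4:
        return False
    return all(p.lower() == "x" or int(p) == a for p, a in zip(parts, actual))


def _text_ok(spec, actual):
    # "Any" matches everything, "*foo" is a substring test, otherwise whole value, case-insensitive.
    if _is_any(spec):
        return True
    if spec.startswith("*"):
        return spec[1:].lower() in actual.lower()
    return spec.lower() == actual.lower()


def ordered_definitions(cfg, list_section="Windows"):
    """Definition names in Window1, Window2, ... order, stopping at the first gap."""
    names, n = [], 1
    while cfg.has_option(list_section, f"Window{n}"):
        names.append(cfg.get(list_section, f"Window{n}"))
        n += 1
    return names


def unreachable_definitions(cfg, list_section="Windows"):
    """WindowN keys that sit after a gap in the numbering and will therefore never be checked."""
    reachable = {f"window{i + 1}" for i in range(len(ordered_definitions(cfg, list_section)))}
    return sorted(k for k in cfg.options(list_section) if k.startswith("window") and k not in reachable)


def match_window(cfg, os_version, dll_name, dll_version, title, wclass):
    """Return (definition name, control ids) for the first section that matches, or None."""
    for name in ordered_definitions(cfg):
        s = cfg[name]
        if not (_version_ok(s.get("OS.MajorVersion"), os_version[0])
                and _version_ok(s.get("OS.MinorVersion"), os_version[1])):
            continue
        if not _is_any(s.get("OrigDll.Name")) and s["OrigDll.Name"].lower() != dll_name.lower():
            continue
        if not _file_version_ok(s.get("OrigDll.FileVersion"), dll_version):
            continue
        if not (_text_ok(s.get("Window.Title"), title) and _text_ok(s.get("Window.Class"), wclass)):
            continue
        ids = {f: int(s[f"Dlg.CtrlId.{f}"]) for f in ("OK", "UserName", "Password", "Domain")}
        return name, ids
    return None


if __name__ == "__main__":
    cfg = load(SAMPLE_INI)
    print(match_window(cfg, (5, 1), "MSGINA.DLL", (5, 1, 2600, 5512), "Log On to Windows", "#32770"))
    print(unreachable_definitions(load("[Windows]\nWindow1=A\nWindow3=B\n[A]\n[B]\n")))
```

`unreachable_definitions` is the check worth running after editing the file: a Window3 with no Window2 is silently ignored by the ordered scan, which looks like an SSO failure for that GINA rather than a configuration error.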

sberrors.ini

This file is used to increase the detail available in on-screen error messages. You can add further descriptions to errors by amending this file.


sbhelp.ini

This file is used to match on-screen windows to their help file sections.

sbfeatur.ini

This file controls the feature set available to Endpoint Encryption. It is digitally signed by the Endpoint Encryption team and must not be modified.

scm.ini

Configuration manager file; controls options such as which directory to connect to and which group to install into.

[Install]
GroupID=the ID of the group this machine will relate to

[Databases]
DatabaseID1=1
TryLastGoodFirst=Yes
LastGoodConnection=1

[Uninstall]
Sbsetup.exe=sbsetup.exe

You can specify the maximum size of the SCMLOG.txt file using the following parameters. If SCMLOG.txt grows beyond about 10,000 lines, the performance of the machine can suffer.

[Log]
MaxSize=128    ; number of KB to keep in the log
PurgeSize=16   ; number of KB to delete when the log reaches MaxSize

You can specify the pre-configuration connection behavior by setting the following parameters:

[Defaults]
;this section defines settings that apply before SafeBoot is
;actually active on the machine.
BootSynchDelay=0   ; delay before synching on boot, in minutes
RandSynchDelay=0   ; an extra maximum random delay before synching, in minutes
SynchInterval=0    ; time between automatic synch retries

You can turn on tracing of the Endpoint Encryption client with the following section. Trace output is written to SBCM.log in the application's directory.

[Debug]
Trace=1   ;Trace activity, 1 = on, 0 = off

You can set a message to be displayed, and a timeout, when an administrator performs a remote shutdown of the client (using the Machine/Reboot menu option).

[Reboot]
Message=some text to display
Timeout=10   ; seconds


[disk]
Sbfs.defaultsize=10        ;Default size of SafeBoot.FS (in MB)
Install.clearcryptlist=1   ;1 = clear the crypt list for a drive on install, 0 = leave it set
Boot.message=Starting SafeBoot %d%d   ;The default starting message

[boot]
Hookflags=…                ;Internal use only, do not change.

defscm.ini

You can pre-set parameters used in the scm.ini file created within install sets by creating a file "defscm.ini" in the Administration system directory containing the lines and sections you want to pre-define. defscm.ini is used as a seed to create the unique scm.ini file for the install set.

sdmcfg.ini

This file is used by the Endpoint Encryption client to control the connection to the Object Directory. Many connections may be listed in the file; the multi-connection behavior is controlled through scm.ini.

[Databases]
Database1=192.168.20.57   ; the address of the remote server: an IP address or a DNS name

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=…   ; the public key of the remote server. The client uses it to authenticate the server, so that an attacker cannot substitute a rogue server and intercept the traffic.
ExtraInfo=…   ; padding for the ServerKey

TrivialPwds.dat

This file provides a dictionary of forbidden passwords. Create a Unicode text file with one password per line and deploy it to the client machines. You also need to enable the user template option "no simple passwords".

The file needs to be deployed to the "[appdir]\SBTokens\Data" folder.

NOTE: It is more effective to restrict passwords using a template which insists on numeric or special characters than to supply a long list of forbidden words.

Bootcode.ini

Bootcode.ini defines the behaviour of the Endpoint Encryption pre-boot environment. This file is not commonly modified by the end user as it is a system-only file. The file is stored in Endpoint Encryption's pre-boot environment in the \boot directory.

[TokenSelect]
; the token type id of the last token the user selected.
Default=0x01000000

[Locale]
;
; the user selected language to use (reference a key in the [Languages] section
; of the \Locale\Locale.ini file).
;
Language=EnglishUS
;
; the user selected keyboard to use (reference a key in the [Keyboards] section
; of the \Locale\Locale.ini file).
;
Keyboard=US

[Audit]
;
; The maximum allowed audit events
;
MaxEvents=3000
;
; The number of events to remove when the maximum is reached
;
PurgeCount=300

BootManager.INI

This file controls the partition names displayed when the Endpoint Encryption Boot Manager is enabled. The file is stored in Endpoint Encryption's pre-boot environment in the \boot directory.

[Partition.Names]
Partition0=My secure partition
Partition1=My Insecure partition


SBErrors.XML

This is an XML version of SBErrors.ini, provided to allow Unicode translation. Endpoint Encryption for PC uses SBErrors.XML instead of SBErrors.ini if both exist.

AutoBoot.ini

The autoboot.ini file allows you to set a unique default password for the $autoboot$ user(s). The file is created in the [appdir]\Boot directory in the following format:

[AutoBoot]
Password=mypassword

SbClientFileSet.ini

The SbClientFileSet.ini file is used to define which files are imported into the database.

SBWinLogonOpts.XML

This file can be used to exclude users from single sign-on logon. For example, VMware user accounts can overwrite the single sign-on credentials even though the "Must Match the Windows user name" option has been selected.

<SafeBoot>
  <SetSbPwd>
    <Exclusions>
      <User name="__Vmware_User__" />
    </Exclusions>
  </SetSbPwd>
</SafeBoot>

SBCP.INI

Microsoft introduced a new logon architecture with the Vista operating system: credential providers (CPs), which replace MSGina.dll. A CP works differently from a GINA; for example, credential providers are not chained one behind another, and several can be active side by side. If you enable the Require Endpoint Encryption logon option in the Machine General Windows Logon options, the Endpoint Encryption credential provider is activated on the client's Windows logon; be aware that all other credential providers will also be available unless you filter them as described below.

SBCP.ini activates the CP. If a customer requires another CP to run in parallel, this can be defined in SbCp.ini (in the Endpoint Encryption client directory).

Create SBCP.ini; to enable all other credential providers add:

[CredentialProvider.Filter]
DefaultAction=Enable

If you want to enable or disable specific credential providers, add entries to the section [CredentialProvider.Filter.Providers] with the credential provider's GUID on the left and either "Enable" or "Disable" on the right. For example, to enable just the Microsoft password credential provider you would add:

[CredentialProvider.Filter]
DefaultAction=Disable

[CredentialProvider.Filter.Providers]
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}=Enable
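Which providers remain active is the security-relevant question here: with DefaultAction=Enable every installed credential provider is still offered at logon beside the Endpoint Encryption one, whereas the second file denies by default and names the one exception. The following added example (not McAfee code) evaluates both SBCP.ini variants above against a constructed provider inventory. The two non-Microsoft GUIDs are made up for the example, GUIDs are compared case-insensitively, and a file with no [CredentialProvider.Filter] section is assumed to filter nothing; on a real client the inventory comes from the Credential Providers key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication.

```python
"""Evaluate which credential providers an SBCP.ini leaves active (added example, not McAfee code)."""
import configparser

# The permissive configuration from the page: every other provider stays active.
SBCP_PERMISSIVE = """
[CredentialProvider.Filter]
DefaultAction=Enable
"""

# The allow-list configuration from the page: only the Microsoft password
# provider runs alongside the Endpoint Encryption provider.
SBCP_ALLOWLIST = """
[CredentialProvider.Filter]
DefaultAction=Disable

[CredentialProvider.Filter.Providers]
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}=Enable
"""

# Constructed inventory: the real MS password provider GUID plus two made-up third-party GUIDs.
INSTALLED = {
    "{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}": "Microsoft PasswordProvider",
    "{11111111-2222-3333-4444-555555555555}": "ExampleVPN credential provider (constructed)",
    "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}": "ExampleSmartcard provider (constructed)",
}

FILTER = "CredentialProvider.Filter"
PROVIDERS = "CredentialProvider.Filter.Providers"


def load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str.lower  # GUID keys compare case-insensitively
    cfg.read_string(text)
    return cfg


def default_action(cfg):
    # Assumption: a file without the filter section applies no filtering.
    return cfg.get(FILTER, "DefaultAction", fallback="Enable").strip().lower()


def provider_enabled(cfg, guid):
    """True if the provider with this GUID stays active under the given SBCP.ini."""
    action = cfg.get(PROVIDERS, guid.lower(), fallback=default_action(cfg)).strip().lower()
    if action not in ("enable", "disable"):
        raise ValueError(f"unexpected action {action!r} for {guid}")
    return action == "enable"


def active_providers(cfg, installed):
    """GUIDs from the inventory that would be offered at logon beside the Endpoint Encryption CP."""
    return sorted(g for g in installed if provider_enabled(cfg, g))


def is_allowlist(cfg):
    """A hardened file denies by default and explicitly names what it allows."""
    return default_action(cfg) == "disable"


if __name__ == "__main__":
    for label, text in (("permissive", SBCP_PERMISSIVE), ("allow-list", SBCP_ALLOWLIST)):
        cfg = load(text)
        print(label, "allow-list" if is_allowlist(cfg) else "default-allow",
              [INSTALLED[g] for g in active_providers(cfg, INSTALLED)])
```

Run it before deploying a file group: if `is_allowlist` is false, any provider a user (or a later software install) adds to the machine will be usable at the Windows logon without any change to SBCP.ini.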

Setting up other multiple domains in the logon dialog box

The [WindowsCredentials.Domains] section of SBCP.ini allows you to specify other domains which the user can select during single sign-on. The content of this section determines what appears in the logon dialog box. See the example below.

[WindowsCredentials.Domains]
;
; Lists the domains to be added to the domain list. Note that the left side of the
; equals can be any value; it is ignored (but it must be unique within this section).
;
1=MyDomain1
2=MyDomain2
3=MyDomain3

[WindowsCredentials.Options]
;
; Set this to "No" to prevent the local computer name automatically being added
; to the list of domains.
;
AddLocalComputerToDomains=Yes
;
; Sets the domain to select as the default. If this is not specified, the current
; domain for the system is selected if there is one, or the local computer name
; if there is not.
;
DefaultDomain=MyDomain1
;
; If set to "Yes", the domain box will only list domains that the system marks as
; domain controllers. If set to "No" (the default), all servers will be listed.
;
DomainControllersOnly=No
;
; If set to "Yes", then the username and the domain of the last logged on user
; are automatically filled in (if available).
;
SelectLastUsed=Yes

Deploying the SBCP.ini file

When you create this file, you can import it into the Endpoint Encryption for PC Client Files file group, or alternatively create a new file group, specify its function as "Client Files" and assign it to a machine. See the File Groups and Management chapter for further information.


Endpoint Encryption Program and Driver Files

EXE Files

SafeTech

SafeTech is the disaster recovery tool for the Endpoint Encryption client.

Setup

Setup.exe is the core executable in Endpoint Encryption's packaging mechanism. It is used as an exe stub for the install package and also handles the de-install process. Setup takes one parameter, "-Uninstall", which prompts it to walk through sbfiles41.lst, deleting files (or marking them for deletion if they are in use) and reversing registry settings. Setup also re-runs any installation executables with the -Uninstall flag to remove programs. The order of removal is the reverse of the install: installation executables, then registry settings, then files.

SBTokWatch

The SBTokWatch.exe file notifies Endpoint Encryption for PC when a token has been removed. This is for Vista installations only.

DLL Files

sbalgxx

The Utility Encryption algorithm module.

sbgina

Windows logon pass-through GINA for NT/2000.

Usually Endpoint Encryption monitors the GINA settings in the registry to ensure that nothing removes or disables the logon system. You can change the behavior of this system by editing the SB-NoUpdateGina DWORD value in [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. The following values can be set:

0 - SafeBoot will install and remove its GINA
1 - SafeBoot will *not* install its GINA, but will remove it
2 - SafeBoot will *not* remove its GINA, but will install it
3 - SafeBoot will *not* install or remove its GINA


You can use these settings to force compatibility with other GINA replacement logon systems. If you use option 1, 2 or 3 you are responsible for keeping the GINA chain correct, as Endpoint Encryption will no longer be monitoring some aspects of it.

SYS Files

SafeBoot.SYS

The core device driver for Endpoint Encryption, handling disk encryption and the management functions.

You can block the use of Safe Mode when Endpoint Encryption is installed by setting the following parameters. These options are included in the BlockSafeMode file group option in Endpoint Encryption for PC.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SafeBoot]
;Prevent Safe Mode access if SafeBoot is activated
PreventSafeMode=dword:00000001
;The warning message to display (default if not set)
;PreventSafeModeMsg=""
;The screen background color (default red)
;PreventSafeModeBkCol=dword:00000000
;The screen foreground color (default white)
;PreventSafeModeFgCol=dword:0000000f

Endpoint Encryption for PC uses several sectors of the hard disk between 1 and 63, commonly termed the "partition gap", to store power-fail information while encryption or decryption is in progress. If other applications also use these sectors, you can exclude them from the range used by specifying registry settings as below.

For each sector you need to exclude, add a DWORD value of 1, named with the decimal sector number, to the following registry key:

[HKLM\Software\SafeBoot International\SafeBoot\DiskManager\ExcludedSectors]
14=dword:1
15=dword:1

You can specify any number of exclusions using this method, but be aware that at least two sectors are required, and the fewer sectors available, the slower encryption processes will run.

You can add this information to the client NTDRV.SRG registry file to ensure it is applied on all machines at the point of install.

SBALG.SYS

This file is Endpoint Encryption’s device driver crypto algorithm module.


SafeBoot.CSC/RSV

Endpoint Encryption pre-boot sector chain for the boot loader. The SafeBoot.csc file was renamed to SafeBoot.RSV in v5.01 for better defrag protection.

SafeBoot.FS

This file is the encrypted pre-boot environment, stored as a single file.

SbRegFlt

This file is applicable to Vista installations only. It allows the administrator to properly support auto logon, i.e. to ensure the Ctrl-Alt-Del behavior is correct for single sign-on.

Other Files

srg files

Endpoint Encryption registry files. These are standard regedit-format files which are processed into the registry by Endpoint Encryption itself, without using the Windows regedit utility.


WinTech and SafeTech

WinTech and SafeTech are Endpoint Encryption's disaster recovery and diagnostic tools. They should only be used in the event of a catastrophic failure of the machine, for example after severe hard disk corruption, a virus attack, or a complete OS failure.

WinTech and SafeTech can perform the following functions:

• Decrypt the drive using information obtained from the Endpoint Encryption Manager.

• Start the Endpoint Encryption Emergency Repair process.

• Perform forensic analysis on encrypted data.

These tools should only be used by trained Endpoint Encryption staff. For more information, and for access to the WinTech and SafeTech Administration Guide, please contact your McAfee representative.


Themes & Localization

Endpoint Encryption for PC is the most flexible product of its kind in terms of localization capabilities. It supports an unlimited number of pre-boot languages and keyboards, and offers a fully localized pre-boot on-screen keyboard and automatic language detection.

You can also restyle almost any aspect of the pre-boot interface, from changing colors and graphics to moving buttons and text on the screen.

Endpoint Encryption provides full localization and customization services, but for those interested, the following information is provided to help you gain experience of how all the components fit together. We provide numerous languages and graphical layouts (themes) with our product. Readers are strongly advised to refer to those while reading these sections to understand how they work.

A tip for theme designers: the Endpoint Encryption for PC client synchronizes any file changes found in the [appdir]\locale and [appdir]\graphics trees into the Endpoint Encryption pre-boot file system on every policy sync event. So, rather than making your changes and uploading them to the Endpoint Encryption Manager, you can change the files directly on an Endpoint Encryption client and perform a sync event to load them into the pre-boot environment. A successful sync is not required, only an attempt. Note that this also means anything written into those trees on the client is picked up, whether or not it came from the Manager.

Themes

Endpoint Encryption for PC uses graphical "Themes" to control the look and feel of the pre-boot environment. These Themes are stored as "Client File" type file sets within the Endpoint Encryption Object Directory. Only one theme can be assigned to a machine at any time.

To assign a theme to an Endpoint Encryption for PC machine, simply enable its file set from the "Files" tab of either the machine or the machine group properties.

Themes are comprised of the following components:

File or Directory     Description

Graphics\             The graphical theme directory, containing:
  Graphics.ini        Master definition file for the graphical theme. This file dictates the overall look of the theme, the button and window positions, and the various graphical elements which are used for each resolution.
  ENGLISH             The English language font files.
  640x480, 800x600, 1024x768, 1280x960, 1280x1024, 1400x1050, 1440x900, 1440x1050, 1600x1200, 1680x1050, 1680x1280, 1920x1440
                      One directory per supported resolution, holding the images for that resolution.
  Shared              Shared images used in all modes.

Locale\               The language directory, containing:
  Locale.ini          Language translations. This file sets the language and keyboard support options; the options in Locale.ini determine which font sets from Graphics.ini are used.

Table 6. Theme Overview

For information about the parameters in the Graphics.ini and Locale.ini files, see the example theme, which has fully commented versions.

Keyboards

Physical Keyboard Layouts

Endpoint Encryption for PC supports many physical keyboard layouts, and also supports automatic detection of the Windows keyboard layout in an attempt to choose the most appropriate pre-boot layout.


Having the correct pre-boot layout selected is essential when authenticating. For example, imagine the user has the French keyboard enabled in Windows but the USA keyboard enabled in the Endpoint Encryption for PC pre-boot environment. Row 2 of the French keyboard begins "azerty…" whereas row 2 of a USA keyboard begins "qwerty…", so if the user's password contains either "a" or "z", pressing the same physical keys in pre-boot will not produce the password and authentication will fail.

Defining and adding layouts to the Endpoint Encryption PBA

Endpoint Encryption for PC can support an unlimited number of different keyboard layouts. To define which layouts are available, you usually only need to select the appropriate file group for a machine and the layout will be added.

The PBA determines which layouts are installed by reading the Locale\Locale.ini file in the pre-boot environment. This file is synchronised, along with the entire [appdir]\locale directory, each time the machine performs a sync operation.

An example keyboard layout is defined as follows in Locale.ini:

Node                                Description

;Norwegian Stub
;B5100                              Comment lines; any line starting with ";" is ignored.

[Settings]
DefaultKeyboard=0414                Defines the default keyboard if no mapping in [LanguageIDMap] can be determined.

[Keyboards]
0414=Keyboard.0414
043B=Keyboard.043B                  Defines the list of possible keyboards. In this example two keyboards are defined (0414 and 043B), described in the sections [Keyboard.0414] and [Keyboard.043B]. The definition names and section names are arbitrary, but we recommend you use the actual keyboard ID for consistency.

[Keyboard.0414]
name=Norwegian
mapfile=0414_E.MAP
OSK=0414_OSK.XML                    This is a keyboard definition section. It gives the name of the keyboard (displayed in the selection list), the map file to use (stored in \Locale), and the on-screen keyboard file to use (again stored in \Locale).

                                    Instead of the "name" key you can use NameW, which takes a comma-separated list of hex character codes, for example:

                                    NameW=32,54,23,6A,43DF

                                    With NameW you can display Unicode characters, which is useful when defining double-byte languages.

[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

[LanguageIDMap]
0414.Keyboard=0414
043B.Keyboard=043B                  This section describes how the client should attempt to map the selected Windows keyboard to the pre-boot keyboards. 0414.Keyboard=0414 indicates that if Windows is using a keyboard with the ID 0414, Endpoint Encryption should use the keyboard described in [Keyboards] under the definition name 0414.

Table 7. Keyboard definition in Locale.ini
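To see how the pieces of Table 7 fit together at pre-boot, here is an added example (not McAfee code) that resolves a Windows keyboard ID through [LanguageIDMap], [Keyboards] and the definition section, falls back to DefaultKeyboard when no mapping exists, decodes NameW, and lints the file for dangling references. The 0414 and 043B entries are the page's own; the 0411 (Japanese) entries are constructed to exercise NameW.

```python
"""Resolve and lint pre-boot keyboard definitions in Locale.ini (added example, not McAfee code)."""
import configparser

# Page entries (0414, 043B) plus a constructed 0411 entry that uses NameW.
SAMPLE_LOCALE_INI = """
[Settings]
DefaultKeyboard=0414

[Keyboards]
0414=Keyboard.0414
043B=Keyboard.043B
0411=Keyboard.0411

[Keyboard.0414]
name=Norwegian
mapfile=0414_E.MAP
OSK=0414_OSK.XML

[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

[Keyboard.0411]
NameW=65E5,672C,8A9E
mapfile=0411_E.MAP
OSK=0411_OSK.XML

[LanguageIDMap]
0414.Keyboard=0414
043B.Keyboard=043B
0411.Keyboard=0411
"""


def load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def decode_namew(value):
    """'32,54,23,6A' -> '2T#j': each comma-separated field is a hex Unicode code point."""
    return "".join(chr(int(field, 16)) for field in value.split(","))


def keyboard_name(cfg, section):
    """Display name of a definition section: NameW (decoded) wins over name."""
    s = cfg[section]
    if s.get("NameW"):
        return decode_namew(s["NameW"])
    return s.get("name", section)


def resolve_keyboard(cfg, windows_kbd_id):
    """Pre-boot keyboard for a Windows keyboard ID; 'fallback' is True when DefaultKeyboard was used."""
    mapped = cfg.get("LanguageIDMap", f"{windows_kbd_id}.Keyboard", fallback=None)
    fallback = mapped is None
    kbd_id = cfg.get("Settings", "DefaultKeyboard") if fallback else mapped
    section = cfg.get("Keyboards", kbd_id, fallback=None)
    if section is None or not cfg.has_section(section):
        raise LookupError(f"keyboard definition {kbd_id!r} is not declared in [Keyboards]")
    return {
        "id": kbd_id,
        "section": section,
        "name": keyboard_name(cfg, section),
        "mapfile": cfg[section]["mapfile"],
        "osk": cfg[section]["OSK"],
        "fallback": fallback,
    }


def lint(cfg):
    """Dangling references: each one means a user silently gets the wrong pre-boot layout."""
    problems = []
    for key, kbd_id in cfg.items("LanguageIDMap"):
        if not cfg.has_option("Keyboards", kbd_id):
            problems.append(f"[LanguageIDMap] {key}={kbd_id}: no such entry in [Keyboards]")
    for kbd_id, section in cfg.items("Keyboards"):
        if not cfg.has_section(section):
            problems.append(f"[Keyboards] {kbd_id}={section}: section missing")
    default = cfg.get("Settings", "DefaultKeyboard", fallback=None)
    if default is None or not cfg.has_option("Keyboards", default):
        problems.append("[Settings] DefaultKeyboard does not name a [Keyboards] entry")
    return problems


if __name__ == "__main__":
    cfg = load(SAMPLE_LOCALE_INI)
    for win_id in ("043B", "0411", "0409"):
        print(win_id, resolve_keyboard(cfg, win_id))
    print(lint(cfg))
```

A US English Windows machine (0409) resolves to the Norwegian default in this file because no 0409 mapping exists; that is exactly the layout mismatch the previous section warns about, and `lint` plus a look at the `fallback` flag is how to catch it before users hit it at the pre-boot prompt.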

Locale.ini

Normally, language and keyboard layouts are defined within the Endpoint Encryption Database, and each language has a locale.ini file configured as a Merge INI. This system enables administrators to add and remove languages without having to define the exact set prior to distribution. As all keyboards and languages are defined in the same Locale.ini file, without merge INIs you would have to create a locale.ini file describing the exact combination of keyboards and locales before sending it to an Endpoint Encryption for PC client.

For examples of how to define a Locale.ini, see one of the supplied languages stored in the Endpoint Encryption Manager install directory \Languages tree.

NOTE: If the language is changed in Windows, auto-detect will not work. The new language file for pre-boot and keyboard should be deployed using file groups. Select the language file from file groups and apply it to the machine or group. The machine or machine group must then synchronize with the admin system.


The user(s) must then restart their machines. In the pre-boot screen they must select "Options". This loads a menu, from which they must select "Options" again. From the "Options" screen they can then specify the pre-boot language and the keyboard language.

Creating your own Keyboard Layout

Keyboard layouts are compiled from a source text file with the following structure:

Name=the keyboard name
Flags=keyboard flags
Scancode=Unicode char number, mask, keystate   (one entry per scan code and key state)

For example:

flags=0x8000007C
NAME=Norwegian with Sami
;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps

The keyboard map source file is comprised of the following components:

Node              Description

flags             Operational flags which control the behaviour of this keyboard map. Defined flags include:

                  0x00000001  Caps is Shift
                  0x00000002  Shift unsets Caps
                  0x00000004  Acute
                  0x00000008  Grave
                  0x00000010  Circumflex
                  0x00000020  Umlaut (Diaeresis)
                  0x00000040  Tilde
                  0x00000080  Caron
                  0x00000100  Apostrophe
                  0x00000200  Cedilla
                  0x00000400  Breve
                  0x00000800  Ogonek
                  0x00001000  Dot above
                  0x00002000  Double acute
                  0x00004000  Degree
                  0x00008000  Tonos
                  0x00010000  Middle dot
                  0x00020000  Low nine
                  0x00040000  Dialytika
                  0x00080000  Quotation
                  0x00100000  Polish programmers' tilde
                  0x00200000  Ring above
                  0x00400000  Macron
                  0x80000000  Extended Mode (should always be enabled)

Name              The keyboard name.

Key definitions   The behaviour of each key (scan code) is defined in a number of entries which state the Unicode character that should be produced. Each key may have many states (normal, shifted, caps etc.), so there may be multiple entries per key.

                  The possible states are defined with a mask (which modifier keys to consider) and a keystate (the required state of those keys). The modifier bits you can use in the mask and keystate are:

                  RIGHT_ALT_PRESSED    0x0001
                  LEFT_ALT_PRESSED     0x0002
                  RIGHT_CTRL_PRESSED   0x0004
                  LEFT_CTRL_PRESSED    0x0008
                  SHIFT_PRESSED        0x0010
                  NUMLOCK_ON           0x0020
                  SCROLLLOCK_ON        0x0040
                  CAPSLOCK_ON          0x0080
                  ENHANCED_KEY         0x0100

                  So as an example, to define key 2 (the number 1 key on a USA keyboard) you would add an entry for scan code 0x02 (the scan code of this key) followed by a number of possible key states.

                  0x02=0x0031,0x009F,0x0000

                  defines the number 1 key to produce the character "1" when none (keystate 0x0000) of the modifiers capslock, shift, left-alt, right-ctrl, left-ctrl and right-alt (mask 0x009F) is pressed.

                  To define the behaviour of this key when shift alone is pressed, use the following line:

                  0x02=0x0021,0x009F,0x0010

                  As above, if key 2 is pressed, produce an exclamation mark (Unicode U+0021) when shift (0x0010) is the only one pressed out of the combination of capslock, shift, left-alt, right-ctrl, left-ctrl and right-alt (mask 0x009F).

                  In both cases, every modifier included in the mask but not set in the keystate must be released; modifiers outside the mask (here NumLock, ScrollLock and the enhanced-key flag) are ignored. An entry applies when the current modifier bits ANDed with the mask equal the keystate.

                  The mask defines which keys to consider, and the keystate defines the required state of each of those keys.

Table 8. Keyboard map source file

If you wish to create a custom keyboard map, you will need to have it compiled by Endpoint Encryption before it can be used.
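The mask/keystate rule in Table 8, and the AZERTY/QWERTY mismatch described under Physical Keyboard Layouts, can both be checked directly against a map source file. The following is an added example (not McAfee code, and not the compiler McAfee uses to build .MAP files): a parser for the source format shown above plus a lookup that applies "(modifiers & mask) == keystate" to replay a sequence of key presses, and a lint for the Extended Mode flag the table says must always be set. Both maps are constructed excerpts of a US and a French layout covering a handful of keys.

```python
"""Parse keyboard map source files and replay key presses through them (added example, not McAfee code)."""

# Modifier bits from Table 8.
RIGHT_ALT, LEFT_ALT, RIGHT_CTRL, LEFT_CTRL = 0x0001, 0x0002, 0x0004, 0x0008
SHIFT, NUMLOCK, SCROLLLOCK, CAPSLOCK, ENHANCED = 0x0010, 0x0020, 0x0040, 0x0080, 0x0100
EXTENDED_MODE = 0x80000000  # flags bit that should always be enabled

# Constructed excerpt of a US layout: scan codes 0x02 ("1"), 0x10 (Q key) and 0x1E (A key).
US_MAP = """
flags=0x80000000
NAME=US (constructed excerpt)
;----
0x02=0x0031,0x009F,0x0000 ;-normal  "1"
0x02=0x0021,0x009F,0x0010 ;-shift   "!"
0x10=0x0071,0x009F,0x0000 ;-normal  "q"
0x10=0x0051,0x009F,0x0010 ;-shift   "Q"
0x10=0x0051,0x009F,0x0080 ;-caps    "Q"
0x1E=0x0061,0x009F,0x0000 ;-normal  "a"
"""

# Constructed excerpt of a French (AZERTY) layout for the same physical keys.
FR_MAP = """
flags=0x80000000
NAME=French (constructed excerpt)
0x02=0x0026,0x009F,0x0000 ;-normal  "&"
0x02=0x0031,0x009F,0x0010 ;-shift   "1"
0x10=0x0061,0x009F,0x0000 ;-normal  "a"
0x10=0x0041,0x009F,0x0010 ;-shift   "A"
0x1E=0x0071,0x009F,0x0000 ;-normal  "q"
"""


def parse_map(text):
    """Parse flags=, NAME= and scancode=unicode,mask,keystate lines; ';' starts a comment."""
    kmap = {"name": None, "flags": 0, "keys": {}}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "name":
            kmap["name"] = value
        elif key.lower() == "flags":
            kmap["flags"] = int(value, 16)
        else:
            code, mask, state = (int(field, 16) for field in value.split(","))
            kmap["keys"].setdefault(int(key, 16), []).append((code, mask, state))
    return kmap


def translate(kmap, scancode, modifiers):
    """Character for one key press, or None if no entry covers this modifier state."""
    for code, mask, state in kmap["keys"].get(scancode, []):
        if (modifiers & mask) == state:  # only the masked modifier bits are compared
            return chr(code) if code else None  # 0x0000 means the key produces nothing here
    return None


def type_keys(kmap, presses):
    """Replay (scancode, modifiers) pairs, dropping presses that produce nothing."""
    return "".join(translate(kmap, sc, mods) or "" for sc, mods in presses)


def lint(kmap):
    """Checks a practitioner wants before compiling: Extended Mode set, no duplicate states."""
    warnings = []
    if not kmap["flags"] & EXTENDED_MODE:
        warnings.append("Extended Mode flag 0x80000000 is not set")
    for sc, entries in kmap["keys"].items():
        seen = set()
        for _, mask, state in entries:
            if (mask, state) in seen:
                warnings.append(f"scancode 0x{sc:02X}: duplicate entry for mask 0x{mask:04X} state 0x{state:04X}")
            seen.add((mask, state))
    return warnings


if __name__ == "__main__":
    us, fr = parse_map(US_MAP), parse_map(FR_MAP)
    # The same physical key presses as a Windows user on a US layout would make for "qa1!".
    presses = [(0x10, 0), (0x1E, 0), (0x02, 0), (0x02, SHIFT)]
    print(us["name"], "->", type_keys(us, presses))
    print(fr["name"], "->", type_keys(fr, presses))
    print(lint(us), lint(fr))
```

The replay shows the failure mode concretely: the key presses that spell "qa1!" on the US map spell "aq&1" on the French one, so a user whose Windows layout and pre-boot layout disagree types a different password at pre-boot without any visible error.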

On Screen Keyboards

On-screen keyboards provide a visual representation of the physical keyboard. Each keyboard map can be defined to provide either its own OSK or the system default OSK (US English). The symbols on each key can be defined for the normal, alt, altgr, shift, caps and ctrl states, and also for any combination of states.

OSKs are defined in the Endpoint Encryption pre-boot environment using an XML file which controls the layout (key spacing, number of rows etc.) and the display character for each key. The OSK file (keyboardID_OSK.XML) is usually stored in the SBFS\Locale directory.

There can be many OSKs installed, and each physical keyboard map can choose one of the installed OSKs to display on request.

Administrators can choose to always display an OSK for the user by selecting the "always display on-screen keyboard" option of the Machine/General properties.

NOTE: Though the OSK displays the character for each possible state, the OSK sends the scan code and modifier (shift/alt etc.) to the selected keyboard driver for conversion, so the actual character produced is the result of the keyboard driver, NOT necessarily the one displayed on the OSK.

A sample OSK keyboard could be defined as follows:

<?xml version="1.0" encoding="UTF-16"?>
<keyboard>
  <options col="lightgray" button_col="lightgray" border_col="black" txt_col="black"
           font="System" down_col="blue" button_style="square" border_width="3">
  </options>
  <layout id="English (US)">
    <row>
      <key id="18" obey-caps="true" scancode="0x11">
        <default display="w" />
        <shifted display="W" />
        <caps display="W" />
        <alt_gr display="GR" />
        <text state="alt+shift" display="AS" />
        <text state="alt+shift+ctrl" display="ASC" />
        <text state="shift+ctrl" display="SC" />
        <text state="caps+shift" display="PS" />
        <text state="altgr+ctrl" display="GC" />
      </key>
      <key id="19" obey-caps="false" scancode="0x056">
        …
      </key>
    </row>
    <row>
      …
    </row>
  </layout>
</keyboard>

The following nodes should be considered:

Node  Description 

Options/font  The name of the font used by this OSK. This should be defined in graphics.ini and needs to be an OnTime Binary font. 

Layout/ID  The name of this OSK layout, displayed in the title bar of the OSK. 

Key/ID  A decimal representation of the key, usually the decimal scan code. 

Key/Obey-Caps  If this key is subject to caps state switching, set this to true. 

Key/Scancode  The scan code produced by this key. 

Key/default  The default display character. 

Key/shifted  The shifted display character. 

Key/caps  The Caps Lock state character. 

Key/alt_gr  The AltGr state character. 

Key/text/state  The combination states for this key. A text/state entry takes precedence over the key/default, key/shifted etc. entries. You can specify single states, for example 

<text state="shift" display="Q" /> 

or combination states, for example 

<text state="shift+altgr" display="%" /> 

For any key to consider any caps behaviour, the key's obey-caps attribute must be true. 

Table 9. On Screen Keyboard Source 
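The precedence rules in Table 9 are easy to get wrong when several states overlap, so here is an added Python example (not Endpoint Encryption code) that parses the sample OSK above, with a constructed second key, and returns the glyph the OSK would draw for a given state. The ordering of text/state over shifted, caps and alt_gr over default, and the obey-caps rule, are taken from the table; treating an unspecified single state (for example alt on its own) as falling through to default is an assumption.

```python
"""Pick the glyph an on-screen keyboard key shows for a modifier state.

Added example, not Endpoint Encryption code. It applies the precedence this
page describes: a <text state="..."> entry whose state matches exactly wins,
then the single-state shifted/caps/alt_gr elements, then <default>; caps is
honoured only when the key has obey-caps="true". The XML is the page's sample
key 18 plus a constructed key 2 (the 1 key); the encoding attribute is omitted
because the text is handed to the parser as a Python string.
"""
import xml.etree.ElementTree as ET

OSK_XML = """<?xml version="1.0"?>
<keyboard>
  <layout id="English (US)">
    <row>
      <key id="18" obey-caps="true" scancode="0x11">
        <default display="w" />
        <shifted display="W" />
        <caps display="W" />
        <alt_gr display="GR" />
        <text state="alt+shift" display="AS" />
        <text state="alt+shift+ctrl" display="ASC" />
        <text state="shift+ctrl" display="SC" />
        <text state="caps+shift" display="PS" />
        <text state="altgr+ctrl" display="GC" />
      </key>
      <!-- constructed key: a number key that ignores Caps Lock -->
      <key id="2" obey-caps="false" scancode="0x02">
        <default display="1" />
        <shifted display="!" />
        <caps display="1" />
      </key>
    </row>
  </layout>
</keyboard>
"""

# Element consulted for each single modifier; "altgr" and "alt_gr" both occur on the page.
SINGLE_STATE_ELEMENT = {"shift": "shifted", "caps": "caps", "altgr": "alt_gr"}


def load_keys(xml_text: str) -> dict:
    """Map key id -> <key> element."""
    root = ET.fromstring(xml_text)
    return {int(key.get("id")): key for key in root.iter("key")}


def parse_state(state: str) -> frozenset:
    """'caps+Shift' -> {'caps', 'shift'}; normalises alt_gr to altgr and ignores order."""
    names = (part.strip().lower().replace("_", "") for part in state.split("+"))
    return frozenset(name for name in names if name)


def display_for(key, state: str) -> str:
    """Glyph the OSK draws on `key` for the modifier combination `state`."""
    pressed = parse_state(state)
    if key.get("obey-caps", "false").lower() != "true":
        pressed -= {"caps"}                       # this key does not react to Caps Lock
    for text in key.findall("text"):              # 1. explicit combination states win
        if parse_state(text.get("state", "")) == pressed:
            return text.get("display")
    if len(pressed) == 1:                         # 2. then the single-state elements
        element = SINGLE_STATE_ELEMENT.get(next(iter(pressed)))
        node = key.find(element) if element else None
        if node is not None:
            return node.get("display")
    return key.find("default").get("display")     # 3. assumption: every key has a default
```

Remember the NOTE above: this returns only what the OSK draws. What is actually typed is decided by the keyboard driver from the selected map file, so a mismatch between the two files shows up exactly at this point.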

To set which OSK is displayed per keyboard map, add an "OSK=" tag to the keyboard definition in locale.ini, for example:

[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

Node  Description 

Name  The display name of the Keyboard 

Mapfile  The name of the map file to use to map the key presses to chars 

OSK  The name of the OSK file to display 

Table 10. On Screen Keyboard Definition 

Pre-Boot Language

Endpoint Encryption for PC supports many languages, and also supports automatic detection of the Windows language in an attempt to choose the most appropriate pre-boot language (note: this detection happens only during Endpoint Encryption activation).

NOTE: If the language is changed in Windows after activation, auto-detect will not pick up the change. Deploy the new pre-boot language and keyboard files using file groups: select the language file from file groups and apply it to the machine or group. The machine or machine group must then synchronize with the administration system. 

The users must then restart their machines. In the pre-boot screen they select "Options", which loads a menu; from that menu they select "Options" again. From the "Options" screen they can then specify the pre-boot language and the keyboard language. 

The selectable languages are defined in the SBFS Locale\Locale.ini file, for example:

Node  Description 

Chinese Stub 
;B5100 
[Settings] 
DefaultLanguage=0804 

  The default language to use if no mapping is found in the [LanguageIDMap] section. 

[Languages] 
0804=Lang.0804 
0404=Lang.0404 

  The defined languages. Both the definition name (left of the =) and the section name (right of the =) are arbitrary. 

[LanguageIDMap] 
0804.Language=0804 
0404.Language=0404 
0004.Language=0804 
0C04.Language=0404 
0404.Keyboard=0404 
0804.Keyboard=0804 

  The map from Windows language to Endpoint Encryption pre-boot language. For example, if Windows is using locale 0404, the pre-boot uses definition 0404 for its language. Both the full locale ID and the major language are checked, so in this example Windows locale 0804 and major language 0004 both use the pre-boot definition section 0804. If Windows reports a variant that has no entry of its own, for example 0F04, its major-language entry 0004 is used instead, which here resolves to 0804. 

[Lang.0804] 
;Name=Chinese Simplified (PRC) 
NameW=,0020,0050,0052,0043,0029 
ID=0804 
StringFile=0804.STR 
FontSection=Fonts.SuperFont 

  This section defines a language. The Name tag is the name displayed in the pre-boot selection list. You can supply a NameW tag instead, which takes a comma-separated list of character codes; this lets you give the entry a Unicode name. The ID is the locale ID and should be the recognised Windows locale ID for this language. The StringFile is the compiled string definition file to use (stored in \locale). The FontSection names the section in Graphics.ini that contains the fonts for this language; each language can use its own fonts or share fonts with other languages. 

Table 11. Pre-Boot Language Definition 
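As an added example (not Endpoint Encryption code), the following Python script resolves a Windows locale ID to a pre-boot language and keyboard definition the way Table 11 describes: the full locale ID is tried first, then its major language, and, for the language only, the DefaultLanguage from [Settings]. The ini text is the sample above with a constructed [Lang.0404] section; deriving the major language from the low byte of the ID (0F04 to 0004, 0409 to 0009) is an assumption taken from the guide's own examples.

```python
"""Resolve the pre-boot language and keyboard for a Windows locale ID.

Added example, not Endpoint Encryption code. It follows the lookup this page
describes for the [LanguageIDMap] section of Locale.ini: the full Windows
locale ID is tried first, then its major language, and for the language only
the DefaultLanguage from [Settings]. The ini text is the page's sample; the
[Lang.0404] section is constructed because the page does not show it.
"""
from __future__ import annotations

import configparser

LOCALE_INI = """\
;B5100
[Settings]
DefaultLanguage=0804

[Languages]
0804=Lang.0804
0404=Lang.0404

[LanguageIDMap]
0804.Language=0804
0404.Language=0404
0004.Language=0804
0C04.Language=0404
0404.Keyboard=0404
0804.Keyboard=0804

[Lang.0804]
;Name=Chinese Simplified (PRC)
ID=0804
StringFile=0804.STR
FontSection=Fonts.SuperFont

[Lang.0404]
;Name=Chinese Traditional (Taiwan)  (section constructed for this example)
ID=0404
StringFile=0404.STR
FontSection=Fonts.SuperFont
"""


def load_locale_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep keys such as "0804.Language" case-intact
    cp.read_string(text)
    return cp


def major_language_id(lcid: str) -> str:
    """Major language of a four-digit hex locale ID, written the way the guide
    does (0804 -> 0004, 0409 -> 0009); assumes the low byte is the major id."""
    return "00" + lcid[-2:].upper()


def resolve_definition(cp: configparser.ConfigParser, windows_lcid: str, kind: str) -> str | None:
    """kind is "Language" or "Keyboard". Returns the pre-boot definition id, the
    DefaultLanguage when no language mapping exists, or None for an unmapped keyboard."""
    idmap = cp["LanguageIDMap"]
    for candidate in (windows_lcid.upper(), major_language_id(windows_lcid)):
        key = f"{candidate}.{kind}"
        if key in idmap:
            return idmap[key]
    if kind == "Language":
        return cp["Settings"]["DefaultLanguage"]
    return None


def language_section(cp: configparser.ConfigParser, windows_lcid: str) -> dict:
    """The [Lang.xxxx] settings (ID, StringFile, FontSection) the pre-boot will load."""
    definition = resolve_definition(cp, windows_lcid, "Language")
    return dict(cp[cp["Languages"][definition]])


if __name__ == "__main__":
    cp = load_locale_ini(LOCALE_INI)
    for lcid in ("0404", "0C04", "0F04", "0409"):
        print(lcid, "->", resolve_definition(cp, lcid, "Language"),
              language_section(cp, lcid)["StringFile"])
```

A locale absent from the map in both forms, such as 0409 here, falls to DefaultLanguage for the language; the page gives no default for the keyboard, so the example returns None in that case. Check that the map covers every Windows locale you deploy to before pushing a Locale.ini through file groups.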

Creating your own Language file

Endpoint Encryption for PC language files are created from a Unicode master which describes the text to display for each defined pre-boot message, for example:

Name=Chinese (Simplified)
ID=0804
1=确定
2=取消
3=SafeBoot
4=是
5=否
50=请插入一张引导用的软盘或者按取消从硬盘引导。
100=SafeBoot登录
101=用户名:
102=密码:
103=修改密码
51=您不允许从软盘引导,系统将从硬盘引导。

You can obtain a pre-boot English master text file from your Endpoint Encryption distributor. Once translated, the file needs to be compiled by Endpoint Encryption.

Normally languages and keyboard layouts are defined within the Endpoint Encryption database, and each language has a locale.ini file configured as a "Merge Ini". This lets administrators add and remove languages without having to define the exact set prior to distribution. Because all keyboards and languages are defined in the same Locale.ini file, without merge INIs you would have to create a locale.ini describing the exact combination of keyboards and locales before sending it to an Endpoint Encryption for PC client.

For examples of how to define a Locale.ini, see one of the supplied languages stored in the Endpoint Encryption Manager install directory \Languages tree.

Pre-Boot Token Descriptions

You can localise the token names used in Endpoint Encryption for PC by adding an XML definition file to the [appdir]\SBTokens\Languages directory. The client searches for resources in the following order:

• The [appdir]\SBTokens\Languages\LanguageID directory

• The [appdir]\SBTokens\Languages\LanguageMajor directory

• The [appdir]\SBTokens\Languages directory

For example, on a US English system (Language ID 0409) Endpoint Encryption for PC will look for token resources in [appdir]\SBTokens\Languages\0409, then [appdir]\SBTokens\Languages\0009, then [appdir]\SBTokens\Languages.

The definition file for each token is an XML file named Token_tokenID.xml, as follows:

Node  Description 

<SbTokenInformation> 

<Token type="xxxxxxxx">  The ID of the token; see the Tokens section of this guide. 

<PromptName>prompt text</PromptName>  The text to display in the login box 

<ListName>list text</ListName>  The text to display in the list of tokens 

</Token> 
</SbTokenInformation> 

Table 12. Token Translation File 

Windows Languages

Endpoint Encryption for PC uses resource DLLs and other files to display its Windows components in alternate languages.

The client searches for resources in the following order:

• The [appdir]\Languages\LanguageID directory

• The [appdir]\Languages\LanguageMajor directory

• The [appdir]\Languages directory

• The [appdir] directory, using the built-in resources

For example, on a US English system (Language ID 0409) Endpoint Encryption for PC will look for resources in [appdir]\Languages\0409, then [appdir]\Languages\0009, then [appdir]\Languages, then [appdir].

The following components are supported for localization:

• DLL resources (Windows resources)

• SBErrors.XML (Unicode error code descriptions)

• SBErrors.INI (ASCII error code descriptions)

• SBClient.CHM (Help file)

• SBHelp.INI (Help file index)

Troubleshooting PCs

For the latest information on Endpoint Encryption issues, patches and information please see our web site, www.mcafee.com. We maintain several sections with the latest tips from our implementation teams, and any suggested changes and updates. You can also subscribe to an update list which uses e-mail to keep you informed of any significant issues.

Error Messages

Please see the file sberrors.ini for more details of these error messages. You can also find more information on error messages on our web site, www.mcafee.com.

Module codes

The following codes identify which Endpoint Encryption module generated an error message.

Error Code  Module 

1c00  IPC 
5501  SBHTTP Page Errors 
5502  SBHTTP User Web Recovery 
5c00  SBCOM Protocol 
5c02  SBCOM Crypto 
a100  ALG 
c100  Scripting 
db00  Database Misc 
db01  Database Objects 
db02  Database Attributes 
e000  Endpoint Encryption General 
e001  Endpoint Encryption Tokens 
e002  Endpoint Encryption Disk 
e003  Endpoint Encryption SBFS 
e004  Endpoint Encryption BootCode 
e005  Endpoint Encryption Client 
e006  Endpoint Encryption Algorithms 
e007  Endpoint Encryption Readers 
e008  Endpoint Encryption Users 
e010  Endpoint Encryption Keys 
e011  Endpoint Encryption File 
e012  Endpoint Encryption Licenses 
e013  Endpoint Encryption Installer 
e014  Endpoint Encryption Hashes 
e015  Endpoint Encryption App Control 
e016  Endpoint Encryption Admin 

1C00 IPC Errors

Code  Message and Description 

[1c000001]  Timeout during IPC 

[1c000002]  IPC terminated 

[1c000003]  Unable to initialise IPC 

[1c000004]  Unknown or unsupported function 

[1c000005]  Request to send data that is too big 

[1c000006]  Timeout sending data 

[1c000007]  Timeout waiting for reply 

[1c000008]  Out of memory 

5C00 Communications Protocol

Code  Message and Description 

[5c000000]  Unsupported version 

The server and client are not talking the same communications protocol version 

[5c000005]  Out of memory 


[5c000008]  A corrupt or unexpected message was received 

[5c000009]  Unable to load the Windows TCP/IP library (WSOCK32.DLL) 

Check that the TCP/IP protocol is installed 

[5c00000a]  Communications library not initialised 

This is an internal programmatic error 

[5c00000c]  Unable to create TCP/IP socket 

[5c00000d]  Failed while listening on a TCP/IP socket 

[5c00000e]  Unable to convert a host name to an IP address 

Check the host file or the DNS settings 

[5c00000f]  Failed to connect to the remote computer 

The computer may not be listening or it is too busy to accept connections 

[5c000010]  Failed while accepting a new TCP/IP connection 

[5c000011]  Failed while receiving communications data 

The remote computer may have reset the connection 

[5c000012]  Failed while sending communications data 

[5c000013]  Invalid communications configuration 

[5c000014]  Invalid context handle 

[5c000015]  A connection has already been established 

[5c000016]  No connection has been established 

[5c000017]  Request for an unknown function has been received 

[5c000018]  Unsupported or corrupt compressed data received 

[5c000019]  Data block is too big 

[5c00001a]  Data of an unexpected length has been received 


[5c00001b]  Message too big to be received 

This may occur if an attempt is made to import large amounts of data into the database (e.g. a file) 

[5c00001c]  Unable to create thread mutex 

[5c00001d]  Message too big to be sent 

This may occur if an attempt is made to import large amounts of data into the database (e.g. a file) 

[5c00001e]  Wrong Endpoint Encryption Communications Protocol Version 

You are most likely trying to connect to a v4 Endpoint Encryption Server using a v5 server definition with server authentication enabled. 

Check that you do not have both v4 and v5 servers running (perhaps as a service) at the same time. 

5C02 Communications Cryptographic

Code  Message and Description 

[5c020000]  The Diffie-Hellman data is invalid or corrupt 

[5c020001]  An unsupported encryption algorithm has been requested 

[5c020002]  An unsupported authentication algorithm has been requested 

[5c020003]  Unable to sign data 

[5c020004]  Authentication signature is not valid 

[5c020005]  Authentication parameters are invalid or corrupt 

[5c020006]  Failed while generating DSA parameters 

[5c020007]  No session key has been generated 

[5c020008]  Unable to authenticate user 

[5c020009]  Session key too big 


A100 Algorithm Errors

Code  Message and Description 

[a1000000]  Not enough memory 

[a1000001]  Unknown or unsupported function 

[a1000002]  Invalid handle 

[a1000003]  Encryption key is too big 

[a1000004]  Encryption key is too small 

[a1000005]  Unsupported encryption mode 

[a1000006]  Invalid memory address 

[a1000007]   Invalid key data 

DB00 Database Errors

Code  Message and Description 

[db000000]  Out of memory 

[db000001]  More data is available 

[db000002]  The database has not been created or initialised yet 

Check the database path or create a new database. To force the new database wizard to be run, delete the SDMCFG.INI file and restart the administration program. 

[db000003]  Invalid context handle 

[db000004]  The name was not found in the database 

[db000005]  Authentication was not successful. 

Check that you have the correct token for this database 

[db000006]   Unknown database 

[db000007]   Invalid database type 

[db000008]  The database could not be found. Check the database path settings 

[db000009]   Database already exists. 

Choose a different database path 

[db00000a]   Unable to create the database  

Check the path settings and make sure you have write access to the directory 

[db00000b]  Invalid database handle 

[db00000c]  The database is currently in use by another entity 

You cannot delete a database while someone is using it 

[db00000d]   Unable to initialise the database 

[db00000e]   User aborted 

[db00000f]  Memory access violation 

[db000010]   Invalid string 

[db000011]  No default group has been defined 

[db000012]  The group could not be found 

[db000013]  File not found 

[db000014]  Unable to read file 

[db000015]  Unable to create file 

[db000016]  Unable to write to file 

[db000017]  File corrupt 

[db000018]  Invalid function 

[db000019]  Unable to create mutex 

[db00001a]  Invalid license 

The license has been modified so that the signature is now invalid 

[db00001b]  License has expired 

[db00001c]  The license is not for this database  

Check the database ID and ensure it is the same as the one specified in the license. Each time you create a new database, a different ID is generated. There is no way to change the ID of a database. 

[db00001d]  You do not have permission to access the object 

[db00001e]  Endpoint Encryption is currently busy with another task. Please wait for it to complete and try again. 

This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint Encryption status from the right‐click menu of the Endpoint Encryption task bar icon. 

[db00001f]  Endpoint Encryption is still installed on this machine 

[db000020]  Buffer too small 

[db000021]  The requested function is not supported 

[db000022]  Unable to update the boot sector 

The disk may be in use by another application or Explorer itself. The disk may be protected by an anti‐virus program. 

DB01 Database Objects

Code  Message and Description 

[db010000]  The object is locked 

Someone else is currently updating the same object 

[db010001]  Unable to get the object ID 

[db010002]  Unable to change the object's access mode 

Someone else may be accessing the object at the same time. If you are trying to write to the object while someone else has the object open for reading, you will not be able to change to write mode. 

[db010003]  Object is in wrong access mode 

[db010004]  Unable to create the object in the database 

The disk may be full or write protected 

[db010005]  Operation not allowed on the object type 

[db010006]  Insufficient privilege level 

You do not have the access rights required to access the object. 

[db010007]  The object status is disabled 

This is usually associated with User objects. Disabling the user's object prevents them logging on until their account is re‐enabled. 

[db010008]  The object already exists 

[db01000f]  The object is in use 

[db010010]  Object not found 

The object has been deleted from the database 

[db010011]  License has been exceeded for this object type 

Check that your licenses are still valid and if not obtain further licenses if necessary 

DB02 Database Attributes

Code  Message and Description 

[db020000]  Attribute not found 

[db020001]  Unable to update attribute 

[db020002]  Unable to get attribute data 

[db020003]  Invalid offset into attribute data 


[db020004]  Unable to delete attribute 

[db020005]  Incorrect attribute length 

[db020006]  Attribute data required 

E000 Endpoint Encryption General

Code  Message and Description 

[e0000000]  User aborted 

[e0000001]  Insufficient memory 

[e0000002]  Invalid date/time 

[e0000010]  Invalid date/time. Clock is reporting a time before 1992 or after 2038. 

E001 Tokens

Code  Message and Description 

[e0010000]  General token error 

[e0010001]  Token not logged on 

[e0010002]  Token authentication parameters are incorrect 

[e0010003]  Unsupported token type 

[e0010004]  Token is corrupt 

[e0010005]  The token is invalidated due to too many invalid logon attempts 

[e0010006]  Too many incorrect authentication attempts 

[e0010007]  Token recovery key incorrect  

[e0010010]  The password is too small 

[e0010011]  The password is too large 

[e0010012]  The password has already been used before. Please choose a new one. 

[e0010013]  The password content is invalid 

[e0010014]  The password has expired 

[e0010015]  The password is the default and must be changed. 

[e0010016]  Password change is disabled 

[e0010017]  Password entry is disabled 

[e0010020]  Unknown user 

[e0010021]  Incorrect user key 

[e0010022]  The token is not the correct one for the user 

[e0010023]  Unsupported user configuration item 

[e0010024]  The user has been invalidated 

[e0010025]  The user is not active 

[e0010026]  The user is disabled 

[e0010027]  Logon for this user is not allowed at this time 

[e0010028]  No recovery key is available for the user 

[e0010030]  The algorithm required for the token is not available 

[e0010040]  Unknown token type 

[e0010041]  Unable to open token module 

[e0010042]  Unable to read token module 

[e0010043]  Unable to write token module 

[e0010044]  Token file not found 

[e0010045]  Token type not present 

[e0010046]  Token system class is not available 


[e0018000]  Sony Puppy requires fingerprint 

[e0018001]  Sony Puppy requires password 

[e0018002]  Sony Puppy not trained 

E002 Endpoint Encryption Disk

Code  Message and Description 

[e0020000]  No more data is available 

[e0020001]  No more data is available 

[e0020002]  Unsupported disk driver function 

[e0020003]  Invalid disk driver request 

[e0020004]  Disk request buffer too small 

[e0020005]  Unsupported encryption algorithm 

[e0020006]  Unknown disk number 

[e0020007]  Error reading disk sector 

[e0020008]  Error writing disk sector 

[e0020009]  Unable to get disk partition information 

[e002000a]  Endpoint Encryption disk information not present 

[e002000b]  Not enough space for the Endpoint Encryption disk information 

[e002000c]  The Endpoint Encryption disk information is invalid 

[e002000d]  Sector not valid for Endpoint Encryption disk information use 

[e002000e]  Sector chain is invalid 

[e002000f]  Sector chain type incorrect 

[e0020010]  Sector chain sequence number incorrect 


[e0020011]  Sector chain checksum invalid 

[e0020012]  Crypt state information too big for available space 

[e0020013]  Crypt list full 

[e0020014]  Crypt range too big. 

[e0020015]  Attempt to crypt while in power fail state not allowed 

[e0020016]  Attempt to crypt in‐progress I/O 

[e0020017]  Error communicating with Endpoint Encryption disk driver 

[e0020018]  Endpoint Encryption disk driver not present 

[e0020019]  Unsupported disk driver version 

[e002001a]  No encryption key has been set 

[e002001b]  Unable to find the system boot disk 

[e002001c]  Unknown message slot 

[e002001d]  Message slot data too large 

[e002001e]  Unable to lock floppy disk driver for access 

[e002001f]  Unable to access floppy disk 

[e0020020]  The boot disk type is not supported 

[e0020021]  Access to driver not permitted 

E003 Endpoint Encryption SBFS

Code  Message and Description 

[e0030001]  The Endpoint Encryption File System (SBFS) is already mounted 

[e0030002]  Unable to mount the Endpoint Encryption File System 

[e0030003]  Unable to unmount the Endpoint Encryption File System 

[e0030004]  The Endpoint Encryption File System is not mounted 


[e0030005]  Error reading Endpoint Encryption File System sector 

[e0030006]  Error writing Endpoint Encryption File System sector 

[e0030007]  Endpoint Encryption File System too fragmented 

[e0030008]  Endpoint Encryption File System size invalid 

[e0030009]  Error creating Endpoint Encryption File System host file 

[e003000a]  Error reading Endpoint Encryption File System host file 

[e003000b]  Error writing Endpoint Encryption File System host file 

[e003000c]  Error setting Endpoint Encryption File System host file pointer 

[e003000d]  Unable to locate sectors corresponding to the Endpoint Encryption File System host file 

[e003000e]  No host driver found for the Endpoint Encryption File System 

E004 Boot Code Image

Code  Message and Description 

[e0040001]  Unable to open boot code image file 

[e0040002]  Error reading boot code image file 

[e0040003]  Boot code image file too big 

[e0040004]  Error creating boot code image host file 

[e0040005]  Error reading boot code image host file 

[e0040006]  Error writing boot code image host file 

[e0040007]  Error setting boot code image host file pointer 

[e0040008]  Unable to locate boot code image host file sectors 

[e0040009]  No host driver found for boot code image file 

[e004000a]  Unhandled instruction 


[e004000b]  Invalid instruction 

[e004000c]  Protected mode General Protection Fault 

E005 Client

Code  Message and Description 

[e0050001]  Endpoint Encryption Client not activated 

[e0050002]  The Endpoint Encryption Client is already activated 

[e0050003]  The Endpoint Encryption Client activation is already in progress 

[e0050004]  The wrong version of the Endpoint Encryption Client is currently active 

[e0050005]  Unable to save original MBR 

[e0050006]  Disk Manager not open 

[e0050007]  Unable to load MBR copy 

[e0050008]  Unable to load the Endpoint Encryption MBR 

[e005000a]  Too many work items to perform encryption. 

[e005000b]  Endpoint Encryption MBR invalid 

[e005000c]  Endpoint Encryption Client sync failed to start 

[e005000d]  Endpoint Encryption Client sync already in progress 

[e005000e]  Key not available to the Endpoint Encryption Client 

[e005000f]  The recovery key is incorrect 

[e0050010]  Failed to start cryption 

[e0050011]  Cryption already in progress 

[e0050012]  The hard disk key is incorrect 

[e0050013]  The machine configuration is corrupt or invalid 

[e0050014]  Unable to load string data 


[e0050015]  String data is invalid 

[e0050016]  Incorrect user logon 

[e0050017]  The isolation period has expired 

[e0050018]  A possible virus has been detected 

[e0050019]  Recovery data is invalid 

[e005001a]  Recovery file version unsupported 

[e005001b]  Invalid recovery command 

[e005001c]  Invalid recovery type 

[e005001d]  Recovery data not found 

[e005001d]  Client not initialized for emergency boot 

[e0050020]  Unable to open the client data store 

[e0050021]  The client data store is not open 

[e0050022]  The client data store already exists 

[e0050023]  Error creating client data store 

[e0050024]  Unable to create client data store directory 

[e0050025]  Client data store in use 

[e0050026]  Unable to delete client data store 

[e0050027]  The client data store is corrupt 

[e0050028]  Unsupported client data store version 

[e0050030]  Client data store object not found 

[e0050031]  Client data store object not open 

[e0050032]  Client data store object not exclusive 

[e0050033]  Client data store object ID invalid 


[e0050034]  Client data store object ID already exists 

[e0050035]  Unable to create client data store object directory 

[e0050036]  Client data store object name already exists 

[e0050037]  Unable to read client data store object name 

[e0050038]  Unable to write client data store object name 

[e0050040]  Unable to remove client data store object 

[e0050041]  Client data store attribute not found 

[e0050042]  Client data store attribute not open 

[e0050043]  Unable to open client data store attribute 

[e0050044]  Unable to create client data store attribute 

[e0050045]  Unable to read client data store attribute 

[e0050046]  Unable to write data store attribute 

[e0050047]  Client data store attribute version incorrect 

[e0050048]  Client data store attribute corrupt 

[e0050049]  Invalid size of client data store attribute 

[e005004a]  Access denied to client data store attribute 

[e0050060]  Upgrade of client is not possible 

[e0050061]  Upgrade old SbFs is invalid 

[e0050062]  Upgrade old SbFs not found 

[e0050063]  Upgrade old SbFs drive not found 

[e0050064]  Upgrade, unable to read old SbFs 

[e0050065]  Upgrade, old machine configuration invalid 

[e0050066]  Upgrade, invalid user data. 


[e0050067]  Upgrade, user directory version invalid 

[e0050068]  Upgrade, invalid user directory 

[e0050069]  Upgrade, unable to get original MBR 

[e005006a]  Upgrade, unable to get audit data 

E006 Algorithms

Code  Message and Description 

[e0060001]  Unknown encryption algorithm 
[e0060002]  Unable to install pre-boot encryption algorithm module 
[e0060003]  Error relocating 16-bit encryption algorithm code 
[e0060004]  Error initializing 16-bit encryption algorithm module 
[e0060005]  16-bit encryption algorithm module invalid 

E007 Readers

Code  Message and Description 

[e0070001]  Unknown reader type 
[e0070002]  Unable to open reader module 
[e0070003]  Unable to read reader module 
[e0070004]  Unable to write reader module 
[e0070005]  Reader failure 
[e0070006]  Unable to create reader context 
[e0070007]  Invalid reader parameter 
[e0070008]  Reader not present 
[e0070009]  Reader timeout 
[e007000a]  Reader sharing violation 
[e007000b]  Token not present in reader 
[e007000c]  Reader protocol mismatch 
[e007000d]  Reader communications error 
[e007000e]  Token not powered in reader 
[e007000f]  Token not reset in reader 
[e0070010]  Token removed from reader 

E008 Users

Code  Message and Description 

[e0080001]  User configuration invalid or corrupt 

[e0080002]  User information field index invalid 

[e0080003]  User has no hard disk encryption key  

E010 Keys

Code  Message and Description 

[e0100001]  Encryption key too big 

[e0100002]  Encryption key size invalid 

E011 Files

Code  Message and Description 

[e0110001]  Unable to create file 

[e0110002]  Unable to open file 

[e0110003]  Error reading file 

[e0110004]  Error writing file 

[e0110005]  Error setting file pointer 


[e0110006]  Error getting file size 

E012 Licences

Code  Message and Description 

[e0120001]  License invalid 

[e0120002]  License expired 

[e0120003]  License is not for this database 

[e0120004]  License count exceeded 

E013 Installer

Code  Message and Description 

[e0130002]  No installer executable stub found 

[e0130003]  Unable to read installer executable stub 

[e0130004]  Unable to create file  

[e0130005]  Error writing file 

[e0130006]  Error opening file 

[e0130007]  Error reading file 

[e0130008]  Installer file invalid 

[e0130009]  No more files to install 

[e013000a]  Install archive block data too large 

[e013000b]  Install archive data not found 

[e013000c]  Install archive decompression failed 

[e013000d]  Unsupported installer archive compression type 

[e013000e]  Installation error 


[e013000f]  Unable to create temporary directory 

[e0130010]  Error registering module 

E014 Hashes

Code  Message and Description 

[e0140001]  Insufficient memory 

[e0140002]  Error opening hashes file 

[e0140003]  Error reading hashes file 

[e0140004]  Hashes file invalid 

[e0140005]  Unable to create hashes file 

[e0140006]  Error writing hashes file 

[e0140007]  Hashes file is not open 

[e0140008]  Hashes file data invalid 

[e0140009]  Hashes file data too big 

[e014000a]  User aborted 

E015 Application Control Code  Message and Description 

[e0150001]  Insufficient memory 

[e0150002]  Application control invalid parameter 

[e0150003]  Error communicating with application control driver 

[e0150004]  Application control driver not installed 

[e0150005]  Error opening application control log file 

[e0150006]  Invalid hashes object list 

Page 142: Endpoint Encryption for PC Administration Guide

Error Messages

136 |

E016 Administration Center Code  Message and Description 

[e0160001]  Invalid plugin information 

xxH: BIOS

If Endpoint Encryption's boot loader detects a hardware error from the BIOS, it reports the standard error code in the format "Endpoint Encryption ?? Error code H??". The following list of codes may be reported:

Code  Message and Description
01H   Invalid function call
02H   Address mark not found
03H   Disk is write protected
04H   Sector not found
05H   Reset failed (hard disk)
06H   Diskette has been changed
07H   Drive parameter activity failed (hard disk)
08H   DMA overrun
09H   DMA attempted across 64K boundary
0AH   Bad sector flag detected (hard disk)
0BH   Bad track detected (hard disk)
0CH   Unsupported track or invalid media
0DH   Invalid number of sectors for Format (hard disk)
0EH   Control data address mark detected (hard disk)
0FH   DMA arbitration level out of range (hard disk)
10H   Uncorrectable CRC or ECC error on read
11H   ECC corrected data error (hard disk)
20H   Disk controller failure
31H   No media in drive
32H   Drive does not support media type
40H   Seek failed
80H   Timeout (disk not ready)
AAH   Drive not ready
B0H   Volume not locked in drive (INT 13 extensions)
B1H   Volume locked in drive (INT 13 extensions)
B2H   Volume not removable (INT 13 extensions)
B3H   Volume in use (INT 13 extensions)
B4H   Lock count exceeded (INT 13 extensions)
B5H   Valid eject request failed (INT 13 extensions)
BBH   Undefined error (hard disk)
CCH   Write fault (hard disk)
E0H   Status register error (hard disk)
FFH   Sense failed (hard disk)


Technical Specifications and Options

The following options are available from Endpoint Encryption but may not be included on your install CD, or be appropriate for your version of Endpoint Encryption. Please contact your Endpoint Encryption representative for information if you wish to use one of these optional components.

Encryption Algorithms

Endpoint Encryption supports many custom algorithms. Only one algorithm can be used in an Endpoint Encryption Enterprise.

Algorithm performance is based on the "PassMark" rating, which gives an overall indication of system performance. All tests were performed on a K6-II-300 machine running NT 4.0. This test platform has a PassMark of 20.7. The closer to this figure an algorithm gets, the less the impact of Endpoint Encryption on the user. Faster machines will achieve correspondingly higher PassMark ratings, but the percentage difference between the algorithms will be comparable.

RC5-12 (FASTEST)
CBC mode, 1024 bit key, 12 rounds, 64 bit blocks. PassMark 20.7 (100%)

RC5-18
CBC mode, 1024 bit key, 18 rounds, 64 bit blocks. PassMark 20.7 (100%)
The 18 round RC5 variant is designed to prevent the theoretical "Known Plaintext" attack.

AES-FIPS (FIPS 140-2 Approved) - RECOMMENDED
CBC mode, 256 bit key, 128 bit blocks. PassMark 19.3 (93%)
This algorithm is approved for FIPS 140-2 use.

Smart Card Readers

The following smart card readers are supported.

PCMCIA Smart Card Readers

• SCR243 / SCR201 and compatibles (such as HP DC350B, ActivIdentity and others)
• PCMCIA smart card reader. See http://www.scmmicro.com/security/SCR243.html for more information.
• SCR201 and compatibles such as PCSR and Cisco PCMCIA readers

Generic USB CCID Smart Card Reader and compatibles

This module provides support for the following devices:

• Universal CCID USB smart card reader support (supports all industry standard CCID readers)
• Dell D620 Integrated Smart Card Reader
• Gemplus GemPC430 USB Smart Card Reader
• Omnikey 3121 USB Smart Card Reader
• ACR38 USB Smart Card Reader

USB Smart Card Reader non CCID

Mako DT3500 Desktop smart card reader with USB Interface.

PCI Smart Card Readers

• HP 6400 Integrated Smart Card Reader
• Dell D610/810 Integrated Smart Card Reader

Tokens

Please see the Using Tokens with Endpoint Encryption for PC chapter for further information.

For the latest list of authentication methods using smart cards, tokens and fingerprint readers, please consult your McAfee representative.

Language Support

Client Pre‐Boot Languages (auto detect)

Arabic
Czech
Chinese (Simplified)
Chinese (Traditional)
Dutch
Italian
Japanese
Korean
Polish
Portuguese
English (United Kingdom)
English (United States)
Estonian
German
Hungarian
Russian
Slovak Republic
Swedish
Spanish
Turkish

Pre‐Boot Keyboards (auto detect)

Arabic 101
Arabic 102
Arabic AZERTY
Belgian Comma
Belgian Period
Canadian Multilingual
Canadian French
Canadian French Legacy
Chinese Bopomofo
Chinese ChaiJei
Croatian
Czech (Czech Republic)
Czech (QWERTY)
Czech (Programmers)
Danish
Dutch
English (United States)
English (United Kingdom)
Greek 319
Greek 220 Latin
Greek 319 Latin
Hebrew
Hungarian
Italian
Icelandic
Irish
Japanese
Kazakh
Korean
Latin American
Norwegian
Norwegian with Sami
Polish 214
Polish Programmers
Portuguese Brazil
Portuguese Portugal
English (US International)
English (UK Extended)
Estonian
French (Belgium)
French (France)
French (Canada)
French (Swiss)
Finnish
Gaelic
German (Standard)
German (IBM)
Greek
Greek Latin
Greek 220
Romanian
Russian
Russian Typewriter
Slovak
Slovak QWERTY
Slovenian
Spanish (Spain)
Spanish (International)
Spanish Variant
Swedish
Swiss German
Thai Kedmanee
Turkish F
Turkish Q
US Dvorak

Most of the keyboard layouts also support On-Screen representations.

Please note that other languages are available on request. We are continuously updating our language translations and encourage feedback from our users.

Windows Languages (auto detect)

English (United Kingdom)
English (United States)

System Requirements

Implementation documentation discussing appropriate hardware for typical installations of Endpoint Encryption is available from your representative.

Client

• Windows 2000, XP, 2003 Server, Vista 32bit (all versions), Vista 64bit (all versions)
• 128MB RAM, or OS minimum specification
• 5-35MB free hard disk space (depending on localization and number of desired users)
• Pentium compatible processor, multi-processor (up to 32 way), dual-core and hyper threading processors, Pentium-compatible processors such as AMD processors.
• For remote administration, a TCP/IP network connection is required.

Appendix

Legal Notices: McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com

McAfee, SafeBoot and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein are included only by reference and are the sole property of their respective owners. © 2007 McAfee, Inc. All rights reserved.

Your rights to install, run, copy, reproduce, distribute or make any other use of the

accompanying software is subject to your license agreement with McAfee, Inc. If you

have any questions, please review your software license or contact your McAfee

representative.

McAfee SafeBoot products make use of the following third party open source

technologies:

• ZLIB, a general compression library

• OpenSSL/OpenSSLeay - a general SSL/PKI communications library

• OpenLDAP - a general LDAP library

Open Source Components License Details

Communications Layer - ZLIB

==================

License

/* zlib.h -- interface of the 'zlib' general purpose compression library

version 1.2.2, October 3rd, 2004

Copyright (C) 1995-2004 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied

warranty. In no event will the authors be held liable for any damages

arising from the use of this software.

Permission is granted to anyone to use this software for any purpose,

including commercial applications, and to alter it and redistribute it

freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not


claim that you wrote the original software. If you use this software

in a product, an acknowledgment in the product documentation would be

appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be

misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly [email protected]

Mark Adler [email protected]

*/

Communications Layer and LDAP Connector - OpenSSL/OpenSSLEAY

=========================================

LICENSE ISSUES

==============

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of

the OpenSSL License and the original SSLeay license apply to the toolkit.

See below for the actual license texts. Actually both licenses are BSD-style

Open Source licenses. In case of any license issues related to OpenSSL

please contact [email protected].

OpenSSL License

---------------

/* ====================================================================

* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.

*

* Redistribution and use in source and binary forms, with or without

* modification, are permitted provided that the following conditions

* are met:

*

* 1. Redistributions of source code must retain the above copyright

* notice, this list of conditions and the following disclaimer.

*

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in

* the documentation and/or other materials provided with the

* distribution.

*

* 3. All advertising materials mentioning features or use of this

* software must display the following acknowledgment:

* "This product includes software developed by the OpenSSL Project

* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

*

* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to


* endorse or promote products derived from this software without

* prior written permission. For written permission, please contact

* [email protected].

*

* 5. Products derived from this software may not be called "OpenSSL"

* nor may "OpenSSL" appear in their names without prior written

* permission of the OpenSSL Project.

*

* 6. Redistributions of any form whatsoever must retain the following

* acknowledgment:

* "This product includes software developed by the OpenSSL Project

* for use in the OpenSSL Toolkit (http://www.openssl.org/)"

*

* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR

* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

* OF THE POSSIBILITY OF SUCH DAMAGE.

* ====================================================================

*

* This product includes cryptographic software written by Eric Young

* ([email protected]). This product includes software written by Tim

* Hudson ([email protected]).

*

*/

Original SSLeay License

-----------------------

/* Copyright (C) 1995-1998 Eric Young ([email protected])

* All rights reserved.

*

* This package is an SSL implementation written

* by Eric Young ([email protected]).

* The implementation was written so as to conform with Netscapes SSL.

*

* This library is free for commercial and non-commercial use as long as

* the following conditions are aheared to. The following conditions

* apply to all code found in this distribution, be it the RC4, RSA,

* lhash, DES, etc., code; not just the SSL code. The SSL documentation

* included with this distribution is covered by the same copyright terms

* except that the holder is Tim Hudson ([email protected]).

*

* Copyright remains Eric Young's, and as such any Copyright notices in

* the code are not to be removed.

* If this package is used in a product, Eric Young should be given attribution


* as the author of the parts of the library used.

* This can be in the form of a textual message at program startup or

* in documentation (online or textual) provided with the package.

*

* Redistribution and use in source and binary forms, with or without

* modification, are permitted provided that the following conditions

* are met:

* 1. Redistributions of source code must retain the copyright

* notice, this list of conditions and the following disclaimer.

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in the

* documentation and/or other materials provided with the distribution.

* 3. All advertising materials mentioning features or use of this software

* must display the following acknowledgement:

* "This product includes cryptographic software written by

* Eric Young ([email protected])"

* The word 'cryptographic' can be left out if the rouines from the library

* being used are not cryptographic related :-).

* 4. If you include any Windows specific code (or a derivative thereof) from

* the apps directory (application code) you must include an acknowledgement:

* "This product includes software written by Tim Hudson ([email protected])"

*

* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

* SUCH DAMAGE.

*

* The licence and distribution terms for any publically available version or

* derivative of this code cannot be changed. i.e. this code cannot simply be

* copied and put under another distribution licence

* [including the GNU Public Licence.]

*/

Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.

This software is not subject to any license of the American Telephone

and Telegraph Company or of the Regents of the University of California.


Permission is granted to anyone to use this software for any purpose on

any computer system, and to alter it and redistribute it, subject

to the following restrictions:

1. The author is not responsible for the consequences of use of this

software, no matter how awful, even if they arise from flaws in it.

2. The origin of this software must not be misrepresented, either by

explicit claim or by omission. Since few users ever read sources,

credits must appear in the documentation.

3. Altered versions must be plainly marked as such, and must not be

misrepresented as being the original software. Since few users

ever read sources, credits must appear in the documentation.

4. This notice may not be removed or altered.


LDAP Connector - OpenLDAP

=================

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

/*-

* Copyright (c) 1994

* The Regents of the University of California. All rights reserved.

*

* Redistribution and use in source and binary forms, with or without

* modification, are permitted provided that the following conditions

* are met:

* 1. Redistributions of source code must retain the above copyright

* notice, this list of conditions and the following disclaimer.

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in the


* documentation and/or other materials provided with the distribution.

* 3. All advertising materials mentioning features or use of this software

* must display the following acknowledgement:

* This product includes software developed by the University of

* California, Berkeley and its contributors.

* 4. Neither the name of the University nor the names of its contributors

* may be used to endorse or promote products derived from this software

* without specific prior written permission.

*

* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND

* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

* SUCH DAMAGE.

*

* @(#)COPYRIGHT 8.1 (Berkeley) 3/16/94

*/

LDAP Connector

==========

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

/*-

* Copyright (c) 1994

* The Regents of the University of California. All rights reserved.

*

* Redistribution and use in source and binary forms, with or without

* modification, are permitted provided that the following conditions

* are met:

* 1. Redistributions of source code must retain the above copyright

* notice, this list of conditions and the following disclaimer.

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in the

* documentation and/or other materials provided with the distribution.

* 3. All advertising materials mentioning features or use of this software

* must display the following acknowledgement:

* This product includes software developed by the University of

* California, Berkeley and its contributors.


* 4. Neither the name of the University nor the names of its contributors

* may be used to endorse or promote products derived from this software

* without specific prior written permission.

*

* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND

* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

* SUCH DAMAGE.

*

* @(#)COPYRIGHT 8.1 (Berkeley) 3/16/94

*/

LDAP Connector - The OpenLDAP Public License

=============================

Version 2.0.1, 21 December 1999

Copyright 1999, The OpenLDAP Foundation, Redwood City, California, USA.

All Rights Reserved.

Redistribution and use of this software and associated documentation

("Software"), with or without modification, are permitted provided

that the following conditions are met:

1. Redistributions of source code must retain copyright

statements and notices. Redistributions must also contain a

copy of this document.

2. Redistributions in binary form must reproduce the

above copyright notice, this list of conditions and the

following disclaimer in the documentation and/or other

materials provided with the distribution.

3. The name "OpenLDAP" must not be used to endorse or promote

products derived from this Software without prior written

permission of the OpenLDAP Foundation. For written permission,

please contact [email protected].

4. Products derived from this Software may not be called "OpenLDAP"

nor may "OpenLDAP" appear in their names without prior written

permission of the OpenLDAP Foundation. OpenLDAP is a trademark

of the OpenLDAP Foundation.


5. Due credit should be given to the OpenLDAP Project

(http://www.openldap.org/).

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS

``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT

NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND

FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL

THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,

INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

OF THE POSSIBILITY OF SUCH DAMAGE.

Making Endpoint Encryption for PC FIPS Compliant

The following procedures must be followed to operate the McAfee Endpoint Encryption for PC cryptographic module in a FIPS Approved mode:

1. The module software must be operating in "FIPS" mode. This is done by setting the FIPS registry key value from 0 (disabled) to 1 (enabled). The first step is to create a FIPS registry script (see Appendix A for details). Once the file is created, right-click on the newly created .reg file and select Merge from the drop down menu.

2. To verify that the registry has been updated properly, the user must install a registry editor, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier and verify that the value of FipsMode equals 1.

3. All application databases and external media on the device where McAfee Endpoint Encryption for PC has been installed MUST be fully encrypted. This is performed by setting the module's internal memory encryption parameter to Encrypt Entire Device.

4. The PC used to run the McAfee Endpoint Encryption for PC Client must be built using production grade components and configured in a single operator mode. To do this, the following operating system services must be disabled:

• Fast user switching
• Terminal services
• Remote registry service
• Secondary logon service
• Telnet service
• Remote desktop and Remote assistance services

Creating the FIPS enable script

The following needs to be saved to a text file with the extension ".reg" and then merged into the registry as a requirement for installing the module in a FIPS-compliant mode of operation:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier]
"FipsMode"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\1]
"Path"="c:\\windows\\system32\\drivers\\SafeBoot.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\2]
"Path"="c:\\windows\\system32\\drivers\\SbAlg.sys"

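As an added example that is not part of the guide, the following PowerShell script checks the prerequisites of the FIPS procedure above after the .reg file has been merged: that FipsMode under the Verifier key equals 1, that the two registered driver paths exist on disk, and that the services the procedure lists are disabled. The mapping of the guide's service descriptions to Windows service names, and the use of the fAllowToGetHelp registry value for Remote Assistance, are assumptions of this example.

```powershell
# Added example (not from the guide): verify the FIPS-mode prerequisites.
# The registry key and value names come from the guide's .reg script; the
# service-name mapping further down is an assumption of this example.

$verifierKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RsvLock\Verifier'

# Step 2 of the procedure: FipsMode under the Verifier key must equal 1.
function Test-FipsModeEnabled {
    $props = Get-ItemProperty -Path $verifierKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.FipsMode) {
        Write-Warning "FipsMode value not found under $verifierKey"
        return $false
    }
    return ([int]$props.FipsMode -eq 1)
}

# The .reg script also registers two driver paths under subkeys 1 and 2.
# Confirm that each registered path points at a file that exists on disk.
function Test-VerifierDriverPaths {
    $ok = $true
    foreach ($sub in 1, 2) {
        $entry = Get-ItemProperty -Path "$verifierKey\$sub" -ErrorAction SilentlyContinue
        if ($null -eq $entry -or -not $entry.Path) {
            Write-Warning "Verifier subkey $sub has no Path value"
            $ok = $false
        }
        elseif (-not (Test-Path -LiteralPath $entry.Path)) {
            Write-Warning "Registered driver not found on disk: $($entry.Path)"
            $ok = $false
        }
    }
    return $ok
}

# Step 4: single operator mode. Assumed mapping from the guide's service
# descriptions to Windows service names. Terminal Services and Remote Desktop
# share one service; Fast User Switching is a service only on Windows XP;
# Remote Assistance is a registry setting rather than a service.
$mustBeDisabled = @{
    'Terminal services / Remote desktop' = 'TermService'
    'Remote registry service'            = 'RemoteRegistry'
    'Secondary logon service'            = 'seclogon'
    'Telnet service'                     = 'TlntSvr'
    'Fast user switching'                = 'FastUserSwitchingCompatibility'
}

function Test-SingleOperatorMode {
    $ok = $true
    foreach ($entry in $mustBeDisabled.GetEnumerator()) {
        # Win32_Service works back to PowerShell 2.0 and exposes StartMode.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($entry.Value)'"
        if ($null -eq $svc) { continue }   # not installed: nothing to disable
        if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') {
            Write-Warning ('{0} ({1}): state {2}, start mode {3}' -f
                $entry.Key, $entry.Value, $svc.State, $svc.StartMode)
            $ok = $false
        }
    }
    # Remote Assistance: fAllowToGetHelp = 0 means disabled (assumed check).
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -ErrorAction SilentlyContinue
    if ($ts -and $null -ne $ts.fAllowToGetHelp -and $ts.fAllowToGetHelp -ne 0) {
        Write-Warning 'Remote Assistance (fAllowToGetHelp) is still enabled'
        $ok = $false
    }
    return $ok
}

# Run all three checks and print one PASS/FAIL line per requirement.
$checks = @(
    @{ Name = 'FipsMode = 1';          Pass = (Test-FipsModeEnabled) },
    @{ Name = 'Verifier driver paths'; Pass = (Test-VerifierDriverPaths) },
    @{ Name = 'Single operator mode';  Pass = (Test-SingleOperatorMode) }
)
foreach ($c in $checks) {
    '{0,-24} {1}' -f $c.Name, $(if ($c.Pass) { 'PASS' } else { 'FAIL' })
}
```

Run it from an elevated prompt on the client after merging the .reg file; each warning names the requirement that still needs attention.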

Index

Active Directory, 10 ActivIdentity, 20, 141 algorithm, 5, 8, 12, 83, 99, 100, 140 Attributes 

explained, 6 Auditing, 66 authentication, 5, 7, 9 Authentication 

with a smart card, 5 AutoBoot User, 33, 34 Auto‐boot users 

autoboot user, 14, 37 

BIOS Error codes, 138 

boot once, 73 boot process, 60 boot protection status, 31 

cache, 66 CE Server, 8 challenge / response, 71 Client 

creating an install set, 51 installing, 56 overview of, 8 synchronising, 60 using, 59 

Connector Manager overview of, 10 

cryptography, 2 Cryptography 

decryption, 60 encryption, 5, 9, 35, 100 

Data Recovery, 5 

decrypt, 31 Default Password, 13, 14, 37, 74 deploy, 10, 11, 44, 45, 52, 61 disable, 40, 57, 58 disabling users. See Users DNS, 29, 95 DSA, 7 

enabling users. See Users encryption, 35 Encryption 

algorithms, 140 windows swap file, 5 

Encryption Algorithm, 5, 8, 12, 99, 100, 140 Encryption Algorithms 

RC5, 140 Endpoint Encryption. See Client Endpoint Encryption CE Server, 8 Endpoint Encryption Components 

Endpoint Encryption File Encryptor, 4 VDisk, 4 

Endpoint Encryption File Encryptor, 4 Endpoint Encryption Server 

overview of, 7 Entities 

explained, 6 error codes, 93, 118, 138 error messages, 118 

File Encryption overview of, 9 

file group management, 44 Files 

deleting and exporting, 45 importing new, 45 ini files, 85 program and driver files, 99 properties, 46 

FIPS Approved, 152 force sync, 15, 50, 77 


Force Sync, 29, 40, 50, See Machines 

groups, 13, 28, 30, 31, 37, 41, 44, 49, 51, 68, 80 

Importing Machines Importing a transfer database. See Offline Installs 

IP Address, 6, 7, 8, 29, 144 

LDAP, 8, 10 

Machines adding users to, 37 configuring, 31 creating, 28 Forcing Syncronization, 29 rebooting, 30 recovering, 71 synchronisation of, 39 

Microsoft, 5, 55, 61, 99 

NT Domain, 10 

object directory, 6, 7, 8, 9, 10, 11, 12, 15, 28, 33, 35, 39, 40, 46, 49, 52, 54, 59, 60, 63, 65, 66, 73, 95 

Objects explained, 6 

Offline Installs, 52 

Password Default, 13, 14, 37, 74 

passwords, 5, 7, 9, 32, 61, 63 Reset, 73 

Pentium, 144 performance, 8, 140 Placeholder, 28, 52, 53 Pocket Windows 

2002, 8 privileges, 7 

quickstart guide, 3 

RC5, 140 Reboot Machine. See Machines recovery, 5, 8, 9, 36, 38, 71, 72, 73, 74, 99 Recovery 

offline, 71 online, 77 

registry, 11, 47, 49, 99, 101 Registry File, 49 relogon, 65 removing Endpoint Encryption, 56 reset password, 73 RSA, 8, 9 

SafeTech, 99 SBAdmCL, 66 screen saver, 61 service, 39 smart card. See Authentication smartport, 141 Smarty, 140 synchronising machines, 39 

TCP/IP, 6, 7, 8, 144 Tokens 

changing during recovery, 74 transport database, 53 troubleshooting, 117 

US legislation 508, 61 user status, 6 Users 

device access, 15 enabling and disabling, 14 recovering, 71 

virus protection, 33 


warning text, 38 Windows 2000, 47 Windows CE, 8 windows logon, 32, 61, 63 

Windows Logon how it works, 64 

X500, 8, 10