(endpoint mcafee)eem5210 admin guide


  • 7/22/2019 (Endpoint Mcafee)EEM5210 Admin Guide

    1/126

    McAfee Endpoint Encryption Manager 5.2.10 Administration Guide


    COPYRIGHT

    Copyright 2011 McAfee, Inc. All Rights Reserved.

    No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

    TRADEMARK ATTRIBUTIONS

    AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE

    EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    LICENSE INFORMATION

    License Agreement

    NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


    Contents

    Introduction  7
        What is McAfee Endpoint Encryption for PC  7
        Design philosophy  8
        How McAfee Endpoint Encryption solution works  8
        The Endpoint Encryption components  9
        About this guide  12
        Conventions  12
        Finding product documentation  13
        Requirements  13
    Installing Endpoint Encryption Manager  14
        Install Endpoint Encryption Manager  14
        Upgrade Endpoint Encryption Manager  14
    Endpoint Encryption Manager interface  16
        Administration level  16
        Starting McAfee Endpoint Encryption Manager  17
        Groups of users, systems, and other objects  17
        Finding orphaned objects using Group Scan  18
        Audit trails  18
    The Endpoint Encryption Object Directory  19
        The Object Directory structure  19
        Object locking  20
    User management  21
        Creating and configuring users  21
        User administration functions  22
        User configuration options  23
        Setting user administrative privileges  33
    Tokens  36
        Hardware device support  36
        Endpoint Encryption application support  36
        Assigning the token to the user and creating it  36
        Install and configure Upek fingerprint reader  37
    File Groups and Management  38
        Endpoint Encryption file groups  38
        Setting file group functions  40
        Importing new files  40
        Exporting files  40
        Deleting files  40
        Setting file properties  40
    Auditing  43
        Common audit events  43
    Managing Object Directories  47
        Managing connections  47
        Adding a new directory connection  48
    Endpoint Encryption Server  49
        Installing the Endpoint Encryption Server program  49
        Creating a new server  50
        Server configuration  51
        Using server/client authentication  51
        Service account parameters  52
    Keys  54
        Key administration functions  54
        Key configuration options  55
        Users  56
    Policies  57
        Add a policy  57
        Managing policies  58
        Assign a policy object to a user  58
        Assign a policy object to a system  59
    Endpoint Encryption connector manager  60
        Connector manager tools  60
        Adding and removing connector instances  61
    NT Connector (NTCon)  62
        Summary of connected attributes  62
        General options  63
        Group mappings  64
        User information  64
    LDAP Connector (LDAPCon)  65
        Summary of connected attributes  65
        General options  66
        Group mappings  68
        User mapping  69
        User attributes  69
        Excluded users  70
        Using binary data attributes  70
        LDAP browser from Softerra  71
    Active Directory Connector (ADCon)  73
        Summary of connected attributes  73
        General options  74
        Group mappings  77
        User mapping  77
        User attributes  78
        Excluded users  79
        Using binary data attributes  79
        LDAP browser from Softerra  79
    Endpoint Encryption webHelpdesk server  81
        About Endpoint Encryption HTTP server  81
        webRecovery  82
        Remote password change  83
        Prerequisites  83
        Password expiration warning  84
    Activating Endpoint Encryption webHelpdesk  85
        Install an SSL Certificate  85
        Configuring the webHelpdesk server  86
        Configuring webRecovery  87
    Recovering users using webHelpdesk  89
        With Challenge-Response  89
        Recovering users by directly changing their password  91
    User self recovery: webRecovery  91
        Registering for webRecovery  92
        Recovery using webRecovery  94
    License management  96
        License information  96
    Common criteria EAL4 mode operation  98
        Administrator guidance  98
        User guidance  99
    Tuning the Object Directory (The Name Index)  100
        About name indexing  100
        Enabling and configuring name indexing  100
        Enabling directory compression  101
    Endpoint Encryption configuration files  103
        sbnewdb.ini  103
    Endpoint Encryption Manager program and driver files  109
        Exe file  109
        DLL file  109
        SYS file  109
    Error messages  111
        Module codes  111
        5501 Web Server page errors  112
        5502 Web Server user web recovery  113
        5C00 communications protocol  113
        5C02 communications cryptographic  114
        A100 algorithm errors  114
        C100 scripting errors  114
        DB00 database errors  115
        DB01 database objects  116
        DB02 database attributes  117
        E000 Endpoint Encryption general  117
        E001 tokens  117
        E012 licenses  118
        E013 installer  119
        E014 hashes  119
        E016 administration center  120
        92h error  120
    Technical specifications and options  121
        Encryption algorithms  121
        Language support  122
        System requirements  122


    Introduction

    McAfee Endpoint Encryption features a new dimension in IT security, incorporating many new enterprise-level options, including automated upgrades, file deployment, flexible grouping of users and centralized user management. In addition, user credentials can be imported and synchronized with other deployment systems.

    Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD worth of lost data. Is your data safely stored? Ever thought about the risks you run for your company and your clients? The Endpoint Encryption product range was developed with the understanding that the data stored on a computer is often much more valuable than the hardware itself.

    Contents

    What is McAfee Endpoint Encryption for PC

    Design philosophy

    How McAfee Endpoint Encryption solution works

    The Endpoint Encryption components

    About this guide

    Conventions

    Finding product documentation

    Requirements

    What is McAfee Endpoint Encryption for PC

    To ensure data protection in today's dynamic IT environment, we need to protect what matters most: the data. McAfee Endpoint Encryption for PC is a strong cryptographic facility for denying unauthorized access to data stored on any system or disk when it is not in use. It prevents the loss of sensitive data, especially from lost or stolen equipment. It protects the data with strong access control using Pre-Boot Authentication and a powerful encryption engine. Note the scope: this is protection of data at rest. Once a user has passed Pre-Boot Authentication and the operating system is running, the disk is decrypted transparently for everything that executes on that system.

    To log on to a system, the user must first authenticate through the Pre-Boot environment. On successful authentication, the client system's operating system loads and gives access to normal system operation. McAfee Endpoint Encryption for PC is completely transparent to the user and has little impact on the performance of the computer.

    McAfee Endpoint Encryption for PC is the encryption software installed on client systems. It is deployed and managed through the Endpoint Encryption Manager using policies. A policy is a set of rules that determine how encryption functions on the user's computer.


    Design philosophy

    The Endpoint Encryption product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a Smart Card, Fingerprint or USB Key. McAfee also has optional File and Media encryption programs (VDisk, File Encryptor and Endpoint Encryption for Files and Folders), as well as hardware VPN solutions, further enhancing the security offered. Endpoint Encryption supports the following operating systems:

    Microsoft Windows 2000 Professional

    Microsoft Windows XP Professional (32-bit only)

    Microsoft Windows Vista 32-bit and 64-bit (all versions)

    Microsoft Windows Server 2003 and 2008

    Microsoft Windows 7

    All Endpoint Encryption products are centrally managed through a single system, which supports scalable implementations and rich administrator control of policies.

    How McAfee Endpoint Encryption solution works

    McAfee Endpoint Encryption for PC protects the data on a system by taking control of the hard disk from the operating system. The Endpoint Encryption driver encrypts all data written to the disk and decrypts all data read from it, so the file system above it never sees ciphertext and the platters below it never hold plaintext.
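    The driver behaviour described above (every sector written is encrypted, every sector read is decrypted, and the file system is unaware of either) can be modelled in a few dozen lines. The Go program below is an added illustration written for this page; it is not McAfee's driver code, and since this section does not name the product's cipher mode it uses AES-256-CBC with an ESSIV-style per-sector IV (the sector number encrypted under a key hashed from the disk key), which is one real disk-encryption construction. The key, sector count and payload are constructed for the demo. It shows two things worth knowing about any sector-level scheme: the backing store never holds plaintext, and two identical sectors do not produce identical ciphertext because the IV depends on the sector number.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const SectorSize = 512

// EncryptedDisk is a toy block device standing in for the driver: Write stores
// every sector encrypted in backing, Read decrypts on the way out, and the
// caller (the file system) only ever handles plaintext.
type EncryptedDisk struct {
	data    cipher.Block // AES-256 with the disk key
	ivGen   cipher.Block // AES-256 with SHA-256(disk key), used to derive IVs (ESSIV)
	backing [][]byte     // ciphertext sectors: what a thief reads off the platters
}

func NewEncryptedDisk(key []byte, sectors int) (*EncryptedDisk, error) {
	data, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ivKey := sha256.Sum256(key)
	ivGen, err := aes.NewCipher(ivKey[:])
	if err != nil {
		return nil, err
	}
	d := &EncryptedDisk{data: data, ivGen: ivGen, backing: make([][]byte, sectors)}
	for i := range d.backing {
		d.backing[i] = make([]byte, SectorSize)
	}
	return d, nil
}

// sectorIV encrypts the sector number under the IV key (ESSIV), so each sector
// gets a distinct IV that an attacker without the key cannot predict.
func (d *EncryptedDisk) sectorIV(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	d.ivGen.Encrypt(iv, iv)
	return iv
}

func (d *EncryptedDisk) check(sector uint64, n int) error {
	if sector >= uint64(len(d.backing)) {
		return fmt.Errorf("sector %d out of range", sector)
	}
	if n != SectorSize {
		return fmt.Errorf("sector I/O must be exactly %d bytes, got %d", SectorSize, n)
	}
	return nil
}

// Write encrypts a plaintext sector with AES-CBC under the per-sector IV.
func (d *EncryptedDisk) Write(sector uint64, plaintext []byte) error {
	if err := d.check(sector, len(plaintext)); err != nil {
		return err
	}
	cipher.NewCBCEncrypter(d.data, d.sectorIV(sector)).CryptBlocks(d.backing[sector], plaintext)
	return nil
}

// Read decrypts a sector transparently for the caller.
func (d *EncryptedDisk) Read(sector uint64) ([]byte, error) {
	if err := d.check(sector, SectorSize); err != nil {
		return nil, err
	}
	out := make([]byte, SectorSize)
	cipher.NewCBCDecrypter(d.data, d.sectorIV(sector)).CryptBlocks(out, d.backing[sector])
	return out, nil
}

// RawSector returns the ciphertext as stored: the view of someone who has the
// drive but has not passed pre-boot authentication.
func (d *EncryptedDisk) RawSector(sector uint64) []byte {
	return d.backing[sector]
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; a real one comes from the key store
	disk, err := NewEncryptedDisk(key, 8)
	if err != nil {
		panic(err)
	}
	payroll := bytes.Repeat([]byte("PAYROLL "), SectorSize/8)
	_ = disk.Write(0, payroll)
	_ = disk.Write(1, payroll)
	back, _ := disk.Read(1)
	fmt.Printf("read back plaintext: %v; identical sectors stored identically: %v\n",
		bytes.Equal(back, payroll), bytes.Equal(disk.RawSector(0), disk.RawSector(1)))
}
```

    Run it with go run. Two caveats carry over to the real product: encryption of this kind gives confidentiality at rest only, since nothing authenticates a sector against tampering, and once the pre-boot logon has succeeded every process on the running system reads plaintext through the driver, so it does nothing against malware on a booted machine.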

    The client software is installed on the client system. After installation, the system synchronizes with EEM and acquires the user data, token data, and Pre-Boot graphics. When this is complete, the user authenticates and logs on through the Pre-Boot environment, which loads the operating system, and uses the system as normal.

    On PDAs such as Pocket Windows and PalmOS, Endpoint Encryption installs applications and drivers to provide authentication and encryption services. Endpoint Encryption can protect memory cards and internal databases (such as e-mail and contact lists), and provide secure, manageable authentication services.

    Management

    Every time an Endpoint Encryption protected system starts, and optionally every time the user initiates a dial-up connection or after a set period of time, Endpoint Encryption tries to contact its Object Directory. This is a central store of configuration information for both systems and users, and is managed by Endpoint Encryption Administrators. The Object Directory could be on the user's local hard disk (if the user is working completely standalone), or could be in some remote location and accessed over TCP/IP through a secure Endpoint Encryption Server (in the case of a centrally managed enterprise).

    McAfee Endpoint Encryption applications query the directory for any updates to their configuration and, if needed, download and apply them. Typical updates could be a new user assigned to the system by an administrator, a change in password policy, an upgrade to the Endpoint Encryption operating system, or a new file specified by the administrator. At the same time, Endpoint Encryption uploads details such as the latest audit information, any user password changes, and security breaches to the Object Directory. In this way, transparent synchronization of the enterprise becomes possible.


    Objects, entities, and attributes explained

    The Endpoint Encryption database stores information about users, systems, servers, PDAs etc. in collections called objects. From an internal point of view, it does not matter to Endpoint Encryption what an object represents; only the information in it matters. So an object representing a user, say John Smith, and an object representing a system, for example John's Laptop, both contain information about encryption keys, account status and administration level.

    Within the object are collections of configuration data called attributes; again, the same type of attribute may exist across many object types. To take our previous example of John and his laptop, the details of the encryption keys, user status and administration level would all be stored as separate attributes.

    Entities are applications within the Endpoint Encryption system. Because of the generality of the object design, all Endpoint Encryption applications also have some generality about them: for instance, the entity representing the Endpoint Encryption client and the entity representing the Endpoint Encryption Server both authenticate to the Object Directory in the same way, as an object which could be a system or a user; which one it is does not matter. This generality is mainly hidden from users and administrators, but because of this core design, you will find that many Endpoint Encryption related functions and tasks are common between users, systems and entities.

    The Endpoint Encryption components

    Endpoint Encryption Manager (EEM)

    The most important component of the Endpoint Encryption enterprise is the Endpoint Encryption Manager, the administrator interface. This utility allows privileged users to manage the enterprise from any workstation that can establish a TCP/IP link or file link to the Object Directory.

    Figure 1: Endpoint Encryption Manager

    Typical procedures that the Endpoint Encryption Administrator handles are:


    Adding users to systems

    Configuring Endpoint Encryption protected systems

    Creating and configuring users

Revoking users' logon privileges

    Updating file information on remote systems

    Recovering users who have forgotten their passwords

    Creating logon tokens such as smart cards for users.

    Endpoint Encryption Server

The Endpoint Encryption Server facilitates connections between the client and Endpoint Encryption Manager, and the central Object Directory over an IP connection. The server performs authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that snooping the connection cannot result in any secure key information being disclosed.

The server exposes the Object Directory through fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet/Intranet, allowing clients to connect wherever they are. As all communications between the server and client are encrypted and authenticated, there is no security risk in exposing it in this way.

There is a unique PDA Server which provides similar services to PDAs such as Microsoft Pocket Windows and PalmOS devices.

    Endpoint Encryption Object Directory

The Endpoint Encryption Object Directory is the central configuration store for EEPC and is used as a repository of information for all the Endpoint Encryption entities. The default directory uses the operating system's file system driver to provide a high performance, scalable system which mirrors an X500 design. Alternative stores such as LDAP are possible; contact your Endpoint Encryption representative for details. The standard store has a capacity of over 4 billion users and machines. Typical information stored in the Object Directory includes:

    User Configuration information

    Machine Configuration information

    Client and administration file lists

    Encryption key and recovery information

    Audit trails

    Secure Server Key information.


    Endpoint Encryption for PC Client

The Endpoint Encryption for PC client software is largely invisible to the end user. The only visible part is an entry, the Endpoint Encryption icon, in the user's tool tray.

    Figure 2: Endpoint Encryption client

Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator has set this option). Right-clicking on the monitor allows them to perform a manual synchronization with their Object Directory, or monitor the progress of any active synchronization.

Normally the Endpoint Encryption client attempts to connect to its home server or directory each time the system restarts or establishes a new dial-up connection. During this process, any configuration changes made by the Endpoint Encryption administrator are collected and implemented by the Endpoint Encryption client. In addition, information such as the latest audit logs is uploaded to the directory.

    Endpoint Encryption PDA server

The Endpoint Encryption PDA Server facilitates connections between entities such as the Endpoint Encryption client, the Management Center and the central Object Directory over an IP connection (rather than the file based "local" connection). The server performs authentication of the entity using DSA signatures and link encryption using Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that snooping the connection cannot result in any secure key information being disclosed.

NOTE: The default port for PDA Server is 5557.

The server exposes the Object Directory through fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet or Intranet, allowing clients to connect wherever they are. As all communications between the server and client are encrypted and authenticated, there is no security risk in exposing it in this way.

    Endpoint Encryption file encryptor

By right-clicking on a file, users can elect to encrypt it using various keys. Files can be encrypted with other Endpoint Encryption users' keys, and/or passwords.

Once protected in this way, the file can be sent elsewhere, for example through e-mail or on a floppy disk, without the risk of disclosure.

When the file needs to be used, it just needs to be double-clicked; a password or logon prompt is presented for authentication and, if correct, the file is decrypted. The File Encryptor also has an option to create an RSA key pair for recovery: if the password to a file is lost, the file can still be recovered using the correct recovery key.

    Endpoint Encryption Connector Manager

Endpoint Encryption's object directory keeps track of security information. It is designed so that synchronization of details between Endpoint Encryption and other systems is possible. The Connector Manager is a customizable module which enables data from systems such as X500 directories (commonly used in PKI infrastructures) to propagate to the Endpoint Encryption Object Directory. Using this mechanism, it is possible to replicate details such as a user's account status between Endpoint Encryption for PC and other directories.

Current connector options include LDAP, Active Directory, and an NT Domain Connector. For information on these components, contact your Endpoint Encryption representative, or see the Endpoint Encryption Manager Administration Guide.

About this guide

This document helps corporate security administrators to implement and deploy the Endpoint Encryption Manager. Although this guide is complete in terms of setting up and managing Endpoint Encryption systems, it does not attempt to teach the topic of Enterprise Security as a whole.

Refer to the Administration Guides for individual Endpoint Encryption products, such as Endpoint Encryption for PC, for specific information.

    Target audience

This guide is designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, is required.

Conventions

This guide uses the following typographical conventions.

Book title or Emphasis   Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold                     Text that is strongly emphasized.
User input or Path       Commands and other text that the user types; the path of a folder or program.
Code                     A code sample.
User interface           Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue           A live link to a topic or to a website.
Note                     Additional information, like an alternate method of accessing an option.
Tip                      Suggestions and recommendations.
Important/Caution        Valuable advice to protect your computer system, software installation, network, business, or data.
Warning                  Critical advice to prevent bodily harm when using a hardware product.


Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access...          Do this...
User documentation    1 Click Product Documentation.
                      2 Select a Product, then select a Version.
                      3 Select a product document.
KnowledgeBase         Click Search the KnowledgeBase for answers to your product questions.
                      Click Browse the KnowledgeBase for articles listed by product and version.

Requirements

System requirements

Systems                       Requirements
Endpoint Encryption Manager   CPU: Pentium III 1GHz or higher.
                              RAM: 512 MB minimum (1 GB recommended).
                              Hard Disk: 200 MB minimum free disk space.

Operating system requirements

Systems                       Software
Endpoint Encryption Manager   Microsoft Windows 7 32-bit and 64-bit
                              Microsoft Windows 2000 Professional
                              Microsoft Windows XP Professional (32-bit only)
                              Microsoft Vista 32-bit and 64-bit (all versions)
                              Microsoft Windows Server 2003 and 2008


    Installing Endpoint Encryption Manager

McAfee Endpoint Encryption Manager is the administration tool for managing all Endpoint Encryption applications.

NOTE: If you are unfamiliar with Endpoint Encryption, you should follow the Endpoint Encryption for PC Quick Start Guide, which describes setting up an Endpoint Encryption enterprise. Please read the Quick Start Guide before tackling any of the topics in this guide. You will find this in your Endpoint Encryption box, or on your Endpoint Encryption CD.

    Install Endpoint Encryption Manager

    Upgrade Endpoint Encryption Manager

Install Endpoint Encryption Manager

Install Endpoint Encryption Manager by running the appropriate setup.exe from the Endpoint Encryption CD or download.

    Before you begin

You should run this first on the system that will be the master or administrator's system.

    Task

    1 Run the appropriate setup.exe from the Endpoint Encryption CD or download.

2 Follow the on-screen prompts and select a language, a smart card reader, and an encryption algorithm. The McAfee Endpoint Encryption Manager software is now installed on your system.

3 Restart your system. The Endpoint Encryption Management suite adds the required items to your system start menu: Endpoint Encryption Manager, which starts the management console; and the Database Server, which starts the communication server and provides encrypted links between clients and the configuration.

4 Run the Endpoint Encryption Manager program. A wizard walks you through the creation of a new Endpoint Encryption directory.

NOTE: If you have an existing Object Directory in your network, you can connect to it by cancelling the wizard and manually configuring a connection.

    For information on this procedure, see Managing Object Directories.

Upgrade Endpoint Encryption Manager

Use this task to upgrade Endpoint Encryption Manager to the latest version of the software.


    Before you begin

Make sure you install this package to a system where the Endpoint Encryption Manager database is already present.

    Task

For option definitions, click ? in the interface.

1 Download the Endpoint Encryption Manager software from the McAfee download site.

2 Run the setup file and complete the upgrade. See Install Endpoint Encryption Manager for the installation procedures.

NOTE: See the Endpoint Encryption Update and Migration Guide (contained in the download) for more details.


    Endpoint Encryption Manager interface

McAfee Endpoint Encryption Manager allows certain classifications of user to manage and interact with the backend Object Directory. Users and systems can perform certain tasks and change certain details within the directory, depending upon their assigned Administration Privilege and administrative rights.

    Contents

    Administration level

    Starting McAfee Endpoint Encryption Manager

    Groups of users, systems, and other objects

    Finding orphaned objects using Group Scan

    Audit trails

Administration level

Each object in the directory has a certain administration privilege in the range 1 (lowest) to 32 (root administrator). No object except the root administrator can change the attributes of an object of its own privilege or above, but some attributes can be read regardless. This mechanism stops low privilege users from changing their own configuration, and protects high-level administrators from the activities of lower levels.

The recommended assigned privileges are:

User Classification     Administration Level
Root Administrator      32
Other Administrators    10
Normal Users            1
Normal Machines         1

NOTE: As there are no objects with a privilege above 32, all level 32 objects are treated equally and without restraint (except delete rights). This means that any top-level admin can edit the properties of any other top-level admin. However, a level 32 administrator with limited admin functions cannot add those restricted functions to another level 32 administrator. For this reason, it is recommended that general Endpoint Encryption administrators use accounts with a privilege below 32, and that the master (or root) administrator account is used only in extreme circumstances.

In addition to this rule, extra restrictions on what administration processes an individual may use can be set when they are created; for instance, the ability to add users may be blocked, as may the ability to create install sets.


This gives the ability to create high-privilege users with no admin abilities; these users cannot be administered or recovered by lower privilege users, although the lower level users may have access to the administration functions.
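The privilege rules above, worked through as a small Python model. This is an added example for readers of this guide, not code from McAfee or from Endpoint Encryption Manager; the object names, the rights set, and the extension of the "cannot hand out a function you lack yourself" rule to every target (the guide states it for level 32 targets) are assumptions of the example.

```python
from dataclasses import dataclass

ROOT_LEVEL = 32   # root administrator; 1 is the lowest privilege


@dataclass(frozen=True)
class DirectoryObject:
    """A user, system or entity in the Object Directory (illustrative model)."""
    name: str
    level: int                           # administration privilege, 1..32
    rights: frozenset = frozenset()      # administration functions the object may use

    def __post_init__(self):
        if not 1 <= self.level <= ROOT_LEVEL:
            raise ValueError(f"{self.name}: administration privilege must be 1..{ROOT_LEVEL}")


def can_edit_attributes(actor: DirectoryObject, target: DirectoryObject) -> bool:
    """No object except the root administrator may change the attributes of an
    object of its own privilege or above. Nothing exists above 32, so all
    level 32 objects are treated equally (delete rights aside)."""
    if actor.level == ROOT_LEVEL:
        return True
    return actor.level > target.level


def can_grant_right(actor: DirectoryObject, target: DirectoryObject, right: str) -> bool:
    """An administrator with limited admin functions cannot add a function it
    lacks to another administrator. The guide states this for level 32 targets;
    applying it to every target is an assumption of this example."""
    return can_edit_attributes(actor, target) and right in actor.rights


def can_change_own_configuration(obj: DirectoryObject) -> bool:
    """Self-modification is the 'same privilege' case, so only root qualifies."""
    return can_edit_attributes(obj, obj)
```

The interesting cases are the ones the NOTE describes: two level 32 objects can edit each other, but the one with limited admin functions cannot grant what it does not hold, and a level 20 user with an empty rights set is untouchable by a level 10 helpdesk administrator while having no administrative reach of its own.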

Starting McAfee Endpoint Encryption Manager

McAfee Endpoint Encryption Manager communicates with the Object Directory and requests a user authentication on start-up, which it uses to connect to an Object Directory. Users and administrators authenticate using their Endpoint Encryption credentials, so if they usually use a smart card to log in to Endpoint Encryption, they will need the same card to access Endpoint Encryption Manager.

    NOTE: For details on setting up connections to directories, see Managing Object Directories.

There is no real limit to the number of concurrent Endpoint Encryption sessions that can be connected to each directory, either directly or via an Endpoint Encryption Server. In the case of two administrators updating an object's configuration at the same time, the last one to click Save overrides all others. The limiting factor is the hardware supplying access to the directory, i.e. the network and server speed.

Groups of users, systems, and other objects

Within the Endpoint Encryption Directory, objects are grouped in order to simplify configuration. For example, in a large corporation with many departments, the Endpoint Encryption administrator may choose to create groups of systems based on their physical location, for instance Sales and Helpdesk.

The configuration of these two groups would be similar, but not identical; for instance, the Sales group of PCs may not synchronize with the Object Directory so often, and the Helpdesk PCs would not be receiving some sales-related database information.

    To facilitate configuration at group level, two types of group can be created:

    Controlled groups

Members of configuration-controlled groups cannot have their core configuration altered on a member-by-member basis (non-core items include the system description, for instance). All changes have to be made at group level, and immediately affect all members of the group. When an object is moved into a controlled group, it immediately loses its individuality and inherits the group's properties.

Controlled groups are used where it is not necessary to have many individual objects with their own configurations; for example, an administrator may choose to enforce a strict security policy which must be adhered to. In this situation, there is no scope for objects to have individual configurations. Another use is where a collection of systems needs to have their configurations synchronized as one. For example, if there was a controlled group of 200 systems with the property Endpoint Encryption enabled set as false, and the option was enabled at group level, this change would affect each system in the group. Each system would automatically enable Endpoint Encryption the next time it synchronizes with the directory.


    Free groups

Free groups have no master control; objects inherit the properties of the group when they are created, but this configuration is stored individually for the object and can be altered at any time. Existing objects moved into a free group do not inherit any group properties; they simply retain their own configurations. Changing the group configuration only affects new objects created within the group; it does not affect existing objects.

One group for each object type is defined as the default. Unless otherwise specified, this is the group under which new objects (systems, users etc.) appear and from which they inherit their initial attributes. This group may or may not be configuration controlled, and is displayed in bold type in the object tree. To set the default group, select it and use the right-click menu option Set as Default Group.
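The difference between controlled and free groups, together with what happens when an object is moved or reset to its group configuration (the Reset (All) to Group Configuration function described under User administration functions), as an added Python model. It is not part of Endpoint Encryption Manager; the configuration keys (sync_interval_min, ee_enabled) and the group and object names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    controlled: bool                  # True: configuration-controlled; False: free group
    config: dict                      # core configuration (constructed keys for the example)
    members: list = field(default_factory=list)


@dataclass
class DirectoryObject:
    name: str
    group: Group
    own_config: dict                  # the object's individual copy, used in free groups
    description: str = ""             # non-core item: editable whatever the group type


def create_object(name: str, group: Group) -> DirectoryObject:
    """New objects inherit the group's configuration at creation time."""
    obj = DirectoryObject(name, group, own_config=dict(group.config))
    group.members.append(obj)
    return obj


def effective_config(obj: DirectoryObject) -> dict:
    """Controlled members always see the group's current configuration;
    free-group members see their own, individually stored copy."""
    return dict(obj.group.config if obj.group.controlled else obj.own_config)


def set_object_option(obj: DirectoryObject, key: str, value) -> None:
    """Member-by-member change: refused for core configuration in a controlled group."""
    if obj.group.controlled:
        raise PermissionError(f"{obj.name}: core configuration is controlled by group {obj.group.name}")
    obj.own_config[key] = value


def set_description(obj: DirectoryObject, text: str) -> None:
    """Non-core items stay editable per object even in a controlled group."""
    obj.description = text


def set_group_option(group: Group, key: str, value) -> None:
    """Controlled group: every member picks this up at its next synchronization.
    Free group: only objects created afterwards start from the new value."""
    group.config[key] = value


def reset_to_group_configuration(obj: DirectoryObject) -> None:
    """Reset (All) to Group Configuration for one free-group member."""
    obj.own_config = dict(obj.group.config)


def move_object(obj: DirectoryObject, new_group: Group) -> None:
    """Into a controlled group: individuality is lost and group properties are inherited.
    Into a free group: the object keeps the configuration it currently has."""
    carried = effective_config(obj)
    obj.group.members.remove(obj)
    new_group.members.append(obj)
    obj.group = new_group
    obj.own_config = dict(new_group.config) if new_group.controlled else carried
```

Reading effective_config for a controlled member straight from the group is what makes the "200 systems enabled with one group-level change" behaviour automatic, while a free group only ever acts as a template at creation time.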

    Finding Objects

You can search the object trees either by typing into the Find box on the tool bar of Endpoint Encryption Manager, or by using the Filter or Find by ID options from the Objects menu.

Finding orphaned objects using Group Scan

The Group Scan feature within the Groups drop-down menu allows you to scan through any group and identify missing objects, for example systems, users, etc.

    Before you begin

Make sure that you have appropriate permissions to perform this task.

Task

1 Select a group from the Users, System, Policies, or Devices tabs.

    2 Click the Groups option from the menu bar.

3 Click Group Scan.

    4 Select a group from the drop down list.

5 Click OK. This begins a search across the selected group for orphaned objects. The report output will appear in the bottom right pane.

Audit trails

Endpoint Encryption audits most types of object. To view the current audit, select the object in question and use the right-click menu option View Audit. Audit trails can be exported as comma delimited files for use in other applications.

The ability for a user to view another user's audit is a function of their relative administration level and their View Audit administration right. It is recommended that not all users are given this permission.


    The Endpoint Encryption Object Directory

Endpoint Encryption stores all its configuration and security information in a central, generic data store referred to as the Object Directory. This store resembles a tree-based, modular, object-structured directory, similar in design to an X500 directory.

The Endpoint Encryption Configuration Manager on the protected system periodically checks this store via a connection manager (the Directory Manager) to see if there are any changes to apply, and delivers any updates necessary in return. The directory stores information for the configuration of users, systems etc. in logical Objects containing data blocks ("attributes").

    Contents

    The Object Directory structure

    Object locking

The Object Directory structure

The Object Directory manages three levels of information: object type, actual Objects, and attributes. This can be viewed as analogous to a file or directory system. The top level has the various object classifications: user, group, and system. Below this level are the individual Objects; for example, in the case of the user tree, there would be Objects containing the attributes for users. For each object there are many attributes, for example account status, private key, and password.

NOTE: Supported accessible Objects are Users, Systems, Servers, Files, Directories, and Groups. Endpoint Encryption makes no distinction between the different types of object at the management and access level. Only the Attributes stored within them differ. This independence greatly increases the speed at which the object store can work.

There is no requirement for any particular type of directory as long as the directory engine can support the minimum layout. All data sources are viable, for example ODBC, Access, LDAP, DAP, X500 etc.

Endpoint Encryption ships with two directory drivers: a high performance file system based driver for large corporate users, and a small single-file transport directory driver designed for single use and disconnected deployment. For information on porting Endpoint Encryption's backend directory to an alternate system, please contact your McAfee Services representative.

A simple pictorial layout of the directory structure could be explained thus:

Root Directory
  |
  +-- Users ----- Machines ----- Groups ----- Servers ----- Files          (Object Classes)
        |
        +-- User.0 ----- User.1 ----- User.2 ----- User.3 ----- User.n      (User level)
              |
              +-- Attrib.0 ----- Attrib.1 ----- Attrib.2 ----- Attrib.n     (Attributes containing configuration information)

This structure mirrors an X500 directory, and allows fast access to attributes and modification (adding new attributes, new object classes etc.) without significant effort.


Object locking

To prevent problems where two or more processes try to access the same data simultaneously, only one process can have write permission to an Object at any time. Normally an object such as a user is only locked during the actual write process; if there is a conflict in locks, one process will wait for the other to release. This usually takes only a few seconds. In the standard file managed directory, object locking is provided by the operating system itself.


    User management

New users can be created in Endpoint Encryption Manager by selecting the group they need to be in, and using the menu option Create User. You can also create users automatically using a connector to another directory, such as Active Directory, or an automated script. Please see the Endpoint Encryption Connector Manager chapter, or the Endpoint Encryption Scripting Tool User's Guide.

    Contents

    Creating and configuring users

User administration functions

User configuration options

    Setting user administrative privileges

Creating and configuring users

The new user's logon ID and recovery information about them can be entered. The user's password or token is inherited from the group, and can be set or generated at this point.

Figure 3: Creating new users

The fields of information are used to identify the user in case of a helpdesk issue, such as the user forgetting their password. The helpdesk and user can see the majority of these fields, but some may be defined as "hidden from user"; in this example, the field Group Access is one of those. Hidden fields can only be seen by administrators with a higher privilege than the user, or the root administrator.


This gives the helpdesk operator the ability to ask the user a question to validate their identity. For more information on recovery, see the Recovery chapters of your product administrator's guide.

Once created, the user assumes the configuration of the group they were created in. If this group is "controlled", then only a few options are available to be configured on a user-by-user basis. If the group is "Free" then, although the user assumes the properties of the group on creation, the parameters can then be set individually afterwards.

User administration functions

The following administration functions can be set for users, or groups of users.

    Create Token

Creates a new Token for the selected user; this could be a soft (password) token, or a hard token such as a smart card or eToken.

NOTE: In the case of hard tokens, creating the token does not necessarily set the user to actually use that token. This must be accomplished separately from the user's Token properties page.

    Reset Token

Resets the token authentication to the default. In the case of the soft (password) token, resets the password to 12345.

    NOTE: Some hard tokens may not be able to be reset using Endpoint Encryption - for exampleDatakey Smart Cards. In this case, contact the manufacturer of your token to determine thecorrect re-use procedure.

Set SSO Details

Sets the Single-Sign-On details for the user. For more information on SSO, see the Endpoint Encryption for PC Administration Guide.

    Force Password Change at Next Logon

Forces the user to change their password at their next logon. This policy option applies to both the Endpoint Encryption Manager and all compatible applications, such as Endpoint Encryption for PC.

    View Audit

    Displays the audit for the user.

    Reset (All) to Group Configuration

Resets the configuration of the user, or all the users in the group, to the group's configuration.

    Create Copy

    Creates a new object based on the selected object.


    Properties

    Displays the properties of the selected object.

User configuration options

The following configuration options can be set for users, or groups of users.

General

The General page enables you to display the User ID, manage auto-boot and the user accounts, and to manage other General options.

    Figure 4: User options-General

Table 1: General Options (Settings: General)

User ID
The user ID of a given user is the system-wide identifier that Endpoint Encryption uses internally to keep track of the user. This number is unique within the Object Directory and is displayed for technical support purposes. The user's recovery screens also show this number.

Auto-boot users
Special user IDs containing the tag $autoboot$ with a password of 12345 (or set by administrators) can be used to auto-boot an Endpoint Encryption for PC protected machine. This option is useful if an auto boot of a machine is needed, for example when updating software using a distribution package such as SMS or Zenworks. This ID should be used with caution though, as it effectively bypasses the security of Endpoint Encryption.

You can find out more about the $autoboot$ user from the Endpoint Encryption for PC Administration Guide.

Enabled
Shows whether the user account is enabled or not. The enabled status is always user selectable.

Once a system has synchronized, it checks the user account list to ensure that the currently logged on user is still valid (because they logged on at boot time before the network and Object Directory were available). Users with disabled accounts (or users who have been removed from the user list) will find the screen saver will activate and they will be unable to log in.

NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop the user from accessing the machine), you can use the force sync option of the machine's right-click menu to force an update. For more information see the Endpoint Encryption for PC Administration Guide.

Valid From/Until
Sets the period for which this account is valid. Once the period has passed, the user will no longer be able to log on. If the user is logged on while the account expires, then the user will not be automatically logged off the system (but if they reboot, or the screen saver activates, they will not be able to log on again).

Both Valid From and Valid Until settings can be made. This enables the administrator to set up accounts that self-activate sometime in the future and/or expire at some fixed point (for example, for contracted employees with a fixed term contract starting and expiring on a given day).

Change Picture
Allows the administrator to set a picture for the user. The picture helps the helpdesk in the identification of a user when doing a challenge or response password reset. The imported picture can be any size bitmap image.

User Defined Labels (Information Fields)
When a user is created several fields of information may be set to help the helpdesk identify the user during the recovery process. For a full description of the use of these fields see Creating Users, and Recovering Users and Machines.


    Password parameters

    Figure 5: User configuration-Password parametersTable 2: Password parameters

    DescriptionOptionsSettings

    Ticking this option prevents users from continuingto use the Endpoint Encryption default password

    Force Change if 12345Password change

    of12345. If this password is ever used, forinstance after recovering a user, it must bechanged before Endpoint Encryption allows theoperating system to boot. The force passwordchange mechanism is also supported in theWindows Screen Saver.

    Disables the Change Password option on theEndpoint Encryption boot screen, and on thedirectory logon screen.

    Prevent Change

    Endpoint Encryption records previouspasswords, and stops the user repeating old

    Enable Password History

    passwords when they are forced to changethem.

    The maximum number of previous passwordsthat can be saved is limited by the users token,typically a password token can remember 19previous passwords, whereas a smart card tokenonly 10. Passwords are added to the history listwhen the user sets them, so the defaultpassword (12345) may be used once again, asis not added to the history list when a user iscreated .

    Special smart card scripts can be made availablewhich increase the maximum history countbeyond 10, at the expense of the time neededto log on. For information on these scriptsplease contact your Endpoint Encryptionrepresentative.


    Require Change After: Forces the user to change their password after a period of days. Warn: Warns the user that their password will expire a set number of days in advance of their password change.

    Settings: Incorrect passwords

    Timeout password: When logging on, the user has three attempts to present Endpoint Encryption with a correct password. If the user fails, then a "lockout" period of 60 seconds commences. The user cannot log in while this period is in force, and if they reboot the PC, the period starts again. Once the period has expired, the user is allowed further logon attempts, with the time period between each logon doubling:

    1st incorrect attempt: No lockout
    2nd incorrect attempt: No lockout
    3rd incorrect attempt: 60 seconds lockout
    4th incorrect attempt: 120 seconds lockout
    5th incorrect attempt: 4 min lockout
    9th incorrect attempt: 64 min lockout

    Invalidate password after: After a sequence of incorrect passwords, Endpoint Encryption can disable the user's account. To log on again once this has happened, the user will need to call their Endpoint Encryption helpdesk for a password reset. The number of incorrect passwords that have to be entered before this occurs is normally 10, but can be set as needed.
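    The lockout schedule and account invalidation described above, as an added Python example (not McAfee code). It assumes the doubling continues beyond the 9th attempt, that a password entered while a lockout is in force is rejected without being counted, and that a correct logon clears the failure count; the LogonState class and its method names are constructed for the example.

```python
"""Incorrect-password handling from Table 2 (Timeout password and Invalidate
password after), modelled as a small state machine.  Added example, not
McAfee code.  Assumptions: the doubling continues indefinitely after the 3rd
failure, a wrong password entered while a lockout is in force is rejected
without being counted, and a correct logon clears the failure count."""

from dataclasses import dataclass

FREE_ATTEMPTS = 2              # 1st and 2nd wrong passwords: no lockout
BASE_LOCKOUT_SECONDS = 60      # 3rd wrong password: 60 s, then doubling
DEFAULT_INVALIDATE_AFTER = 10  # "normally 10, but can be set as needed"


def lockout_seconds(failures: int) -> int:
    """Lockout imposed after the n-th consecutive wrong password."""
    if failures <= FREE_ATTEMPTS:
        return 0
    return BASE_LOCKOUT_SECONDS * 2 ** (failures - FREE_ATTEMPTS - 1)


def lockout_table(max_failures: int) -> list[tuple[int, int]]:
    """(attempt number, lockout in seconds) for attempts 1..max_failures;
    rows 1 to 9 reproduce the guide's table."""
    return [(n, lockout_seconds(n)) for n in range(1, max_failures + 1)]


@dataclass
class LogonState:
    """Pre-boot logon state for one user on one machine (constructed model)."""
    invalidate_after: int = DEFAULT_INVALIDATE_AFTER
    failures: int = 0
    lockout_remaining: int = 0   # seconds left in the current lockout
    invalidated: bool = False    # account disabled, helpdesk reset needed

    def elapse(self, seconds: int) -> None:
        """Wall-clock time passing at the logon prompt."""
        self.lockout_remaining = max(0, self.lockout_remaining - seconds)

    def reboot(self) -> None:
        """Rebooting does not shorten a lockout: the full period starts again."""
        self.lockout_remaining = lockout_seconds(self.failures)

    def attempt(self, correct: bool) -> str:
        """Process one logon attempt; returns ok / retry / locked / invalidated."""
        if self.invalidated:
            return "invalidated"
        if self.lockout_remaining > 0:
            return "locked"              # cannot log in while period in force
        if correct:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.invalidate_after:
            self.invalidated = True      # account disabled after N failures
            return "invalidated"
        self.lockout_remaining = lockout_seconds(self.failures)
        return "locked" if self.lockout_remaining else "retry"


if __name__ == "__main__":
    for n, secs in lockout_table(9):
        print(f"{n:>2} incorrect attempt(s): {secs // 60} min {secs % 60} s lockout")
```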


    Password Template

    Figure 6: User configuration - Password template

    Table 3: User configuration - Password template

    Settings: Password template

    Password length: Sets the expected length of the user's password between two extremes. Recommended settings are a minimum length of five characters, and a maximum length of 40 characters.

    Enforce Password Content: Enforcing content in passwords forces the user to pick more secure passwords, but also reduces the number of possible passwords the user can select from. Content is not case sensitive.

    Alpha: A minimum number of characters from the range a-z and A-Z.
    Alphanumeric: A minimum number of non-symbol chars from the range a-z, A-Z, and 0-9.
    Numeric: Numbers only, from the range 0-9.
    Symbols: !"$%^&*()_+{}~@:>


    editor. Place each forbidden word on its own line in the file. Name the file TrivialPWDs.dat and place it in your client install set in the [appdir]\SBTokens\Data folder. The password "password" is excluded by default.

    Can't Be User Name: Prevents users from using their user name as their password.

    Windows content rules: Mirrors the standard Windows password content rule. For passwords to be accepted, they must contain at least 3 of the following:
    Lower case letters
    Upper case letters
    Numbers
    Symbols and special characters.
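    The Table 3 rules applied to candidate passwords, as an added Python example (not McAfee code). The PasswordTemplate dataclass, the rule codes it returns, the sample TrivialPWDs.dat contents and the case-insensitive matching of trivial words and user names are assumptions made for the example.

```python
"""Password-template rules from Table 3 applied to candidate passwords.
Added example, not McAfee code.  Models Password length, the Enforce Password
Content minimums (Alpha, Alphanumeric, Numeric, Symbols), the TrivialPWDs.dat
word list, "Can't Be User Name" and the Windows content rule.  The dataclass,
the rule codes returned and the case-insensitive matching of trivial words
and user names are assumptions made for the example."""

import string
from dataclasses import dataclass


def load_trivial_words(dat_text: str) -> frozenset[str]:
    """Parse TrivialPWDs.dat contents: one forbidden word per line.
    The word 'password' is excluded by default, so it is always included."""
    words = {line.strip().lower() for line in dat_text.splitlines()}
    words.discard("")
    return frozenset(words | {"password"})


@dataclass(frozen=True)
class PasswordTemplate:
    min_length: int = 5            # recommended settings from the guide
    max_length: int = 40
    min_alpha: int = 0             # a-z, A-Z
    min_alphanumeric: int = 0      # a-z, A-Z, 0-9 (non-symbol characters)
    min_numeric: int = 0           # 0-9
    min_symbols: int = 0           # anything that is not a letter or digit
    cant_be_user_name: bool = False
    windows_content_rules: bool = False   # at least 3 of 4 character classes
    trivial_words: frozenset[str] = load_trivial_words("")


def check_password(password: str, tpl: PasswordTemplate,
                   user_name: str = "") -> list[str]:
    """Return the codes of every template rule the password breaks.
    An empty list means the password is accepted.  Content counting is
    not case sensitive: Alpha counts both a-z and A-Z."""
    lower = sum(c in string.ascii_lowercase for c in password)
    upper = sum(c in string.ascii_uppercase for c in password)
    digits = sum(c in string.digits for c in password)
    symbols = len(password) - lower - upper - digits
    failed = []
    if not tpl.min_length <= len(password) <= tpl.max_length:
        failed.append("length")
    if lower + upper < tpl.min_alpha:
        failed.append("alpha")
    if lower + upper + digits < tpl.min_alphanumeric:
        failed.append("alphanumeric")
    if digits < tpl.min_numeric:
        failed.append("numeric")
    if symbols < tpl.min_symbols:
        failed.append("symbols")
    if password.lower() in tpl.trivial_words:
        failed.append("trivial")
    if tpl.cant_be_user_name and user_name and password.lower() == user_name.lower():
        failed.append("user-name")
    if tpl.windows_content_rules:
        classes = sum(1 for count in (lower, upper, digits, symbols) if count)
        if classes < 3:
            failed.append("windows-content")
    return failed


# Constructed sample TrivialPWDs.dat contents (not a real customer list).
SAMPLE_TRIVIAL_DAT = "Welcome1\nqwerty\nletmein\n"

# A template using the guide's recommended lengths plus content enforcement.
SAMPLE_TEMPLATE = PasswordTemplate(
    min_alpha=2, min_numeric=1, cant_be_user_name=True,
    windows_content_rules=True,
    trivial_words=load_trivial_words(SAMPLE_TRIVIAL_DAT),
)
```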

    Token type

    Sets the token for a given user/group of users. The list of available tokens is created from the token modules installed in the Object Directory. For information on particular token options, please see the Tokens chapter.

    Some tokens may be incompatible with other options; for instance, you cannot use the Floppy Disk token if the user's floppy disk access is disabled, set to read only, or set as Encrypted.

    Figure 7: Token type

    Assigning a token to a user does not necessarily mean they will be able to log into a machine; for example, giving a user a smart card does not mean their machine has a smart card reader, or the software needed to drive such a reader.

    NOTE: When you change a user's token, Endpoint Encryption automatically brings up the token creation wizard. You need to remember to create Soft Tokens even though they're just passwords.

    Recovery Key: You can reset a user's password, or change their token type, using the recovery process; this involves the user reading a small challenge of 18 characters from the machine to an administrator, then typing in a larger response from the administrator.


    The recovery key size defines the exact length of this code exchange. The range of options for the recovery key is dependent upon the maximum key size of the algorithm in use. A key size of 0 disables the user recovery system.

    Allow web-based self recovery: You can prevent a password-only user from registering for web recovery by selecting this option.

    Administration rights

    Figure 8: Administration rights

    Table 4: Administration rights

    Settings: Administration rights

    Administration level: The administration level of a given user defines their Administration Scope. Users can only work with directory objects (machines, other users etc.) below their own level; thus a level 2 user can only administer users of level 1. All users are by default created at level 1, and are therefore unable to administer each other. The user who first created the directory is created at level 32, and can therefore administer any other object in the directory.

    NOTE: A special case exists for the highest level of user (root users), allowing them to administer at level 32.

    Administration Functions: Options in the administration functions box select what administrative options are available to a given user / group of users. When creating a new user, the administration rights of the creator are reflected to the new user. Most administration functions are obvious but the following may require more explanation:

    Users/Allow Administration: controls a user's right to start administration systems such as the Endpoint Encryption Manager or Connector Manager. If this option is removed for all users, the management environment will be unavailable.


    Logon hours

    Endpoint Encryption can prevent a user from accessing any machine during particular time periods. In the example above, the user "John Smith" can access any machine his account has been allocated to during the hours of 9am - 5pm any day.

    Figure 9: Logon hours

    If the Force user to logoff box is not ticked, restricting the logon hours of a user does not prevent them continuing to use a machine out of hours if they were logged on when the restriction came into force; however, it does prevent them logging on after this time, for instance at a screen saver prompt.

    Devices

    This is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for PC Administration Guide.

    Application Control

    This policy is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for PC Administration Guide.

    Policies

    Endpoint Encryption can control other systems through the Policies Interface. You can define the actual parameters of a policy through its entry on the System Tree, and assign which policies are enforced for a particular user, or group of users, from the policies tab. For more information on policies see the Policies chapter.

    Add/Remove: Click Add or Remove to associate a policy with a user. You can only associate one policy of each type with a user.

    Bindings

    The Endpoint Encryption Connectors use the bindings specified for a user to match their Endpoint Encryption account with their account on an alternate system. When a connector creates a new Endpoint Encryption user, it automatically fills in the binding tabs to make the association. It is possible though to connect one, or many, users created in Endpoint Encryption to a connected account, by manually editing the bindings list.

    Figure 10: Connector Bindings

    For information on the correct system tag to use for a given connector, please see the Endpoint Encryption Connector Manager chapter.

    Local recovery

    The Local Recovery option allows the user to reset a forgotten password by answering a set of security questions. The full list of security questions is set by the administrator using the Endpoint Encryption Manager.

    NOTE: Endpoint Encryption contains a generic set of questions.

    When the user first sets up their local recovery feature they will be prompted to select a number of questions and provide the answers to them. These form the basis for their local self recovery feature.


    Setting Local recovery for a user name or user group

    Using Endpoint Encryption Manager, the administrator assigns the local recovery option to the user's logon, or to a user group. The local recovery options are available from the user logon or group Properties screen.

    Figure 11: Local recovery

    Table 5: Local recovery

    Settings: Local recovery

    Enable Local Recovery: Selecting this check box will set Local Recovery for the specified user or user group.

    Require __ questions to be answered: This option determines how many questions the user must select to perform a Local Recovery.

    Allow __ logons before forcing user to set answers: This option determines how many times a user can log on without setting their Local Recovery questions and answers.

    Add: The Add button will load the Local Self Recovery Question dialog box and allow you to create a new question. You can also specify the language that question should be in and the minimum number of characters the user must specify when configuring the answer to this question.

    Remove: The Remove button will remove a selected question from the list.

    Edit: The Edit button will allow you to edit the configuration of a selected question.

    Apply: The Apply button will save any changes that have been made.

    Restore: The Restore button will undo your changes and restore the Local Recovery options to the previous settings (providing you have not clicked the Apply button).


    See the Endpoint Encryption for PC Administrator's Guide or the Help File for the user local recovery procedures.

    Administration groups

    The groups which an administrator can manage can be restricted; this gives the ability to create high privilege administrators who can only work with a particular population of users and machines, for instance departmental administrators. You can specify all group types for the restriction, so you can also create administrator accounts that have the ability to manage only servers, certain groups of users, or certain groups of machines.

    Figure 12: Administration groups

    When group restrictions are in place, the user's view of the database is restricted to only the groups specified.

    Leaving the admin groups box empty gives the account admin capability throughout the Object Directory.

    When an administrator with group restrictions creates a new user, the group restrictions are reflected into the new user's properties. If the new user also inherits groups from their group membership, these too will be set.

    NOTE: Do not restrict the administrative scope of the root administrator or you may not be able to make configuration changes in the future.

    Setting user administrative privileges

    Endpoint Encryption has a powerful and flexible administration structure. You can set three conditions that must be met before a user can perform an administration task.

    Administration level

    This must be higher than the object you are trying to administer, or, in the case of top-level objects (level 32), must also be level 32.


    Groups

    If there are any groups specified for administration, the object you are trying to administer must be in one of the groups.

    Administration Functions

    The feature or command you are trying to use must be enabled in your Admin Rights list.

    If all these conditions are met then the user will be able to perform the function. Using a selection of these features enables certain administration hierarchies to be created.

    We advise that the minimum administration rights are given to each user, to prevent unauthorized configuration of the security. By delegating responsibility, administration can become a simple task.

    Example 1: Top-down administration

    Root User: Level 32.

    Master Administrator(s): Level 30, no other restrictions.

    Sub Admin(s): Level 20, no other restrictions.

    Users: Level 1, all rights removed.

    In this scenario there is a simple top-down chain of administration.

    Example 2: Tree administration

    In this scenario, the departmental administrators are prevented from managing each other's department by the group restriction. Administrators are also prevented from adding any of their users to machines in the other department by the same mechanism. Only the Enterprise Administrator(s) can start or manage Endpoint Encryption Servers.

    Root User: Level 32

    Enterprise Administrator(s): Level 30, no other restrictions

    Department A Administrator(s): Level 20, restricted to user and machine groups in department A only. Rights for server management removed.

    Department B Administrator(s): Level 20, restricted to user and machine groups in department B only. Rights for server management removed.

    Department A Users: Level 1, all rights removed

    Department B Users: Level 1, all rights removed

    Example 3: Function/Department Administration

    In this scenario, there are additional accounts for the Server Manager, a person responsible for keeping the Endpoint Encryption Server running. Their account has no ability to manage users or log on to clients. There could also be other accounts with the ability to add/remove users (for example used by the personnel department).

    Root User: Level 32

    Enterprise Administrator: Level 30, no other restrictions

    Server Manager: Level 30, groups restricted to servers only, rights restricted to managing servers only.

    Department A Administrator: Level 20, restricted to user and machine groups in department A only. Rights for server management removed.


    Department B Administrator: Level 20, restricted to user and machine groups in department B only. Rights for server management removed.

    Department A Users: Level 1, all rights removed

    Department B Users: Level 1, all rights removed
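    The three administration conditions (level, groups, functions) evaluated against the Example 3 account structure, as an added Python example (not McAfee code). The DirectoryObject and Admin dataclasses, the group names and every function name except Users/Allow Administration are assumptions made for the example.

```python
"""The three conditions from "Setting user administrative privileges"
(administration level, administration groups, administration functions)
evaluated against the Example 3 account structure.  Added example, not
McAfee code.  The DirectoryObject / Admin dataclasses, the group names and
every function name other than "Users/Allow Administration" are assumptions
made for the example."""

from dataclasses import dataclass

ROOT_LEVEL = 32   # level of the user who first created the directory

# Assumed function names; only Users/Allow Administration is named in the guide.
ALL_FUNCTIONS = frozenset({
    "Users/Allow Administration", "Users/Create", "Users/Reset Password",
    "Machines/Add User", "Servers/Manage",
})


@dataclass(frozen=True)
class DirectoryObject:
    name: str
    level: int
    groups: frozenset = frozenset()        # groups the object belongs to


@dataclass(frozen=True)
class Admin(DirectoryObject):
    admin_groups: frozenset = frozenset()  # empty = whole Object Directory
    functions: frozenset = frozenset()     # the user's Admin Rights list


def failed_conditions(admin: Admin, target: DirectoryObject,
                      function: str) -> list[str]:
    """Names of the conditions that block the action (empty = permitted)."""
    failed = []
    # 1. Level: higher than the target's, or level 32 for level-32 objects.
    if target.level >= ROOT_LEVEL:
        if admin.level < ROOT_LEVEL:
            failed.append("level")
    elif admin.level <= target.level:
        failed.append("level")
    # 2. Groups: if any admin groups are set, the target must be in one.
    if admin.admin_groups and not (admin.admin_groups & target.groups):
        failed.append("groups")
    # 3. Functions: the command must be enabled in the Admin Rights list.
    if function not in admin.functions:
        failed.append("functions")
    return failed


def can_administer(admin: Admin, target: DirectoryObject, function: str) -> bool:
    return not failed_conditions(admin, target, function)


# Example 3 from the guide; group and object names are constructed here.
ROOT = Admin("Root User", 32, functions=ALL_FUNCTIONS)
ENTERPRISE = Admin("Enterprise Administrator", 30, functions=ALL_FUNCTIONS)
SERVER_MANAGER = Admin("Server Manager", 30,
                       admin_groups=frozenset({"Servers"}),
                       functions=frozenset({"Users/Allow Administration",
                                            "Servers/Manage"}))
DEPT_A_ADMIN = Admin("Department A Administrator", 20,
                     admin_groups=frozenset({"Dept A Users", "Dept A Machines"}),
                     functions=ALL_FUNCTIONS - {"Servers/Manage"})
DEPT_B_ADMIN = Admin("Department B Administrator", 20,
                     admin_groups=frozenset({"Dept B Users", "Dept B Machines"}),
                     functions=ALL_FUNCTIONS - {"Servers/Manage"})
USER_A = DirectoryObject("Dept A user", 1, frozenset({"Dept A Users"}))
USER_B = DirectoryObject("Dept B user", 1, frozenset({"Dept B Users"}))
SERVER = DirectoryObject("EE Server", 1, frozenset({"Servers"}))
```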


    Tokens

    The Endpoint Encryption Manager and connected applications support many different types of logon token, for example passwords, smart cards, fingerprint readers and others. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared.

    Go to https://kc.mcafee.com/corporate/index?page=content&id=pd20895 for the supported smart cards and tokens.

    Contents

    Hardware device support

    Endpoint Encryption application support

    Assigning the token to the user and creating it

    Install and configure Upek fingerprint reader

    Hardware device support

    Ensure the system has the appropriate Windows drivers for the hardware tokens it needs to support; for example, if you intend to use Aladdin eTokens you need to install the Aladdin eToken RTE (Run Time Environment).

    If you intend to use smart cards, you need to ensure that an Endpoint Encryption supported smart card reader is installed, along with its drivers; for example, the Mako/Infineer LT4000 PCMCIA smart card reader must be installed.

    In both cases, the appropriate device drivers are available either direct from the manufacturer, or from the Endpoint Encryption install CD in the Tools directory.

    Endpoint Encryption application support

    Once you have installed hardware support for the devices, you can enable software support for them. See the dedicated product administration guide for details on how to enable tokens for that particular product.

    Assigning the token to the user and creating it

    From the user's Token properties pane, select the token you want the user to log on with. Endpoint Encryption prompts you to insert the token and creates the appropriate data files on it.


    If all steps are followed, when you install Endpoint Encryption, or after the machines synchronize, users will be able to log in using their new token.

    Install and configure Upek fingerprint reader

    The Upek Protector Suite QL software must be installed and configured on the client system. The software can be found on the McAfee Endpoint Encryption Tools download. Please consult your McAfee representative for further information.

    Before you begin

    Make sure that you have appropriate permissions to perform this task.

    Task

    1 From the Endpoint Encryption Manager, create a file group for the Upek token and import the token files: SbTokenUpek.dll and SbTokenUpek.dlm.

    NOTE: The Upek file group must be assigned to the system or system group. The fingerprint reader must be assigned to a user or a user group. See the user or user group Properties | Tokens screen.

    2 The user logs on to the client system using the Upek token module in password mode. The users are presented with a dialog box to register their fingerprints with Endpoint Encryption; the user configures the fingerprint reader to work with one or more of their fingerprints.

    From then on the users need to authenticate to Endpoint Encryption with their fingerprint instead of a password.


    File Groups and Management

    Endpoint Encryption Manager uses central collections of files, called Deploy Sets, to manage what versions of files are used on many Endpoint Encryption applications. For information on a particular application's support for File Groups, please see the Administration Guide.

    Contents

    Endpoint Encryption file groups

    Setting file group functions

    Importing new files

    Exporting files

    Deleting files

    Setting file properties

    Endpoint Encryption file groups

    When Endpoint Encryption Manager is installed, it automatically adds the entire standard Endpoint Encryption administrator files into the file groups and also may create language sets, for example English Language. An INI file, ADMFILES.INI, determines the contents of the core groups. INI files such as these can be edited to allow custom collections of files to be quickly imported and then applied using the Import file list menu option. For more information on ADMFILES.INI see the Endpoint Encryption Configuration Files chapter.

    Figure 13: Endpoint Encryption file groups

    Other file sets created as standard include those to support login tokens, such as smart card readers, and USB Key tokens.


    Setting file group functions

    You can specify the function of a file group by right-clicking it and selecting its properties. Some file selection windows, for example the file selector for machines, only display certain classes of file group (in this example, those marked as Client Files).

    Figure 14: File group content

    Importing new files

    New files can be imported one by one into an existing deploy set using the Import files menu option. Simply select the file; the Endpoint Encryption Manager will then import it into the directory and add it to the deploy set.

    Exporting files

    You can export a file group, or an individual file, back to a directory. This may be useful, for example, if you have an out of date administration system driver and there is an updated file in the Object Directory.

    Deleting files

    You can delete individual files from a file set. With connected applications this usually results in the deletion of the file from their local directory at the next synchronization event.

    Setting file properties

    To see the properties of a file, right-click on the file in question and select Properties. Two screens of information are available: File Information and Advanced.


    The name of the file is the actual name, which will be used when deploying the file on the remote machine. The ID is the Object Directory object ID which is used as a reference for the file from the client PC.

    Figure 15: File Properties, file information

    The version number is an incremental version of the file. When the file is updated, the version is incremented. This is used by the clients to check whether an update is needed. Other information such as the name of the user who imported the file and its size may be shown.

    Figure 16: File Properties, Advanced

    Table 6: File Properties, Advanced

    Settings: Setting File Properties

    File Types: Sets the type of the file.

    File Location: Set the destination directory for the file.

    Operating System: Because some files are only applicable to some operating system(s), the target operating system(s) for the file must be selected. This is to prevent Windows NT drivers being installed on Windows 98 machines, or Windows 9x registry files being run on Windows 2000 servers.

    App ID: If you are installing a file which is shared between multiple Endpoint Encryption applications, you can specify this application's ID. This prevents one application from installing files shared by another.

    Update: Specify when Endpoint Encryption should update the file.


    Auditing

    Introduction

    The Endpoint Encryption Manager audits user, system, and server activity. By right-clicking on an object in the Endpoint Encryption Object Directory, you can select the view audit function.

    Audit trails are uploaded to the central directory by both the Administration Center and connected Endpoint Encryption Applications such as Endpoint Encryption for PC and Endpoint Encryption for Files and Folders.

    The permission to view or clear an audit log can be controlled on a user or group basis. Both the administration level and administration function rights are checked before allowing access to a log. For more information on setting these permissions see the Creating and Configuring Users chapter.