McAfee® Endpoint Encryption Manager Administration Guide
Version 5.2.5

McAfee, Inc.
3965 Freedom Circle, Santa Clara, CA 95054, USA
Tel: (+1) 888.847.8766
For more information regarding local McAfee representatives please contact your local McAfee office, or visit: www.mcafee.com

Document: Endpoint Encryption Manager Administration Guide
Last updated: Tuesday, 30 March 2010

Copyright (c) 1992-2010 McAfee, Inc., and/or its affiliates. All rights reserved. McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein are only by reference and are the sole property of their respective owners.

Contents

Preface ..... 6
  About this guide ..... 6
  Audience ..... 6
  Conventions ..... 7
  Related Documentation ..... 7
  Acknowledgements ..... 7
  Contacting Technical Support ..... 7
Introduction ..... 8
  Why Endpoint Encryption? ..... 8
  Design Philosophy ..... 8
  How Endpoint Encryption Solutions Work ..... 8
  Objects, Entities, and Attributes explained ..... 9
  The Endpoint Encryption Components ..... 10
Installing Endpoint Encryption Manager ..... 14
  Upgrading the Endpoint Encryption Manager ..... 14
Endpoint Encryption Manager Interface ..... 15
  Administration Level ..... 15
  Starting Endpoint Encryption Manager ..... 16
  Groups of Users, Machines and other Objects ..... 16
  Audit Trails ..... 18
The Endpoint Encryption Object Directory ..... 19
  The Object Directory Structure ..... 19
  Object locking ..... 20
Creating and Configuring Users ..... 21
  User Administration Functions ..... 22
  User configuration Options ..... 23
  Setting User Administrative Privileges ..... 35
  Some Example Administration Structures ..... 36
Tokens ..... 38
File Groups and Management ..... 40
  Setting file group functions ..... 41
  Importing new files ..... 41
  Exporting Files ..... 41
  Deleting Files ..... 41
  Setting File Properties ..... 41
Auditing ..... 44
  Introduction ..... 44
  Common Audit Events ..... 44
Managing Object Directories ..... 49
  Managing Connections ..... 49
  Adding a new directory connection ..... 49
Endpoint Encryption Server ..... 51
  Installing the Endpoint Encryption Server Program ..... 51
  Creating a new Server ..... 51
  Starting The Endpoint Encryption Server for the first Time ..... 52
Preface

The team at McAfee is dedicated to providing you with the best in security for protecting data on personal computers. The Endpoint Encryption Manager and associated products are designed to protect your mobile data on PCs, PDAs and across networks. Applying the latest technology, deployment and management of users is enhanced using simple and structured administration controls. Through the continued investment in technology and the inclusion of industry standards we are confident that our goal of keeping Endpoint Encryption at the forefront of data security will be achieved.

About this guide

This document will aid corporate security administrators in the correct implementation and deployment of the Endpoint Encryption Manager. Although this guide is complete in terms of setting up and managing Endpoint Encryption systems, it does not attempt to teach the topic of "Enterprise Security" as a whole. Readers should refer to the Administration Guides for individual Endpoint Encryption products, such as Endpoint Encryption for PC, for specific information. For information about cryptography topics, readers are advised to consult the following publications:

Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition. Bruce Schneier. Pub. John Wiley & Sons. ISBN: 0471128457
Computer Security. Dieter Gollmann. Pub. John Wiley and Sons. ISBN: 0471978442
Security in Computing, 3rd edition. Charles P. Pfleeger. Pub. Prentice Hall PTR. ISBN 0130355488

Audience

This guide was designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, is required.

Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.
Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).
Italic: Emphasis or introduction of a new term; names of product manuals.
Blue: A web address (URL); a live link.
Note: Supplemental information, for example, an alternate method of executing the same command.
Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Related Documentation

The following materials are available from our web site, http://www.mcafee.com, and from your Endpoint Encryption Distributor:
• Endpoint Encryption Manager Administration Guide (this document)
• Endpoint Encryption for PC Administration Guide
• Endpoint Encryption for Files and Folders Administration Guide
• Port Control Administration Guide
• Endpoint Encryption for PC Quick Start Guide
• Endpoint Encryption for Files and Folders Quick Start Guide

Acknowledgements

Endpoint Encryption's Novell NDS Connector and LDAP Connectors make use of OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given to these organizations for their free APIs.

Contacting Technical Support

Please refer to www.mcafee.com for further information.

Introduction

Why Endpoint Encryption?

Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD worth of lost data. Is your data safely stored? Ever thought about the risks you run for your company and your clients? The Endpoint Encryption product range was developed with the understanding that often the data stored on a computer is much more valuable than the hardware itself.

Design Philosophy

The Endpoint Encryption product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a Smart Card, Fingerprint or USB Key. McAfee also has optional File and Media encryption programs (VDisk, File Encryptor and Endpoint Encryption for Files and Folders), as well as hardware VPN solutions further enhancing the security offered. All Endpoint Encryption products are centrally managed through a single system, which supports scalable implementations and rich administrator control of policies.

Endpoint Encryption supports all current Microsoft Operating Systems, and also common PDA platforms:
• Microsoft Windows 7
• Microsoft Windows 2000 through SP4
• Microsoft Windows XP through SP3 (32bit only)
• Microsoft Windows 2003 through SP2 (32bit only)
• Microsoft Vista 32bit and 64bit (all versions)
• Microsoft Pocket Windows 2002 and 2003
• Microsoft Windows Mobile 5.0/6.0/6.1
• Palm OS 3.5 through 5.4

How Endpoint Encryption Solutions Work

Management

Every time an Endpoint Encryption protected system starts, and optionally every time the user initiates a dial-up connection or after a set period of time, Endpoint Encryption tries to contact its Object Directory. This is a central store of configuration information for both machines and users, and is managed by Endpoint Encryption Administrators. The Object Directory could be on the user's local hard disk (if the user is working completely stand-alone), or could be in some remote location and accessed over TCP/IP via a secure Endpoint Encryption Server (in the case of a centrally managed enterprise).

Endpoint Encryption applications query the directory for any updates to their configuration, and if needed download and apply them. Typical updates could be a new user assigned to the machine by an administrator, a change in password policy, or an upgrade to the Endpoint Encryption operating system or a new file specified by the administrator. At the same time Endpoint Encryption uploads details like the latest audit information, any user password changes, and security breaches to the Object Directory. In this way, transparent synchronization of the enterprise becomes possible.

Objects, Entities, and Attributes explained

The Endpoint Encryption database stores information about users, machines, servers, PDAs etc. in collections called "objects". From an internal point of view it does not matter to Endpoint Encryption what an "object" represents, only the information it contains. So an object representing a user, say "John Smith", and an object representing a machine, for example "Johns Laptop", both contain information about encryption keys, account status and administration level.

Within the object are collections of configuration data called "attributes". To take our previous example of John and his laptop, the details of the encryption keys, user status and administration level would all be stored as separate attributes. Again, the same type of attribute may exist across many object types.

Entities are applications within the Endpoint Encryption system, for instance the entity representing the Endpoint Encryption client, the administrator interface, and the entity representing the Endpoint Encryption Server.

Because of the generality of the "object" design, all Endpoint Encryption applications also have some generality about them: an "object", whether it is a machine or a user, authenticates to the Object Directory in the same way, and which it is does not matter. This generality is mainly hidden from users and administrators, but because of this core design, you will find that many Endpoint Encryption related functions and tasks are common between users, machines and entities.

The Endpoint Encryption Components

Endpoint Encryption Manager

Figure 1. Endpoint Encryption Manager

The most important component of the Endpoint Encryption enterprise is the Endpoint Encryption Manager, the administrator interface. This utility allows privileged users to manage the enterprise from any workstation that can establish a TCP/IP link or file link to the Object Directory. Typical procedures that the Endpoint Encryption Administrator handles are:
• Adding users to machines
• Configuring Endpoint Encryption protected machines
• Creating and configuring users
• Revoking users' logon privileges
• Updating file information on remote machines
• Recovering users who have forgotten their passwords
• Creating logon tokens such as smart cards for users

Endpoint Encryption Server

The Endpoint Encryption Server facilitates connections between entities such as the client, the Endpoint Encryption Manager and the central Object Directory over an IP connection (rather than the file based "local" connection). The server performs authentication of the entity using DSA signatures, and link encryption using the Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that "snooping" the connection cannot result in any secure key information being disclosed.

The server exposes the Object Directory via fully routed TCP/IP, allowing clients to connect wherever they are. As all communications between the Server and client are encrypted and authenticated, there is no security risk in exposing it in this way, meaning that access to the Object Directory can be safely exposed to the Internet / Intranet.

There is a unique PDA Server which provides similar services to PDAs such as Microsoft Pocket Windows and PalmOS devices. More information about this can be found in later chapters.

Endpoint Encryption Object Directory

The Endpoint Encryption Object Directory is the central configuration store for Endpoint Encryption for PC and is used as a repository of information for all the Endpoint Encryption entities. The default directory uses the operating system's file system driver to provide a high performance scalable system which mirrors an X500 design. The standard store has a capacity of over 4 billion users and machines. Alternative stores such as LDAP are possible; contact your Endpoint Encryption representative for details.

Typical information stored in the Object Directory includes:
• User Configuration information
• Machine Configuration information
• Client and administration file lists
• Encryption key and recovery information
• Audit trails
• Secure Server Key information

Endpoint Encryption PDA Server

The Endpoint Encryption PDA Server facilitates connections between entities such as the Endpoint Encryption client, the Management Center and the central Object Directory over an IP connection (rather than the file based "local" connection). The server performs authentication of the entity using DSA signatures and link encryption using Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that "snooping" the connection cannot result in any secure key information being disclosed.

The server exposes the Object Directory via fully routed TCP/IP, allowing clients to connect wherever they are. As all communications between the server and client are encrypted and authenticated, there is no security risk in exposing it in this way, meaning that access to the Object Directory can be safely exposed to the Internet / Intranet.

Note: The default port for PDA Server is 5557.

Endpoint Encryption for PC Client

Figure 2. Endpoint Encryption for PC Client

The Endpoint Encryption for PC client software is largely invisible to the end user. The only visible part is an entry in the user's tool tray (the Endpoint Encryption icon). Clicking on this icon allows the user to lock the PC with the screen saver (if the administrator has enabled this option and a screen saver is selected), or to monitor the progress of any active synchronization. Right-clicking on the monitor allows them to perform a manual synchronization with their Object Directory.

Normally the Endpoint Encryption client attempts to connect to its home server or directory each time the machine boots, or establishes a new dial-up connection. During this process, any configuration changes made by the Endpoint Encryption administrator are collected and implemented by the Endpoint Encryption client. In addition, information such as the last audit logs is uploaded to the directory.

Endpoint Encryption for Mobile

Endpoint Encryption for Mobile provides authentication and crypt services for mobile devices. Every time you activate, or dock, a PDA device protected with Endpoint Encryption, it tries to communicate with its home Endpoint Encryption PDA Server and set its security profile; again, this is set from the Endpoint Encryption Manager. As with Endpoint Encryption for PCs, a password or login prompt will be presented for authentication.

Endpoint Encryption File Encryptor

By right clicking on a file, users can elect to encrypt it using various keys. Files can be encrypted with other Endpoint Encryption users' keys and/or passwords. Every time you activate it you are prompted to enter a secure, recoverable password or PIN. Once protected in this way the file can be sent elsewhere, for example via e-mail, or on a floppy disk, without the risk of disclosure. When the file needs to be used, it just needs to be double clicked, and if the password entered is correct the file will be decrypted. The File Encryptor also has an option to create an RSA key pair for recovery: if the password to a file is lost, the file can still be recovered using the correct recovery key.

Endpoint Encryption Connector Manager

Endpoint Encryption's directory, used to keep track of security information, is designed so that synchronization of details between Endpoint Encryption and other systems is possible. The Connector Manager is a customizable module which enables data from systems such as X500 directories (commonly used in PKI infrastructures) to propagate to the Endpoint Encryption Object Directory. Using this mechanism, it is possible to replicate details such as a user's account status between the Endpoint Encryption Manager and other directories. Current connector options include LDAP, Active Directory, and an NT Domain Connector. For information on these components, see your Endpoint Encryption representative.

Installing Endpoint Encryption Manager

NOTE: Readers unfamiliar with Endpoint Encryption should follow the Endpoint Encryption Quick Start Guide for the product you are installing, before tackling any of the topics in this guide. The Quick Start guides provide an overview of setting up an Endpoint Encryption enterprise.

Endpoint Encryption Manager is the administration part of Endpoint Encryption and is the core tool for managing all Endpoint Encryption aware applications. If this is the first time you have installed an Endpoint Encryption application, then please read the Quick Start Guide for that application.

Install Endpoint Encryption Manager by running the appropriate setup.exe, which you will find either on your Endpoint Encryption download or on the Endpoint Encryption CD. You should run this first on the machine which you want to be the "master" or administrator's machine. If you have a multi-language CD, you may be prompted to select a language; select the language (for example, English) you want to install. Follow the onscreen prompts to install the software. The Endpoint Encryption Manager will now install on your machine. Once completed you may need to restart your system.

After rebooting, run the Endpoint Encryption Manager program. A wizard will walk you through the creation of a new Endpoint Encryption directory, smart card reader, and encryption algorithm. If you have an existing Object Directory in your network, you can connect to it by canceling the wizard and manually configuring a connection. For information on this procedure please see Managing Object Directories.

The Endpoint Encryption Manager suite adds some items to your start menu:

Endpoint Encryption Manager starts the Endpoint Encryption Manager.
Endpoint Encryption Server starts the communication server which provides encrypted links between clients and the configuration.

You may also have icons for the Endpoint Encryption Connector manager.

Upgrading the Endpoint Encryption Manager

1. Download the Endpoint Encryption Manager software from the McAfee download site.
2. Run the setup file and complete the upgrade.

See the Endpoint Encryption Update and Migration Guide (contained in the download) for more detail.

Endpoint Encryption Manager Interface

The Endpoint Encryption Manager allows certain classifications of user to manage and interact with the backend Object Directory. Users and machines can perform certain tasks and change certain details within the directory, depending upon their assigned "Administration Privilege" and administrative rights.

Administration Level

Each object in the directory has a certain "administration privilege" with a range of between 1 (lowest) and 32 (root administrator). The recommended assigned privileges are:

User Classification      Administration Level
Root Administrator       32
Other Administrators     10
Normal Users             1
Normal Machines          1

No object except the root administrator can change the attributes of an object of its privilege or above, but some attributes can be read regardless. This mechanism stops low privilege users from changing their own configuration, and protects high-level administrators from the activities of lower levels.

NOTE: As there are no objects with a privilege above 32, all level 32 objects are treated equally and without restraint (except delete rights). This means that any top-level admin can edit the properties of any other top-level admin. For this reason it is recommended that general Endpoint Encryption administrators use accounts with a privilege below 32, and that the master (or root) administrator account is used only in extreme circumstances.

In addition to this rule, extra restrictions on what administration processes an individual may use can be set when they are created; for instance the ability to add users may be blocked, as may be the ability to create install sets. However, a level 32 administrator with limited admin functions cannot add those restricted functions to another level 32 administrator.

Starting Endpoint Encryption Manager

Endpoint Encryption Manager communicates with the Object Directory and requests a user authentication on start-up. Users and administrators authenticate using their Endpoint Encryption credentials.

There is no real limit to the number of concurrent Endpoint Encryption sessions that can be connected to each directory, either directly or via an Endpoint Encryption Server; where several sessions edit the same object, the last one to click Save overrides all others. The limiting factor is the hardware supplying access to the directory, i.e. the network and server speed.

NOTE: for details on setting up connections to directories, see Managing Object Directories.

Groups of Users, Machines and other Objects

To facilitate configuration at group level, Controlled groups are used where it is not necessary or desirable to have many individual objects with their own configurations; for example an administrator may choose to enforce a strict security policy which must be adhered to. In a large corporate with many departments, for instance "Sales" and "Helpdesk", the configuration of these two groups would be similar, but not identical: the "Sales" group of PCs may not synchronize with the Object Directory so often, and the "Helpdesk" PCs would not be receiving some sales-related database information. When an object is moved into a controlled group, the group-level settings apply to it, and changes made at group level immediately affect all members of the group.
two types of group can be created: Controlled Groups Members of configuration-controlled groups cannot have their core configuration altered on a member-by-member basis (non-core items include machine description for instance). Machines and other Objects Within the Endpoint Encryption Directory. so if they usually use a smart card to login to Endpoint Encryption. they will need the same card to access Endpoint Encryption Manager. Another use is 16 | . In the case of two administrators updating an objects configuration at the same time.Endpoint Encryption Manager Interface This gives the ability to create high-privilege users with no admin abilities . All changes have to be made at group level.these users cannot be administered or recovered by lower privilege users although the lower level users may have access to the administration functions. i. it immediately loses its individuality and inherits the group’s properties. For example. In this situation then there is no scope for objects to have individual configurations. the Endpoint Encryption administrator may choose to create groups of machines based on their physical location . which it uses to connect to an Object Directory. objects are "grouped" in order to simplify configuration. etc. by using the Filter or Find by ID options from the Objects Menu. if the option was enabled at group level.Endpoint Encryption Manager Interface where a collection of machines needs to have their configurations synchronized as one. To set the default group. One Group for each object type is defined as the default. This group may or may not be configuration controlled. | 17 . Select a group from the drop down list. Each machine would automatically enable Endpoint Encryption the next time it synchronized with the directory. or Devices tabs. users etc) appear under and inherit their initial attributes. but this configuration is stored individually for the object and can be altered at any time. System. users. or. 5. 
This will begin a search across the selected group for orphaned objects. 4. they simply retain their own configurations. it does not affect existing objects. 1. Free Groups Free groups have no master control. Select a group from the Users. Existing objects moved into a free group do not inherit any group properties. 2. Click Ok. objects inherit the properties of the group when they are created. Changing the group configuration only effects new objects created within the group. Finding orphaned objects using Group Scan The Group Scan feature within the Groups drop down menu allows you to scan through any group and identify missing objects. Unless otherwise specified this is the group which new Objects (machines. 3. Policies. select it and use the right-click menu option Set as Default Group. For example. e. if there was a controlled group of 200 machines with the property of Endpoint Encryption enabled set as false. this change would affect each machine in the group. Finding Objects You can search the object trees by either typing into the Find box on the tool bar of Endpoint Encryption Manager. and is displayed in bold type in the object tree.g. Click Group Scan. Click the Groups option from the menu bar. machines. The report output will appear in the bottom right pane. select the object in question and use the right-click menu option View Audit. The ability for a user to be able to view another user’s audit is a function of their relative administration level. To view the current audit. Audit trails can be exported as comma delimited files for use in other applications. It is recommended that not all users are given this permission. Endpoint Encryption audits to most types of object.Endpoint Encryption Manager Interface Audit Trails. 18 | . and their View Audit administration right. For information on porting Endpoint Encryption's backend directory to an alternate system. 
please contact your McAfee Services representative.

The Endpoint Encryption Object Directory

Endpoint Encryption stores all its configuration and security information in a central, generic data store referred to as the Object Directory. This store resembles a tree-based, modular, object-structured directory, similar in design to an X500 directory. The directory stores information for the configuration of users, machines etc in logical Objects containing data blocks ("attributes"). The Endpoint Encryption Configuration Manager on the protected machine periodically checks this store via a connection manager (the Directory Manager) to see if there are any changes to apply, and delivers any updates necessary in return.

There is no requirement for any particular type of directory, as long as the directory engine can support the minimum layout. All data sources are viable, e.g. ODBC, LDAP, DAP, X500 etc. Endpoint Encryption ships with two directory drivers: a high performance file system based driver for large corporate users, and a small single-file "transport" directory driver designed for single use and disconnected deployment. This independence greatly increases the speed the object store can work at, and allows fast access to attributes and modification (adding new attributes, new object classes etc) without significant effort.

The Object Directory Structure

The Object Directory manages three levels of information: object type, actual Objects, and attributes. The top level has the various object classifications, e.g. User, Access, and machine. Below this level are the individual Objects; e.g. in the case of the user tree, there would be Objects containing the attributes for users. For each object there are many attributes, for example private key and password. This can be viewed as a correlation of a file or directory system.

NOTE: Supported accessible Objects are Users, Machines, Groups, Servers, Files, and Directories. Endpoint Encryption makes no distinction between the different types of object at the management and access level. Only the Attributes stored within them differ.

A simple pictorial layout of the directory structure could be explained thus:

Root Directory
  |
  (Object Classes)
  Users-------Machines-------Groups-------Servers--------Files
  |
  (User level)
  User.0-----User.1-----User.2-----User.3-.....User.n
  |
  (Attributes containing Configuration information)
  Attrib.0----Attrib.1-----Attrib.2------Attrib.n

This structure mirrors an X500 directory.

Object locking

To prevent problems where two or more processes try to access the same data simultaneously, only one process can have write permission to an Object at any time. In the standard file managed directory, object locking is provided by the operating system itself; if there is a conflict in locks, one process will wait for the other to release. Normally an object such as a user is only locked during the actual write process. This usually takes only a few seconds.

Creating and Configuring Users

Figure 3.

Creating New Users

New users can be created in Endpoint Encryption Manager by selecting the group they need to be in, and using the menu option Create User. You can also create users automatically using a connector to another directory, such as Active Directory, or an automated script. Please see the Endpoint Encryption Connector Manager chapter, or the Endpoint Encryption Scripting Tool Users Guide.

Once created, the user assumes the configuration of the group they were created in. If this group is "controlled", then only a few options are available to be configured on a user-by-user basis. If the group is "Free" then, although the user assumes the properties of the group on creation, the parameters can then be set individually afterwards. The user's password or token is inherited from the group, and can be set or generated at this point.

The new user's logon id and recovery information about them can be entered. The fields of information are used to identify the user in case of a helpdesk issue, such as the user forgetting their password. This gives the helpdesk operator the ability to ask the user a question to validate their identity. The helpdesk and user can see the majority of these fields, but some may be defined as "hidden from user"; in this example, the field Group Access is one of those. Hidden fields can only be seen by administrators with a higher privilege than the user, or the root administrator. For more information on recovery, see the Recovery chapters of your product administrators' guide.

User Administration Functions

Create Token
Creates a new Token for the selected user. This could be a soft (password) token, or a hard token such as a smart card or eToken. NOTE: In the case of hard tokens, creating the token does not necessarily set the user to actually use that token. This must be accomplished separately from the user's Token properties page.

Force Password Change at Next Logon
Forces the user to change their password at their next logon. This policy option applies to both the Endpoint Encryption Manager and all compatible applications, such as Endpoint Encryption for PC.

Set SSO Details
Sets the Single-Sign-On details for the user. For more information on SSO see the Endpoint Encryption for PC Administration Guide.

Reset (All) to Group Configuration
Resets the configuration of the user, or all the users in the group, to the group's configuration.

View Audit
Displays the audit for the user.

Create Copy
Creates a new object based on the selected object.

Reset Token
Resets the token authentication to the default. In the case of the soft (password) token this resets the password to 12345. If a hard token cannot be reset this way, contact the manufacturer of your token to determine the correct re-use procedure.
NOTE: Some hard tokens may not be able to be reset using Endpoint Encryption, for example Datakey Smart Cards.

Properties
Displays the properties of the selected object.

Auto-boot users
Special user ids containing the tag "$autoboot$" with a password of "12345" (or set by administrators) can be used to auto-boot an Endpoint Encryption for PC protected machine. This option is useful if an auto boot of a machine is needed, for example when updating software using a distribution package such as SMS or Zenworks. This ID should be used with caution though, as it effectively bypasses the security of Endpoint Encryption. You can find out more about the "$autoboot$" user from the Endpoint Encryption for PC Administration Guide.

User configuration Options

General

Figure 4. User Options - General

User ID
The user ID of a given user is the system-wide identifier that Endpoint Encryption uses internally to keep track of the user. This number is unique within the Object Directory and is displayed for technical support purposes. The user's recovery screens also show this number.

Enabled
Shows whether the user account is enabled or not. The enabled status is always user selectable. Once a machine has synchronized, or the screen saver activates, it checks the user account list to ensure that the currently logged on user is still valid (because they logged on at boot time before the network and Object Directory was available). Users with disabled accounts (or users who have been removed from the user list) will find the screen saver will activate and they will be unable to log in.

User Defined Labels (Information Fields)
When a user is created several fields of information may be set to help the helpdesk identify the user during the recovery process. For a full description of the use of these fields see Creating Users, and Recovering Users and Machines.

Valid From / Until
Sets the period during which this account is valid. Both Valid From and Valid Until settings can be made. This enables the administrator to set up accounts that self-activate sometime in the future and/or expire at some fixed point (e.g. for contracted employees with a fixed term contract starting and expiring on a given day). Once the period has passed, the user will no longer be able to log on. If the user is logged on while the account expires, they will NOT be automatically logged off the system (but if they reboot, they will not be able to log on again).

NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop the user from accessing the machine), you can use the force sync option of the machine's right-click menu to force an update.

Change Picture
Allows the administrator to set a picture for the user. The imported picture can be any size bitmap image. The picture aids the helpdesk in the identification of a user when doing a challenge/response password reset, and on the directory login screen. For more information see the Endpoint Encryption for PC Administration Guide.

Password Parameters

Figure 5. User Configuration - Password Parameters

Force Change if "12345"
Ticking this option prevents users from continuing to use the Endpoint Encryption default password of "12345". If this password is ever used, for instance after recovering a user, it must be changed before Endpoint Encryption will allow the operating system to boot. The force password change mechanism is also supported in the Windows Screen Saver.

Prevent Change
Disables the Change Password option on the Endpoint Encryption boot screen.

Enable Password History
Endpoint Encryption records previous passwords, and stops the user repeating old passwords when they are forced to change them. Passwords are added to the history list when the user sets them; as the default password is not added to the history list when a user is created, the default password ("12345") may be used ONCE again. The maximum number of previous passwords that can be saved is limited by the user's token: typically a password token can remember 19 previous passwords, whereas a smart card token only 10. Special smart card scripts can be made available which increase the maximum history count beyond 10, at the expense of the time needed to log in. For information on these scripts please contact your Endpoint Encryption representative.

Require Change After
Forces the user to change their password after a period of days.

Warn
Warns the user that their password will expire a set number of days in advance of their password change.

Timeout password
When logging on, the user has three attempts to present Endpoint Encryption with a correct password. If the user fails, then a "lockout" period of 60 seconds commences. The user cannot log in while this period is in force, and if they reboot the PC, the period starts again. Once the period has expired, the user is allowed further logon attempts, with the time period between each logon doubling, i.e.

• 1st incorrect attempt: No lockout
• 2nd incorrect attempt: No lockout
• 3rd incorrect attempt: 60 seconds lockout
• 4th incorrect attempt: 120 seconds lockout
• 5th incorrect attempt: 4 min lockout
• 9th incorrect attempt: 64 min lockout

64 minutes is the maximum lockout period that may be set.

Invalidate Password after
After a sequence of incorrect passwords, Endpoint Encryption can disable the user's account. To log on again once this has happened, the user will need to call their Endpoint Encryption helpdesk for a password reset. The number of incorrect passwords that have to be entered before this occurs is normally 10, but can be set as needed.
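The lockout schedule and the "Invalidate Password after" threshold above can be modelled in a few lines, which is useful when reasoning about how long a brute-force attempt is throttled for and when the account is disabled. The following is an added example, not code from the McAfee guide or product: the 60 second base, the doubling, the 64 minute cap and the default of 10 failures are the values the guide states; the function and class names, and the treatment of a reboot as restarting the current lockout period, are this example's own.

```python
# Added example (not from the McAfee guide): models the Timeout password
# schedule and the "Invalidate Password after" threshold described above.
from dataclasses import dataclass

BASE_LOCKOUT_SECONDS = 60        # lockout that follows the 3rd failure (guide value)
MAX_LOCKOUT_SECONDS = 64 * 60    # 64 minutes is the documented maximum
FREE_ATTEMPTS = 2                # 1st and 2nd failures carry no lockout
DEFAULT_INVALIDATE_AFTER = 10    # failures before the account is disabled (guide default)


def lockout_seconds(failed_attempts: int) -> int:
    """Lockout imposed after the Nth consecutive incorrect password."""
    if failed_attempts <= FREE_ATTEMPTS:
        return 0
    doublings = failed_attempts - FREE_ATTEMPTS - 1   # 3rd failure -> 60 s, 4th -> 120 s ...
    return min(BASE_LOCKOUT_SECONDS * 2 ** doublings, MAX_LOCKOUT_SECONDS)


@dataclass
class LogonState:
    failed: int = 0                  # consecutive incorrect passwords
    locked_until: float = 0.0        # seconds on the caller's clock
    disabled: bool = False           # set once the invalidate threshold is reached
    invalidate_after: int = DEFAULT_INVALIDATE_AFTER


def attempt_logon(state: LogonState, password_ok: bool, now: float) -> str:
    """Apply one logon attempt at time `now`; returns ok/bad/locked/disabled."""
    if state.disabled:
        return "disabled"            # helpdesk password reset required
    if now < state.locked_until:
        return "locked"              # attempts during a lockout are refused, not counted
    if password_ok:
        state.failed = 0
        state.locked_until = 0.0
        return "ok"
    state.failed += 1
    if state.failed >= state.invalidate_after:
        state.disabled = True
        return "disabled"
    state.locked_until = now + lockout_seconds(state.failed)
    return "bad"


def reboot(state: LogonState, now: float) -> None:
    """A reboot during a lockout restarts the full period (this example's reading of the guide)."""
    if now < state.locked_until:
        state.locked_until = now + lockout_seconds(state.failed)


if __name__ == "__main__":
    for n in range(1, 11):
        print(f"attempt {n:2d}: {lockout_seconds(n):5d} s lockout")
```

Running the module prints the schedule; the 5th failure gives 240 s (the guide's 4 minutes) and the 9th gives 3840 s (64 minutes), after which the cap holds.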
Password Template

Figure 6. User Configuration - Password Template

Password Length
Sets the expected length of the user's password between two extremes. Recommended settings are a minimum length of 5 characters, and a maximum length of 40 characters.

Enforce Password Content
Enforcing content in passwords forces the user to pick more secure passwords, but also reduces the number of possible passwords the user can select from. Content is not case sensitive. The following options can be set:

Alpha: A minimum number of characters from the range a-z and A-Z.
Alphanumeric: A minimum number of non-symbol chars from the range a-z, A-Z, and 0-9.
Numeric: Numbers only, from the range 0-9.
Symbols: !"£$%^&*()_+{}~@:><,./ :;@'~#<,>.?/¬¦`[], and other non alpha and non numeric characters.

Content restrictions force the user to be more particular when they change their password. Depending upon the selected options, passwords which are related will not be accepted. The following restrictions can be set:

No Anagrams: "wordpass" is not acceptable after a password of "password".
No palindromes: The passwords "1234321", "asdsa" etc are unacceptable.
No Sequences: "password2" after "password1" is unacceptable, as are passwords such as "aaaaaa" and "111111".
No Simple Words: Allows an administrator-defined dictionary to be set containing forbidden passwords. You can create this dictionary using a unicode text editor. Place each forbidden word on its own line in the file. Name the file TrivialPWDs.dat and place it in your client install set in the [appdir]\SBTokens\Data folder. The password "password" is excluded by default.
Can't Be User Name: Prevents users from using their user name as their password.
Windows content rules: Mirrors the standard Windows password content rule. For passwords to be accepted they must contain at least 3 of the following:
• Lower case letters
• Upper case letters
• Numbers
• Symbols and special characters

Token Type

Figure 7. User Configuration - Token Selection

Sets the token for a given user / group of users. The list of available tokens is created from the token modules installed in the Object Directory. For information on particular token options, please see the Tokens chapter. You need to remember to create Soft Tokens even though they're just passwords. Assigning a token to a user does not necessarily mean they will be able to log into a machine; for example giving a user a smart card does not mean their machine has a smart card reader, or the software needed to drive such a reader. Some tokens may be incompatible with other options; for instance, you cannot use the Floppy Disk token if the user's floppy disk access is disabled, set to read only, or set as Encrypted.

NOTE: When you change a user's token, Endpoint Encryption automatically brings up the token creation wizard.

Recovery Key
You can reset a user's password, or change their token type, using the recovery process. This involves the user reading a small "challenge" of 18 characters from the machine to an administrator, then typing in a larger "response" from the administrator. The recovery key size defines the exact length of this code exchange. The range of options of the recovery key is dependent upon the maximum key size of the algorithm in use. A key size of "0" disables the user recovery system.

Allow web-based self recovery
You can prevent a password-only user from registering for web recovery by deselecting this option.

Administration Rights

Figure 8. User Configuration - Administration Rights

Administration Level
The administration level of a given user defines their Administration Scope. Users can only work with directory objects (machines, other users etc) below their own level; thus a level 2 user can only administer users of level 1, and users of the same level are therefore unable to administer each other. All users are by default created at level 1.

NOTE: A special case exists for the highest level of user ("root users"). The user who first created the directory is created at level 32, allowing them to administer at level 32, and can therefore administer any other object in the directory.

When creating a new user, the administration rights of the creator are reflected to the new user.

Administration Functions
Options in the administration functions box select what administrative options are available to a given user / group of users. Most administration functions are obvious but the following may require more explanation:

• Users/Allow Administration – controls a user's right to start administration systems such as the Endpoint Encryption Manager or Connector Manager. If this option is removed for all users, the management environment will be unavailable.

Devices
This is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for PC Administration Guide.

Logon Hours

Figure 9. User Configuration - Logon Hours

Endpoint Encryption can prevent a user from accessing any machine during particular time periods. In the example above, the user "John Smith" can access any machine his account has been allocated to during the hours of 9am - 5pm any day. If the Force user to logoff box is not ticked, restricting the logon hours of a user does not prevent them continuing to use a machine out of hours if they were logged on when the restriction comes into force; however it does prevent them logging on after this time, for instance at a screen saver prompt.

Application Control
This policy is used by Endpoint Encryption for PC only. Please see the Endpoint Encryption for PC Administration Guide.

Policies

Figure 10.

Endpoint Encryption can control other systems through the Policies Interface. You can define the actual parameters of a policy through its entry on the System Tree, and assign which policies are enforced for a particular user, or group of users, from the policies tab. You can only associate one policy of each type with a user. For more information on policies see the Policies chapter.

Add / Remove
Click Add or Remove to associate a policy with a user.

Connector Bindings

Figure 11. Bindings

The Endpoint Encryption Connectors use the bindings specified for a user to match their Endpoint Encryption account with their account on an alternate system. When a connector creates a new Endpoint Encryption user, it automatically fills in the binding tabs to make the association. It is possible though to connect one, or many, users created in Endpoint Encryption to a connected account by manually editing the bindings list. For information on the correct system tag to use for a given connector, please see the Endpoint Encryption Connector Manager chapter and those after it.

Local Recovery
The Local Recovery option allows the user to reset a forgotten password by answering a set of security questions. When the user first sets up their local recovery feature they will be prompted to select a number of questions and provide the answers to them. These form the basis for their local self recovery feature. Note: Endpoint Encryption contains a generic set of questions.

Setting Local Recovery for a user name or user group
Using Endpoint Encryption Manager, the administrator assigns the local recovery option to the user's logon, or
to a user group. See below. The local recovery options are available from the user logon or group Properties screen.

Figure 12 - Setting the Local Recovery options

Enable Local Recovery
Selecting this check box will set Local Recovery for the specified user or user group. See the Endpoint Encryption for PC Administrators Guide or the Help File for the user local recovery procedures.

Require ? questions to be answered
This option determines how many questions the user must select to perform a Local Recovery.

Allow ? logons before forcing user to set answers
This option determines how many times a user can logon without setting their Local Recovery questions and answers.

The full list of security questions is set by the administrator using the Endpoint Encryption Manager.

Add
The Add button will load the Local Self Recovery Question dialog box and allow you to create a new question. You can also specify the language that question should be in and the minimum number of characters the user must specify when configuring the answer to this question.

Edit
The Edit button will allow you to edit the configuration of a selected question.

Remove
The Remove button will remove a selected question from the list.

Restore
The Restore button will undo your changes and restore the Local Recovery options to the previous settings (providing you have not clicked the Apply button).

Apply
The Apply button will save any changes that have been made.

Administration Groups

Figure 13 - Administration Groups

The groups which an administrator can manage can be restricted. This gives the ability to create high privilege administrators who can only work with a particular population of users and machines, for instance departmental administrators. You can specify all group types for the restriction, so you can also create administrator accounts that have the ability to manage only servers, certain groups of users, or certain groups of machines. Leaving the admin groups box empty gives the account admin capability throughout the Object Directory.

When group restrictions are in place, the user's view of the database is restricted to only the groups specified. When an administrator with group restrictions creates a new user, the group restrictions are reflected into the new user's properties. If the new user also inherits groups from their group membership, these too will be set.

NOTE: Do not restrict the administrative scope of the root administrator or you may not be able to make configuration changes in the future.

Setting User Administrative Privileges

Endpoint Encryption has a powerful and flexible administration structure. You can set three conditions that must be met before a user can perform an administration task:

Administration Level
This must be higher than the object you are trying to administer, or in the case of top-level objects (level 32), must also be level 32.

Groups
If there are any groups specified for administration, the object you are trying to administer must be in one of the groups.

Administration Functions
The feature or command you are trying to use must be enabled in your Admin Rights list.

If all these conditions are met then the user will be able to perform the function. Using a selection of these features enables certain administration hierarchies to be created. We advise that the minimum administration rights are given to each user, to prevent unauthorized configuration of the security. By delegating responsibility, administration can become a simple task.

Some Example Administration Structures

Example 1. Top-down administration.

• Root User – Level 32
• Enterprise Administrator(s) – Level 30, no other restrictions.
• Department A Administrator(s) – Level 20, restricted to user and machine groups in department A only. Rights for server management removed.
• Department B Administrator(s) – Level 20, restricted to user and machine groups in department B only. Rights for server management removed.
• Department A Users – Level 1, all rights removed.
• Department B Users – Level 1, all rights removed.

In this scenario, the departmental administrators are prevented from managing each other's department by the group restriction. Administrators are also prevented from adding any of their users to machines in the other department by the same mechanism. Only the Enterprise Administrator(s) can start or manage Endpoint Encryption Servers.

Example 2. Tree administration.

• Root User – Level 32.
• Master Administrator(s) – Level 30, no other restrictions.
• Sub Admin(s) – Level 20, no other restrictions.
• Users – Level 1, all rights removed.

In this scenario there is a simple top-down chain of administration.

Example 3. Function / Department Administration.

• Root User – Level 32
• Enterprise Administrator – Level 30, no other restrictions.
• Server Manager – Level 30, groups restricted to servers only. Rights restricted to managing servers only.
• Department A Administrator – Level 20, restricted to user and machine groups in department A only. Rights for server management removed.
• Department B Administrator – Level 20, restricted to user and machine groups in department B only. Rights for server management removed.
• Department A Users – Level 1, all rights removed.
• Department B Users – Level 1, all rights removed.

In this scenario, there are additional accounts for the Server Manager, a person responsible for keeping the Endpoint Encryption Server running. Their account has no ability to manage users or logon to clients. There could also be other accounts with the ability to add/remove users (for example used by the personnel department).
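The three conditions (Administration Level, Groups, Administration Functions) combine as a simple all-must-pass check, and the Example 1 structure above is a good fixture for seeing which condition blocks which action. The following is an added example, not code from the McAfee guide or product: the level semantics (strictly higher than the target, or level 32 against a level 32 object), the empty-admin-groups-means-everything rule and the scheme of levels 32/30/20/1 come from the guide; the class names, the function-name strings such as "Users/Add" and "Servers/Manage", and the group names are this example's own.

```python
# Added example (not from the McAfee guide): evaluates the three conditions the
# guide says must all hold before an administration task is allowed.
from dataclasses import dataclass

ROOT_LEVEL = 32


@dataclass
class DirectoryObject:
    name: str
    level: int            # administration privilege, 1 (lowest) .. 32 (root)
    group: str            # the group this object lives in


@dataclass
class Administrator(DirectoryObject):
    functions: frozenset = frozenset()     # enabled Admin Rights (hypothetical names)
    admin_groups: frozenset = frozenset()  # empty = whole Object Directory


def level_ok(actor: Administrator, target: DirectoryObject) -> bool:
    """Higher than the target, or level 32 when the target is itself level 32."""
    if target.level >= ROOT_LEVEL:
        return actor.level >= ROOT_LEVEL
    return actor.level > target.level


def group_ok(actor: Administrator, target: DirectoryObject) -> bool:
    """No group restriction, or the target sits in one of the administered groups."""
    return not actor.admin_groups or target.group in actor.admin_groups


def function_ok(actor: Administrator, function: str) -> bool:
    """The command must be enabled in the actor's Admin Rights list."""
    return function in actor.functions


def check(actor: Administrator, target: DirectoryObject, function: str) -> list:
    """Return the conditions that failed; an empty list means the task is allowed."""
    failed = []
    if not level_ok(actor, target):
        failed.append("Administration Level")
    if not group_ok(actor, target):
        failed.append("Groups")
    if not function_ok(actor, function):
        failed.append("Administration Functions")
    return failed


def example_directory() -> dict:
    """Constructed fixture shaped like the guide's Example 1 (names are ours)."""
    all_rights = frozenset({"Users/Add", "Servers/Manage"})
    no_servers = frozenset({"Users/Add"})        # "Rights for server management removed"
    dept_a = frozenset({"Dept A Users", "Dept A Machines"})
    dept_b = frozenset({"Dept B Users", "Dept B Machines"})
    return {
        "root": Administrator("root", 32, "Administrators", all_rights),
        "ent_admin": Administrator("ent_admin", 30, "Administrators", all_rights),
        "deptA_admin": Administrator("deptA_admin", 20, "Administrators", no_servers, dept_a),
        "deptB_admin": Administrator("deptB_admin", 20, "Administrators", no_servers, dept_b),
        "alice": DirectoryObject("alice", 1, "Dept A Users"),
        "bob": DirectoryObject("bob", 1, "Dept B Users"),
        "server1": DirectoryObject("server1", 1, "Servers"),
    }


if __name__ == "__main__":
    d = example_directory()
    for actor, target, fn in [("deptA_admin", "alice", "Users/Add"),
                              ("deptA_admin", "bob", "Users/Add"),
                              ("deptA_admin", "server1", "Servers/Manage"),
                              ("ent_admin", "server1", "Servers/Manage")]:
        print(actor, "->", target, fn, "blocked by", check(d[actor], d[target], fn) or "nothing")
```

The interesting outcomes are the ones where more than one condition fails: a department A administrator is kept away from the server both by the group restriction and by the removed server-management right, so removing either safeguard alone does not open the door.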
Tokens

The Endpoint Encryption Manager and connected applications support many different types of logon token, for example passwords, smart cards, fingerprint readers and others. See the dedicated product administration guide for details of how to enable tokens for that particular product.

Supported Smart Cards and Tokens
The link below contains the supported smart cards and tokens: https://kc.mcafee.com/corporate/index?page=content&id=pd20895

Hardware Device Support
Ensure the machine has the appropriate Windows drivers for the hardware tokens it needs to support. If you intend to use smart cards, for example, you need to ensure that an Endpoint Encryption supported smart card reader is installed, along with its drivers – for example the Mako/Infineer LT4000 PCMCIA smart card reader must be installed. In both cases, the appropriate device drivers are available either direct from the manufacturer, or from the Endpoint Encryption install CD in the Tools directory.

Endpoint Encryption Application Support
Once you have installed hardware support for the devices, you can enable software support for them when you install Endpoint Encryption. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared; for example, if you intend to use Aladdin eTokens you need to install the Aladdin eToken RTE (Run Time Environment).

Assign the token to the user and create it. From the user's Token properties pane, select the token you want that user to log in with. Endpoint Encryption will prompt you to insert the token and will create the appropriate data files on it. If all steps are followed, users will be able to log in using their new token immediately, or after the machines synchronize.

Upek Fingerprint Reader
1. The Upek Protector Suite QL software must be installed and configured on the client machine. The software can be found on the McAfee Endpoint Encryption Tools download. Please consult your McAfee representative for further information.
2. From the Endpoint Encryption Manager:
   • Create a file group for the Upek token and import the token files: SbTokenUpek.dll and SbTokenUpek.dlm.
   • The Upek file group must be assigned to the machine or machine group.
   • The fingerprint reader must be assigned to a user or a user group. See the user or user group Properties, Tokens screen.
3. The user logs onto the client machine using the Upek token module in password mode. The user will be presented with a dialog which will ask them to register their fingerprints with Endpoint Encryption.
4. The user configures the fingerprint reader to work with one or more of their fingerprints.
5. From then on the user will need to authenticate to Endpoint Encryption with their fingerprint instead of a password.

File Groups and Management

Figure 14. Endpoint Encryption File Groups

The Endpoint Encryption Manager uses central collections of files, called Deploy Sets, to manage what versions of files are used by the many Endpoint Encryption applications. For information on a particular application's support for File Groups, please see its Administration Guide.

When Endpoint Encryption Manager is installed, it automatically adds the entire standard set of Endpoint Encryption administrator files into the file groups and also may create language sets, for example "English Language". Other file sets created as standard include those to support login tokens (such as smart card readers and USB Key tokens). An INI file, ADMFILES.INI, determines the contents of the core groups. INI files such as these can be edited to allow custom collections of files to be quickly imported and then applied using the Import file list menu option. For more information on ADMFILES.ini see the Endpoint Encryption Configuration Files chapter.

Setting File Properties
To see the properties of a file, right-click on the file in question and select Properties. Two screens of information are available.

Figure 15. File Properties, File Information

The name of the file is the actual name which will be used when deploying the file on the remote machine. The ID is the Object Directory object ID used as a reference for the file from the client PC. The version number is an incremental version of the file: when the file is updated, the version is incremented. This is used by the clients to check whether an update is needed. Other information such as the name of the user who imported the file and its size may be shown.

Figure 16. File Properties, Advanced

File Types – Set the type of the file.
File Location – Set the destination directory for the file.
Update – Specify when Endpoint Encryption should update the file.
Operating System – Because some files are only applicable to some operating system(s), the target operating system(s) for the file must be selected. This is to prevent Windows NT drivers being installed on Windows 98 machines, or Windows 9x registry files being run on Windows 2000 servers.
Appid – If you are installing a file which is shared between multiple Endpoint Encryption applications, you can specify this application's ID. This prevents one application from installing files shared by another.

Setting file group functions

Figure 17. File Group Content

You can specify the function of a file group by right-clicking it and selecting its properties. Some file selection windows, for example the file selector for machines, only display certain classes of file group (in this example, those marked as Client Files).

Importing new files
New files can be imported one by one into an existing deploy set using the Import files menu option (right-click menu). Endpoint Encryption will then import the file into the directory and add it to the deploy set.

Exporting Files
You can export a file group, or an individual file, back to a directory. This may be useful, for example, if you have an out of date administration system driver and there is an updated file in the Object Directory.

Deleting Files
You can delete individual files from a file set. Simply select the file. With connected applications this usually results in the deletion of the file from their local directory at the next synchronization event.

Auditing

Introduction
The Endpoint Encryption Manager audits user, machine, and server activity. Audit trails are uploaded to the central directory by both the Administration Center and connected Endpoint Encryption Applications such as Endpoint Encryption for PC and Endpoint Encryption for Files and Folders. By right-clicking on an object in the Endpoint Encryption Object Directory, you can select the view audit function.

The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely, but can be cleared en masse using SBAdmCL. Also, the entire audit of the directory can be exported using the Endpoint Encryption Scripting Tool – for information on this option please contact your McAfee representative. Audit trails can be exported to a CDF file by using the Audit menu option, or by right-clicking the trail and selecting Export.

Many events can appear at multiple places; for example the Login Successful event will be logged both in the user account doing the login, and the machine being logged into, simultaneously.

The permission to view or clear an audit log can be controlled on a user or group basis. Both the administration level and administration function rights are checked before allowing access to a log. For more information on setting these permissions see the Creating and Configuring Users chapter.

Common Audit Events
The text displayed in the audit log will depend on your localization and language settings. The following tables list the common events and their ID codes for the American English version of Endpoint Encryption. You can find out about product specific events from its dedicated administration guide – for example, to find out about Endpoint Encryption for PC events, refer to the Endpoint Encryption for PC Administration Guide.

Information Events
Description                     Event
Audit cleared                   01000000
Boot started                    01000001
Boot complete                   01000002
Booted non-secure               01000003
Booted from floppy              01000004
Backwards Date Change           01000005
Token battery low               01000010
Power fail                      01000011
A virus was detected            01000013
Synchronization Event           01000014
Add group                       01000082
Add object                      01000083
Delete group                    01000084
Delete object                   01000085
Import object                   01000086
Export object                   01000087
Export configuration            01000088
Update object                   01000089
Import file set                 01000090
Create token                    01000091
Reset token                     01000092
Export key                      01000093
Recover                         01000094
Create database                 01000095
Reboot machine                  01000096
Move Object between groups      01000098
Rename Object                   01000099
Server started                  010000C0
Server stopped                  010000C1

Try Events
Description                     Event
Logon attempt                   02000001
Change password                 02000002
Forced password change          02000003
Recovery started                02000016
Database logon attempt          02000081
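The event IDs in these tables encode the event class in their top byte (01 Information, 02 Try, 04 Succeed, 08 Failure) and the event in the remaining bytes. The decoder below turns an exported ID back into class and description and runs two simple detections over a handful of records. This is added example code, not part of the McAfee guide or product; the comma-separated record layout, the sample records and the detection thresholds are assumptions, and only a subset of the event table is included.

```python
"""Decoder and simple detections for the audit event IDs tabulated above, run
over constructed exported-audit records.  Added example code, not McAfee's; the
record layout, sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event class is carried in the top byte of the 32-bit ID (see the tables above).
EVENT_CLASS = {0x01: "Information", 0x02: "Try", 0x04: "Succeed", 0x08: "Failure"}

# Subset of the American English event table above.
EVENT_NAME = {
    0x01000000: "Audit cleared",
    0x01000003: "Booted non-secure",
    0x01000014: "Synchronization Event",
    0x01000099: "Rename Object",
    0x010000C0: "Server started",
    0x010000C1: "Server stopped",
    0x02000001: "Logon attempt",
    0x04000001: "Logon successful",
    0x04000081: "Database logon successful",
    0x08000001: "Logon failed",
    0x08000005: "Password invalidated",
    0x08000081: "Database logon failed",
}


def decode(event_id: str):
    """'08000001' -> ('Failure', 'Logon failed')."""
    code = int(event_id, 16)
    cls = EVENT_CLASS.get(code >> 24, "Unknown")
    return cls, EVENT_NAME.get(code, "Unknown event %08X" % code)


def parse(lines):
    """Each constructed record: '<timestamp>,<object>,<event id>'."""
    out = []
    for line in lines:
        ts, obj, event_id = line.split(",")
        cls, name = decode(event_id)
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), obj, cls, name))
    return out


def repeated_logon_failures(records, threshold=3, window=timedelta(minutes=10)):
    """Objects with at least `threshold` 'Logon failed' events inside any window."""
    per_obj = defaultdict(list)
    for ts, obj, cls, name in records:
        if cls == "Failure" and name == "Logon failed":
            per_obj[obj].append(ts)
    hits = {}
    for obj, times in per_obj.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                hits[obj] = max(hits.get(obj, 0), j - i + 1)
    return hits


WATCHED = {"Audit cleared", "Booted non-secure"}   # constructed watch list


def notable_information_events(records):
    """Information events worth a look on their own: audit wiped, non-secure boot."""
    return [(obj, name) for _, obj, cls, name in records
            if cls == "Information" and name in WATCHED]


# Constructed sample export, not a real audit trail.
SAMPLE = [
    "2010-03-30 08:01:12,alice,04000001",
    "2010-03-30 08:05:40,bob,02000001",
    "2010-03-30 08:05:41,bob,08000001",
    "2010-03-30 08:05:55,bob,08000001",
    "2010-03-30 08:06:20,bob,08000001",
    "2010-03-30 08:07:02,bob,04000001",
    "2010-03-30 09:15:00,LAPTOP-17,01000003",
    "2010-03-30 10:00:00,SERVER01,01000000",
]

RECORDS = parse(SAMPLE)
```

On the sample, bob's three failures inside ten minutes followed by a success are reported, as are the non-secure boot on LAPTOP-17 and the cleared audit on SERVER01; an Audit cleared event is one to correlate with who held the clear-audit right at the time.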
Succeed Events
Description                     Event
Logon successful                04000001
Password changed successfully   04000002
Boot once recovery              04000016
Password reset                  04000017
Password timeout                04000018
Lockout recovery                04000018
Change token recovery           04000019
Screen saver recovery           0400001A
Database logon successful       04000081

Failure Events
Description                     Event
Logon failed                    08000001
Password change failed          08000002
Password invalidated            08000005
Machine configuration expired   08000012
Recovery failed                 08000017
Database logon failed           08000081

Managing Object Directories

All Endpoint Encryption Manager connected applications require a connection and logon to an Object Directory. The Endpoint Encryption logon screen provides an interface to manage these connections, whether they are direct to local directories or through Endpoint Encryption servers. Local directories are accessed directly; for example in the case of the Endpoint Encryption file directory, it is stored on your local machine or on an accessible network drive. Remote directories are accessed through an Endpoint Encryption server.

The logon system automatically remembers the last token which was used, for instance a smart card or fingerprint scan, and displays that interface to the user. If you want to log on with a different token, simply cancel the login box and select a different token from the token selection list.

Managing Connections
You can add and remove directory connections by clicking Cancel on the Endpoint Encryption Manager Login box, then selecting Edit Connections on the Select Your Login Method dialog.

Figure 18. Endpoint Encryption Database Connections

Endpoint Encryption Database Connections
The Endpoint Encryption Database Connections window lists the currently configured directory locations and types. Where authentication parameters for the directory connection have been imported, the connection appears with a tick.

Adding a new directory connection
Click Add to create a new connection. If you are going to access the directory directly, select the Local option from the connection type dropdown list. If the directory has an Endpoint Encryption server supplying its information, use the Remote option.

Local Directories
Local directories (accessed without an Endpoint Encryption server) need a UNC or mapped drive data path (or a file location in the case of a file directory) and a description. The default driver for Endpoint Encryption's Directory is sbfiledb.dll. Endpoint Encryption servers ALWAYS use a local directory; you cannot chain one server onto another.

Remote Directories
Description – Type a description for the directory; this is used to identify the directory in the list.
Server Address – Supply the address or DNS name of the server, and the port it is running on.
Server Port – Set the port the server should communicate on, over a TCP/IP link. The default is 5555.
Authenticate – Server authentication prevents a malicious "rogue" server masquerading as a valid Endpoint Encryption server, by forcing DSA key checking between the server and the Endpoint Encryption application. If the key the server returns is invalid, the Endpoint Encryption application will refuse to connect to the server and inform the user of a key mismatch. When adding a new server, if you elect to create an authenticated link, you will be prompted to provide a key file (.spk file). You can obtain this key from an existing connected administrator by asking them to right-click on the server definition in the Endpoint Encryption Manager, and choose Export Public Key.

NOTE: If you are authenticated to a directory, you can add alternate Endpoint Encryption server connections to this directory to the list by simply right-clicking on the server's directory entry in the system tree, and selecting Add to Directories. This process sets up the connection in advance and adds all the key information if available.

Endpoint Encryption Server

Figure 19. The Endpoint Encryption Server

The Endpoint Encryption Server provides a secure communication interface between the Object Directory and other components, such as Endpoint Encryption Manager, Endpoint Encryption for PC Client, and Endpoint Encryption Directory Synchronizer.

Installing the Endpoint Encryption Server Program
The Endpoint Encryption Server is installed as part of the Endpoint Encryption Manager setup. You can install multiple servers attached to one directory: simply install a new copy of Endpoint Encryption Manager, and manually configure the connection to the existing directory by canceling the Object Directory creation wizard and setting up a new local or remote connection in the subsequent logon box. For information on how to set up directory connections, see Managing Object Directories.

Creating a new Server
Before the Endpoint Encryption Server can start, an entry for it must be created in an Endpoint Encryption Object Directory. This entry/object contains the server's public and private key set, configuration and other parameters.

Creating a new Endpoint Encryption Server Object

Figure 20. Creating a new Endpoint Encryption Server object

To create a new server object, you can either use the New Server option to create a new server in the System/Endpoint Encryption Servers tree using Endpoint Encryption Manager, or you can use the "create" button on the Endpoint Encryption Server startup screen shown after authenticating to the Object Directory. Both procedures follow the same path. Creating the object automatically adds the definition to the local directories list, so the next time you perform a directory logon you will be able to choose to log on to the new Server.

Starting the Endpoint Encryption Server for the first time
Once the object for the server has been created, the program SBServer.exe may be run. The first task is to log in to the local Object Directory. To do this, a logon ID and password are supplied. Once the directory has been selected, a prompt to select the server object is displayed. From this dialog a new server definition can be created, or an existing ID selected. The definition selected controls the startup parameters for the server, and the authentication keys it will use.

Figure 21. Selecting the Endpoint Encryption Server Object to use for configuration

Server Configuration
The Endpoint Encryption Server obtains its configuration from three places:
• The local file sdmcfg.ini supplies the location and type of Object Directory the server should connect to. This file is shared between all the Endpoint Encryption entities.
• The local file sbserver.ini supplies the ID of the object in the local Object Directory that the server uses. It also supplies the logon ID and password to use in case of an automated start, and specifies whether the user should be prompted to select an ID each time the server starts.
• The server's object within the Object Directory specified in sdmcfg.ini supplies the port the server should speak on, and its public and private key information.

Starting the Endpoint Encryption Server as a Service
In Windows 2000 you can start the Endpoint Encryption Server as a true service. To do this, select the Start as service option from the server menu. You will need to supply a user ID and password for the server to use for subsequent starts. The Endpoint Encryption Server stores the user's authentication key in sbserver.ini for use in subsequent logons. This is not the user's password, but could give a hacker a method of attacking the Object Directory.

TIP: You can stop certain user accounts being used to start servers as services by removing their administration privilege Start Server as service.

Using Server / Client Authentication
Endpoint Encryption clients exchange highly sensitive information with their respective Servers, including details of what drives should be encrypted, etc., and rely on their server for their configuration. One possible way around the Endpoint Encryption security would be to substitute an organization's Endpoint Encryption server and Object Directory with a "Rogue" server which told Endpoint Encryption protected machines to decrypt their hard drives.

To prevent this kind of attack, the Endpoint Encryption Server generates a public/private key set on install. The public part of the key is distributed on install to the clients, who then use it to verify the private key on the server each time they communicate with it. With this mechanism, if the server is substituted by re-routing the network traffic or DNS name for instance, the clients will recognize the change and refuse to communicate.

Setting up the Endpoint Encryption Server / Endpoint Encryption authentication
Once an Endpoint Encryption server has been created and started, its public key may be exported from the Object Directory as a file. To extract a Server key from the Object Directory, simply select the server from the server tree, and use the Export public key option. The resulting .sky file can then be freely distributed or placed in a publicly accessible repository, for instance on a web site. To import the information into a directory connection use the Advanced button on the login screen. For more information see Managing Object Directories.

NOTE: If the Object Directory selected during the creation of a deploy set already has authentication configured, then this information will be automatically included within the deploy set.

Connecting to a new Endpoint Encryption Server
Once a server has been created it appears in the Object Directory system tree. If this server was created by someone else in the Endpoint Encryption enterprise, you can still add this server to the local list of Endpoint Encryption servers used in the login dialog by selecting the Add to Directories option. This creates a new entry in the local list, and if necessary downloads the server's public key information. For more information see Managing Object Directories.

Checking a Server's Status Remotely
You can check the status of an Endpoint Encryption Server listed in the Object Directory by right-clicking its object, and selecting Get Status. If the server is online and responsive, it will return its current status in the system log.

NOTE: the active connections list will always show 1 more than the current user / machine connections, due to the connection made by Endpoint Encryption to get the status.

Using Restricted User ID's for Servers
Although any valid user ID can start an Endpoint Encryption server, the access yielded to it by the Object Directory is a reflection of that user's directory permissions. For instance, if a very low admin privilege user starts the Endpoint Encryption Server, then high level users and machines will not receive any configuration updates, because their admin level exceeds that which can be accessed by the Endpoint Encryption Server. For this reason the Endpoint Encryption Server should usually only be started by users with very high, or the highest, level admin rights.

To overcome the conflict of interests described below, Endpoint Encryption allows you to create very high privilege users with no administrative ability: full access to the objects, with no administrative ability. Such accounts are created in the same way as normal users, and with these parameters the only use for the account is as a login to the Object Directory.
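The mechanism described under Using Server / Client Authentication amounts to key pinning with a proof of possession: the client holds the server's public key (what the exported .spk/.sky file carries) and will only talk to a server that can sign a fresh challenge with the matching private key. The following is added example code, not McAfee's protocol or implementation; the challenge framing, the class names and the parameter sizes (kept small for speed) are assumptions, and the parameter and key generation is a plain textbook DSA written out for illustration rather than production use.

```python
"""Challenge/response server authentication with a pinned DSA public key, as an
illustration of the section above.  Added example code, not McAfee's protocol;
message framing, class names and parameter sizes are assumptions; textbook DSA,
not for production."""
import hashlib
import random

rng = random.Random(2010)   # fixed seed so the example is reproducible


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(qbits=160, pbits=512):
    """q prime, p = k*q + 1 prime, g of order q in Z_p^*."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        if is_probable_prime(k * q + 1):
            p = k * q + 1
            break
    while True:
        g = pow(rng.randrange(2, p - 1), k, p)
        if g != 1:
            return p, q, g


def keygen(params):
    p, q, g = params
    x = rng.randrange(1, q)                 # private key
    return x, pow(g, x, p)                  # (private, public)


def _h(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def sign(params, x, msg):
    p, q, g = params
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (_h(msg, q) + x * r) % q
        if r and s:
            return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = _h(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r


class Server:
    def __init__(self, params, private_key):
        self.params, self.x = params, private_key

    def respond(self, nonce):
        return sign(self.params, self.x, b"EE-server-auth:" + nonce)


class Client:
    """Holds the pinned public key (the content an exported key file distributes)."""
    def __init__(self, params, pinned_public_key):
        self.params, self.y = params, pinned_public_key

    def connect(self, server):
        nonce = rng.getrandbits(128).to_bytes(16, "big")       # fresh challenge
        response = server.respond(nonce)
        return verify(self.params, self.y, b"EE-server-auth:" + nonce, response)


PARAMS = generate_parameters()
SERVER_X, SERVER_Y = keygen(PARAMS)     # generated when the genuine server is installed
ROGUE_X, _ = keygen(PARAMS)             # an impostor reached via DNS or traffic re-routing


def demo():
    """Returns (genuine server accepted, rogue server refused)."""
    client = Client(PARAMS, SERVER_Y)
    return client.connect(Server(PARAMS, SERVER_X)), client.connect(Server(PARAMS, ROGUE_X))
```

Because the nonce is fresh per connection, a rogue server cannot replay a captured response either; the only way to pass is possession of the private key that matches the pinned public key, which is exactly what re-routing traffic or hijacking a DNS name does not give an attacker.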
Service Accounts
For practical reasons it is often not the master Endpoint Encryption administrator who starts the Endpoint Encryption Server; usually the corporate server managers have this responsibility. It would not be good security for the master accounts to be given out to any users except those directly involved with the Endpoint Encryption parameters. Endpoint Encryption therefore allows very high privilege users with no administrative ability: we will term these Service Accounts. We recommend they be created in their own group, Service Accounts.

Service Accounts Parameters
The following parameters can be set to yield an account useless for logging on to PCs:

Passwords      Prevent Change set
               Require Change disabled
Admin Rights   Administration Level 30
               All rights cleared except Start as Service
Devices        No access to any devices
Token          Password Only

WARNING – Remember not to add any "service accounts", or the group you create them in, to machines.

Keys

About Keys
Keys are generic purpose objects which other Endpoint Encryption-aware applications can use to encrypt information. For example, Endpoint Encryption for Files and Folders uses Key objects to protect files and folders on network and user hard disks.

Key Administration Functions

Create New Key
This function creates a new Key. You can select the key's name, which algorithm it will use, and enter a description of the key to aid in its identification. To create a new key:
1. Navigate to the System tab of the object tree.
2. Find the key provider. Double-click it to expand its groups.
3. Either open an existing group, or create a new group by right-clicking the top node and selecting Create Key Group.
4. From the open group window, right-click and select Create New Key.
5. Enter the name for the new key, select an algorithm, and select OK.

Rename Key
This option changes the name of a key. This does not affect the association of keys to users, or the protection of data; only the human-readable name is changed.

Delete Key
This option deletes a key from the system. NOTE: If you permanently delete a key, all data protected with that key will be permanently lost. You can, however, restore the key if it has been backed up. To delete a key:
1. Find the key from the Keys node of the System tab within the object tree.
2. Right-click the key and select Delete.

Reset to group configuration
Sets the properties of a key to be those of its group. This includes the user list assigned to the key.

Reset to group configuration (exclude users)
Sets the properties of a key to be those of its group, excluding the key's user list.

Properties
Displays the properties of a key.

Key Configuration Options

Information
Displays information about the key.

Description
A text description of the key; this can be used to identify the purpose or use of the key.

Key is Enabled
Tick to make the key accessible to users. If the key is disabled, then all requests for this key (and therefore all data protected by it) will be denied.

Validity
You can specify when a key is valid until, and whether it can be cached on users' local systems.

Expiry
You can specify a date where the key will be valid until. After this date access to the key (and therefore access to data protected by it) will be denied.

Caching

Allow keys to be cached locally
Enables local caching of the key. Normally keys are obtained on access from the network Endpoint Encryption Key Server: each time a key is requested, the user must authenticate against an Endpoint Encryption Key Server to obtain a fresh copy of the key. This means that the only way to access protected data is to have a good connection to the corporate Key Server. If you need data to be available to users offline, for example when they are working disconnected from the network, you can allow local caching of a particular key. If the Key Server is not accessible then the user authenticates against a local key cache and queries it for a copy of the key. If the user's credentials are not correct, no keys are released. If the key could be obtained from the Key Server, then the local copy may be installed, or updated at the same time.

Remove from cache after...
Causes a local cached copy of a key to be wiped from the local key cache after a certain number of days of disconnection. This prevents users obtaining keys, then continuing to use them for extended periods of time without validating their credentials against the central Endpoint Encryption Key Server. You can use this option to ensure that if you make changes to the validity or user list of cacheable keys, these changes are enforced within a certain period of time.

Restrict Access To
Defines the user list for a key. If the list is empty, then any user can access the key. If you add a user to the user list, ONLY those users can obtain, or administer, the key.

Users
You can restrict access to keys to certain users by adding them to the key's user list. When the list is empty, any user who has valid Endpoint Encryption credentials can obtain the key. Once one or more users are added to the list though, ONLY they can access or administer the key. This prevents general Endpoint Encryption administrators from being able to access sensitive data.

NOTE: You can restrict what administration functions regarding keys (add key, delete key, properties etc.) a user may perform by setting the user's administration rights. See the Administration Rights section for more information.

Minimum Admin Level Required
You can specify the minimum admin level required to access a key. This parameter is enforced in ADDITION to the restricted user list: if one or more users are added and an admin level is also set, then a listed user who does not match or exceed the level will still not be able to access the key. For more information on admin levels see the Administration Rights section.
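The options above combine into one access decision, and the caching options change where that decision is taken. The following walks a cacheable key through online, offline and stale-cache requests so the effect of "Remove from cache after" can be seen. This is added example code, not the Key Server's own logic; the class names, the days_disconnected argument, and the sample key and users are assumptions.

```python
"""Access decision for a Key as the configuration options above describe it:
Key is Enabled, Expiry, the Restrict Access To user list (empty = any valid
user), Minimum Admin Level (enforced in addition) and the local cache with its
"remove from cache after N days" rule.  Added example code, not the product's;
class names, the days_disconnected argument and the sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Key:
    name: str
    enabled: bool = True
    expiry: Optional[date] = None
    users: frozenset = frozenset()               # Restrict Access To
    min_admin_level: int = 0
    cacheable: bool = False
    remove_from_cache_after: Optional[int] = None   # days of disconnection


@dataclass(frozen=True)
class User:
    name: str
    admin_level: int
    credentials_valid: bool = True


def key_server_decision(key: Key, user: User, today: date):
    """What the Key Server (or a cached snapshot of the key) allows."""
    if not user.credentials_valid:
        return False, "credentials rejected"
    if not key.enabled:
        return False, "key disabled"
    if key.expiry is not None and today > key.expiry:
        return False, "key expired"
    if key.users and user.name not in key.users:
        return False, "user not in key's user list"
    if user.admin_level < key.min_admin_level:
        return False, "admin level below minimum"
    return True, "released"


def request_key(key, user, today, server_reachable, cache, days_disconnected=0):
    """cache maps key name -> the Key snapshot installed when last fetched online."""
    if server_reachable:
        ok, why = key_server_decision(key, user, today)
        if ok and key.cacheable:
            cache[key.name] = key                  # install or update the local copy
        return ok, why + " by Key Server"
    if not user.credentials_valid:                 # offline: authenticate to the cache
        return False, "credentials rejected by local cache"
    cached = cache.get(key.name)
    if cached is None:
        return False, "Key Server unreachable and no cached copy"
    limit = cached.remove_from_cache_after
    if limit is not None and days_disconnected > limit:
        del cache[key.name]
        return False, "cached copy wiped after %d days disconnected" % limit
    ok, why = key_server_decision(cached, user, today)
    return ok, why + " from local cache"


def scenario():
    """One cacheable key: online denial, online release, offline use, stale cache, wipe."""
    today = date(2010, 3, 30)
    finance = Key("Finance", users=frozenset({"alice"}), min_admin_level=10,
                  cacheable=True, remove_from_cache_after=7)
    alice = User("alice", 10)
    bob = User("bob", 30)                # high admin level, but not on the user list
    cache = {}
    results = [
        request_key(finance, bob, today, True, cache),          # denied: user list
        request_key(finance, alice, today, True, cache),        # released and cached
        request_key(finance, alice, today, False, cache, 3),    # offline, from cache
    ]
    # The administrator now replaces alice with carol on the key.  The stale cached
    # copy still serves alice until the remove-after limit wipes it.
    finance_v2 = Key("Finance", users=frozenset({"carol"}), min_admin_level=10,
                     cacheable=True, remove_from_cache_after=7)
    results.append(request_key(finance_v2, alice, today, False, cache, 5))
    results.append(request_key(finance_v2, alice, today, False, cache, 8))
    results.append(request_key(finance_v2, alice, today, True, cache))
    return results
```

The fourth step is the point of the "Remove from cache after" option: a user-list change made at the Key Server is invisible to a disconnected client until the cached snapshot is refreshed or wiped, so the limit bounds how long a revoked user can keep using protected data offline.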
Policies

About Policies
Endpoint Encryption can manage other systems and applications from the main Administration console. Each additional application provides a Policy system which allows the parameters for the application to be defined – for example the Endpoint Encryption for Files and Folders policy provider integrates into the Endpoint Encryption Database, and allows you to set the functions and parameters for the Endpoint Encryption for Files and Folders system.

You can assign policies to most kinds of Endpoint Encryption supported object, such as users, machines, PDAs etc., wherever appropriate for the individual policy type. You can assign policies to both individual objects (such as users), and also to groups of objects (such as groups of machines). You should create policies to fulfill an organizational or functional need – for example a policy for a role within your organization, such as Management Team.

Policy Administration Functions

Add Policy
You can create any number of policies of each type. To create a new policy:
1. Navigate to the Policies tab of the object tree.
2. Find the Policy provider you want to create a new policy for – for example Endpoint Encryption for Files and Folders Policies.
3. Double-click it to expand its groups.
4. Either open an existing group, or create a new group by right-clicking the top node and selecting Create Policy Group.
5. From the open group window, right-click and select Add.
6. Enter the name for the new policy, and select OK.

Rename Policy
Changes the name of the policy. This does not affect the association of the policy to other objects.

Delete Policy
If you delete a policy, all users of that policy will receive the "Default" policy instead the next time they update. To delete a policy:
1. Find the policy from the Policies tab of the object tree.
2. Right-click the policy and select Delete.

Reset to Group Configuration
Resets the properties in the selected policy to those of its group.

Create Copy
Creates a copy of a policy object based on the selected one.

Properties
Opens the properties of the selected group or object.

Create Installation Set
To install a policy object, some types allow you to create an installation set directly from the Endpoint Encryption database for that application; for example, to install Endpoint Encryption for Files and Folders you can create an Install EXE direct from the policy object. For more information, see the Endpoint Encryption for Files and Folders Administration Guide.

Assigning a policy object to a user
You can normally only assign one policy of each type to any particular object, for example one Endpoint Encryption for Files and Folders policy per user.
1. Open the user's Properties window.
2. Move to the Policies properties type in the properties list.
3. Click the Add button.
4. Select the policy you want to associate with that user.
5. Click OK.

Assigning a policy object to a machine
You can normally only assign one policy of each type to any particular object, for example one Asset policy per machine.
1. Open the machine's Properties window.
2. Move to the Policies properties type in the properties list.
3. Click the Add button.
4. Select the policy you want to associate with that machine.
5. Click OK.

Endpoint Encryption Connector Manager

The Connector Manager is responsible for managing the correlation of information between the Endpoint Encryption Object Directory and another data source. This remote source may be another Object Directory, or may be some disparate system (for example an X500 directory over LDAP, Active Directory, or an NT Domain). The Connector Manager is a set of customizable routines that can be used to quickly implement the desired synchronization functions. Support for alternate data stores is implemented on a customer basis; to discuss synchronization with other data stores please contact your McAfee representative.

The Connector Manager tools are supplied pre-configured to provide Endpoint Encryption directory synchronization to alternate systems such as NT Domains, Active Directory, and Novell Netware NDS as a uni-directional process.

Figure 22. Endpoint Encryption Connector Manager

Adding and Removing Connector Instances
You can add connectors to the Manager Tree simply by right-clicking the root node (Endpoint Encryption Connector Manager).

Add Connector
Creates a new connector instance. You can select from the available connector types, and give the connector a unique name.

Delete Connector
Deletes the selected connector from the tree. Any connected users will become "orphaned", unconnected to any alternate system.

Rename Connector
You can rename a connector to a more descriptive name.

Schedule and Log
Each connector has a schedule and log controlled through the Connector Manager. To set the schedule for a connector, or change its log settings, simply click its name in the connector tree. You can add periodic events to the schedule to control when each connector performs its activity. You can also set repeat intervals for the tasks. Scheduled tasks are enabled from the moment they are created. The activity of the connector is logged centrally to the Connector Manager. You can also specify that the log should be appended to a file as it is created.

Service Mode
The Connector Manager uses the Windows Scheduled Task Service to run individual connectors at preset times and intervals. This happens automatically; you do not need to run a special version of the connector manager.

Running Connectors Interactively
You can run a connector interactively from the run now tab. The connector will output a progress log of its activities.

Error Messages
For information on error messages generated by the Connector Manager, or one of its connectors, please see the Error Messages chapter.

NT Connector (NTCon)

The NT connector is designed to populate the Endpoint Encryption user list from an existing NT Domain. By specifying a server to synchronize with, the connector mines the domain user list, creating Endpoint Encryption user accounts for those domain users not found. If a domain user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. If the domain user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box. We recommend you disable users only, and delete them manually.

WARNING: If you delete an Endpoint Encryption user account, no files protected by only that Endpoint Encryption user id will be recoverable.

The NT Connector needs to be run on either an NT4.0 Domain Server, or a Windows 2000 server / workstation, and needs access to the Endpoint Encryption Object Directory.

Summary of connected attributes

Domain user name
Used to create new Endpoint Encryption users. Also used in the Endpoint Encryption user-binding tab to maintain a connection to the domain user.

Full name
The domain user full name field is placed in the Endpoint Encryption user's field list.

Description
The domain user description is placed in the Endpoint Encryption user's field list.

Domain User Status
The Endpoint Encryption user status mirrors the domain user status, either enabled or disabled.

Domain User Logon Hours
The Endpoint Encryption user logon hours are set to match the domain user's.

Password Change
The ability to change the password is reflected in the Endpoint Encryption user account.

Valid until
General Options NT Server Specify the server you want to obtain the user list from. Disable Users Only If a user is deleted from the domain. NOTE: The domain password for a user account is not available for Endpoint Encryption. their matched Endpoint Encryption account can be either deleted or disabled. Click the Servers button to obtain a list of machines accessible from this station. logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all). each new user will be created with the default password of “12345” – you should ensure that all Endpoint Encryption groups which receive new users from the NT Connector have the Change password if default attribute set. and delete them manually. no files protected by only that Endpoint Encryption user id will be recoverable. or specify a domain server. Use Configuration Checksum The connector can store a checksum of the domain configuration in the domain user comment. You can use the local machine.NT Connector (NTCon) The expiry date of the domain account is placed in the Endpoint Encryption user valid until field. To use this option you need to run the connector on a primary or backup domain controller – you cannot use this option on a remote server. We recommend you disable users only. Throttling You can specify a delay between checking each user account to make the synchronization process more network-friendly. you can map them to different Endpoint Encryption user groups based on their domain membership. Group Mappings To ease the configuration of many synchronized domain users. Group Membership On creation. NT Connector (NTCon) users’ memberships. The first match found causes NT Connector to create the user in the specified Endpoint Encryption user group. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a domain user list into Endpoint Encryption and have minimal configuration work left. 
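The following is an added example, not McAfee code, that simulates one NT Connector sync pass over constructed sample data so that the rules above can be checked offline: new users are created with the documented default password "12345" and the change-on-first-logon flag, status, logon hours and expiry are mirrored, a per-user configuration checksum lets unchanged users be skipped, and a user that has left the domain is disabled rather than deleted when Disable Users Only is set. The dictionaries standing in for the Object Directory, the field names, and the sample domain users are all assumptions of the example.

```python
# Added example, not McAfee code: a simulated NT Connector sync pass over
# constructed sample data (a dict stands in for the Object Directory).
import hashlib
import json

DEFAULT_PASSWORD = "12345"  # documented default for connector-created users
SYNCED_FIELDS = ("full_name", "description", "enabled", "logon_hours",
                 "valid_until", "can_change_password")


def config_checksum(domain_user):
    """Stable checksum over the synchronized fields. With 'Use Configuration
    Checksum' the connector keeps this in the domain user comment so an
    unchanged user can be skipped without re-reading its configuration."""
    payload = json.dumps({k: domain_user.get(k) for k in SYNCED_FIELDS},
                         sort_keys=True, default=str)
    return hashlib.sha256(payload.encode()).hexdigest()[:16]


def map_group(domain_user, group_mappings, default_group):
    """First-match rule: the first mapping row whose NT group the user belongs
    to wins; otherwise the default group (None = 'Add user to default group'
    cleared, so the user is not synchronized at all)."""
    for nt_group, ee_group in group_mappings:
        if nt_group in domain_user["groups"]:
            return ee_group
    return default_group


def sync_pass(domain_users, ee_users, group_mappings, default_group,
              disable_users_only=True):
    """One connector run. Returns (actions, ee_users); actions is the audit
    trail of what the pass did, in order."""
    actions = []
    seen = set()
    for du in domain_users:
        name = du["name"]
        seen.add(name)
        checksum = config_checksum(du)
        ee = ee_users.get(name)
        if ee is None:
            group = map_group(du, group_mappings, default_group)
            if group is None:
                actions.append(("skip-unmapped", name))
                continue
            ee_users[name] = {
                "password": DEFAULT_PASSWORD,
                "change_password_if_default": True,  # the group attribute the text says to set
                "group": group,
                "binding": name,      # user-binding tab keeps the link to the domain user
                "checksum": checksum,
                **{k: du.get(k) for k in SYNCED_FIELDS},
            }
            actions.append(("create", name, group))
        elif ee.get("checksum") == checksum:
            actions.append(("unchanged", name))
        else:
            ee.update({k: du.get(k) for k in SYNCED_FIELDS})
            ee["checksum"] = checksum
            actions.append(("update", name))
    # Bound users that no longer exist in the domain.
    for name in list(ee_users):
        ee = ee_users[name]
        if name in seen or ee.get("binding") != name:
            continue
        if disable_users_only:
            if ee.get("enabled", True):
                ee["enabled"] = False
                actions.append(("disable", name))
        else:
            # Irreversible: files protected only by this user's key are lost.
            del ee_users[name]
            actions.append(("delete", name))
    return actions, ee_users


# Constructed sample data.
SAMPLE_DOMAIN = [
    {"name": "alice", "full_name": "Alice Adams", "description": "Sales rep",
     "enabled": True, "logon_hours": "Mon-Fri 08:00-18:00", "valid_until": None,
     "can_change_password": True, "groups": ["Domain Users", "Sales"]},
    {"name": "bob", "full_name": "Bob Brown", "description": "Domain admin",
     "enabled": False, "logon_hours": "always", "valid_until": "2010-12-31",
     "can_change_password": False, "groups": ["Domain Admins", "Sales"]},
]
GROUP_MAPPINGS = [("Domain Admins", "NT Domain Admins"),
                  ("Domain Guests", "NT Domain Guests"),
                  ("Sales", "NT Domain Sales"),
                  ("Domain Users", "NT Domain Users")]


def demo():
    """Two passes: the first creates alice and bob and disables carol, who is
    bound to a domain user that has since been deleted; the second finds
    every checksum unchanged and does nothing."""
    ee = {"carol": {"binding": "carol", "enabled": True,
                    "group": "NT Domain Users", "checksum": "stale"}}
    first, ee = sync_pass(SAMPLE_DOMAIN, ee, GROUP_MAPPINGS, "NT Domain Users")
    second, ee = sync_pass(SAMPLE_DOMAIN, ee, GROUP_MAPPINGS, "NT Domain Users")
    return first, second, ee


if __name__ == "__main__":
    for action in demo()[0]:
        print(action)
```

The delete branch is the one the WARNING above is about: once the Endpoint Encryption account is gone, nothing in the pass can bring back the key that protected that user's files, which is why the example defaults to disable_users_only=True.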
Group Mappings
To ease the configuration of many synchronized domain users, you can map them to different Endpoint Encryption user groups based on their domain membership. The first match found causes NT Connector to create the user in the specified Endpoint Encryption user group. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a domain user list into Endpoint Encryption and have minimal configuration work left.

For example, if the following group mappings were specified:

NT group name      Endpoint Encryption group name
Domain Admins      NT Domain Admins
Domain Guests      NT Domain Guests
Sales              NT Domain Sales
Domain Users       NT Domain Users

A domain user with memberships of Domain Admins and Sales would be placed in the Endpoint Encryption user group NT Domain Admins. A user with memberships of Domain Users and Sales would be placed in NT Domain Sales, as Sales is listed first. If you clear the Add user to default group tick box, and the NT user being checked does not belong to any of the specified groups, they will not be synchronized into the Endpoint Encryption directory.

User Information
You can specify which Endpoint Encryption information fields receive information from the domain account comment and description. You can also select the default behavior when new users are created.

LDAP Connector (LDAPCon)

LDAPCon is an optional connector designed to populate the Endpoint Encryption user list from an existing LDAP Protocol 1-3 Directory server. For information on purchasing these connectors please contact your McAfee representative.

By specifying the directory to synchronize with, the connector mines the directory, creating Endpoint Encryption user accounts for directory users who meet certain pre-defined criteria. If a directory user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. You can also make decisions to globally disable users based on any attribute using the Excluded Users function.

The v4.2.12+ versions of the LDAP Connector can also use certificates stored in the AD to create users who can log on to Endpoint Encryption applications using Smart Cards and eTokens. These "crypt-only" tokens do not have to be initialized for use with Endpoint Encryption, as the PKI certificates stored on them can be used without any initialization.
LDAPCon can run on Windows 2000, XP and Vista. It requires network access to both an Endpoint Encryption Server and the directory server itself.

Summary of connected attributes

User name
Used to create new Endpoint Encryption users. Various directory attributes can be used to create the Endpoint Encryption user name. If the user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box.

WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint Encryption user's key will be recoverable. We recommend you disable users only, and delete them manually.

User Status
The Endpoint Encryption user status mirrors the directory user status: either enabled or disabled.

User Logon Hours
The Endpoint Encryption user logon hours are set to match the directory user's.

Password Change
The ability to change the password is reflected in the Endpoint Encryption user account.

Information Fields
Up to 10 fields of information from the directory can be placed in the Endpoint Encryption user's field list.

Valid until
The expiry date of the directory account is placed in the Endpoint Encryption user Valid until field.

Group Membership
Logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all). Also, if certain changes happen to the directory user, their Endpoint Encryption group can be set to change accordingly.

General Options

Connection Details

Connection Name
A text description for this instance of the connector.

Host
The IP address or DNS name of the directory server you wish to connect to.

Port
The TCP/IP port that the target directory is publishing on. This is usually 389, or 636 for secure connections.

Use Secure Connection
This option allows you to specify a secure connection, and is used to get full access to the directory. It will change the port number to 636 (note: this is configurable). The Certificate... button will also activate; you can browse and select the right certificate from the Microsoft Certificate store, or use it to point the connector to the appropriate .DER file. You may have to obtain a certificate from your directory manager.

NOTE: Certificates are generated for particular users; the encryption and logon is determined by the certificate.

Protocol Version
The LDAP Protocol version your directory supports; this is usually Version 3.

Anonymous Login
If your directory supports anonymous login, check this box; otherwise complete the Logon Credentials section.

Logon Credentials

User DN
Enter the full distinguished name for the administrator's account. Microsoft has removed the ability to specify a user logon in this instance.

Password
Enter and confirm the password for the account you specified in the User DN field.

Search Settings

Base DN
The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your directory if you need to limit the scope of the connector.

Object Filter
Enter an appropriate filter to restrict the connector's view of objects in the directory. The default filter:

(&(objectClass=User)(!objectClass=Computer))

restricts the view to directory objects that are of class User and not of class Computer. If you only need to synchronize a small segment of users from your directory to Endpoint Encryption, you can specify a detailed Object Filter; this makes the process more efficient by forcing the connector to look only at the users which are "interesting" to it. For example, to restrict the connector's view to users of the group Endpoint Encryption only, you could use a query like:

(&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))

Wherever you specify a search query, you must use the full parameters as accepted by the directory, so in the example above the memberOf parameter must match exactly that shown in the user. You can use an LDAP browser to see the correct attribute details.

Timeout
Specify the connection timeout for your directory.

Search Depth
You can limit the scope of the connector by reducing the section of the directory that is searched for users.

Entry Limit
Specify the maximum number of objects to synchronize; this setting is useful when you need to test the behavior of the connector. For production use, set it to 0 (unlimited).

Monitor Changes
If your directory supports change logging, you can enable monitoring to enhance the performance of the connector. This sets up an asynchronous search on the directory server which reports when leaves are updated. Some directory servers may not accept this parameter.

Referrals
If your directory uses referrals, you can enable this feature in the connector.

Search Groups
You can specify a list of DNs for group objects in your directory which contain members you wish to include in this connector's scope of operation. Search Groups takes precedence over the Object Filter specified in the Search Settings pane.

Attribute Types
Binary data attributes must be defined in this list before they can be used by the connector. You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant. For example, in the DN "CN=McAfee,CN=COM,FN=Fred", if substring searching is enabled for DN, then "CN=COM" is a valid match.

Group Mappings

Group Mapping Information
To ease the configuration of many synchronized directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. As each directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per user causes the LDAPCon to create or assign the user in the specified Endpoint Encryption user group.
For example, if the following group mappings were specified:

Directory Organizational Unit (attribute value)   Endpoint Encryption group name   Directory service attribute
OU=R&D                                            R&D                              distinguishedName
OU=Sales                                          Sales                            distinguishedName
OU=Support                                        Techsup                          distinguishedName
OU=Management                                     MT                               distinguishedName

A directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales, as that clause comes first in the list. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize a directory user list into Endpoint Encryption and have minimal configuration work left.

To add a new entry, either double-click or right-click on the input table. By right-clicking an existing entry you can change its order, edit it, or delete it.

By specifying the No Mapping Exists behavior you can select one of four options:
1. Use a defined group.
2. Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).
3. Add the user to the default group.
4. Ignore, Remove, Disable or Recycle the user.

NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data. For information on this process, see Using Binary Data Attributes later in this chapter.

User Mapping
The LDAPCon has the ability to map up to 10 fields of information from the directory into the Endpoint Encryption Directory. If the directory attributes mapped to these Endpoint Encryption fields change, then the user's Endpoint Encryption account will be updated accordingly. A typical use of this feature would be security question-answer sessions to aid validation of a remote user.

Removal Behavior
You can choose to either:
• Remove users from Endpoint Encryption if their account is removed from the directory.
• Disable them only.
• Ignore this event.

NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New Users Password
When a new account is created in the Endpoint Encryption directory, the password will be set to the option specified. If you set the account to a random password, the user will need to be "recovered", or the account manually set to a known password, before the user will be able to authenticate to Endpoint Encryption.

New Users Token
If you are using certificates, via for example Microsoft Certificate Server, you can allow your users to log in to Endpoint Encryption using their existing Certificate Token, for example an Activcard, eToken, or Setec token. Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user. For information about the supported tokens please see the Tokens chapter of this guide.

Search Endpoint Encryption for User Binding
Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users will be disabled, and the connector will expect to find the users pre-existing in the Endpoint Encryption directory. The connector will search for users with a binding which matches its identifier, and will only process those users. You can use the Search Endpoint Encryption option to process directories which contain a large population of "uninteresting users". If you can pre-seed the Endpoint Encryption directory with the names of the users, and appropriate binding information (for example using the scripting tool), you can greatly streamline the process.
User Attributes

The User Bindings tab is used to correlate the directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the directory is set up in a non-standard way.

Binding Attribute
The non-changing unique identifier for the user. This should be an item that is unique for that user, and unlikely to change for the existence of this account despite changes in surname or group membership.

Endpoint Encryption User name
An attribute used to create the Endpoint Encryption user name.

NOTE: Endpoint Encryption user ids are limited to 256 characters; you should not use an attribute that is likely to exceed this length.

Account Control
The directory attribute containing the user account disabled/enabled information.

Account Expires
The directory attribute containing the account expiry date.

Change Attribute
The directory attribute containing the account change stamp.

Logon Hours
The directory attribute containing the User Logon Hours information.

Excluded Users
You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process. You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users.

Revocation Check
If you are using certificates to authenticate your users, you can enable revocation checking to ensure that if certificates are revoked, the user is denied access to Endpoint Encryption. Specify the appropriate LDAP parameters for your published revocation list, and the behavior the connector should follow when revoking users.

Delay between each user
You can stifle the bandwidth that this connector consumes by putting a delay between each user synchronization.

LDAP Browser from Softerra

When configuring the LDAPCon, it is highly desirable to view the Netware Directory in its unadulterated, raw LDAP state. To do this we strongly recommend the free tool LDAP Browser from Softerra (http://www.ldapbrowser.com). This tool may be found on your Endpoint Encryption CD, or included on the Endpoint Encryption Enterprise CD in the Tools directory.

Connecting to your Directory using LDAP Browser

To connect LDAP Browser to your directory, you will need to know its IP or DNS name, and have a valid administrative account to access the data with. Create a new entry in LDAP Browser. You may not need to enter a Base DN, but you will need the full distinguished name for your administration account. Once you have successfully connected to your Netware Directory, you can start browsing the information to check the appropriate fields to use for the LDAPCon.

Choosing the correct fields for Synchronization

The exact settings used in any particular installation of LDAPCon are particular to each installation, especially when considering custom user to Endpoint Encryption group mapping and custom exclusion of users. In most cases the default settings are appropriate for general use, although some customization can be performed.

In the case of the user whose properties are listed above, it can be seen that any of the attributes cn, givenName or sn could be used to populate the Endpoint Encryption Username, although some of these may result in collisions with other similarly named users. Attributes such as groupMembership or securityEquals could also be used to map a user to a group, or to exclude a particular user from the synchronization process. Also, it can be seen that there are multiple objectClass attributes; these could be used to make a decision on their mapping to Endpoint Encryption groups (by using the Group Information fields).

NOTE: The distinguishedName attribute is treated as a special case when matching values: any fragment of the value can be matched. All other attributes are matched on their entire value.

Using Binary Data Attributes

In some circumstances you may want to use binary attributes to perform matching and group associations in the LDAPCon. The values for such attributes cannot be directly entered into the connector fields; they must be entered as escaped sequences. To determine what values to add, use your LDAP Browser to view the data in the directory, for example:

In this schema, the attributes objectGUID and objectSid are binary attributes. This attribute may not be displayed in a browser window, but exists internally. If you wanted to manually link an existing Endpoint Encryption user to this directory user connecting via their objectGUID, you would need to assign the binding attribute to objectGUID in the Endpoint Encryption user's User Bindings properties, define the attribute objectGUID as a binary data type in the Attribute Types list in General Options, and add a binding to LDAPConnector.username in their Endpoint Encryption profile which matches the escaped attribute value.

Figure 15-23. Connector Binding with Escaped Value

Active Directory Connector (ADCon)

ADCon is an optional connector designed to populate the Endpoint Encryption user list from an existing Microsoft Active Directory. For information on purchasing ADCon please contact your McAfee representative.

By specifying an Active Directory to synchronize with, the connector mines the directory, creating Endpoint Encryption user accounts for Active Directory users who meet certain pre-defined criteria, and continuously updating their policy to match that stored in the AD. If an Active Directory user account is deleted or disabled, the connector makes the appropriate change to the Endpoint Encryption user account for that user. You can also make decisions to globally disable users based on any attribute using the Excluded Users function.

The v4.2.12+ versions of the Active Directory Connector can also use certificates stored in the AD to create users who can log on to Endpoint Encryption applications using Smart Cards and eTokens. These "crypt-only" tokens do not have to be initialized for use with Endpoint Encryption, as the PKI certificates stored on them can be used without any initialization.

ADCon can run on Windows 2000, XP and Vista. It requires network access to both an Endpoint Encryption Server and the Active Directory itself.

Summary of connected attributes

Active Directory User name
Used to create new Endpoint Encryption users. Various Active Directory attributes can be used to create the Endpoint Encryption user name. If the Active Directory user is deleted, the Endpoint Encryption user is either deleted or disabled depending upon the state of the Disable Users Only box.

WARNING: If you delete an Endpoint Encryption user account, no files protected solely by that Endpoint Encryption user's key will be recoverable. We recommend you disable users only, and delete them manually.

Active Directory User Status
The Endpoint Encryption user status mirrors the Active Directory user status: either enabled or disabled.

Active Directory User Logon Hours
The Endpoint Encryption user logon hours are set to match the Active Directory user's.

Password Change
The ability to change the password is reflected in the Endpoint Encryption user account.

Information Fields
Up to 10 fields of information from the Active Directory can be placed in the Endpoint Encryption user's field list.

Valid until
The expiry date of the Active Directory account is placed in the Endpoint Encryption user Valid until field.

Group Membership
Logic can be applied to determine which group the new Endpoint Encryption user is created in (if at all). Also, if certain changes happen to the Active Directory user, their Endpoint Encryption group can be set to change accordingly.

General Options

Connection Details

Connection Name
A text description for this instance of the connector.

Host
The IP address or DNS name of the Active Directory server you wish to connect to.

Port
The TCP/IP port that the target Active Directory is publishing on. This is usually 389.

Use Secure Connection
This option allows you to specify a secure connection. It will change the port number to 636 (note: this is configurable).

Protocol Version
The LDAP Protocol version your Active Directory supports; this is usually Version 3.

Anonymous Login
If your Active Directory supports anonymous login, check this box; otherwise complete the Logon Credentials section.
Logon Credentials

User DN
Enter the full distinguished name for the AD administrator's account, or the account you intend to use the connector with. You can find this by contacting your AD Administrator. You can also specify the user name in a fully qualified AD format, for example someone@somewhere.com. The account name you use to authenticate to the AD must have full view access of the full set of user attributes you want to synchronize with.

Password
Enter and confirm the password for the account you specified in the User DN field.

Search Settings

Search Settings define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later on in this chapter. You can also use Search Groups to define which users the connector processes; see the next section for more information.

NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence.

Base DN
The base distinguished name for the section of the directory this instance of the connector is to work with. You can set the Base DN to a sub-branch of your Active Directory if you need to limit the scope of the connector.

Object Filter
Enter an appropriate filter to restrict the connector's view of objects in the directory. The default filter:

(&(objectClass=User)(!objectClass=Computer))

restricts the view to directory objects that are of class User and not of class Computer. If you only need to synchronize a small segment of users from the AD to Endpoint Encryption, you can specify a detailed Object Filter; this makes the process more efficient by forcing the connector to look only at the users which are "interesting" to it. For example, to restrict the connector's view to users of the group Endpoint Encryption only, you could use a query like:

(&(objectClass=user)(!objectClass=computer)(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))

Wherever you specify a search query, you must use the full parameters as accepted by the AD, so in the example above the memberOf parameter must match exactly that shown in the user. You can use an LDAP browser to see the correct attribute details.

Timeout
Specify the connection timeout for your Active Directory.

Search Depth
You can limit the scope of the connector by reducing the section of the directory that is searched for users.

Entry Limit
Specify the maximum number of objects to synchronize; this setting is useful when you need to test the behavior of the connector. For production use, set it to 0 (unlimited).

Monitor Changes
If your Active Directory supports change logging, you can enable monitoring to enhance the performance of the connector. This sets up an asynchronous search on the Active Directory server which reports when leaves are updated. Some versions of Active Directory may not accept this parameter.

The Active Directory search monitoring cannot take account of complex Object Filters. If you need to specify more criteria than the default to prevent the monitor returning unwanted users, you can edit the Connector Manager Settings file manually, adding entries in the following section:

UserValid0.DSAttrib=objectClass
UserValidity0.AttribVal=CN=Person
UserValid1.DSAttrib=objectCategory
UserValidity1.AttribVal=user
UserValid2.DSAttrib=memberOf
UserValidity2.AttribVal='full memberOf attribute'

Referrals
If your Active Directory uses referrals, you can enable this feature in the connector.
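The following is an added example, not McAfee code, for the Object Filter and Monitor Changes settings above (and the identical Object Filter settings of the LDAP Connector): a small, strict RFC 4515 filter parser and evaluator that lets you try a filter offline against constructed directory entries before putting it into a connector, together with the escaping a value needs before it is pasted into a filter (which is also what a binary objectGUID needs). One caveat it makes visible: the default filter as printed in this guide writes the NOT clause as (!objectClass=Computer), whereas RFC 4515 requires the operand of ! to be a parenthesized filter, (!(objectClass=Computer)); the strict parser below rejects the unparenthesized form, so confirm which spelling your directory server accepts. The sample entries, the settings-file lines fed to filter_from_settings, and the function names are assumptions of the example.

```python
# Added example, not McAfee code: a strict RFC 4515 filter parser/evaluator
# to try an Object Filter offline against constructed entries, plus the
# escaping a value needs before it is pasted into a filter.
import re


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value (str or bytes): ( ) * \\ NUL
    and, for binary values such as objectGUID, every non-printable byte
    becomes \\xx."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    return "".join(chr(b) if 0x20 <= b <= 0x7E and b not in (0x28, 0x29, 0x2A, 0x5C)
                   else "\\%02x" % b for b in value)


def unescape(text):
    """Assertion value text -> raw bytes (reverses escape_filter_value)."""
    return re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text.encode("utf-8"))


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        if op == "!" and (i >= len(s) or s[i] != "("):
            # NOT must wrap a parenthesized filter: (!(objectClass=Computer)).
            raise ValueError("'!' must wrap a parenthesized filter at offset %d" % i)
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    j = s.find(")", i)          # escaped values never contain a raw ')'
    if j < 0:
        raise ValueError("unterminated item at offset %d" % i)
    attr, eq, value = s[i:j].partition("=")
    if not eq or not attr:
        raise ValueError("malformed item %r" % s[i:j])
    if value == "*":
        return ("present", attr, None), j + 1
    if "*" in value:
        return ("sub", attr, [unescape(p) for p in value.split("*")]), j + 1
    return ("eq", attr, unescape(value)), j + 1


def _values(entry, attr):
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def evaluate(node, entry):
    """entry: {attribute: [values]}; str values match case-insensitively,
    bytes values (binary attributes) must match exactly."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "|":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    _, attr, want = node
    values = _values(entry, attr)
    if kind == "present":
        return bool(values)
    if kind == "eq":
        return any(v == want if isinstance(v, bytes)
                   else str(v).lower() == want.decode("utf-8", "replace").lower()
                   for v in values)
    pattern = "^" + ".*".join(re.escape(p.decode("utf-8", "replace").lower())
                              for p in want) + "$"
    return any(isinstance(v, str) and re.match(pattern, v.lower(), re.S) for v in values)


def filter_from_settings(lines):
    """Turn UserValidN.DSAttrib / UserValidityN.AttribVal settings lines into
    the equivalent AND filter, escaping each value."""
    attrs, vals = {}, {}
    for line in lines:
        key, _, value = line.strip().partition("=")
        m = re.match(r"UserValid(?:ity)?(\d+)\.(DSAttrib|AttribVal)$", key)
        if m:
            (attrs if m.group(2) == "DSAttrib" else vals)[m.group(1)] = value
    return "(&" + "".join("(%s=%s)" % (attrs[n], escape_filter_value(vals[n]))
                          for n in sorted(attrs, key=int)) + ")"


# Constructed sample entries; objectGUID is a 16-byte binary attribute.
ALICE_GUID = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_ENTRIES = {
    "alice": {"objectClass": ["top", "person", "user"],
              "memberOf": ["CN=McAfee,OU=Uk,DC=cbi,DC=com", "CN=Sales,OU=Uk,DC=cbi,DC=com"],
              "objectGUID": [ALICE_GUID]},
    "bob": {"objectClass": ["top", "person", "user"],
            "memberOf": ["CN=Sales,OU=Uk,DC=cbi,DC=com"]},
    "ws01": {"objectClass": ["top", "person", "user", "computer"]},
}
DEFAULT_FILTER = "(&(objectClass=User)(!(objectClass=Computer)))"
GROUP_FILTER = ("(&(objectClass=user)(!(objectClass=computer))"
                "(memberOf=CN=McAfee,OU=Uk,DC=cbi,DC=com))")


def select(filter_text, entries=SAMPLE_ENTRIES):
    """Names of the entries a filter would return, sorted."""
    node = parse_filter(filter_text)
    return sorted(name for name, e in entries.items() if evaluate(node, e))
```

Because memberOf is compared on its whole value, a fragment such as (memberOf=CN=McAfee) returns nothing here, which is the "must match exactly that shown in the user" rule above made concrete; escape_filter_value is what turns user-supplied or binary data into a value that cannot alter the structure of the filter.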
Search Groups

Search Groups define which AD users are visible to the connector; decisions as to whether to process these users are made in Group Settings, described later on in this chapter. With Search Groups you can specify the DNs of a list of group objects from your AD. The connector will then retrieve all the members from the specified groups (and any groups contained within), then individually process the derived user list. This method can be more efficient than the Search Settings method if the population of users which need to be synchronized is defined in a small number of groups. If the users can be identified through another attribute, or are all within certain OUs, Search Settings may be more appropriate. You can also use Search Settings to define which users the connector processes; see the previous section for more information.

NOTE: Either Search Settings or Search Groups can be used; they cannot be used together. Search Groups takes precedence.

NOTE: Search Groups can only be used with true LDAP Groups (i.e. objects containing "members"). You cannot use this method with OUs.

Attribute Types
Binary data attributes must be defined in this list before they can be used by the AD connector. You can also specify which attributes to substring search. By default, the entire value of an attribute is considered significant; by specifying it for substring search you can allow sub-values to be significant. For example, in the DN CN=McAfee,CN=COM,FN=Fred, if substring searching is enabled for DN, then CN=COM is a valid match.

Group Mapping

Group Information
To ease the configuration of many synchronized Active Directory users, you can map them to different Endpoint Encryption user groups based on some attribute in their directory object. You can use any attribute of the user to map, for example their DN or a group membership. As each Active Directory account is checked, the specified attributes are compared with the table set in the Group Mapping tab. The first match found per user causes the ADCon to create or assign the user in the specified Endpoint Encryption user group.

For example, if the following group mappings were specified:

Active Directory Organizational Unit (attribute value)   Endpoint Encryption group name   Directory service attribute
OU=R&D                                                   R&D                              distinguishedName
OU=Sales                                                 Sales                            distinguishedName
OU=Support                                               Techsup                          distinguishedName
OU=Management                                            MT                               distinguishedName

An Active Directory user with memberships of Sales and Support would be placed in the Endpoint Encryption user group Sales, as that clause comes first in the list. By pre-creating Endpoint Encryption user groups with specific machine access and attributes, you can effectively synchronize an Active Directory user list into Endpoint Encryption and have minimal configuration work left.

To add a new entry, either double-click or right-click on the input table. By right-clicking an existing entry you can change its order, edit it, or delete it.

By specifying the No Mapping Exists behavior you can select one of four options:
• Use a defined group.
• Create a new group based on an existing Endpoint Encryption group, generating the name from an attribute of the user (such as their DN).
• Add the user to the default group.
• Ignore, Remove, Disable or Recycle the user.

NOTE: If you map based on the value of a binary data type attribute, you need to properly define and escape the data.

User Information

User Mapping
The ADCon has the ability to map up to 10 fields of information from the Active Directory into the Endpoint Encryption Directory. If the Active Directory attributes mapped to these Endpoint Encryption fields change, then the user's Endpoint Encryption account will be updated accordingly. A typical use of this feature would be security question-answer sessions to aid validation of a remote user.

Removal Behavior
You can choose to remove users from Endpoint Encryption if their account is removed from the Active Directory, disable them only, or ignore this event.

NOTE: If you choose to remove users from Endpoint Encryption, no data protected solely with their personal Endpoint Encryption key will be retrievable.

New Users Password
When a new account is created in the Endpoint Encryption directory, the password will be set to the option specified. If you set the account to a random password, the user will need to be "recovered", or the account manually set to a known password, before the user will be able to authenticate to Endpoint Encryption.

New Users Token
If you are using certificates, via for example Microsoft Certificate Server, you can allow your users to log in to Endpoint Encryption using their existing Certificate Token, for example an Activcard, eToken, or Setec token. Select from the list of installed tokens which one to create for the user. You can also decide the behavior if there is no valid certificate for the user. For information about the supported tokens please see the Tokens chapter of this guide.

Search Endpoint Encryption for User Binding
Traditionally the connector searches the directory for all users which match the set criteria. By selecting this option the search for users will be disabled, and the connector will expect to find the users pre-existing in the Endpoint Encryption directory. The connector will search for users with a binding which matches its identifier, and will only process those users. You can use the Search Endpoint Encryption option to process directories which contain a large population of "uninteresting users". If you can pre-seed the Endpoint Encryption directory with the names of the users, and appropriate binding information (for example using the scripting tool), you can greatly streamline the process.
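The following is an added example, not McAfee code, covering the Group Mapping rule described above for the NT, LDAP and Active Directory connectors, the NOTE on binary mapping values, the Using Binary Data Attributes sections, and the Search Endpoint Encryption for User Binding option. It implements the first-match rule with the matching semantics this guide states: distinguishedName matches on any fragment, every other attribute matches on its whole value, and a binary attribute such as objectGUID is entered as an escaped \xx sequence of its raw bytes. It also converts the GUID text an LDAP browser displays into the 16 bytes Active Directory stores (Windows mixed-endian order), and shows the binding direction in which pre-seeded Endpoint Encryption users are located in the directory by their binding value. The sample entries, mapping rows, group names and GUIDs are constructed; the function names are the example's own.

```python
# Added example, not McAfee code: the first-match Group Mapping rule with the
# matching semantics described in the text (distinguishedName matches on any
# fragment, other attributes on their whole value, binary attributes via
# escaped sequences), plus the 'Search Endpoint Encryption for User Binding'
# lookup direction. All data below is constructed.
import re
import uuid


def escape_binary(value):
    """Escaped-sequence form (\\xx per byte) for a binary attribute value."""
    return "".join("\\%02x" % b for b in value)


def unescape(text):
    """Reverse of escape_binary; unescaped ASCII passes through unchanged."""
    return re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text.encode("utf-8"))


def guid_text_to_objectguid(text):
    """An LDAP browser shows objectGUID as a GUID string; AD stores the 16 bytes
    in Windows mixed-endian layout, and that byte order is what must be
    escaped into a binding or mapping value."""
    return uuid.UUID(text).bytes_le


# Always fragment-matched; add any attribute you enable for substring search.
FRAGMENT_ATTRS = {"distinguishedname"}


def attr_matches(entry, attr, value, binary_attrs=()):
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if attr.lower() in {a.lower() for a in binary_attrs}:
        want = unescape(value)
        return any(isinstance(v, bytes) and v == want for v in values)
    if attr.lower() in FRAGMENT_ATTRS:
        return any(value.lower() in str(v).lower() for v in values)
    return any(str(v).lower() == value.lower() for v in values)


def resolve_group(entry, mappings, binary_attrs=(), no_mapping="default",
                  default_group="Default"):
    """Rows are (directory attribute, value, EE group); the first row that
    matches wins. no_mapping: 'default' adds the user to default_group,
    'ignore' returns None so the caller can ignore, disable or recycle."""
    for attr, value, group in mappings:
        if attr_matches(entry, attr, value, binary_attrs):
            return group
    return default_group if no_mapping == "default" else None


def bind_preseeded_users(ee_users, entries, binding_attr="objectGUID"):
    """'Search Endpoint Encryption for User Binding': only EE users that carry
    a binding are processed; each is located in the directory by that value."""
    found = {}
    for name, ee in ee_users.items():
        binding = ee.get("binding")
        if binding is None:
            continue
        for entry in entries:
            if attr_matches(entry, binding_attr, binding, (binding_attr,)):
                found[name] = entry
                break
    return found


PILOT_GUID_TEXT = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
PILOT_GUID = guid_text_to_objectguid(PILOT_GUID_TEXT)
MCAFEE_GROUP = "CN=McAfee,OU=Uk,DC=cbi,DC=com"
MAPPINGS = [
    ("distinguishedName", "OU=R&D", "R&D"),
    ("distinguishedName", "OU=Sales", "Sales"),
    ("distinguishedName", "OU=Support", "Techsup"),
    ("distinguishedName", "OU=Management", "MT"),
    ("memberOf", MCAFEE_GROUP, "Encrypted Laptops"),
    ("objectGUID", escape_binary(PILOT_GUID), "Pilot"),   # binary row, escaped
]
ENTRIES = [
    {"distinguishedName": ["CN=Alice Adams,OU=Sales,OU=Support,DC=cbi,DC=com"],
     "memberOf": [MCAFEE_GROUP], "objectGUID": [uuid.UUID(int=1).bytes_le]},
    {"distinguishedName": ["CN=Bob Brown,OU=Engineering,DC=cbi,DC=com"],
     "memberOf": [MCAFEE_GROUP], "objectGUID": [uuid.UUID(int=2).bytes_le]},
    {"distinguishedName": ["CN=Carol,OU=Finance,DC=cbi,DC=com"],
     "memberOf": [], "objectGUID": [uuid.UUID(int=3).bytes_le]},
    {"distinguishedName": ["CN=Dave,OU=Ops,DC=cbi,DC=com"],
     "memberOf": [], "objectGUID": [PILOT_GUID]},
]


def demo():
    """Group each sample user would land in, keyed by the RDN of the DN."""
    return {e["distinguishedName"][0].split(",")[0]:
            resolve_group(e, MAPPINGS, binary_attrs=("objectGUID",)) for e in ENTRIES}
```

Alice is in both Sales and Support and lands in Sales because that row comes first, as in the table above; Bob matches only the whole-value memberOf row; Dave is matched purely by his escaped objectGUID, which is the same value you would paste into a binding field.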
User Attributes

The User Bindings tab is used to correlate the Active Directory attributes to the Endpoint Encryption Directory. The attributes specified on this tab should not need changing unless the Active Directory is set up in a non-standard way.

Binding Attribute
The non-changing unique identifier for the user. This should be an item that is unique for that user, and unlikely to change for the existence of this account despite changes in surname or group membership.

Endpoint Encryption User name
An attribute used to create the Endpoint Encryption user name.

NOTE: Endpoint Encryption user ids are limited to 256 characters; you should not use an attribute that is likely to exceed this length.

Account Control
The Active Directory attribute containing the user account disabled/enabled information.

Account Expires
The Active Directory attribute containing the account expiry date.

Change Attribute
The Active Directory attribute containing the account change stamp.

Logon Hours
The Active Directory attribute containing the User Logon Hours information.

Excluded Users
You can specify a selection of attributes to check to globally exclude a series of users from the synchronization process. You can also optionally disable existing Endpoint Encryption users that are bound to the excluded users.

Revocation Check
If you are using certificates to authenticate your users, you can enable revocation checking to ensure that if certificates are revoked, the user is denied access to Endpoint Encryption. Specify the appropriate LDAP parameters for your published revocation list, and the behaviour the connector should follow when revoking users.

Delay between each user
You can stifle the bandwidth that this connector consumes by putting a delay between each user synchronization.

LDAP Browser from Softerra

When configuring the ADCon, it is highly desirable to view the Active Directory in its unadulterated, raw LDAP state. To do this we strongly recommend the free tool LDAP Browser from Softerra (http://www.ldapbrowser.com). This tool may be found on your ADCon CD, or included on the Endpoint Encryption Enterprise CD in the Tools directory.

Connecting to your Active Directory using LDAP Browser

To connect LDAP Browser to your Active Directory, you will need to know its IP or DNS name, and have a valid administrative account to access the data with. Create a new entry in LDAP Browser. You may not need to enter a Base DN, but you will need the full distinguished name for your administration account. Typical properties of an Active Directory connection are:

Once you have successfully connected to your Active Directory, you can start browsing the information to check the appropriate fields to use for the ADCon.

Choosing the correct fields for Synchronization

The exact settings used in any particular installation of ADCon are particular to each installation, especially when considering custom user to Endpoint Encryption group mapping and custom exclusion of users. In most cases the default settings are appropriate for general use, although some customization can be performed.

In the case of the user whose properties are listed above, it can be seen that any of the attributes userPrincipalName, sAMAccountName, name, givenName, sn or cn could be used to populate the Endpoint Encryption Username, although some of these may result in "collisions" with other similarly named users. Attributes such as memberOf or distinguishedName could also be used to map a user to a group, or to exclude a particular user from the synchronization process. Also, it can be seen that there are multiple memberOf attributes; these could be used to make a decision on their mapping to Endpoint Encryption groups (by using the Group Information fields).

NOTE: The distinguishedName attribute is treated as a special case when matching values: any fragment of the value can be matched. All other attributes are matched on their entire value.

Using Binary Data Attributes

In some circumstances you may want to use binary attributes to perform matching and group associations in the ADCon. The values for such attributes cannot be directly entered into the connector fields; they must be entered as "escaped" sequences. To determine what values to add, use your LDAP Browser to view the data in the Active Directory, for example:

In this schema, for Microsoft Active Directory, the attributes objectGUID and objectSid are binary attributes. If you wanted to manually link an existing Endpoint Encryption user to this Active Directory user connecting via their objectGUID, you would need to assign the binding attribute to objectGUID in the Endpoint Encryption user's User Bindings properties, define the attribute objectGUID as a binary data type in the Attribute Types list in General Options, and add a binding to ADConnector.username in their Endpoint Encryption profile which matches the escaped attribute value.

is the ability for users to reset their own passwords.
Endpoint Encryption webHelpdesk Server

Endpoint Encryption webHelpdesk Server allows Endpoint Encryption administrators and users to perform password reset functions (The Endpoint Encryption Challenge Response system) via a web interface. It is stand-alone and does not require Microsoft IIS, or any other web services to be installed on the hosting computer. We strongly advise that Microsoft IIS is not used on the same computer as a Endpoint Encryption Manager system or database for security reasons.

Figure 24. Endpoint Encryption webHelpdesk Server

webHelpdesk / webRecovery
The normal recovery interface requires the administrator to have access to a Endpoint Encryption Manager console. In some environments this may not be practical; in this case the Endpoint Encryption webHelpdesk Server can be used to present the same recovery interface via a web browser.

webRecovery
A further enhancement available with the Endpoint Encryption webHelpdesk Server. This is an optional service which allows, after pre-registering, users to drive the challenge/response system themselves simply by providing the correct answers to a selection of pre-registered questions.

Figure 25. webRecovery Registration Questions

Remote Password Change
As a final option, you can also change a users password directly within the Endpoint Encryption database using the Reset User's Password option, without going through the recovery process. This allows administrators to set new passwords for other administrators and users.

About Endpoint Encryption HTTP Server
The Endpoint Encryption webHelpdesk server is a dedicated SSL (Secure Sockets Layer) web server, customised to prevent against known web server hacking attacks. Endpoint Encryption HTTP Server is designed to function on Windows 2000/XP only and does not use any other internet services.

Pre-Requisites
To install this component, you will need a pre-configured Endpoint Encryption Manager at version 4.2 or above. You can check the version of Endpoint Encryption you are using through "Help/About/Modules".

Password Expiration Warning
The Web Helpdesk administration and support passwords will not expire without a prior warning. The time of this warning can be set in the User → Properties → Passwords screen of the Endpoint Encryption Manager.

Installing a SSL Certificate
Because Endpoint Encryption webHelpdesk Server uses HTTPS, you will need to provide it with a suitable SSL certificate. You can purchase one of these from Endpoint Encryption, or from other certificate vendors. You must install a SSL certificate before the server will run correctly.

Import a Server Authentication certificate into the Personal certificate store for the service; to do this use Microsoft's MMC console: Start Run MMC and add a Certificates plugin to the Endpoint Encryption HTTP Server service on Local Computer. See screenshot overleaf.

1. Open the MMC Console: Start Run MMC.
2. Click File and then Add/Remove Snap-in… Click Add from the Standalone tab.
3. Select Certificates from the Add Standalone Snap-in dialog, either for the Endpoint Encryption service, Local Computer, or Local User. This will add the Certificates option to the Console.
4. Click the Endpoint Encryption HttpServer\Personal option and then select the Certificates folder inside it.
5. Right-click in the right hand pane and select All Tasks followed by Import.
6. Browse until you find the certificate files (*.cer, *.crt, *.pfx).
7. Click the Place all certificates in the following store option (EndpointEncryptionHttpServer\Personal).
8. Click Next followed by Finish to add the certificate.
9. Follow the same procedure for other certificates.
10. If you are using a Endpoint Encryption certificate, you can also import the Endpoint Encryption root CA cert into the Trusted Root Certification Authorities store.

Activating Endpoint Encryption webHelpdesk
Once installed you can start the Endpoint Encryption webHelpdesk server with the following command prompt command or from the services manager:

sbhttp -startservice

The service can be correspondingly stopped either using the system service manager, or:

sbhttp -stopservice

The service will not start correctly until you have installed an SSL certificate; once you have installed it you can restart the service using one of the following commands or the system service manager:

net start "Endpoint Encryption HTTP Server"
sbhttp -startservice

Endpoint Encryption ships with an evaluation server certificate with the name "127.0.0.1.pfx" and password "12345" which can be found in the Tools directory of your Endpoint Encryption CD. You can purchase a full cert from CBI, or use one from a third party certificate provider. If the certificate you are using is allocated to the same machine name that you are running the server on, no further configuration is needed; otherwise edit SBHTTP.ini to point to the Machine name registered in the cert. You can edit the section [Configuration] Server.Ssl.CertName=Name of the cert in the file SBHTTP.ini directly. If the certificate has a different name then the server will not start and will log a Certificate Not Found error.

NOTE - if you use a mismatched site/machine/cert name, then users and administrators will be warned that the certificate is invalid every time they access the recovery web site.

Configuring the webHelpdesk Server
Once you have installed the program, added a certificate, and restarted the service, you can log on to the webHelpdesk server and configure it to talk to a Endpoint Encryption Object Directory. The address is https://127.0.0.1 or https://server dns name. To configure the connection, click the Administrators section link and then click Configure Endpoint Encryption HTTP Server. You will need to login with a user id which has Endpoint Encryption Start Server as Service rights. The server uses the same connection details as Endpoint Encryption administrator; any connection type specified in the login box for Endpoint Encryption can be used.

Figure 26. Configuring the Endpoint Encryption HTTP Server

Server Name: A logical name used to identify the server.
Port: The port the server should expose the interface on (usually 443).
Server Certificate Name: The machine name specified in the SSL certificate.
Log File: A path/name for the server diagnostic log.
Logon Timeout: A time (in minutes) to keep inactive Administrator connections authenticated for (usually 5 minutes).

WARNING: when you configure the webHelpserver you will need to close the browser and restart the webRecovery server for the changes to take effect.

Configuring webRecovery
You configure the user webRecovery server via its web interface. The user name and password you log in to configure webRecovery are stored in sbwebrec.ini and used for future sessions.

NOTE: You must log in to webRecovery at least once to set up its initial parameters – if you do not, users will not be able to reset their password and will receive db010010 Object Not Found messages.

Figure 27. Configuring webRecovery

You can specify a number of questions (1-10) to be registered, and the number to be answered to authenticate the user for self recovery. The questions can be changed by editing the SBWebRec.ini file. Questions and Answers are stored as pairs in the users Endpoint Encryption profile so you can safely change the questions at any time. This will not prevent users with out of date questions from recovering their password.

With Challenge-Response
After navigating in to the helpdesk operators section of the web helpdesk, …
Recovering Users using webHelpdesk

Warning: webHelpdesk cannot be used for resetting or changing the pin codes of smart cards.

…and logging in using their Endpoint Encryption id and password, the operator is presented with the webHelpDesk User Challenge screen.

Figure 28. webHelpdesk Challenge Screen

The helpdesk operator enters the challenge from the users screen (the user reads it to the helpdesk operator over the telephone), and selects the action they want to perform, for example Reset User's Password followed by the Next button. Choose from the drop down list, choosing either to reset an Endpoint Encryption, or a pocket Endpoint Encryption system.

Reset User's Password: Selecting this action will reset a user's forgotten password.
Unlock User: This option will unlock a user whose account has become locked.
Change Token: This option allows you to change the authentication token for the user.
Bypass Preboot Authentication: This action will skip the authentication option and log the user into Windows. The user can then change their Windows password and allow the synchronization and single-sign-on processes to follow through.
Boot Machine Once: This option will reboot the machine.
Cancel Screen Saver: This action will cancel the Endpoint Encryption screen saver.
4.2 SP1 +
Create Token: This action allows you to create a token for version 4.2 of Endpoint Encryption (SafeBoot).

Figure 29. webHelpdesk response screen

If the challenge was entered correctly, a response page is displayed which gives the operator the correct recovery code to read out to the user which will perform the selected operation (in this case, reset their password to "12345"). The page also displays user information which can be used to check the authenticity of the user: the helpdesk operator can ask the user, e.g. What is your mother's maiden name? and then check the answer.

Various Endpoint Encryption applications, such as Endpoint Encryption for Files and Folders, Endpoint Encryption for PC etc can be recovered using this system.

By Directly Changing their Password
From the main page, select the Reset User's Password button. You will then be forced to authenticate using your normal Endpoint Encryption administrator ID and Password. You will next be presented with a simple form which allows you to specify a user id, and their new password (and password confirmation). As long as the administrator performing the change has greater admin rights than the user being reset, the new password will be applied.

Figure 30. webRecovery Reset Password

User self recovery - webRecovery

Figure 31. webRecovery main screen

The webRecovery interface allows users to reset their own forgotten passwords for Endpoint Encryption on PCs once they have pre-registered with the service. Users register a variable number of answers to pre-set questions; they are required to recall the correct answers to authenticate themselves to get their password reset. It is not as secure as the helpdesk driven recovery service, as it's quite possible for users to enter simple or trivial information for their recovery questions, but has the advantage that it can operate 24x7 without human interaction.

Registering for webRecovery
Before users can reset their own passwords, they must register a number of questions and answers that they use to prove their identity to the system using the recovery interface. They must also have the Allow webRecovery option ticked in their Token properties. See the Creating and Configuring Users chapter.

After clicking the Register button, users need to log in with their current Endpoint Encryption ID and Password.

Figure 32. webRecovery Registration

NOTE: If Users do not know their password at this time, they will have to call their Endpoint Encryption helpdesk and get their password reset using one of the helpdesk driven mechanisms.

Figure 33. webRecovery registration questions

Recovery using webRecovery
Once they have registered their preferred questions and answers, they are free to use the recovery service if they forget their password. To use the webRecovery service, the user who has forgotten their password simply accesses the HTTP Server via a web terminal, perhaps in an internet Café, and clicks the Reset Password button. They then enter the challenge that is displayed on their Endpoint Encryption screen.

Figure 34. webRecovery challenge screen

If the challenge is correct, they will be asked to enter the correct answers for a selection of their registered questions, and if these are correct, the user is presented with the response to type back into their Endpoint Encryption boot screen.

Figure 35. webRecovery answers screen

Figure 36. webRecovery Response Screen

License Management

The Endpoint Encryption directory is licensed in terms of number of allowed users. You can view the current license status of your directory by using the file/license information option. The summary boxes at the bottom of the screen indicate the current active license count. Any expired or invalid licenses are not included, although they may still be shown in the license list.

Figure 37. License information

Multiple license files can be added to the list using the Add button.

License Restrictions
License files can have many restrictions built in:
Number of Users: Restricts the maximum number of users that can be managed.
Number of Machines: Restricts the maximum number of machines that can be managed.
Directory locked: Some license files can be locked to only work on a particular directory.
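The registration and self-recovery flow described above, as an added example that is not part of the guide and not McAfee's implementation. It models the two properties the text relies on: a user registers a number of question/answer pairs, and at recovery time must answer a selection of them correctly. Two hardening choices are the example's own assumptions, not documented product behaviour: answers are normalised (case and whitespace) and stored as salted PBKDF2 hashes rather than in clear, and trivially short or repetitive answers are rejected at registration, which addresses the weakness the text itself points out (users entering "simple or trivial information"). Function names are hypothetical.

```python
import hashlib
import hmac
import os
import random

MIN_ANSWER_LEN = 4          # assumption: policy chosen for this example
PBKDF2_ROUNDS = 100_000


def normalise(answer: str) -> str:
    """Lower-case and collapse whitespace so 'Rover ' and 'rover' compare equal."""
    return " ".join(answer.strip().lower().split())


def is_trivial_answer(answer: str) -> bool:
    """True for answers that give little assurance: too short, or made of a
    single repeated character. Assumption: example policy, not a product rule."""
    a = normalise(answer)
    return len(a) < MIN_ANSWER_LEN or len(set(a.replace(" ", ""))) < 2


def register(questions, answers, min_questions=3):
    """Store a user's question/answer pairs.

    Returns {question: (salt, pbkdf2_digest)}. The guide says pairs are kept
    in the user's profile; hashing them is this example's hardening choice.
    """
    if len(questions) != len(answers):
        raise ValueError("one answer per question is required")
    if len(questions) < min_questions:
        raise ValueError("register at least %d questions" % min_questions)
    record = {}
    for question, answer in zip(questions, answers):
        if is_trivial_answer(answer):
            raise ValueError("trivial answer rejected for question: %s" % question)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                                     salt, PBKDF2_ROUNDS)
        record[question] = (salt, digest)
    return record


def select_challenge(record, required, rng=random):
    """Pick the subset of registered questions the user must answer this time."""
    return rng.sample(sorted(record), required)


def verify(record, answers, required):
    """answers: {question: answer}. Succeeds only when at least `required`
    presented questions are answered correctly; unknown questions fail."""
    if len(answers) < required:
        return False
    correct = 0
    for question, answer in answers.items():
        if question not in record:
            return False
        salt, digest = record[question]
        probe = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                                    salt, PBKDF2_ROUNDS)
        # constant-time comparison so timing does not leak which answer failed
        if hmac.compare_digest(probe, digest):
            correct += 1
    return correct >= required


if __name__ == "__main__":
    # Constructed sample registration, not real user data.
    rec = register(["Mother's maiden name", "First pet", "First school"],
                   ["Okonkwo", "Rover", "St Marys"])
    asked = select_challenge(rec, 2)
    print("questions asked:", asked)
    print("verified:", verify(rec, {"Mother's maiden name": "okonkwo",
                                    "First pet": " ROVER "}, 2))
```

The `required` parameter corresponds to the "number to be answered" setting in the webRecovery configuration; raising it, and rejecting weak answers at registration, is what narrows the gap between self-recovery and the operator-driven challenge/response path.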
The directory is also licensed in terms of number of allowed machines, and license file expiry dates. Each license file can only be added once. You may have received an extra license file with your copy of Endpoint Encryption – if so you can import it into the directory using the Add button. If you need more licenses, you can save the current information out of your directory using the Save button – this creates a text file which you can fax or e-mail to your McAfee representative. They can obtain all the details required to create new extended licenses from this information. You may also want to save the license file information to help you order replacement files in the event of a drive crash.

Directory locked (continued): If you re-create your directory, you will need to obtain a new license file.
Number of PDA Devices: Restricts the maximum number of CE Machines that can be managed.
Expires: Some license files expire after a certain time period.
Exclusive: License files marked as exclusive do not co-exist with other license files. Only one exclusive license file can be used at any time. If you import two exclusive license files, only the first one will be effective.
Addons: Extra components such as SBAdmCL, Connectors, and other utilities may require additional license code. The names of the additional components licensed will be displayed in this field.

Common Criteria EAL4 Mode Operation

CESG in the United Kingdom has certified the following products to EAL4:
• Endpoint Encryption for PC

To apply this standard to your implementation of Endpoint Encryption, you need to ensure the following criteria are met:

Administrator Guidance
• Endpoint Encryption must be installed using the Endpoint Encryption AES (FIPS) 256bit Algorithm.
• Administrators must enforce the following Policy Settings. To comply with CC regulations, these policy settings must be applied before installing any clients.
  A minimum password length of 5 characters or more.
  Disabling of accounts after 10 or less invalid password attempts.
  Machine and User recovery key sizes must be non-zero (Machine/Encryption properties and User/Token properties).
  Use of Autoboot Mode is prohibited.
  Administrators must enforce use of the Endpoint Encryption Secure Screen Saver Mode.
• All data and operating system partitions on the machines where Endpoint Encryption client has been installed MUST be fully encrypted. You can check the conformance to this issue by viewing the Endpoint Encryption client status window – if any drives are highlighted in red then they are not fully encrypted.
• Customers implementing a Endpoint Encryption enterprise must ensure that they have in place a database of authorized TOE-users along with user-specific authentication data for the purpose of enabling administrative personnel to verify the identity of a user over a voice-only telephone line before providing them with support or initiating recovery. Endpoint Encryption provides the means to display personal information such as the users ID number as part of the User Information Fields – but any other appropriate system is acceptable.
• There must be a system in place for maintaining secure backups that are separately encrypted or physically protected to ensure data security is not compromised through theft of or unauthorised access to backup information.
• Backups should be regular and complete to enable system recovery in the event of loss or damage to data as a result of the actions of a threat agent and to avoid vulnerability through being forced to use less secure systems.
• Users (including administrators) must protect all access credentials, such as passwords and tokens.
• Administrators should ensure their users are fully trained in the use of the Endpoint Encryption for PC Client software as described in the chapter Client Software of the Endpoint Encryption for PC Administration Guide, and should remind them of the security procedures detailed in the User Guidance below.
• Users must be informed of the process that they need to go through in order that they may contact their administrator in the event of needing to recover their PC if they forget their password or their user account becomes disabled.

User Guidance
• Users must maintain the confidentiality of their logon credentials, such as passwords or other authentication information in a manner that maintains IT security objectives.
• Users must not leave an Endpoint Encryption protected PC unattended in a logged on state, unless it is protected by the secure screen saver.

Common Criteria EAL4 Certificate
You can find the official recognition of this certification on CESG's website:
http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=1852&id=336

Algorithm Certificate Numbers
AES Cert 21 and 170: ECB(e/d, 256), CBC(e/d, 256), CFB8(e/d, 256)
http://csrc.nist.gov/cryptval/aes/aesval.html
SHA1 Cert 71 and 254
http://csrc.nist.gov/cryptval/shs/shaval.html
DES Cert 145: CBC(e/d), CFB(8 bits, e/d)
http://csrc.nist.gov/cryptval/des/desval.html
RNG Cert 15: AES, SHA, DSA, RNG on AMD Athalon XP, PentiumIII Windows 2000, Windows XP SP1
http://csrc.nist.gov/cryptval/rng/rngval.html
DSA/DSS Cert 53 and 112: Sig(ver) Mod(all)
http://csrc.nist.gov/cryptval/dss/dsaval.html

Tuning the Object Directory

The Name Index
To improve object name-to-id lookup and license validation, …

About Name Indexing
Most lookup events in the Endpoint Encryption object directory are performed by object id – for instance when a machine synchronizes, … Where an object has to be found by name instead, the directory infrastructure performs a name-to-id lookup. As the Cache is much smaller than the directory this leads to dramatic increases of performance.
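A worked model of the Name Index sizing guidance in this chapter (HashCount buckets, MinEntrySize bytes per name, and the advice to keep each index file under 64KB), added here as an example; it is not McAfee code and the product's real index format and hash function are not documented on the page. Assumptions: names spread evenly over the buckets, each index entry costs MinEntrySize bytes, and a stable SHA-1 based hash stands in for whatever the product uses. The toy index shows why a name lookup through a small per-bucket file is cheaper than trawling every object.

```python
import hashlib
import math

DEFAULT_MIN_ENTRY = 16            # MinEntrySize default from dbcfg.ini
TARGET_BUCKET_BYTES = 64 * 1024   # the 64KB per-file guideline in this chapter


def bucket_for(name: str, hash_count: int) -> int:
    """Map an object name to one of hash_count buckets.

    Assumption: a stable hash of the name; the product's own function is
    not documented, so SHA-1 is used purely as a deterministic stand-in.
    """
    digest = hashlib.sha1(name.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % hash_count


def estimated_bucket_bytes(num_objects: int, hash_count: int,
                           min_entry_size: int = DEFAULT_MIN_ENTRY) -> int:
    """Rough size of one index file, assuming names spread evenly."""
    return math.ceil(num_objects / hash_count) * min_entry_size


def recommend_hash_count(num_objects: int,
                         min_entry_size: int = DEFAULT_MIN_ENTRY,
                         target: int = TARGET_BUCKET_BYTES) -> int:
    """Smallest power-of-two HashCount that keeps each index file within target."""
    hash_count = 1
    while estimated_bucket_bytes(num_objects, hash_count, min_entry_size) > target:
        hash_count *= 2
    return hash_count


def build_index(names, hash_count: int):
    """Toy name index: a list of per-bucket {name: object id} maps.

    Object ids are assigned sequentially here only to make the example
    self-contained; real ids come from the directory.
    """
    buckets = [dict() for _ in range(hash_count)]
    for object_id, name in enumerate(names, start=1):
        buckets[bucket_for(name, hash_count)][name] = object_id
    return buckets


def lookup(buckets, name: str):
    """Name-to-id resolution: open only the one bucket the name hashes to."""
    return buckets[bucket_for(name, len(buckets))].get(name)


if __name__ == "__main__":
    for population in (3000, 5000, 10000, 100000):
        hc = recommend_hash_count(population)
        print("%6d objects -> HashCount=%d (%d bytes per index file)"
              % (population, hc, estimated_bucket_bytes(population, hc)))
    # Constructed sample names, not a real directory.
    sample = ["user%04d" % i for i in range(200)]
    index = build_index(sample, 16)
    print(lookup(index, "user0042"), lookup(index, "nobody"))
```

The sizing estimate is only a starting point: the chapter's own caveat applies, and the right HashCount for a given server still depends on its memory and file-cache behaviour.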
When a user logs in through. The index files are stored in the root of each object type.ini: [NameIndex] Enabled=Yes More details about the dbcfg. the name index also speeds up counting objects in the database (part of license validation). 106 | . As a side-effect. Also when a new object is created a trawl of the entire database is initiated to check that the new user/machine etc is unique. with a low CPU usage. Once created. you may also benefit from enabling name caching. Endpoint Encryption contains an extra "Name Index" ability which can be enabled to improve performance on object directories with large numbers of users (>3000) or high levels of synchronous activity (more than 10 simultaneous administration connections). and further tuning options can be found in the Endpoint Encryption Configuration Files chapter. or Administration console. it navigates directly to its attributes via a unique object id. all lookups pass through the cache for resolution . mainly through better use of the operating system file cache. for instance the file encryptor. this involves trawling the object directory to find the the user object with a name attribute which matches the one requested.ini stored in the root of the object directory (normally the sbdata directory).ini file. This mechanism holds true for the majority of activity over the directory. If your Endpoint Encryption object directory server is showing high or constant hard disk access. The Name Index creates a "shortcut" to name-to-id lookup by periodically creating indexes of the name/id attributes of all objects in the directory. Enabling and Configuring Name Indexing: The Name Index is controlled through the file dbcfg. The following sections should be in dbcfg. CBI consultants have found that tuning the bucket number to give cache files not exceeding 64KB has proved optimal. If you require performance tuning for your object database. 
Using a single file has the following advantages / disadvantages:- Advantages The OD uses less disk space because there is a reduced number of files. Entire objects are cached. A reduction in disk space of a factor of 10 can be expected.Tuning the Object Directory Performance Tests: These tests are approximate indications of the benefits of the Name Index running on a 5000 user database. therefore the cluster size overhead is reduced. Disadvantages The size of the actual data in the OD increases due to header overheads in the attribute files. The exact parameters to use for any particular database / server combination depend largely upon the memory and cache functions of the server itself. Name Index Enabled Task Create User 1 Bucket +455% 16 Buckets +460% 64 Buckets +500% 256 Buckets +400% As you can see from the table above. whereas before resilience was gained by splitting them up into multiple files. enabling the Name Index drastically improves the performance of the enumeration functions. | 107 . As a rough guide. Enabling Directory Compression To reduce the number of files stored in an Object Directory. They were performed using a login id which was at the end of the database (worst case scenario). a special mode can be enabled which uses a single attribute file instead of the numerous files created within a standard sbfiledb structures. please consider a consultancy visit as “tinkering” with the Endpoint Encryption object database can result in loss of users and machines. not just the most recent opened attribute files leading to a ‐theoretical‐ increase in performance if frequent large updates Resilience to corruption is reduced as all the object attributes are in one file. Migrating to a compressed directory All local connections to a compressed object database must go through a sbfiledb.will be converted to the new compressed format at that time. With large (>10000) databases. 
Disadvantages Name‐to‐id resolution time is increased unless the Name Index mode (UK4005) is also enabled. or infrequent updates. You can enable compression on an existing database. performance may well drop when using the compressed directory mode. Enabling and Configuring Directory Compression Dbcfg.You cannot mix connections as the previous drivers do not understand the compressed attributes.dll which has the compression code .ini file from the root of the object directory needs the following section added:[Attribs] . AutoConvert=yes Performance Notes No performance change has been noted between identical compressed and uncompressed databases up to 5000 users. or compress only a branch of it. There may be some benefit on servers with exceptionally high amounts of memory.Tuning the Object Directory Advantages take place. CBI can provide a tool to entirely compress an Object Directory.If this option is set to "yes" then all existing uncompressed objects which are updated . 108 | . If this option is set to "yes" then all new objects created will use the . The reduced number of files makes handling the OD for backups and replication easer.compressed format Singlefile=Yes . overall database performance will drop. in such a way as either only new objects will be created compressed. and faster. If frequent small updates take place. or in self-compress mode where each object gets compressed as it is written to. for this reason it is stored not in the application directory. For more information on dbcfg. but in the root of the file database.Endpoint Encryption Configuration Files Endpoint Encryption Configuration Files Endpoint Encryption uses many . [NameIndex] | 109 . This file is digitally signed by the Endpoint Encryption team and must not be modified. you can substitute the Unicode file SBErrors.ini Used to match on-screen windows to their help file sections. sbnewdb.ini SBFileDB controls the locking behavior of local running database connections. 
Endpoint Encryption Configuration Files

Endpoint Encryption uses .ini files to maintain information about the configuration of various components. Some of the more important files are listed here.

sbfeatur.ini
Controls the feature set available to Endpoint Encryption.

sbadmin.ini
Controls the tree layout and behavior of SBAdmin.exe. In 5.1 and beyond you can modify it to display certain nodes of the database on tabs other than the defaults.

sberrors.ini
Used to increase the detail available in on-screen error messages. You can add further descriptions to errors by amending this file. sbhelp.exe uses SBErrors.XML in place of SBErrors.ini to give localized translations of the error messages.

sbnewdb.ini
Used to customize the creation of Endpoint Encryption Object Directories. The file contains instructions for creating custom groups, setting the default user id and password, and other instructions related to the location of the directory.

sbfiledb.ini
Controls the global database behavior; for more details see the Tuning the Object Directory chapter. The settings are:

[LockOptions]
Timeout=3000    ; time in 100ths of a second
Sleep=10        ; time in 1000ths of a second

The name index has its own settings:

; the minimum space to allocate per object name
MinEntrySize=16
; the number of "buckets" into which the hash of the name is split
HashCount=16
; the time we wait for the lock on the index file to become available,
; in 100ths of a second (default is 30 seconds).
LockTimeout=3000
; the time we wait before re-trying locking of the index file, in 1000ths of a second.
LockSleep=10
; the time (in seconds) for which the index will be used before it is
; automatically re-created (default is 30 minutes). A value of zero means that it never expires.
LifeTime=1800

[Attribs]
; if this is set to "Yes", all the attributes will be stored in a single TLV file rather than individual ones.
SingleFile=No
; if set to "Yes", then when objects are opened for writing all the attributes are
; automatically converted to a single file. Otherwise only new objects will use the single file.
AutoConvert=No

[Tracking]
; if set to "Yes", then all changes to attributes will be recorded, e.g. for possible use with a replication system.
AttributeChanges=No
; if set to "Yes", then whenever an object is modified that fact is recorded in a single file. This file could
; then be used to determine which objects have changed since a certain time by reading only a single file.
ObjectChanges=No

[idassignment]
; hex number starting point for ALL objects
firstid=
; hex number
lastid=

sdmcfg.ini
Used by the Endpoint Encryption Client to control the connection to the Object Directory. There may be many connections listed in the file; the multi-connection behavior is controlled through scm.ini.

[Databases]
; The ip address for the remote server. This can be a DNS name.
Database1=192.168.20.57

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
; The public key for the remote Server. This is used to stop a hacker putting a rogue server in place and intercepting the traffic.
ServerKey=…
; Padding for the serverkey.
ExtraInfo=…

The pinned ServerKey only protects a connection whose entry also has Authenticate=Yes, so check both settings on every database entry a client carries.

SBServer.ini
Used to store the credentials used by the server in service mode. Because it holds the service's key material, restrict the file's NTFS permissions to the service account and administrators.

[Authentication]
DatabaseId=1
ObjectType=0x00000001
ObjectId=0x00000001
Key=00000000000000000000000000000000000000000000000000000000000000
    0006557FB28C5A226BB8BF634A68EE75DE2C4010DD1E143D9BC29808C5E5C3A729
    838DD1D1E0B032D6C2A015BD8B1AAF5DC2D1E3F58D37A41F29AF5DC108EB03D441
    8D95316CCC84EE2881DCBE0012C6F705F6A6D5063C2D0BEB87897C2A9AC318D659
    C712E99D515DB18E567218CC2B1520EBD6119095674C9C215BA329521CFE200000
    0000000000000000000000000000000000A6

[Connections]
Max=200
AcceptAtMax=No

You can adjust the maximum number of connections the Endpoint Encryption server will accept and the behavior when the maximum is reached. By default, the maximum is 200 connections. When the limit has been reached, the server can behave in one of two ways: either it simply stops accepting connections (AcceptAtMax=No, the default) or it accepts connections and then immediately closes them (AcceptAtMax=Yes), in which case the client fails with a communications error. Because Windows maintains a queue of 5 pending connections, in the default AcceptAtMax=No mode the first 5 connections after the maximum is reached will be held in the queue until the number of connections has dropped below the maximum. Those 5 will not time out at the client end, and the client will appear to hang until a connection becomes free.

sbconmgr.ini
Used to define the active connectors displayed in the Connector Manager, for example:

[Connectors]
SBNTCON=SBNTCON.DLL

[Manager]
LastFile=G:\Program Files\SBAdmin\CmSettings.ini
; the check interval (ms) defines how often the connector manager looks for an updated cmsettings.ini file
CheckInterval=500

cmsettings.ini
Used to define the parameters associated with each individual connector. The settings contained in this file are usually maintained by the connector manager application. Only manual settings are documented below.

LDAPCon / ADCon Manual Settings
CaseSensitive=0 / 1
Switches on and off case sensitive attribute searches. The default value is 1 (searches are case sensitive).

LDAPCon Manual Settings
SearchAttribs=objectClass,cn,uid,givenName
Limits the attributes that a directory search returns. Normally all attributes are returned, but this can affect the performance of the directory server if many are not wanted.
SBHTTP.ini
Configuration for the main web server.

[Configuration]
; The port on which the server listens for connections. The default is 443, which is the standard HTTPS port.
Server.Port=443
; Optional log file to record server activity. If no name is specified here, then no logging will occur (the default).
Server.Log.FileName=
; Flags that control what is logged if logging is enabled. This is a 32-bit hex number. The following bits are used:
;   Bit 0 (value=1) = Log request headers
;   Bit 1 (value=2) = Log request data (e.g. form results)
;   Bit 2 (value=4) = Log response headers
; The default is a value of "5", which logs request and response headers but no request data.
Server.Log.Flags=00000005
; Specifies the name of the Subject field of the certificate the server should use for SSL connections.
; The certificate must reside in the server's private store (SbHttpServer service store).
; If this is not specified, the network name of the computer is used.
Server.Ssl.CertName=
; Specifies the period of inactivity (in minutes) after which a logged on user is automatically logged off.
Server.User.Timeout=5

Setting bit 1 writes submitted form data, which for web recovery includes the user's answers, to the log file in clear; leave it clear except while debugging, and protect the log file as you would the database.

[Strings]
; These are strings that the server can display. Use the "|" character to specify a new line.
Server.String.1=Web Server
Server.String.4=The requested URL "%s" was not found.

[Page.Handlers]
; This section lists all the optional page handlers that will get loaded by the web server.
; The left side should start with "Handler." and the right side is the name of the DLL to load.
Handler.WebRecovery=SBWEBREC.DLL
Handler.CeRecovery=SBCEDEV.DLL

SBwebRec.ini
Configuration for web recovery.

[Configuration]
Register.Questions.Required=5
Recover.Questions.Asked=3
Recover.User.Attempts.Max=3
Recover.User.Logon.Timeout=3600
Database.Id=00000001
Database.Key=…

[Strings]
String.1=The challenge you entered was not correct. Please try again.
String.2=Some of your answers were not correct. Please try again.
String.3=The recovery action you selected was not valid. Please try again.

[Questions]
Question1=What is your favorite color?
Question2=What is your pet's name?
Question3=Who is your favorite musician?
Question4=What is a memorable date?
Question5=What is your date of birth?
Question6=What is your favorite place?
Question7=Who is your favorite actor?
Question8=What is your favorite film?
Question9=What is your favorite song?
Question10=What is your favorite food?

The questions used can be changed at any time without affecting currently registered users.
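The settings above (sdmcfg.ini server pinning, the SBServer.ini connection limit, the SBHTTP.ini log flags and certificate name, and the SBwebRec.ini question and attempt counts) are the ones worth checking across a fleet. The script below is an added example written for this page, not McAfee code: it reads only keys the page documents, the four sample files in it are constructed for the demonstration, and the two ceilings MAX_ATTEMPTS and MAX_USER_TIMEOUT_MIN are the example's own assumptions rather than product defaults.

```python
"""Audit the Endpoint Encryption .ini files described above for weak settings.

Added example, not McAfee code: it reads only keys this page documents. The sample
file contents are constructed; MAX_ATTEMPTS and MAX_USER_TIMEOUT_MIN are assumptions.
"""
import configparser

MAX_ATTEMPTS = 3           # assumption: highest acceptable Recover.User.Attempts.Max
MAX_USER_TIMEOUT_MIN = 15  # assumption: ceiling for Server.User.Timeout (minutes)


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse in the product's style: ';' comments, literal '%s' in strings, key case kept."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_sdmcfg(text: str) -> list[str]:
    """Every remote [DatabaseN] entry must authenticate the server against a pinned ServerKey."""
    cp, out = load_ini(text), []
    for name in cp["Databases"]:
        if not cp.has_section(name):
            out.append(f"ERROR {name}: listed in [Databases] but has no [{name}] section")
        elif cp[name].get("IsLocal", "No") != "Yes":
            if cp[name].get("Authenticate", "No") != "Yes":
                out.append(f"WARN {name}: Authenticate is not Yes, so a rogue server could stand in for it")
            if not cp[name].get("ServerKey", "").strip():
                out.append(f"WARN {name}: ServerKey is empty, so the server's public key is not pinned")
    return out


def audit_sbserver(text: str) -> list[str]:
    """Say what a client sees once [Connections] Max is reached."""
    cp = load_ini(text)
    limit = int(cp.get("Connections", "Max", fallback="200"))
    if cp.get("Connections", "AcceptAtMax", fallback="No") != "Yes":
        return [f"INFO connections beyond {limit} wait in the 5-slot listen backlog and the client hangs"]
    return [f"INFO connections beyond {limit} are accepted and closed; the client gets a communications error"]


def audit_sbhttp(text: str) -> list[str]:
    """Catch form-data logging (flags bit 1), a missing certificate name and over-long idle sessions."""
    cp, out = load_ini(text), []
    cfg = cp["Configuration"]
    flags = int(cfg.get("Server.Log.Flags", "00000005"), 16)
    if cfg.get("Server.Log.FileName", "").strip() and flags & 0x2:
        out.append("WARN Server.Log.Flags bit 1 set: submitted form data (recovery answers) goes to the log file")
    if not cfg.get("Server.Ssl.CertName", "").strip():
        out.append("INFO Server.Ssl.CertName empty: the certificate matching the computer's network name is used")
    if int(cfg.get("Server.User.Timeout", "5")) > MAX_USER_TIMEOUT_MIN:
        out.append(f"WARN Server.User.Timeout allows more than {MAX_USER_TIMEOUT_MIN} idle minutes")
    return out


def audit_sbwebrec(text: str) -> list[str]:
    """Question counts must be consistent and the number of wrong challenges bounded."""
    cp, out = load_ini(text), []
    cfg = cp["Configuration"]
    required = int(cfg.get("Register.Questions.Required", "5"))
    asked = int(cfg.get("Recover.Questions.Asked", "3"))
    attempts = int(cfg.get("Recover.User.Attempts.Max", "3"))
    defined = len(cp["Questions"]) if cp.has_section("Questions") else 0
    if asked > required:
        out.append(f"ERROR Recover.Questions.Asked={asked} exceeds the {required} answers a user registers")
    if required > defined:
        out.append(f"ERROR Register.Questions.Required={required} but only {defined} questions are defined")
    if attempts > MAX_ATTEMPTS:
        out.append(f"WARN Recover.User.Attempts.Max={attempts} allows more than {MAX_ATTEMPTS} wrong challenges")
    return out


# Constructed sample files; Database2, the log flags and the attempt limit are the weak spots.
SDMCFG_INI = """
[Databases]
Database1=192.168.20.57
Database2=eem2.example.internal
[Database1]
IsLocal=No
Authenticate=Yes
ServerKey=0123456789ABCDEF0123456789ABCDEF
[Database2]
IsLocal=No
Authenticate=No
ServerKey=
"""
SBSERVER_INI = "[Connections]\nMax=200\nAcceptAtMax=No\n"
SBHTTP_INI = """
[Configuration]
Server.Log.FileName=C:\\Logs\\sbhttp.log
Server.Log.Flags=00000007
Server.Ssl.CertName=
Server.User.Timeout=5
"""
SBWEBREC_INI = """
[Configuration]
Register.Questions.Required=3
Recover.Questions.Asked=3
Recover.User.Attempts.Max=10
[Questions]
Question1=What is your favorite color?
Question2=What is your pet's name?
Question3=Who is your favorite musician?
"""
```

Run each audit_* function over the file of the same name; the SBHTTP check is the one that changes a default (it flags 00000007 and is silent on 00000005), while the sdmcfg check reports the Database2 entry twice, once for Authenticate=No and once for the empty ServerKey.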
[Page.Max=3 Recover. .User.Logon.1=Web Server Server. Please try again.4=The requested URL "%s" was not found. Specifies the name of the Subject field of the certificate the server .3=The recovery action you selected was not valid.Required=5 Recover. Please try again. Server. specify a new line. private store (SbHttpServer service store).Timeout=3600 [Strings] String. These are strings that the server can display.Asked=3 Database. . .Handlers] . Pleast try again.CeRecovery=SBCEDEV. SYS Endpoint Encryption’s device driver crypto algorithm module. srg files Endpoint Encryption registry files These are standard regedit files which are processed into the registry by Endpoint Encryption.Endpoint Encryption Configuration Files The questions used can be changed at any time without affecting current registered users. 114 | .exe Main Endpoint Encryption Manager Executable DLL Files sbalgxx Utility Encryption algorithm module. Endpoint Encryption Manager Program and Driver Files EXE Files SBAdmin. without using the windows regedit utility. SYS Files SBALG. Module codes The following codes can be used to identify from which Endpoint Encryption module the error message was generated.com.ini for more details of these error messages. As the code and design does not expect such errors to be generated. You can also find more information on error messages on our web site. www. 1 Please note that many of these error codes are not designed to ever be shown – they are mentioned for completeness.a place in our software where we ensure a number of conditions are true before continuing.mcafee.Error Messages Error Messages Please see the file sberrors. This kind of error is termed an “Assertion” . Error Code 1c00 5501 5502 5c00 5c02 a100 c100 db00 db01 db02 e000 Module IPC SBHTTP Page Errors SBHTTP User Web Recovery SBCOM Protocol SBCOM Crypto ALG Scripting Database Misc Database Objects Database Attributes Endpoint Encryption General | 115 . 
even though the design does not allow for a specific case where the conditions could not be true. resolving them involves working through the context of the issue – without knowing the steps required to reproduce the error it would not be possible to conclude how the system managed to arrive at the error state. Error Messages Error Code e001 e002 e003 e004 e005 e006 e007 e010 e011 e012 e013 e014 e015 e016 Module Endpoint Encryption Tokens Endpoint Encryption Disk Endpoint Encryption SBFS Endpoint Encryption BootCode Endpoint Encryption Client Endpoint Encryption Algorithms Endpoint Encryption Users Endpoint Encryption Keys Endpoint Encryption File Endpoint Encryption Licenses Endpoint Encryption Installer Endpoint Encryption Hashes Endpoint Encryption App Control Endpoint Encryption Admin 5501 Web Server Page Errors Code [55010000] [55010001] [55010002] [55010003] [55010004] [55010005] Message and Description URL not found Invalid parameter encoding Invalid parameter Missing parameter Not logged on No user challenge has been provided 116 | . 
Error Messages Code [55010006] [55010007] [55010008] [55010009] [5501000a] Message and Description Unable to get configuration Unable to set configuration Incorrect user challenge Invalid recovery action Reparse required 5502 Web Server User Web Recovery Code [55020000] Message and Description Permission to use web recovery is denied 5C00 Communications Protocol Code [5c000000] Message and Description Unsupported version The server and client are not talking the same communications protocol version [5c000005] [5c000008] [5c000009] Out of memory A corrupt or unexpected message was received Unable to load the Windows TCP/IP library (WSOCK32.DLL) Check that the TCP/IP protocol is installed [5c00000a] Communications library not initialised This is an internal programmatic error [5c00000c] [5c00000d] [5c00000e] Unable to create TCP/IP socket Failed while listening on a TCP/IP socket Unable to convert a host name to an IP address Check the host file or the DNS settings | 117 . a file) [5c00001e] Wrong Endpoint Encryption Communications Protocol Version You are most likely trying to connect to a v4 Endpoint Encryption Server using a v5 Server definition with server authentication 118 | .g. 
a file) [5c00001c] [5c00001d] Unable to create thread mute Message too big to be sent This may occur if an attempt is made to import large amounts of data into the database (e.g.Error Messages Code [5c00000f] Message and Description Failed to connect to the remote computer The computer may not be listening or it is too busy to accept connections [5c000010] [5c000011] Failed while accepting a new TCP/IP connection Failed while receiving communications data The remote computer may have reset the connection [5c000012] [5c000013] [5c000014] [5c000015] [5c000016] [5c000017] [5c000018] [5c000019] [5c00001a] [5c00001b] Failed while sending communications data Invalid communications configuration Invalid context handle A connection has already been established No connection has been established Request for an unknown function has been received Unsupported or corrupt compressed data received Data block is too big Data of an unexpected length has been received Message too big to be received This may occur if an attempt is made to import large amounts of data into the database (e. 5C02 Communications Cryptographic Code [5c020000] [5c020001] [5c020002] [5c020003] [5c020004] [5c020005] [5c020006] [5c020007] [5c020008] [5c020009] Message and Description The Diffie‐Hellmen data is invalid or corrupt An unsupported encryption algorithm has been requested An unsupported authentication algorithm has been requested Unable to sign data Authentication signature is not valid Authentication parameters are invalid or corrupt Failed while generating DSA parameters No session key has been generated Unable to authenticate user Session key too big A100 Algorithm Errors Code [a1000000] [a1000001] [a10000002] [a1000003] [a1000004] [a1000005] Message and Description Not enough memory Unknown or unsupported function Invalid handle Encryption key is too big Encryption key is too small Unsupported encryption mode | 119 . 
Check that you do not have both v4 and v5 servers running (perhaps as a service) at the same time.Error Messages Code Message and Description enabled. for example user or group name. The standard Endpoint Encryption database includes this feature.Error Messages Code [a1000006] [a1000007] Message and Description Invalid memory address Invalid key data C100 Scripting Errors Code [c1000001] [c1000002] Message and Description Invalid Argument Missing Parameter There is a required parameter missing [c1000003] [c1000004] [c1000005] [c1000006] [c1000007] [c1000009] Missing Value Machine Already In Group Database Not Found User Already In Group Wrong Group Type Wrong Database Capabilities Usually only returned when the database does not have ID assignment support. [c100000b] [c100000c] [c100000d] Unsupported Connection Type No Admin Name Specified No Admin Password Specified 120 | . [c1000009] Parameter Needed You must enter one of the required parameters. [c100000a] Parameter Positive You must specify a positive value for this parameter. delete the SDMCFG. To force the new database wizard to be run.INI file and restart the administration program. [db000003] Invalid context handle | 121 .Error Messages Code [c100000e] [c100000f] [c1000010] [c1000011] Message and Description Unknown Authentication Type No Connection Reference Unknown Connection Mutex Creation Failed Caused when there are insufficient system resources in the host OS to create another mutex [c1000012] [c1000013] [c1000014] [c1000015] [c1000016] [c1000017] Command Skipped No Command Specified Unknown Command No User ID specified No User Key Found No Key File No key file was specified [c1000018] Key File Not Found The authentication key file specified as UserIDKeyFile was not found DB00 Database Errors Code [db000000] [db000001] [db000002] Message and Description Out of memory More data is available The database has not been created or initialised yet Check the database path or create a new database. 
Error Messages Code [db000004] db000005] Message and Description The name was not found in the database [Authentication was not successful. Choose a different database path [db000009] [db00000a] Unable to create the database Check the path settings and make sure you have write access to the directory [db00000b] [db00000c] Invalid database handle The database is currently in use by another entity You cannot delete a database while someone is using it [db00000d] [db00000e] [db00000f] [db000010] [db000011] [db000012] [db000013] [db000014] [db000015] Unable to initialise the database User aborted Memory access violation Invalid string No default group has been defined The group could not be found File not found Unable to read file Unable to create file 122 | . Check that you have the correct token for this database [db000006] [db000007] [db000008] Unknown database Invalid database type The database could not be found. Check the database path settings Database already exists. This usually means that your hard disks are in the process of being encrypted or decrypted. Please wait for it to complete and try again. There is no way to change the ID of a database. | 123 .Error Messages Code [db000016] [db000017] [db000018] [db000019] [db00001a] Message and Description Unable to write to file File corrupt Invalid function Unable to create mutex Invalid license The license has been modified so that the signature is now invalid [db00001b] [db00001c] License has expired The license is not for this database Check the database ID and ensure it is the same as the one specified in the license. a different ID is generated. [db00001f] [db000020] [db000021] [db000022] Endpoint Encryption is still installed on this machine Buffer too small The requested function is not supported Unable to update the boot sector The disk may be in use by another application or Explorer itself. Each time you create a new database. The disk may be protected by an anti‐virus program. 
You can check the current Endpoint Encryption status from the right‐click menu of the Endpoint Encryption task bar icon. [db00001d] [db00001e] You do not have permission to access the object Endpoint Encryption is currently busy with another task. [db010007] The object status is disabled This is usually associated with User objects. If you are trying to write to the object while someone else has the object open for reading. you will not be able to change to write mode.Error Messages DB01 Database Objects Code [db010000] Message and Description The object is locked Someone else is currently updating the same object [db010001] [db010002] Unable to get the object ID Unable to change the object's access mode Someone else may by accessing the object at the same time. Disabling the user's object prevents them logging on until their account is re‐enabled. [db010008] [db01000f] [db010010] The object already exists The object is in use Object not found The object has been deleted from the database [db010011] License has been exceeded for this object type Check that your licenses are still valid and if not obtain further licenses if necessary 124 | . [db010003] [db010004] Object is in wrong access mode Unable to create the object in the database The disk may be full or write protected [db010005] [db010006] Operation not allowed on the object type Insufficient privilege level You do not have the access rights required to access the object. 
E001 Tokens Code [e0010000] [e0010001] [e0010002] [e0010003] [e0010004] [e0010005] Message and Description General token error Token not logged on Token authentication parameters are incorrect Unsupported token type Token is corrupt The token is invalidated due to too many invalid logon attempts | 125 .Error Messages DB02 Database Attributes Code [db020000] [db020001] [db020002] [db020003] [db020004] [db020005] [db020006] Message and Description Attribute not found Unable to update attribute Unable to get attribute data Invalid offset into attribute data Unable to delete attribute Incorrect attribute length Attribute data required E000 Endpoint Encryption General Code [e0000000] [e0000001] [e0000002] [e0000010] Message and Description User aborted Insufficient memory Invalid date/time Invalid date/time. Clock is reporting a time before 1992 or after 2038. Error Messages Code [e0010006] [e0010007] [e0010010] [e0010011] [e0010012] Message and Description Too many incorrect authentication attempts Token recovery key incorrect The password is too small The password is too large The password has already been used before. Password change is disabled Password entry is disabled Unknown user Incorrect user key The token is not the correct one for the user Unsupported user configuration item The user has been invalidated The user is not active The user is disabled Logon for this user is not allowed at this time No recovery key is available for the user The algorithm required for the token is not available Unknown token type Unable to open token module [e0010013] [e0010014] [e0010015] [e0010016] [e0010017] [e0010020] [e0010021] [e0010022] [e0010023] [e0010024] [e0010025] [e0010026] [e0010027] [e0010028] [e0010030] [e0010040] [e0010041] 126 | . Please choose a new one. The password content is invalid The password has expired The password is the default and must be changed. 
Error Messages Code [e0010042] [e0010043] [e0010044] [e0010045] [e0010046] [e0018000] [e0018001] [e0018002] Message and Description Unable to read token module Unable to write token module Token file not found Token type not present Token system class is not available Sony Puppy requires fingerprint Sony Puppy requires password Sony Puppy not trained E012 Licences Code [e0120001] [e0120002] [e0120003] [e0120004] Message and Description License invalid License expired License is not for this database License count exceeded E013 Installer Code [e0130002] [e0130003] [e0130004] [e0130005] [e0130006] [e0130007] Message and Description No installer executable stub found Unable to read installer executable stub Unable to create file Error writing file Error opening file Error reading file | 127 . Error Messages Code [e0130008] [e0130009] [e013000a] [e013000b] [e013000c] [e013000d] [e013000e] [e013000f] [e0130010] Message and Description Installer file invalid No more files to install Install archive block data too large Install archive data not found Install archive decompression failed Unsupported installer archive compression type Installation error Unable to create temporary directory Error registering module E014 Hashes Code [e0140001] [e0140002] [e0140003] [e0140004] [e0140005] [e0140006] [e0140007] [e0140008] [e0140009] [e014000a] Message and Description Insufficient memory Error opening hashes file Error reading hashes file Hashes file invalid Unable to create hashes file Error writing hashes file Hashes file is not open Hashes file data invalid Hashes file data too big User aborted 128 | Error Messages E016 Administration Center Code [e0160001] Message and Description Invalid plugin information | 129 Technical Specifications and Options Technical Specifications and Options The following options are available from Endpoint Encryption but may not be included on your install CD, or be appropriate for your version of the Endpoint Encryption Manager. 
Please contact your McAfee representative for information if you wish to use one of these optional components.

Encryption Algorithms
Endpoint Encryption supports many custom algorithms. Only one algorithm can be used in an Endpoint Encryption Enterprise.

RC5-12
CBC mode, 1024 bit key, 12 rounds, 64 bit blocks. The RC5-12 algorithm is compatible with the Endpoint Encryption 3.x algorithm.

RC5-18
CBC mode, 1024 bit key, 18 rounds, 64 bit blocks. The 18 round RC5 variant is designed to prevent the theoretical "Known Plaintext" attack.

AES-FIPS (FIPS 140-1 Approved) - RECOMMENDED
CBC mode, 256 bit key, 128 bit blocks. This algorithm is approved for FIPS 140-1 use.

Smart Card Readers
The following smart card readers are supported.
• Any Windows supported smart card reader
• All PC/SC Smart Card Readers

Tokens
Smart Cards
For the latest list of authentication methods using smart cards, tokens and fingerprint readers please consult your McAfee representative.

Language Support
Endpoint Encryption Manager: Czech, Dutch, English (United Kingdom), English (United States), French, Japanese, Korean, Portuguese (Brazil).

System Requirements
Implementation documentation discussing appropriate hardware for typical installations of Endpoint Encryption is available from your representative. The following specifications should be considered appropriate for evaluation deployments only.

Administration
• Windows NT4.0sp6a, 2000, XP, 2003, Vista 32bit (all versions), Vista 64bit (all versions)
• 256MB or OS minimum RAM
• 40MB free hard disk space
• Pentium compatible processor, multi-way (up to 32 processors). Hyperthreading, Dual Core and AMD processors are supported.
• For remote administration, a TCP/IP network connection is required.

Endpoint Encryption Database Server
• Windows NT4.0sp6a, 2000, XP, 2003, Vista 32bit (all versions), Vista 64bit (all versions)
• 256MB or OS minimum RAM, 1024MB recommended
• 200MB free hard disk space
• Pentium compatible processor, multi-way (up to 32 processors). Hyperthreading, Dual Core and AMD processors are supported.
• For remote administration a TCP/IP network connection with a static DNS name / IP address is required.
• This configuration is considered appropriate for evaluation systems only. For production systems, please contact your McAfee representative for enterprise implementation documentation.

SFDBBack
• All versions of Windows (IE4.0 with Offline Browsing Pack required for Windows 95 and NT4.0sp6a)

Active Directory Connector
• Windows NT4sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit and Vista 64bit
• Requires read/write access to v3+ Active Directory.
• Domain account access for Windows 2000+.

NT Connector
• Windows NT4.0sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit and Vista 64bit
NOTE: The NT connector must be installed on a PDC or BDC on Windows NT4.0.

Novell Netware / LDAP Connector
• Windows NT4sp6a, Windows 2000, Windows XP, Windows 2003, Vista 32bit and Vista 64bit
• Novell eDirectory 8.6.x with Novell Server 7.0. Future versions of Novell are expected to function.