McAfee® Endpoint Encryption for Files and Folders Administration Guide Version 3.1.3
Introduction 10 | A key feature of Endpoint Encryption for Files and Folders is the principle of containment, or persistent encryption, as it is als
Large-scale deployment considerations 100 | Make sure you have performed the name indexing before you start deploying your clients. The recommendati
Large-scale deployment considerations | 101 Tune encryption intensity for network When encrypting large folders on a network share through a policy,
Large-scale deployment considerations 102 | Exclude Endpoint Encryption for Files and Folders client program directory Irrespective of what antiviru
Tokens | 103 Tokens This chapter addresses the different authentication tokens that are supported in Endpoint Encryption for Files and Folders. Passw
Tokens 104 | When properly configured, the users can use the certificates on the supported USB authentication tokens to authenticate to Endpoint Enc
Tokens | 105 Also, for smart cards with certificates, you may want to try the Generic PKI token module available. Please see information below. With
Tokens 106 | Endpoint Encryption Connector Manager G2 for Active Directory is necessary. For documentation about the Endpoint Encryption Connector M
Tokens | 107 SbTokCSP.INI file must be done before creating any installation sets for Endpoint Encryption for Files and Folders clients that shall us
Tokens 108 | it in accordance with what CSP is supported, e.g. Generic PKI token files – Siemens and import/replace the SbTokCSP.INI file For a comp
Endpoint Encryption for Files and Folders Configuration Files | 109 Endpoint Encryption for Files and Folders Configuration Files Endpoint Encryption
Introduction | 11 Endpoint Encryption for Files and Folders supports three standard algorithms with various key lengths, including the Endpoint Encry
Endpoint Encryption for Files and Folders Configuration Files 110 | SBM.ini This is the configuration file for Endpoint Encryption authentication to
Endpoint Encryption for Files and Folders Program and Driver Files | 111 Endpoint Encryption for Files and Folders Program and Driver Files EXE files
Endpoint Encryption for Files and Folders Program and Driver Files 112 | SbCeProvider Utilities for receiving and providing encryption keys to the o
Endpoint Encryption for Files and Folders Program and Driver Files | 113 SbCeDriverCom Utilities for controlling and running the kernel driver. Deskt
Endpoint Encryption for Files and Folders Program and Driver Files 114 | NotificationManager Manages and responds to notification events. This libra
Endpoint Encryption for Files and Folders Program and Driver Files | 115 SbCe-POLICIES The default policy for an installation of Endpoint Encryption
Error Messages 116 | Error Messages Please see the file sberrors.ini for more details of these error messages. You can also find more information on
Error Messages | 117 [5c000008] A corrupt or unexpected message was received [5c000009] Unable to load the Windows TCP/IP library (WSOCK32.DLL) Chec
Error Messages 118 | This may occur if an attempt is made to import large amounts of data into the database (e.g. a file) [5c00001c] Unable to creat
Error Messages | 119 Choose a different database path [db00000a] Unable to create the database Check the path settings and make sure you have write a
Introduction 12 | installed, the user that logs on will be forced to retrieve the proper policy assigned to him/her in the central database. If Adm
Error Messages 120 | This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint
Error Messages | 121 The object has been deleted from the database [db010011] License has been exceeded for this object type Check that your licenses
Error Messages 122 | Installer program errors [15000001] Memory Error [15000002] No EXE Stub [15000003] Error reading EXE Stub [15000004] Error C
Technical Specifications and Options | 123 Technical Specifications and Options Language Support Endpoint Encryption Manager American English, Inter
Technical Specifications and Options 124 | Endpoint Encryption for Files and Folders Client • Windows 2000 SP4 with RollUp1, XP SP2, Vista SP1. Ple
Technical Specifications and Options | 125 DoD 5220.22-M National Industrial Security Program Operating Manual (NISPOM) January 1995, Department of D
Appendix 126 | Appendix Making Endpoint Encryption for Files and Folders FIPS Compliant The following procedures must be followed to operate McAfee
Appendix | 127 FIPS mode registry script The following needs to be saved to a text file with the extension “.reg” and then merged into the registry a
Appendix 128 | "Path"="c:\\program files\\safeboot content encryption\\SbAlgs\\SbAlg00.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\SafeB
Appendix | 129 Encryption\Verifier\21] "Path"="c:\\program files\\safeboot content encryption\\SbCeDesktopIntegration.dll" [HKE
Introduction | 13 • Configuring Endpoint Encryption for Files and Folders Policies • Creating and assigning Endpoint Encryption for Files and Folde
Appendix 130 | [HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\33] "Path"="c:\\program fil
Appendix | 131 "Path"="c:\\program files\\safeboot content encryption\\SbCmaCe.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Co
Appendix 132 | Encryption\Verifier\20] "Path"="c:\\program files\\safeboot content encryption\\SbCeCoreService.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\S
Appendix | 133 [HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\32] "Path"="c:\\program files\\safeboot con
Index 134 | Index A Active Directory, 14 algorithm, 13, 118, 120, 123, 126, 127 authentication, 13 C Client cekey file, 86 configuration files, 11
Index | 135 M Microsoft, 60 N Network encryption, 48 NT Domain, 14 O object directory, 12, 13, 14, 111, 114 P Pagefile encryption, 11 Pentium, 125, 1
Introduction 14 | Typical information stored in the Object Directory includes: • User Configuration and Policy Configuration information • Client
Introduction | 15 Manager. This executable file contains the core components and drivers needed to enable Endpoint Encryption on a user’s machine. T
Endpoint Encryption for Files and Folders Client Software 16 | Endpoint Encryption for Files and Folders Client Software Endpoint Encryption for Fi
Endpoint Encryption for Files and Folders Client Software | 17 Encryption product icon), and the shell extension options, visible from the context me
Endpoint Encryption for Files and Folders Client Software 18 | Figure 6: Endpoint Encryption system tray icon menu (Endpoint Encryption for Files a
Endpoint Encryption for Files and Folders Client Software | 19 Removable media Endpoint Encryption for Files and Folders can enforce encryption on re
McAfee, Inc. McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA Tel: (+1) 888.847.8766 For more information regarding local McAfee repre
Deploying Endpoint Encryption for Files and Folders 20 | Deploying Endpoint Encryption for Files and Folders There are 7 steps you need to follow to
Endpoint Encryption for Files and Folders Policy Settings | 21 Endpoint Encryption for Files and Folders Policy Settings About Endpoint Encryption fo
Endpoint Encryption for Files and Folders Policy Settings 22 | 3. Double-click it to expand its groups. 4. Either open an existing group, or creat
Endpoint Encryption for Files and Folders Policy Settings | 23 Adds a new policy to the group. Rename Changes the name of the policy. This does not a
Endpoint Encryption for Files and Folders Policy Settings 24 | Allow explicit decrypt Enables the Decrypt… option in the user’s context menu (displ
Endpoint Encryption for Files and Folders Policy Settings | 25 Show About option on system tray menu Enables the option in the system tray menu that
Endpoint Encryption for Files and Folders Policy Settings 26 | NOTE: if the previous setting (Attempt logon with Endpoint Encryption for PC credenti
Endpoint Encryption for Files and Folders Policy Settings | 27 The Endpoint Encryption user name and the Windows user name must be identical. It is r
Endpoint Encryption for Files and Folders Policy Settings 28 | 2. Click the icon for File Extensions encryption. 3. Assure the category Process Sp
Endpoint Encryption for Files and Folders Policy Settings | 29 8. Next you must add file extensions to be encrypted by the listed processes. Mark th
Contents Preface ... 6 About This Guide ...
Endpoint Encryption for Files and Folders Policy Settings 30 | Figure 10: Process specific extension encryption – Adding additional processes Figu
Endpoint Encryption for Files and Folders Policy Settings | 31 Figure 12: Process specific extension encryption – Example setup To remove or edit a
Endpoint Encryption for Files and Folders Policy Settings 32 | Deleting extensions It is important to notice that deleting a file extension does not
Endpoint Encryption for Files and Folders Policy Settings | 33 [PROFILE] = The user’s local user root directory, i.e. [SYSDRIVE:\Documents and Settin
Endpoint Encryption for Files and Folders Policy Settings 34 | Edit Lets you edit a selected folder encryption item from the list, e.g. change encry
Endpoint Encryption for Files and Folders Policy Settings | 35 When encrypting large folders on a network share through a policy, it is strongly reco
Endpoint Encryption for Files and Folders Policy Settings 36 | If the Make all removable media plaintext (see below) option is enabled, then any exi
Endpoint Encryption for Files and Folders Policy Settings | 37 • Command prompt file operations (copy*, move*) • Files being created directly on
Endpoint Encryption for Files and Folders Policy Settings 38 | You will find the DeviceID of a device by looking in the Windows Device Manager on a
Endpoint Encryption for Files and Folders Policy Settings | 39 Figure 17: Identifying the DeviceID for a removable media device To add exemptions to
Preface 4 | Client Registry controls ... 85 Controlling the authentication
Endpoint Encryption for Files and Folders Policy Settings 40 | Changes to the list of exempted DeviceIDs are done by using the Edit and Remove butto
Endpoint Encryption for Files and Folders Policy Settings | 41 About Multi-Session CDs/DVDs The CD/DVD encryption feature supports burning of encrypt
Endpoint Encryption for Files and Folders Policy Settings 42 | Automatic key loading/unloading Enable inactivity timeout If a user has successfully
Endpoint Encryption for Files and Folders Policy Settings | 43 Allow user local keys Marking this box prepares the Endpoint Encryption for Files and
Endpoint Encryption for Files and Folders Policy Settings 44 | Allow import of user local keys This option allows users to import keys that have bee
Endpoint Encryption for Files and Folders Policy Settings | 45 With this option, it is possible to have the original time values restored (preserved)
Endpoint Encryption for Files and Folders Policy Settings 46 | If you want to enforce removable media encryption on floppy disk drives, setting this
Endpoint Encryption for Files and Folders Policy Settings | 47 The main purpose of process blocking is to prevent encrypted data from being unintenti
Endpoint Encryption for Files and Folders Policy Settings 48 | didn’t halt. In addition, encrypted files will be scanned later whenever they are acc
Endpoint Encryption for Files and Folders Policy Settings | 49 Enable network encryption This tick box switches network encryption on/off. If uncheck
Preface | 5 Index ... 134
Encryption keys 50 | Encryption keys About Encryption keys Encryption keys are generic purpose objects which Endpoint Encryption applications can us
Encryption keys | 51 7. Select the algorithm to be used by the key. You may select algorithm from the drop-down menu. The recommendation is to use t
Encryption keys 52 | Delete key Deletes the selected encryption key. If you delete a key, all users connected to that policy will have all restricti
Encryption keys | 53 Group This dialog presents information about the Keys group. You may type in some description for the group in the field. Click
Encryption keys 54 | copy of the key. If the key could be obtained from the Database, then the local copy may be installed, or updated at the same t
Encryption keys | 55 user that is assigned to the key, then that group or user can no longer manage the key. Be extra cautious if this is the only ob
Encryption keys 56 | Users Please see Users section of this Guide for details on this dialog.
Assigning and Updating Policies | 57 Assigning and Updating Policies Assigning policies Once you have created encryption policies, these must be assi
Assigning and Updating Policies 58 | NOTE: You can only assign one type of policy to a user group or user. I.e. a user cannot have two different End
Creating an Install Package | 59 Creating an Install Package About Install Packages Endpoint Encryption for Files and Folders is installed by running
Preface 6 | Preface McAfee is dedicated to providing you with the best in security for protecting data on personal computers. Applying the latest te
Creating an Install Package 60 | installation set and thus applied without the user having to logon on to the Endpoint Encryption database. Install
Creating an Install Package | 61 Figure 28: Creating an Install Set After the install file has been run on a client machine and the machine restarte
Creating an Install Package 62 | Installing Endpoint Encryption for Files and Folders client Supported platforms • Windows 2000 Workstation SP4 wit
Creating an Install Package | 63 3. Execute the Install Package created by the Endpoint Encryption administrator on the target computer. This enable
Creating an Install Package 64 | If you know precisely the file(s) that have changed for a particular upgrade, you may upgrade the file(s) individua
Creating an Install Package | 65 8. In the search dialog that opens, browse the system directory where you have installed the Endpoint Encryption fi
Creating an Install Package 66 | Endpoint Encryption for Files and Folders authentication. If there is no connection to the Endpoint Encryption Serv
Creating an Install Package | 67 Also, when uninstalling from a Windows Vista system, there will be a (hidden) directory left behind on the client: [
Endpoint Encryption for Files and Folders client 68 | Endpoint Encryption for Files and Folders client This chapter describes the client side of End
Endpoint Encryption for Files and Folders client | 69 About Endpoint Encryption for Files and Folders This option opens up a dialog with information
Preface | 7 Conventions This guide uses the following conventions: Bold Condensed All words from the interface, including options, menus, buttons, an
Endpoint Encryption for Files and Folders client 70 | User Web Recovery is used, then the questions entered by the user at the time of Web Recovery
Endpoint Encryption for Files and Folders client | 71 For more information about setting up and configuring Endpoint Encryption Web Recovery, please
Endpoint Encryption for Files and Folders client 72 | Synchronize Synchronizing Endpoint Encryption for Files and Folders triggers an authentication
Endpoint Encryption for Files and Folders client | 73 Create Local Key… Starts the encryption key creation wizard. Keys may be stored either on the
Endpoint Encryption for Files and Folders client 74 | In order to complete the import, the transport password must be entered. Also, the user must a
Endpoint Encryption for Files and Folders client | 75 Figure 34: Endpoint Encryption for Files and Folders – Context menu options Encrypt… If enabled
Endpoint Encryption for Files and Folders client 76 | If the folder/file is encrypted (e.g. according to a policy), the user cannot decrypt it. This
Endpoint Encryption for Files and Folders client | 77 This operation is very helpful before uninstalling Endpoint Encryption for Files and Folders fr
Endpoint Encryption for Files and Folders client 78 | Figure 38: Entering encryption password for self-extracting file In essence, only the passwor
Endpoint Encryption for Files and Folders client | 79 The self-extractor is packaged into a *.cab file as these are widely recognized in most compute
Introduction 8 | Introduction Why Endpoint Encryption for Files and Folders? All organizations have their own rules about what data is available to
Endpoint Encryption for Files and Folders client 80 | By default, the open-close-wipe option is selected. If the Extract option is selected instead,
Endpoint Encryption for Files and Folders client | 81 CAUTION: Please observe the following regarding this option: First, in order to have Encrypt an
Endpoint Encryption for Files and Folders client 82 | Identifying encrypted files and folders Figure 43: Endpoint Encryption for Files and Folders
Endpoint Encryption for Files and Folders client | 83 Accessing encrypted files Figure 44: Endpoint Encryption for Files and Folders authentication
Endpoint Encryption for Files and Folders client 84 | The .cekey file When encrypting folders, either manually using the Encrypt option or when encr
Endpoint Encryption for Files and Folders client | 85 Follow target When a file that is encrypted with key A, for example, and is moved to a folder w
Endpoint Encryption for Files and Folders client 86 | [Options.Logon] Manual.ShowFailedRemoteConnect=Yes RequestKey.ShowFailedRemoteConnect=Yes The
Endpoint Encryption for Files and Folders client | 87 8. Browse for the SbC4.INI file from step (4) and finish the import. 9. Create and deploy a n
Utilities for Endpoint Encryption for Files and Folders 88 | Utilities for Endpoint Encryption for Files and Folders This chapter describes the vari
Utilities for Endpoint Encryption for Files and Folders | 89 • Communication between the Endpoint Encryption for Files and Folders client and the da
Introduction | 9 Users can work without interruption. With the exception of the initial logon to access protected data, Endpoint Encryption for Files
Utilities for Endpoint Encryption for Files and Folders 90 | 2. SbCeShell -use_full_driver_trace 3. SbCeShell -enable_driver_trace <{comple
Utilities for Endpoint Encryption for Files and Folders | 91 Figure 46: Windows dialog for mini-dump file • In the section named Write debugging in
Utilities for Endpoint Encryption for Files and Folders 92 | Complete memory dump The Complete memory dump is the ideal dump from an error investiga
Utilities for Endpoint Encryption for Files and Folders | 93 Hanging applications Open the Task Manager and identify the frozen process that needs to
Utilities for Endpoint Encryption for Files and Folders 94 | 6. Wait until SBCECore.exe crashes. To know when this happens, you should look into th
Utilities for Endpoint Encryption for Files and Folders | 95 Where source must be a path to a file, either complete or relative, and destination must
The Endpoint Encryption for Files and Folders Logon 96 | The Endpoint Encryption for Files and Folders Logon The Forced Logon When Endpoint Encrypti
The Endpoint Encryption for Files and Folders Logon | 97 [Options.Logon] Manual.Force.UsePrivateDesktop=No Manual.UsePrivateDesktop=No
The Endpoint Encryption for Files and Folders Logon 98 | [Options.Logon] Manual.UsePrivateDesktop=No RequestKey.UsePrivateDesktop=No Manual.Force
Large-scale deployment considerations | 99 Large-scale deployment considerations This chapter briefly outlines some recommendations for large scale d