McAfee OFFICE 3.1 Spezifikationen Seite 1

McAfee® Endpoint Encryption for Files and Folders AdministrationGuideVersion3.1.3

Introduction 10 | A key feature of Endpoint Encryption for Files and Folders is the principle of containment, or persistent encryption, as it is als

Large-scale deployment considerations 100 | Make sure you have performed the name indexing before you start deploying your clients. The recommendati

Large-scale deployment considerations | 101 Tune encryption intensity for network When encrypting large folders on a network share through a policy,

Large-scale deployment considerations 102 | Exclude Endpoint Encryption for Files and Folders client program directory Irrespective of what antiviru

Tokens | 103 Tokens This chapter addresses the different authentication tokens that are supported in Endpoint Encryption for Files and Folders. Passw

Tokens 104 | When properly configured, the users can use the certificates on the supported USB authentication tokens to authenticate to Endpoint Enc

Tokens | 105 Also, for smart cards with certificates, you may want to try the Generic PKI token module available. Please see information below. With

Tokens 106 | Endpoint Encryption Connector Manager G2 for Active Directory is necessary. For documentation about the Endpoint Encryption Connector M

Tokens | 107 SbTokCSP.INI file must be done before creating any installation sets for Endpoint Encryption for Files and Folders clients that shall us

Tokens 108 | it in accordance with what CSP is supported, e.g. Generic PKI token files – Siemens and import/replace the SbTokCSP.INI file For a comp

Endpoint Encryption for Files and Folders Configuration Files | 109 Endpoint Encryption for Files and Folders Configuration Files Endpoint Encryption

Introduction | 11 Endpoint Encryption for Files and Folders supports three standard algorithms with various key lengths, including the Endpoint Encry

Endpoint Encryption for Files and Folders Configuration Files 110 | SBM.ini This is the configuration file for Endpoint Encryption authentication to

Endpoint Encryption for Files and Folders Program and Driver Files | 111 Endpoint Encryption for Files and Folders Program and Driver Files EXE files

Endpoint Encryption for Files and Folders Program and Driver Files 112 | SbCeProvider Utilities for receiving and providing encryption keys to the o

Endpoint Encryption for Files and Folders Program and Driver Files | 113 SbCeDriverCom Utilities for controlling and running the kernel driver. Deskt

Endpoint Encryption for Files and Folders Program and Driver Files 114 | NotificationManager Manages and responds to notification events. This libra

Endpoint Encryption for Files and Folders Program and Driver Files | 115 SbCe-POLICIES The default policy for an installation of Endpoint Encryption

Error Messages 116 | Error Messages Please see the file sberrors.ini for more details of these error messages. You can also find more information on

Error Messages | 117 [5c000008] A corrupt or unexpected message was received [5c000009] Unable to load the Windows TCP/IP library (WSOCK32.DLL) Chec

Error Messages 118 | This may occur if an attempt is made to import large amounts of data into the database (e.g. a file) [5c00001c] Unable to creat

Error Messages | 119 Choose a different database path [db00000a] Unable to create the database Check the path settings and make sure you have write a

Introduction 12 | installed, the user that logs on will be forced to retrieve the proper policy assigned to him/her in the central database. If Adm

Error Messages 120 | This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current Endpoint

Error Messages | 121 The object has been deleted from the database [db010011] License has been exceeded for this object type Check that your licenses

Error Messages 122 | Installer program errors [15000001] Memory Error [15000002] No EXE Stub [15000003] Error reading EXE Stub [15000004] Error C

Technical Specifications and Options | 123 Technical Specifications and Options Language Support Endpoint Encryption Manager American English, Inter

Technical Specifications and Options 124 | Endpoint Encryption for Files and Folders Client • Windows 2000 SP4 with RollUp1, XP SP2, Vista SP1. Ple

Technical Specifications and Options | 125 DoD 5220.22-M National Industrial Security Program Operating Manual (NISPOM) January 1995, Department of D

Appendix 126 | Appendix Making Endpoint Encryption for Files and Folders FIPS Compliant The following procedures must be followed to operate McAfee

Appendix | 127 FIPS mode registry script The following needs to be saved to a text file with the extension “.reg” and then merged into the registry a

Appendix 128 | "Path"="c:\\program files\\safeboot content encryption\\SbAlgs\\SbAlg00.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\SafeB

Appendix | 129 Encryption\Verifier\21] "Path"="c:\\program files\\safeboot content encryption\\SbCeDesktopIntegration.dll" [HKE

Introduction | 13 • Configuring Endpoint Encryption for Files and Folders Policies • Creating and assigning Endpoint Encryption for Files and Folde

Appendix 130 | [HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\33] "Path"="c:\\program fil

Appendix | 131 “Path”=“c:\\program files\\safeboot content encryption\\SbCmaCe.dll” [HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Co

Appendix 132 | Encryption\Verifier\20] “Path”=“c:\\program files\\safeboot content encryption\\SbCeCoreService.exe” [HKEY_LOCAL_MACHINE\SOFTWARE\S

Appendix | 133 [HKEY_LOCAL_MACHINE\SOFTWARE\SafeBoot International\SafeBoot Content Encryption\Verifier\32] “Path”=“c:\\program files\\safeboot con

Index 134 | Index AActiveDirectory,14algorithm,13,118,120,123,126,127authentication,13CClientcekeyfile,86configurationfiles,11

Index | 135 MMicrosoft,60NNetworkencryption,48NTDomain,14Oobjectdirectory,12,13,14,111,114PPagefileencryption,11Pentium,125,1

Introduction 14 | Typical information stored in the Object Directory includes: • User Configuration and Policy Configuration information • Client

Introduction | 15 Manager. This executable file contains the core components and drivers needed to enable Endpoint Encryption on a user’s machine. T

Endpoint Encryption for Files and Folders Client Software 16 | Endpoint Encryption for Files and Folders Client Software Endpoint Encryption for Fi

Endpoint Encryption for Files and Folders Client Software | 17 Encryption product icon), and the shell extension options, visible from the context me

Endpoint Encryption for Files and Folders Client Software 18 | Figure6:EndpointEncryptionsystemtrayiconmenu(EndpointEncryptionforFilesa

Endpoint Encryption for Files and Folders Client Software | 19 Removable media Endpoint Encryption for Files and Folders can enforce encryption on re

McAfee, Inc. McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA Tel: (+1) 888.847.8766 For more information regarding local McAfee repre

Deploying Endpoint Encryption for Files and Folders 20 | Deploying Endpoint Encryption for Files and Folders There are 7 steps you need to follow to

Endpoint Encryption for Files and Folders Policy Settings | 21 Endpoint Encryption for Files and Folders Policy Settings About Endpoint Encryption fo

Endpoint Encryption for Files and Folders Policy Settings 22 | 3. Double-click it to expand its groups. 4. Either open an existing group, or creat

Endpoint Encryption for Files and Folders Policy Settings | 23 Adds a new policy to the group. Rename Changes the name of the policy. This does not a

Endpoint Encryption for Files and Folders Policy Settings 24 | Allow explicit decrypt Enables the Decrypt… option in the user’s context menu (displ

Endpoint Encryption for Files and Folders Policy Settings | 25 Show About option on system tray menu Enables the option in the system tray menu that

Endpoint Encryption for Files and Folders Policy Settings 26 | NOTE:iftheprevioussetting(AttemptlogonwithEndpointEncryptionforPCcredenti

Endpoint Encryption for Files and Folders Policy Settings | 27 The Endpoint Encryption user name and the Windows user name must be identical. It is r

Endpoint Encryption for Files and Folders Policy Settings 28 | 2. Click the icon for File Extensions encryption. 3. Assure the category Process Sp

Endpoint Encryption for Files and Folders Policy Settings | 29 8. Next you must add file extensions to be encrypted by the listed processes. Mark th

Contents Preface ... 6About This Guide ...

Endpoint Encryption for Files and Folders Policy Settings 30 | Figure10:Processspecificextensionencryption–Addingadditionalprocesses Figu

Endpoint Encryption for Files and Folders Policy Settings | 31 Figure12:Processspecificextensionencryption–ExamplesetupTo remove or edit a

Endpoint Encryption for Files and Folders Policy Settings 32 | Deleting extensions It is important to notice that deleting a file extension does not

Endpoint Encryption for Files and Folders Policy Settings | 33 [PROFILE] = The user’s local user root directory, i.e. [SYSDRIVE:\Documents and Settin

Endpoint Encryption for Files and Folders Policy Settings 34 | Edit Lets you edit a selected folder encryption item from the list, e.g. change encry

Endpoint Encryption for Files and Folders Policy Settings | 35 Whenencryptinglargefoldersonanetworksharethroughapolicy,itisstronglyreco

Endpoint Encryption for Files and Folders Policy Settings 36 | If the Make all removable media plaintext (see below) option is enabled, then any exi

Endpoint Encryption for Files and Folders Policy Settings | 37 • Commandpromptfileoperations(copy*,move*)• Filesbeingcreateddirectlyon

Endpoint Encryption for Files and Folders Policy Settings 38 | You will find the DeviceID of a device by looking in the Windows Device Manager on a

Endpoint Encryption for Files and Folders Policy Settings | 39 Figure17:IdentifyingtheDeviceIDforaremovablemediadeviceTo add exemptions to

Preface 4 | Client Registry controls ... 85Controlling the authentication

Endpoint Encryption for Files and Folders Policy Settings 40 | Changes to the list of exempted DeviceIDs are done by using the Edit and Remove butto

Endpoint Encryption for Files and Folders Policy Settings | 41 About Multi-Session CDs/DVDs The CD/DVD encryption feature supports burning of encrypt

Endpoint Encryption for Files and Folders Policy Settings 42 | Automatic key loading/unloading Enable inactivity timeout If a user has successfully

Endpoint Encryption for Files and Folders Policy Settings | 43 Allow user local keys Marking this box prepares the Endpoint Encryption for Files and

Endpoint Encryption for Files and Folders Policy Settings 44 | Allow import of user local keys This option allows users to import keys that have bee

Endpoint Encryption for Files and Folders Policy Settings | 45 With this option, it is possible to have the original time values restored (preserved)

Endpoint Encryption for Files and Folders Policy Settings 46 | If you want to enforce removable media encryption on floppy disk drives, setting this

Endpoint Encryption for Files and Folders Policy Settings | 47 The main purpose of process blocking is to prevent encrypted data from being unintenti

Endpoint Encryption for Files and Folders Policy Settings 48 | didn’t halt. In addition, encrypted files will be scanned later whenever they are acc

Endpoint Encryption for Files and Folders Policy Settings | 49 Enable network encryption This tick box switches network encryption on/off. If uncheck

Preface | 5 Index ... 134 

Encryption keys 50 | Encryption keys About Encryption keys Encryption keys are generic purpose objects which Endpoint Encryption applications can us

Encryption keys | 51 7. Select the algorithm to be used by the key. You may select algorithm from the drop-down menu. The recommendation is to use t

Encryption keys 52 | Delete key Deletes the selected encryption key. If you delete a key, all users connected to that policy will have all restricti

Encryption keys | 53 Group This dialog presents information about the Keys group. You may type in some description for the group in the field. Click

Encryption keys 54 | copy of the key. If the key could be obtained from the Database, then the local copy may be installed, or updated at the same t

Encryption keys | 55 userthatisassignedtothekey,thenthatgrouporusercannolongermanagethekey.Beextracautiousifthisistheonlyob

Encryption keys 56 | Users Please see Users section of this Guide for details on this dialog. 

Assigning and Updating Policies | 57 Assigning and Updating Policies Assigning policies Once you have created encryption policies, these must be assi

Assigning and Updating Policies 58 | NOTE:Youcanonlyassignonetypeofpolicytoausergrouporuser.I.e.ausercannothavetwodifferentEnd

Creating an Install Package | 59 Creating an Install Package About Install Packages Endpoint Encryption for Files and Folders is installed by running

Preface 6 | Preface McAfee is dedicated to providing you with the best in security for protecting data on personal computers. Applying the latest te

Creating an Install Package 60 | installation set and thus applied without the user having to logon on to the Endpoint Encryption database. Install

Creating an Install Package | 61 Figure28:CreatinganInstallSetAfter the install file has been run on a client machine and the machine restarte

Creating an Install Package 62 | Installing Endpoint Encryption for Files and Folders client Supported platforms • Windows 2000 Workstation SP4 wit

Creating an Install Package | 63 3. Execute the Install Package created by the Endpoint Encryption administrator on the target computer. This enable

Creating an Install Package 64 | If you know precisely the file(s) that have changed for a particular upgrade, you may upgrade the file(s) individua

Creating an Install Package | 65 8. In the search dialog that opens, browse the system directory where you have installed the Endpoint Encryption fi

Creating an Install Package 66 | Endpoint Encryption for Files and Folders authentication. If there is no connection to the Endpoint Encryption Serv

Creating an Install Package | 67 Also, when uninstalling from a Windows Vista system, there will be a (hidden) directory left behind on the client: [

Endpoint Encryption for Files and Folders client 68 | Endpoint Encryption for Files and Folders client This chapter describes the client side of End

Endpoint Encryption for Files and Folders client | 69 About Endpoint Encryption for Files and Folders This option opens up a dialog with information

Preface | 7 Conventions This guide uses the following conventions: Bold Condensed All words from the interface, including options, menus, buttons, an

Endpoint Encryption for Files and Folders client 70 | User Web Recovery is used, then the questions entered by the user at the time of Web Recovery

Endpoint Encryption for Files and Folders client | 71 For more information about setting up and configuring Endpoint Encryption Web Recovery, please

Endpoint Encryption for Files and Folders client 72 | Synchronize Synchronizing Endpoint Encryption for Files and Folders triggers an authentication

Endpoint Encryption for Files and Folders client | 73 Create Local Key… Starts the encryption key creation wizard. Keys may be stored either on the

Endpoint Encryption for Files and Folders client 74 | In order to complete the import, the transport password must be entered. Also, the user must a

Endpoint Encryption for Files and Folders client | 75 Figure34:EndpointEncryptionforFilesandFolders–ContextmenuoptionsEncrypt… If enabled

Endpoint Encryption for Files and Folders client 76 | If the folder/file is encrypted (e.g. according to a policy), the user cannot decrypt it. This

Endpoint Encryption for Files and Folders client | 77 This operation is very helpful before uninstalling Endpoint Encryption for Files and Folders fr

Endpoint Encryption for Files and Folders client 78 | Figure38:Enteringencryptionpasswordforself‐extractingfileIn essence, only the passwor

Endpoint Encryption for Files and Folders client | 79 The self-extractor is packaged into a *.cab file as these are widely recognized in most compute

Introduction 8 | Introduction Why Endpoint Encryption for Files and Folders? All organizations have their own rules about what data is available to

Endpoint Encryption for Files and Folders client 80 | By default, the open-close-wipe option is selected. If the Extract option is selected instead,

Endpoint Encryption for Files and Folders client | 81 CAUTION:Pleaseobservethefollowingregardingthisoption:First,inordertohaveEncryptan

Endpoint Encryption for Files and Folders client 82 | Identifying encrypted files and folders Figure43:EndpointEncryptionforFilesandFolders

Endpoint Encryption for Files and Folders client | 83 Accessing encrypted files Figure44:EndpointEncryptionforFilesandFoldersauthentication

Endpoint Encryption for Files and Folders client 84 | The .cekey file When encrypting folders, either manually using the Encrypt option or when encr

Endpoint Encryption for Files and Folders client | 85 Follow target When a file that is encrypted with key A, for example, and is moved to a folder w

Endpoint Encryption for Files and Folders client 86 | [Options.Logon] Manual.ShowFailedRemoteConnect=Yes RequestKey.ShowFailedRemoteConnect=Yes The

Endpoint Encryption for Files and Folders client | 87 8. Browse for the SbC4.INI file from step (4) and finish the import. 9. Create and deploy a n

Utilities for Endpoint Encryption for Files and Folders 88 | Utilities for Endpoint Encryption for Files and Folders This chapter describes the vari

Utilities for Endpoint Encryption for Files and Folders | 89 • Communication between the Endpoint Encryption for Files and Folders client and the da

Introduction | 9 Users can work without interruption. With the exception of the initial logon to access protected data, Endpoint Encryption for Files

Utilities for Endpoint Encryption for Files and Folders 90 | 2. SbCeShell -use_full_driver_trace 3. SbCeShell -enable_driver_trace <{comple

Utilities for Endpoint Encryption for Files and Folders | 91 Figure46:Windowsdialogformini‐dumpfile• In the section named Write debugging in

Utilities for Endpoint Encryption for Files and Folders 92 | Complete memory dump The Complete memory dump is the ideal dump from an error investiga

Utilities for Endpoint Encryption for Files and Folders | 93 Hanging applications Open the Task Manager and identify the frozen process that needs to

Utilities for Endpoint Encryption for Files and Folders 94 | 6. Wait until SBCECore.exe crashes. To know when this happens, you should look into th

Utilities for Endpoint Encryption for Files and Folders | 95 Where source must be a path to a file, either complete or relative, and destination must

The Endpoint Encryption for Files and Folders Logon 96 | The Endpoint Encryption for Files and Folders Logon The Forced Logon When Endpoint Encrypti

The Endpoint Encryption for Files and Folders Logon | 97 [Options.Logon] Manual.Force.UsePrivateDesktop=No Manual.UsePrivateDesktop=No

The Endpoint Encryption for Files and Folders Logon 98 | [Options.Logon] Manual.UsePrivateDesktop=No RequestKey.UsePrivateDesktop=No Manual.Force

Large-scale deployment considerations | 99 Large-scale deployment considerations This chapter briefly outlines some recommendations for large scale d