Best Practices Guide
McAfee Endpoint Encryption for PC 6.2 Software
For use with ePolicy Orchestrator 4.5, 4.
COPYRIGHT Copyright © 2012 McAfee, Inc. Do not copy without permission.
Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation
1 Introduction
  Purpose of this guide
  Abbreviations
6 Migration and upgrade
  Upgrade to EEPC 6.2
7 Use ePolicy Orchestrator to report client status
  Track the progress of the deployment and encryption status
  Report encryption status from McAfee ePO
Index
Preface

This guide provides information on best practices for using EEPC.

Contents
  About this guide
  Find product documentation

About this guide
This section describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
  To access...    Do this...
1 Introduction

McAfee Endpoint Encryption for PC (EEPC) provides superior encryption across a variety of endpoints such as desktops and laptops. The EEPC solution uses strong access control with Pre-Boot Authentication (PBA) and a NIST-approved algorithm to encrypt data on endpoints. Encryption and decryption are completely transparent to the end user and are performed without hindering system performance.
Table 1-1 Abbreviations (continued)
Title   Designation
EEM     Endpoint Encryption Manager
EEPC    Endpoint Encryption for PC
ePO     ePolicy Orchestrator
LDAP    Lightweight Directory Access Protocol
MBR     Master Boot Record
NIST    National Institute of Standards and Technology
OS      Operating System
OU      Organizational Unit
PC      Personal Computer
SSO     Single Sign On
UBP     User-Based Policy
2 Design philosophy

The McAfee ePO server is the central store of configuration information for all systems, servers, policies, and users. Each time the administrator initiates a policy update, and at each Agent Server Communication Interval (ASCI), the EEPC-protected system connects to McAfee ePO. The Endpoint Encryption protected system queries McAfee ePO for any configuration updates and downloads them.
EEPC Policies
The overall experience and tasks of an administrator and users in installing and using EEPC are exactly the same regardless of whether the target system has an Opal drive or a normal HDD. The installation of the product extension, the deployment of the software packages, policy enforcement, and the method of management are all the same for systems with Opal drives and systems with HDDs.
PBA in EEPC 6.2
5 Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure UBP enforcement page appears with Enable and Disable options.
6 Select Enable or Disable, then click OK to configure the UBP enforcement state. On selecting Enable, Policy Assignment Rules are enabled for the selected users, and a specific UBP is assigned to each user according to the rule defined.
McAfee ePO requirements
For more information about installing or using McAfee ePO, see the ePolicy Orchestrator product documentation for versions 4.5 and 4.6.

Supported environments for McAfee ePO and EEPC
As new operating systems and service packs are released, the original Product Guides for McAfee ePO and EEPC might not reflect the current McAfee support policy for those platforms. To view the supported environments for McAfee ePO and EEPC, read the Knowledge Base article https://kc.mcafee.
3 Software configuration and policies

When planning a rollout and deployment of EEPC, we recommend that you understand the following important tasks correctly.
Active Directory configuration
EEPC users are not created on the McAfee ePO server. They are assigned to the client systems from an Active Directory (AD) registered in ePolicy Orchestrator. The McAfee ePO server is responsible for the connection between the client and AD. Check that the Domain name, Username, and Server Address are in the correct format when registering the LDAP server in McAfee ePO.
The McAfee ePO server allows the administrator to filter the user accounts that can be imported into EEPC based on a portion of the LDAP directory tree. For example, if the configured LDAP directory has two major Organizational Units (OUs), OU=My OU and OU=Phils_OU, and only the user accounts from OU=My OU need to be imported, this can be achieved easily from the ePO server.
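As an added illustration (not part of the McAfee guide, and not how the ePO server implements its LDAP filter), the following Python reproduces the OU-scoped selection described above on a constructed list of user DNs: only entries whose DN ends with the OU=My OU base are selected, while OU=Phils_OU is left out. It goes slightly beyond the text by also handling an escaped comma in a CN and a look-alike OU name (OU=My OU Archive), which a naive string-suffix test would wrongly include. The DN list, the extra OU names, and the function names are assumptions made for the example.

```python
"""OU-scoped selection of LDAP user entries (added example, not McAfee code).

The DN list below is constructed for the example; a real import would read
the DNs from the LDAP server registered in ePolicy Orchestrator.
"""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN components, honouring backslash-escaped commas
    (RFC 4514 allows values such as "CN=Smith\\, Jane")."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def normalize_rdn(rdn: str) -> str:
    """Lower-case attribute type and value so the comparison is
    case-insensitive, as DN matching on these attribute types is."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn lies strictly below base_dn in the directory tree.

    The comparison is made RDN by RDN, so OU=My OU does not match the
    look-alike OU=My OU Archive, and the base entry itself is not selected."""
    dn_parts = [normalize_rdn(p) for p in split_dn(dn)]
    base_parts = [normalize_rdn(p) for p in split_dn(base_dn)]
    if len(dn_parts) <= len(base_parts):
        return False
    return dn_parts[-len(base_parts):] == base_parts


def select_for_import(user_dns: List[str], base_dn: str) -> List[str]:
    """Return only the user DNs that fall under the chosen OU."""
    return [dn for dn in user_dns if is_under_base(dn, base_dn)]


# Constructed sample directory: the two top-level OUs from the guide's
# example, plus a nested OU, an escaped comma and a look-alike OU name.
CONSTRUCTED_USER_DNS = [
    "CN=Alice Adams,OU=My OU,DC=corp,DC=example",
    "CN=Bob Baker,OU=Laptops,OU=My OU,DC=corp,DC=example",
    "CN=Phil Price,OU=Phils_OU,DC=corp,DC=example",
    "CN=Smith\\, Jane,OU=My OU,DC=corp,DC=example",
    "CN=Svc Account,OU=My OU Archive,DC=corp,DC=example",
]
IMPORT_BASE = "OU=My OU,DC=corp,DC=example"

if __name__ == "__main__":
    for dn in select_for_import(CONSTRUCTED_USER_DNS, IMPORT_BASE):
        print("import:", dn)
```

Running the block selects the three accounts under OU=My OU (including the one in the nested OU=Laptops) and skips both OU=Phils_OU and OU=My OU Archive.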
EE LDAP Server User/Group Synchronization
Make sure you use the correct user attribute format in the EE LDAP Server User/Group Synchronization task, and match the correct user attributes in the fields.
Figure 3-4 EE LDAP Server User/Group Synchronization
Username: the value of this field determines the form of the PBA username.
User Certificate: the User Certificate attribute is used by the McAfee ePO server to determine which certificate should be sent from ePolicy Orchestrator to the client, for example for smartcard tokens. It is better to clear this attribute when you use the Password only token.
Recommended Product Settings Policy
The Product Settings Policy controls the behavior of the EEPC client. For example, it contains the options for enabling encryption, enabling automatic booting, and controlling the theme for the Pre-Boot environment. You can configure the Product Settings Policies by navigating to Menu | Policy | Policy Catalog, then selecting Endpoint Encryption 1.2.0 from the Product drop-down list.
Table 3-1 Recommended Product Settings Policies
Policy options and recommendations

General tab
• Enable Policy — Leave this option checked (enabled). This policy must be enabled to activate EEPC on the client system, and it must be disabled to uninstall EEPC from the client.
• Logging Level — Set the required logging level.

Log On tab
• Enable Automatic Booting — Leave this option unchecked (disabled). If you enable this feature, the client system does not present the PBA; this is normally referred to as Autoboot mode. It can be useful to enable this option when the administrator needs to manage autobooting scenarios.
You need to enable the matching rules that are required for matching the smartcard user principal name (UPN) with EEPC usernames.
• Enable SSO — Leave this option checked (enabled).
• Must match user name — Leave this option checked (enabled).
Recommended User-Based Policy Settings
The User-Based Policy controls the parameters for EEPC user accounts. For example, it contains the options for selecting a token type (including password and smartcard) and password content rules. You can configure the User-Based Policies by navigating to Menu | Policy | Policy Catalog, then selecting Endpoint Encryption 1.2.0 from the Product drop-down list.
Table 3-2 Recommended User-Based Policy Settings
Policy options and recommendations

Authentication tab
• Token type — Select Password only. There are a number of other tokens that can be effectively used for your authentication as required. However, the Password only token is as strong as any other token that you could configure.
• Certificate rule
  • Provide LDAP user certificate — Leave this option checked (enabled).
Phased deployment strategies
EEPC deployment (first-time installation) can be done in various phases with different policy settings for different corporate environments. A model policy setting is explained in the recommended policy settings sections.

Phased deployment (first-time installation)
There can be a number of scenarios where the PBA creates challenges during the EEPC deployment.
Auto booting
Auto Booting (Enable Automatic Booting) is used by administrators for re-imaging, patching cycles, and product deployments. Many software installation packages require one or more restarts of the target computer, and autobooting authenticates automatically without user or administrator intervention. The administrator can define a time window during which autobooting remains active.
4 Deployment and activation

The purpose of this section is to provide guidance on troubleshooting why the Windows operating system will not start; encrypted systems do not allow access to the operating system until PBA is completed. Administrators should be mindful that fixing certain Windows problems on an encrypted system may require extra caution if the registry must be edited or a driver modified.
Basic preparations and recommendations
The following recommendations will make sure that your data is protected during and after the encryption process.

As with any rollout and deployment, it is advisable to back up the system before you encrypt it, and to perform regular backups
It is good practice to back up the system before installing EEPC to ensure that data is not lost in the unlikely event that a problem occurs.
High level process of the installation
Administrators should also run performance testing during the pilot test. McAfee professionals did not come across any performance related issues with EEPC during our own testing; however, this may vary depending upon the processor, memory, and drivers.

Do a phased deployment
An occasion may arise when the PBA creates challenges during deployment.
Client task to deploy the EEAgent and EEPC packages
6 Add a user to the client system. Decide whether to add the users manually in ePolicy Orchestrator or to add users using the Add local domain user option under the Product Settings Policy. At least one user must be assigned to each client in order to activate EEPC on it.
7 Create a client task to deploy the EEPC components to the client systems.
You can also create two separate tasks to deploy the packages, provided you wait for the first deployment (EEAgent) to complete before deploying the second package. You can verify the completion of the EEAgent deployment before deploying the EEPC package by creating and executing a customized query on the McAfee ePO server. If the EEPC package is deployed first, you can run the EEAgent task and deploy it later.
When enabled, the EEAgent queries the client system for the domain users currently or previously logged on to the client. The EEAgent then sends the collected data to the McAfee ePO server, and these users are assigned to the client system.
EEPC activation sequence
When EEAgent and EEPC are successfully deployed, the users are prompted to restart their system. The restart can be canceled; however, EEPC will not become active on the client until the restart has occurred. Therefore, the restart is essential for activation of EEPC on the client to proceed.
Endpoint Encryption Status: System restarts as initiated.
Activate EEPC using Add local domain users
In short, the SSO option gives the user a single authentication that also logs them on to the operating system, even when PBA is enabled. Though it requires an extra step, disabling SSO is the more secure configuration. When the Must match username option is enabled, both the EEPC user name and the Windows user name must match for SSO to work, regardless of which domain the user is part of. This user can even be a local user.
5 Operations and maintenance

Managing your systems in different batches, branches, or groups makes a great difference to an EEPC deployment. It is good practice to arrange the systems in ePolicy Orchestrator at department or batch level, then deploy the product to these batches one by one.

Managing the servers and client systems
Client deployment in batches with an appreciable number of systems is a good practice in itself.
Manage Machine Keys
What if a user is disabled from LDAP?
If a user account that has been initialized on the client system is later removed from LDAP, it is automatically deleted from (or ignored by) the client when the next EE LDAP User/Group Synchronization task runs. To authenticate through the client PBA with a disabled or deleted LDAP user name, you must once again add the user to LDAP and initialize the same user name on the client with the default password.
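The following Python models the behaviour just described, as an added example that is not McAfee code and does not reflect the product's internal data model: a client-assigned user whose directory account is deleted or disabled is dropped at the next synchronization, and can only be re-initialized (with the default password) once the account exists and is enabled in LDAP again. The data classes, the sample accounts, and the function names are assumptions made for the example.

```python
"""Effect of an LDAP synchronization on the PBA user list
(added example, not McAfee code; data model and names are assumptions).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DirectoryUser:
    """Minimal view of an LDAP account."""
    name: str
    enabled: bool = True


@dataclass
class ClientUser:
    """A user assigned to an EEPC client for Pre-Boot Authentication."""
    name: str
    initialized: bool = True          # user has set a personal PBA password
    password_is_default: bool = False


def plan_sync(assigned: List[ClientUser],
              directory: Dict[str, DirectoryUser]) -> Tuple[List[str], List[str]]:
    """Split the assigned users into those kept and those dropped by the sync.

    Lookup is case-insensitive on the user name. A deleted and a disabled
    directory account are treated alike: neither can authenticate at the PBA."""
    kept: List[str] = []
    dropped: List[str] = []
    for user in assigned:
        entry = directory.get(user.name.lower())
        if entry is None or not entry.enabled:
            dropped.append(user.name)
        else:
            kept.append(user.name)
    return kept, dropped


def apply_sync(assigned: List[ClientUser],
               directory: Dict[str, DirectoryUser]) -> List[ClientUser]:
    """Return the client's user list as it stands after the sync task ran."""
    kept, _ = plan_sync(assigned, directory)
    keep = {name.lower() for name in kept}
    return [u for u in assigned if u.name.lower() in keep]


def can_reinitialize(name: str, directory: Dict[str, DirectoryUser]) -> bool:
    """Re-initializing on the client alone does not restore PBA access:
    the LDAP account must exist and be enabled first."""
    entry = directory.get(name.lower())
    return entry is not None and entry.enabled


def reinitialize(name: str, directory: Dict[str, DirectoryUser]) -> ClientUser:
    """Re-add a user after the LDAP account was restored. The returned user
    starts with the default password and must change it at first logon."""
    if not can_reinitialize(name, directory):
        raise LookupError(f"{name}: restore and enable the LDAP account first")
    return ClientUser(name=directory[name.lower()].name,
                      initialized=False, password_is_default=True)


# Constructed sample: one healthy account, one disabled, one deleted outright.
CONSTRUCTED_DIRECTORY = {
    "aadams": DirectoryUser("aadams"),
    "bbaker": DirectoryUser("bbaker", enabled=False),
}
CONSTRUCTED_ASSIGNED = [ClientUser("aadams"), ClientUser("BBaker"), ClientUser("ccarter")]

if __name__ == "__main__":
    kept, dropped = plan_sync(CONSTRUCTED_ASSIGNED, CONSTRUCTED_DIRECTORY)
    print("kept:", kept, "dropped:", dropped)
```

The disabled account is treated the same as the deleted one, which matches the guide's point that a disabled LDAP user cannot authenticate through the PBA until the account is restored in LDAP and the user is initialized again on the client.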
node does not have any users assigned to the client system. The administrator must therefore assign users to allow login, or enable the Add local domain user option in the Product Settings Policy. Also, the administrator must configure the required policies in ePolicy Orchestrator.
What happens to Machine Keys when moving systems from one branch to another in ePolicy Orchestrator?
The LeafNode is not deleted from the ePolicy Orchestrator database when a system is moved from one branch to another in ePolicy Orchestrator, hence the Machine Key remains available for that client system.
Before you begin
• Make sure that your LDAP server is configured and registered in ePolicy Orchestrator.
• Make sure that you schedule and run the EE LDAP Server User/Group Synchronization task.
• Make sure that you enable the Active Directory User Login option in ePolicy Orchestrator.
EEPC 6.2 scalability
• Longer ASCI interval
• Password only deployments should remove the certificate query from the EE LDAP User/Group Synchronization task. The User Certificate attribute is used by the McAfee ePO server to determine which certificate should be sent from McAfee ePO to the client, for example for smartcard tokens.
6 Migration and upgrade

EEPC 6.2 has an improved architecture and interface. Due to these improvements, some functionality from earlier versions of the product is now handled differently.

Contents
  Best practices for migration and upgrade
  Export user assignments from 5.x.x database
  Import user assignments to McAfee ePO
  Upgrade to EEPC 6.
Best practices for migration and upgrade
Importing the systems or users from the 5.x.x database into the McAfee ePO server
• Make sure that 5.x.x and 6.2 are connected to the same LDAP server during the export and import process.
• Make sure that you have registered an LDAP server on the McAfee ePO server before initiating the import process.
• Make sure that you have scheduled and run the EE LDAP Server User/Group Synchronization server task before initiating the import process.
General recommendations
• Retain the 5.x.x database for some time, so that you can access it in case of any loss or theft of a device after the migration.
• Migrate only a small number of systems as an initial test before doing a large-scale migration.
• If you are using the $autoboot$ user id in 5.x.
Import user assignments to McAfee ePO
• It is important to understand the export options, Machines and Users, in the export wizard. You can select either option to export the required user assignments from 5.x.x Endpoint Encryption Manager.
• On selecting the Machines option in the export wizard, all users assigned to the selected machines in the 5.x.x database are exported.
attributes. The results are color-coded, so that it is easy for the administrator to analyze them.
• Green indicates a single match
• Orange indicates more than one match
• Red indicates no match

Do 5.x.x policies get imported to 6.2 during the migration?
No, 5.x.x policies are not imported to 6.2 as part of the migration process. The user should set the required 5.x.x policies, most importantly the Encrypt policy, in 6.
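To make the green/orange/red outcome concrete, here is an added Python example (not McAfee code, and not the import wizard's own matching logic) that matches exported 5.x.x user names against constructed LDAP entries on a chosen attribute and colors each result exactly as the guide lists: one match is green, several are orange, none is red. The attribute name sAMAccountName, the sample entries, and the function names are assumptions made for the example; a real run would take the entries from the registered LDAP server.

```python
"""Match exported 5.x.x user names against LDAP entries and color the result
(added example, not McAfee code; attribute names and data are assumptions).
"""
from typing import Dict, Iterable, List, Tuple

GREEN, ORANGE, RED = "green", "orange", "red"   # the guide's three outcomes

Report = Dict[str, Tuple[str, List[str]]]       # legacy name -> (color, matching DNs)


def classify(hit_count: int) -> str:
    """Single match is green, more than one orange, none red."""
    if hit_count == 1:
        return GREEN
    return ORANGE if hit_count > 1 else RED


def match_legacy_users(legacy_usernames: Iterable[str],
                       ldap_entries: List[Dict[str, str]],
                       attributes: Tuple[str, ...] = ("sAMAccountName",)) -> Report:
    """For each legacy name, collect the DNs of LDAP entries whose chosen
    attribute(s) equal it (case-insensitively) and color the outcome."""
    report: Report = {}
    for legacy in legacy_usernames:
        key = legacy.lower()
        hits = [entry["dn"] for entry in ldap_entries
                if any(str(entry.get(attr, "")).lower() == key for attr in attributes)]
        report[legacy] = (classify(len(hits)), hits)
    return report


def needs_review(report: Report) -> Report:
    """Only the orange and red rows need the administrator's attention:
    an ambiguous match must be resolved, a missing one re-created in LDAP."""
    return {name: row for name, row in report.items() if row[0] != GREEN}


def summary(report: Report) -> Dict[str, int]:
    """Count rows per color for a quick overview of the import."""
    counts = {GREEN: 0, ORANGE: 0, RED: 0}
    for color, _ in report.values():
        counts[color] += 1
    return counts


# Constructed LDAP sample: "jsmith" exists in two domains, "ghost" in none.
CONSTRUCTED_LDAP = [
    {"dn": "CN=Alice Adams,OU=My OU,DC=corp,DC=example", "sAMAccountName": "aadams"},
    {"dn": "CN=John Smith,OU=Sales,DC=corp,DC=example", "sAMAccountName": "jsmith"},
    {"dn": "CN=Jane Smith,OU=Eng,DC=emea,DC=example", "sAMAccountName": "JSmith"},
]
CONSTRUCTED_LEGACY = ["aadams", "jsmith", "ghost"]

if __name__ == "__main__":
    for name, (color, dns) in match_legacy_users(CONSTRUCTED_LEGACY, CONSTRUCTED_LDAP).items():
        print(f"{name:8s} {color:7s} {dns}")
```

On the constructed data the report has one row of each color, and needs_review() returns the two rows (the duplicate jsmith and the missing ghost) that the administrator would have to resolve before completing the import.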
Upgrade to EEPC 6.2
What happens to a partially encrypted 5.x.x system after the migration?
A partially encrypted 5.x.x system gets fully encrypted or decrypted according to the policies set in 6.2.

What happens if the user initiates the upgrade process while the 5.x.x client is still in the encrypting or decrypting state?
It completes the encryption or decryption process according to the policies set in 6.2.

What happens to removable media that is encrypted with 5.x.
7 Use ePolicy Orchestrator to report client status

McAfee ePolicy Orchestrator provides comprehensive management and reporting tools for EEPC. Administrators can create standard and customized dashboards, queries, and reports. The procedures for creating standard dashboards, queries, and reports are documented in the McAfee Endpoint Encryption - 6.2 (EEPC) and 1.1 (EEMac) Product Guide.
Report encryption status from McAfee ePO
EEPC makes this task easy. An administrator can log on to McAfee ePO and, in just a few clicks, produce a report showing that the missing computer was encrypted.
• Log on to ePolicy Orchestrator as an administrator.
• Locate the system in the System Tree.
• In ePolicy Orchestrator 4.5, view the system properties and drill down to the encryption properties. In ePolicy Orchestrator 4.