McAfee® Endpoint Encryption Enterprise Best Practices Guide
November 2009
Copyright © 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Contents
Introduction
  Purpose of this Guide
  Relevant Products
Solution Architecture
  Design Philosophy
Server Configuration
  Basic Server Requirements
  Recommended Server Hardware
  Server Redundancy
    Hot Backup Databases
    Clustering
    Load Balancing
Server and Object Directory Optimisation
  Endpoint to Server Communication - Network Load Estimation
  Estimating the Size of the Object Directory
    Typical Growth of 5000 User/Machine Object Directory
  Virtual Servers
  Global Deployments
Object Directory Maintenance
  Maintenance Introduction
  Environment Audit Maintenance
  Extracting and Clearing Audit from the Database
  Clearing the Audit
  Deleted Items Cleanup
  Checking for Database Corruption
  Why Does the Database Get Corrupted?
  Orphaned Objects
  Restore Commands
  Cleanup Commands
  Dump Machine Description
User Objects - General Performance Tips
General Advice
  Default Product Settings (for Maximum Compatibility)
Introduction
Purpose of this Guide
When planning a large rollout of Endpoint Encryption v5, it is important to understand the process of scaling the back-end Object Directory and the associated Endpoint Encryption Communications Server processes to meet requirements. This guide outlines the considerations around an Endpoint Encryption 5 implementation and suggests possible solutions. It also discusses optimisation and maintenance considerations before and after implementation.
Solution Architecture
Design Philosophy
McAfee Endpoint Encryption is a client/server application designed to be implemented with a simple, single-server architecture. This single server hosts an encrypted database known as the Object Directory, and runs services that allow connections to the database from both the encrypted endpoints and the Management Center applications.
Server Configuration
Basic Server Requirements
The Endpoint Encryption Communications Server process runs under Microsoft Windows 2000/2003. Currently some customers report that it works well under Windows 2008; however, McAfee has not officially certified this. Please see the McAfee KnowledgeBase article KB53698 for current information on supported environments.
Server Redundancy
It is risky to have a single physical server for your enterprise, even if you take regular backups. We recommend that you take steps to expedite recovery from an outage in accordance with an established Business Continuity and Disaster Recovery (BCDR) plan.
Hot Backup Databases
Increase the redundancy of the system by replicating the Endpoint Encryption Object Directory to a second physical server.
Server and Object Directory Optimisation
Endpoint to Server Communication - Network Load Estimation
Endpoint Encryption network traffic is easiest to consider in terms of "synchronization events". Each time a system starts, it tries to connect to a designated EEPC database communication server and update its profile. It may also (depending upon configuration) try to connect periodically.
An Object Directory with 5000 users and 5000 systems could be expected to grow as follows:

Typical Growth of 5000 User/Machine Object Directory

Day    Data Size    Approx Disk Space Used
1      83 MB        143 MB
5      89 MB        143 MB
20     204 MB       403 MB
50     396 MB       745 MB
100    747 MB       1050 MB
365    2455 MB      3900 MB

Users and systems are the most prevalent object types in a large database. Typically, on creation, these types of objects take 4000 bytes. A day's audit adds around an additional 700 bytes of data per object.
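As an added example (not from the guide), the following PowerShell models the growth figures above: each user or machine object is taken as 4000 bytes at creation plus 700 bytes of audit per day, which are the guide's numbers. The 1.6 disk-to-data ratio and the 1,000,000-byte megabyte are assumptions chosen to fit the published table, and Get-ObjectDirectoryEstimate is our own function name. The script compares the model with the table so the fit can be checked before reusing it for a different population.

```powershell
# Added example (not from the McAfee guide): estimate Object Directory growth from
# the guide's figures of ~4000 bytes per user/machine object at creation plus
# ~700 bytes of audit per object per day. Assumes MB = 1,000,000 bytes.
function Get-ObjectDirectoryEstimate {
    param(
        [int]$Users,
        [int]$Machines,
        [int[]]$Days = @(1, 5, 20, 50, 100, 365),
        [int]$BytesPerObject = 4000,             # guide: size of a user/machine object on creation
        [int]$AuditBytesPerObjectPerDay = 700,   # guide: audit growth per object per day
        [double]$DiskOverheadFactor = 1.6        # assumption: disk used / data size, fitted to the guide's table
    )
    $objects = $Users + $Machines
    foreach ($d in $Days) {
        # Cast to long first so a large population does not overflow a 32-bit int
        $dataBytes = [long]$objects * ($BytesPerObject + $AuditBytesPerObjectPerDay * $d)
        [pscustomobject]@{
            Day          = $d
            DataSizeMB   = [math]::Round($dataBytes / 1e6, 0)
            ApproxDiskMB = [math]::Round($dataBytes * $DiskOverheadFactor / 1e6, 0)
        }
    }
}

# The guide's published "Data Size" column for 5000 users / 5000 machines, keyed by day
$published = @{ 1 = 83; 5 = 89; 20 = 204; 50 = 396; 100 = 747; 365 = 2455 }

# Compare the model with the published table; DeltaPct shows how far the model deviates
Get-ObjectDirectoryEstimate -Users 5000 -Machines 5000 |
    Select-Object Day, DataSizeMB, ApproxDiskMB,
        @{ n = 'GuideDataMB'; e = { $published[$_.Day] } },
        @{ n = 'DeltaPct';    e = { [math]::Round(100 * ($_.DataSizeMB - $published[$_.Day]) / $published[$_.Day], 1) } } |
    Format-Table -AutoSize

# Capacity planning for a different population: one year of growth for 12000 users and 9000 machines
Get-ObjectDirectoryEstimate -Users 12000 -Machines 9000 -Days 365
```

The per-object model tracks the table to within about six percent from day 50 onwards (740 MB against 747 MB at day 100, 2595 MB against 2455 MB at day 365), while the early-day table values are higher than the per-object figures alone produce, so for the first few weeks treat the model output as a lower bound. The ApproxDiskMB column is only as good as the assumed overhead factor; check it against the actual SBDATA folder size once the directory has been running for a while.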
Global Deployments The single server approach works well as long as the endpoints can make and sustain a TCP/IP connection to the server. Depending on the quality of the WAN link, some global deployments will require multiple servers. Each of these is essentially its own environment, with its own Object Directory. Many customers have one server in each region: one for North America, one for Europe and Africa, and one for Asia.
Optimisation Actions Overview
McAfee generally recommends the following actions (most of which are described in more detail later):
• Optimize hard disks for I/O performance. As above, 15K RPM disks are the best. The disks should be in a RAID 5 array with a controller, with the maximum amount of cache available. UPS backup is recommended. See chapters above.
• Use DAS rather than a network location (SAN/NAS). See chapters above.
• Enable indexing of the Object Directory with dbcfg.ini.
Name Indexing (DBCFG.INI)
Name indexing should be enabled on all databases, especially those with over 1000 endpoints or users; it is noticeably faster and improves performance. To enable it, create a plain text file called DBCFG.INI, copy it to the SBDATA folder (assuming the default location for the Object Directory) and edit it as below:
Warnings
• Do not use Single File mode as shown in the options below. It can be used for small databases but is not recommended, as it can be much slower.
LifeTime=86400
The time (in seconds) for which the index will be used before it is automatically re-created the next time somebody logs on to the database. The default is 30 minutes, which is never recommended. A value of zero means that the index never expires automatically, and the value 86400 means one day. A value of zero gives you full control, but it needs a separate process to re-create the index. This could be a simple batch file that runs overnight, removes the index files and forces a re-create.
TCP/IP KeepAliveTime Reduction
Reduce this setting on all EEPC servers from two hours (the default) to five minutes. The server will require a restart. Once this is done, if an endpoint client loses its connection with the server, the server will release the lock after approximately 5 minutes. This also prevents broken remote sbadmcl connections from locking the scripting user account for 2 hours.
Procedure
1. Open Regedit.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem.
3. In the right pane, look for the DWORD named NtfsMftZoneReservation.
4. If it exists, change the DWORD value to 4.
5. If it does not exist, create a new DWORD named NtfsMftZoneReservation and set its value to 4.
EXTRA INFO
The default value for this key is 1. This is good for a drive that will contain relatively few large files.
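The following PowerShell, added here as an example rather than taken from the guide, applies both registry changes described above in one pass and reports whether each value was created, updated or already correct, so the result can be reviewed before the server is restarted. The NtfsMftZoneReservation path and the value 4 come from the procedure above; the KeepAliveTime location under HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and its millisecond unit are from Microsoft's TCP/IP registry documentation, not from this guide; Set-RegistryDwordChecked is our own function name.

```powershell
# Added example (not from the McAfee guide): set the registry DWORDs the guide recommends
# and report what changed. Run from an elevated PowerShell session on the EEPC server;
# both settings take effect only after a restart.
function Set-RegistryDwordChecked {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][uint32]$Value
    )
    if (-not (Test-Path $Path)) {
        throw "Registry path not found: $Path"
    }
    # Read the current value without failing when the value does not exist yet
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value | Out-Null
        $state = 'created'
    } elseif ([uint32]$current -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
        $state = 'updated'
    } else {
        $state = 'unchanged'
    }
    # Return a record of the change for the change log / review
    [pscustomobject]@{ Path = $Path; Name = $Name; Previous = $current; Value = $Value; Result = $state }
}

# TCP keep-alive: the guide says reduce from the 2 hour default to 5 minutes.
# KeepAliveTime is in milliseconds (Microsoft documentation; path not from this guide).
Set-RegistryDwordChecked -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
                         -Name 'KeepAliveTime' -Value 300000

# NTFS MFT zone: the guide's procedure sets NtfsMftZoneReservation to 4 for a drive
# that will hold many small files (the Object Directory).
Set-RegistryDwordChecked -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' `
                         -Name 'NtfsMftZoneReservation' -Value 4
```

Running the script a second time reports both values as unchanged, which makes it safe to include in a server build checklist; keep the returned records with the change ticket, since the Previous column shows what to restore if the setting has to be reverted.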
Windows Performance
By default the Windows performance settings are set to 'Applications'; however, testing should determine the best setting. The recommended settings under Control Panel, System, Advanced, Performance are:
• Let Windows choose what's best for my computer
Under Advanced:
• Background services
• System cache
Opening a test group with more than the recommended number of objects (for example 5000) over the EEPC server connection (not a local connection) is a good test.
Object Directory Physical Location
Consideration should be given to the location of the Object Directory. By default the Endpoint Encryption Object Directory resides in a folder called SBDATA. If possible, use a fixed drive or partition separate from the OS, for example OS and application on C: and the database on D:. This is usually decided at initial installation, but it can be changed later.
Object Directory Maintenance
Maintenance Introduction
To keep the database clean and healthy, maintenance is required on a regular basis. This maintenance can be done manually using the Endpoint Encryption Manager or with the EEPC Command Line Tool (SBADMCL), which is the preferred way for larger Object Directories. This guide describes the processes needed for maintenance. It is written for Endpoint Encryption administrators.
To export and then clear ALL user audits use this command:
SBADMCL -Command:DumpUserAudit -Adminuser:Admin -Adminpwd:mypassword -File:c:\dump\Dumpuser.txt -Group:* -clear
To export and then clear ALL machine audits use this command:
SBADMCL -Command:DumpMachineAudit -Adminuser:Admin -Adminpwd:mypassword -File:c:\dump\DumpMachine.
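To automate the audit export described above (the guide's preferred approach for larger Object Directories), here is an added PowerShell wrapper, not part of the guide, that runs the two SBADMCL commands quoted above with date-stamped output files and stops if either returns a non-zero exit code. Export-EEAudit is our own name; the location of SBADMCL, the use of a PSCredential to hold the scripting account's password, and the assumption that a non-zero exit code signals failure are ours. Because SBADMCL takes the password as a command-line argument, it is visible to anyone who can list processes on the server while the task runs, so give the scripting account only the rights the task needs.

```powershell
# Added example (not from the McAfee guide): scheduled export-and-clear of user and
# machine audit using the SBADMCL syntax shown in the guide. Assumes SBADMCL.exe is on
# PATH or that -SbadmclPath points to it.
function Export-EEAudit {
    param(
        [string]$SbadmclPath = 'SBADMCL.exe',
        [Parameter(Mandatory)][pscredential]$Admin,   # scripting account used for -Adminuser / -Adminpwd
        [string]$DumpRoot = 'C:\dump',
        [string]$Group = '*'                          # guide uses * for all groups
    )
    # One folder per run so earlier exports are never overwritten
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $dir = Join-Path $DumpRoot $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # The tool takes the password on its command line, so it is recovered here only
    # for the duration of the call.
    $plainPassword = $Admin.GetNetworkCredential().Password

    foreach ($kind in 'User', 'Machine') {
        $file = Join-Path $dir "Dump$kind.txt"
        # Argument forms (-Command:, -Adminuser:, -Adminpwd:, -File:, -Group:, -clear) are those
        # shown in the guide; -clear removes the audit from the database after the export.
        & $SbadmclPath "-Command:Dump${kind}Audit" "-Adminuser:$($Admin.UserName)" `
            "-Adminpwd:$plainPassword" "-File:$file" "-Group:$Group" '-clear'
        if ($LASTEXITCODE -ne 0) {
            throw "Dump${kind}Audit failed with exit code $LASTEXITCODE; see $dir"
        }
        if (-not (Test-Path $file)) {
            throw "Dump${kind}Audit returned success but $file was not written"
        }
        # Record what was exported so the scheduled task leaves an auditable trail
        [pscustomobject]@{ Kind = $kind; File = $file; Bytes = (Get-Item $file).Length }
    }
}

# Interactive usage; a scheduled task would instead import the credential from a
# protected store rather than prompting.
Export-EEAudit -Admin (Get-Credential -UserName 'Admin' -Message 'EEPC scripting account')
```

The check that the dump file exists after a zero exit code is there because the export and the clear happen in the same SBADMCL invocation: once the audit has been cleared, the exported file is the only copy, so a run that silently produced nothing is worth catching before the next scheduled run.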
Orphaned Objects
Cleanup begins with what are known as "orphaned" objects: objects that exist in the Object Directory but are not visible in the Endpoint Encryption Manager GUI. From the Endpoint Encryption Manager console, you can run Group Scan, found under the Groups menu. The preferred method, though, is to use the command line tool, as the process can then be automated. The second step is to use the cleanup commands.
Dump Machine Description
If objects seem to hang the Manager when opened, dump the machine description to find which objects are actually corrupted. Use the DumpMachineDesc command:
SBADMCL -Command:DumpMachineDesc -Adminuser:Admini -Adminpwd:mypassword -Group:"EndPoint Encryption Machines" -Database:"Customer database" -File:c:\temp\DuMaDesc.txt >>DumpMaDesc.log
The log will show which systems are actually not responding. The broken objects in the DumpMaDesc.
User Objects - General Performance Tips
EEPC can support thousands of users per group and per machine. That said, for performance and security reasons it is strongly recommended that the numbers be kept to a minimum: assign fewer users to systems, limiting assignments to those who really need access. For example, many customer setups assign only a small number of administration/IT support users plus the individual user to each client, which provides better security and performance.
General Advice
Default Product Settings (for Maximum Compatibility)
Installing the Endpoint Encryption Manager (EEM) using the default settings will usually ensure maximum compatibility.
Endpoint Encryption Machines
For Endpoint Encryption Machine Groups, and therefore individual Machines, the default settings in "Properties" would usually provide the most compatibility.
of the other groups should not be used unless there is a specific reason. These usually include “EEPC52 OPTION:” or similar at the start of the name (example from EEPC v5.2.2).
• When using smartcard readers and tokens, avoid assigning many or all of the Reader or Token file groups together. Whilst they can be used together, better compatibility and easier troubleshooting are ensured by using just the specific token or reader files required for a group of machines.
• Do not leave the $autoboot$ user permanently assigned to machines as a convenience to bypass pre-boot logon on normal, everyday operational clients: there is NO security in doing this, as pre-boot authentication is bypassed entirely.