Best Practices Guide
McAfee Endpoint Encryption 7.0 Patch 1 Software
For use with ePolicy Orchestrator 4.
COPYRIGHT Copyright © 2013 McAfee, Inc. Do not copy without permission.
Contents

Preface 5
    About this guide 5
        Audience 5
        Conventions 5
    Find product documentation 6
1 Introduction 7
    Comprehensive McAfee Endpoint Encryption 7
    Purpose of this guide

6 Migration and upgrade 51
    Best practices for migration and upgrade
    Export user assignments from 5.x.x database
    Import user assignments to McAfee ePO
    Upgrade to EEPC 7.0 Patch 1
Preface

This guide provides information on best practices for using McAfee Endpoint Encryption.

Contents
    About this guide
    Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
    To access...    Do this...
1 Introduction

McAfee Endpoint Encryption provides superior encryption across a variety of endpoints such as desktops and laptops. The Endpoint Encryption solution uses strong access control with Pre‑Boot Authentication (PBA) and a NIST approved algorithm to encrypt data on endpoints. Encryption and decryption are completely transparent to the end user and performed without hindering system performance.
Purpose of this guide
• AD/LDAP
• The associated Endpoint Encryption communication

This document encapsulates the professional opinions of Endpoint Encryption certified engineers, and is not an exact science. You must understand both the product and the environment in which it will be used, before deciding on an implementation strategy. Calculations and figures in this guide are based on field evidence and not theoretical system testing; they are our best advice at the time of writing.
2 Design overview

The McAfee ePO server is a central store of configuration information for all systems, servers, policies, and users. Each time the administrator initiates a policy update, or an Agent Server Communication Interval (ASCI), the EEPC/EEMac protected system connects with McAfee ePO. The Endpoint Encryption protected system queries McAfee ePO for any configuration updates and downloads them.
Endpoint Encryption Policies
The overall experience and tasks of an administrator and users in installing and using EEPC are exactly the same regardless of whether the target system has an Opal drive or a normal HDD. The installation of the product extension, deployment of the software packages, policy enforcement, and the method of management are all the same for systems with Opal drives and systems with HDDs.
PBA in Endpoint Encryption 7.0 Patch 1

Task
1 Click Menu | Reporting | Queries. The Queries page opens.
2 Select Endpoint Encryption from Shared Groups in the Groups pane. The standard EE query list appears.
3 Run the EE: Users query to list all the Endpoint Encryption users.
4 Select one or more users from the list to enforce the policy.
5 Click Actions | Endpoint Encryption | Configure UBP enforcement. The Configure UBP enforcement page appears with Enable and Disable options.
How Endpoint Encryption works
A boot sequence is executed by the BIOS (Windows) or firmware (Mac) and ends with the bootable operating system starting.

Operating system    Remarks
Windows             The boot sequence is the initial set of operations that the computer performs when it is switched on. A boot loader (or bootstrap loader) is a short computer program that loads the main operating system for the computer.
information about installing or using McAfee ePO, see the ePolicy Orchestrator product documentation for version 4.6.

Supported environments for McAfee ePO and Endpoint Encryption
As new operating systems and service packs are released, the original Product Guides for McAfee ePO and Endpoint Encryption might not reflect the current McAfee support policy for those platforms.
Requirements testing for client systems
1 Install the EEGO extension (EEGO.ZIP) in McAfee ePO. Repeat the same procedures used for installing the product extension.
2 Check in the EEGO software package (EegoPackage.ZIP) to McAfee ePO. Repeat the same procedures used for checking in the product package.
3 Deploy Endpoint Encryption GO to the client system. Repeat the same procedures used for the product deployment task.
4 Enforce EEGO policies on the client system.
3 Software configuration and policies

When planning a rollout and deployment of EEPC/EEMac, we recommend that you understand the following important tasks before you begin.
Active Directory configuration
Endpoint Encryption users are not created from the McAfee ePO server. They are assigned to the client systems from an Active Directory (AD) registered in ePolicy Orchestrator. The McAfee ePO server is responsible for the connection between the client and AD. Check that the Domain name, Username, and Server Address are in the correct format when registering the LDAP server in McAfee ePO.
EE LDAP Server User/Group Synchronization
Make sure you use the correct user attribute format in the EE LDAP Server User/Group Synchronization task. Match the correct user attributes in the fields.

Figure 3-2 EE LDAP Server User/Group Synchronization

Username    The value of this field determines the form of the PBA username.
EE LDAP Server User/Group Synchronization task log
The administrator can also view a log of this server task by double-clicking it on the Server Task Log page in ePolicy Orchestrator.
The McAfee ePO server allows the administrator to filter the user accounts that can be imported into EEPC/EEMac based on a portion of the LDAP directory. For example, if the configured LDAP directory has two major Organizational Units (OUs), OU=My OU and OU=Phils_OU, and only the user accounts from OU=My OU need to be imported, this can be done easily using the ePO server.
Recommended Product Settings Policy
The Product Settings Policy controls the behavior of the Endpoint Encryption client. For example, it contains the options for enabling encryption, enabling automatic booting, and controlling the theme for the Pre‑Boot environment. You can configure the Product Settings Policies by navigating through Menu | Policy | Policy Catalog, then selecting Endpoint Encryption 7.0.
Table 3-1 Recommended Product Settings Policies

General Tab
• Enable Policy — Leave this option checked (enabled). This policy should be enabled to activate Endpoint Encryption on the client system. This option needs to be disabled to uninstall Endpoint Encryption from the client.
• Logging Level — Set the required logging level.
specifying the Windows or Mac drive letters/volume names. Partition level encryption is not applicable to client systems using OPAL encryption. Do not assign a drive letter to the Windows 7 hidden system partition on your client system. Doing so will stop the EEPC software from being activated on the client system.
Log On Tab
• Enable automatic booting — Leave this option unchecked (disabled). If you enable this feature, the client system does not have PBA. This is normally referred to as Autoboot mode. It could be useful to enable this option when the administrator needs to manage autobooting scenarios.
and hence EEPC is activated, even if the administrator has not explicitly assigned the user to the client system. If you select this option, at least one user should be added to the client system for a successful EEPC or EEMac activation on the client. The activation doesn't happen until a user logs on to Windows or Mac OS X as a domain user.
user for which it was captured. When you select the Enable SSO option, the Must match user name option is also enabled by default.
• Using smart card PIN — Leave this option checked or unchecked depending on whether an eToken/smart card is used. This option allows EEPC to capture the smart card PIN for SSO.
Boot Options Tab (Windows only)
• Enable Boot Manager — Leave this option unchecked (disabled). Enabling this option activates the built-in pre‑boot partition manager, which allows you to select the primary partition on the hard disk that you wish to boot. Naming the partitions is also possible with the boot manager.
Encryption Providers Tab (Windows only)
• Use compatible MBR — Leave this option unchecked (disabled). When enabled, after pre‑boot logon EEPC boots a built‑in fixed MBR instead of the original MBR that was on the system.
Recommended User-Based Policy Settings
The User‑Based Policy controls the parameters for Endpoint Encryption user accounts. For example, it contains the options for selecting a token type (including password and smartcard) and password content rules. You can configure the User-Based Policies by navigating through Menu | Policy | Policy Catalog, then selecting Endpoint Encryption 7.0.1 from the Product drop‑down list.
Table 3-2 Recommended User-Based Policy Settings

Authentication Tab
• Token type — Select Password only. There are a number of other tokens that can be used effectively for authentication as required. However, the Password only token is as strong as any other token that you could configure.
• Certificate rule
    • Provide LDAP user certificate — Leave this option checked (enabled).
Password Content Rules Tab
• Password length — Use default.
• Enforce password content — Use default.
• Password content restrictions — Use default or enable restrictions for better password strength.
Self‑Recovery Tab
• Enable self‑recovery — Leave this option checked (enabled).
• Invalidate self recovery after No.
• Deploy the EEAgent and EEPC packages to the client system.
• Activate EEPC and restart the client system.

Best practices and recommendations for using Intel® AMT and EEPC
• Enable CIRA only when it is necessary for the security requirements of your organization.
• Limit the usage of the EEDeep unlock feature during wake‑and‑patch cycles to the smallest time/number of reboots.
Phased deployment strategies
• Create a query in ePolicy Orchestrator to find all systems that need to stop autobooting and assign the second policy to these systems.
• Send an agent wake‑up call from ePolicy Orchestrator to apply the policy with Pre‑Boot Authentication to all required systems.
• The systems will start with PBA as and when the new policy is received.
4 Deployment and activation

The purpose of this section is to provide guidance on troubleshooting why the Windows or Mac operating system will not start; encrypted systems do not allow access to the operating system until PBA is completed. Administrators should be mindful that fixing certain Windows or Mac problems on an encrypted system may require extra caution if the registry must be edited or a driver modified.
Basic preparations and recommendations
The following recommendations will make sure that your data is protected during and after the encryption process. As with any rollout and deployment, it is advisable to back up the system before you encrypt it, and to perform regular backups.

It is good practice to back up the system before installing Endpoint Encryption to ensure data is not lost in the unlikely event a problem occurs.
• Create and test the customized EETech WinPE V1, V3 or V4 (for UEFI systems) disk with EEPC drivers installed.
• Create and test an EETech Standalone Boot disk.

Run a pilot test of software compatibility
We recommend that you run a pilot test of EEPC on a client system. This makes sure that EEPC does not conflict with any encryption software on the client computers before you roll out to a large number of clients.
High level process of the installation
This section lists the steps and considerations involved in Endpoint Encryption deployment and activation. This procedure is explained in more detail in the McAfee Endpoint Encryption ‑ 7.0 Patch 1 Product Guide.

Task
1 Install the EEPC/EEMac extensions into ePolicy Orchestrator. Check for the correct and latest version of the extension. Install the EEAdmin extension first, then EEPC.
Order of the EEAgent and Endpoint Encryption deployment
It is not mandatory to have two different tasks for the product deployment. You can create one single task to deploy both packages, but remember that they need to be deployed in the right order: the EEAgent package first, followed by the EEPC/EEMac package.
So it is always better to execute the deployment using a single task that deploys the EEAgent package first and then the EEPC/EEMac package.
End user experience
The deployment task pushes both the Endpoint Encryption Agent and the EEPC/EEMac components to the selected systems. The installation is silent; however, the user is prompted to restart the client when the EEPC/EEMac component install is complete. It is important that the user restarts the client PC when prompted. If this does not happen, EEPC/EEMac will not activate.
Add group users
When enabled, the EEAgent queries the client system for the domain users currently or previously logged on to the client. The EEAgent then sends the collected data to the McAfee ePO server, and these users are assigned to the client system.
Endpoint Encryption activation sequence
When the EEAgent and EEPC/EEMac packages are successfully deployed, the users are prompted to restart their system. The restart can be canceled; however, Endpoint Encryption will not become active on the client until the restart has occurred. Also note that hibernation and using new USB devices will be impaired until a restart is issued.
Single Sign On (SSO)
The EEPC client system then boots to Windows. This first boot establishes SSO (if it has been enabled). On future restarts, the user logs in to PBA only. Once authenticated, SSO automatically logs the user in to Windows. In short, the SSO option gives the user a single authentication to the operating system even when PBA is enabled.
Skip Unused Sectors
Skip Unused Sectors is a new feature of offline activation introduced in EEPC 7.0 Patch 1. For more information about offline activation, see the McAfee Endpoint Encryption ‑ 7.0 Patch 1 Product Guide.
5 Operations and maintenance

Managing your systems in different batches, branches or groups has a significant impact on an Endpoint Encryption deployment. It is good practice to arrange the systems in ePolicy Orchestrator at department level or batch level, then deploy the product to these batches one by one.

Managing the servers and client systems
Client deployment in batches with an appreciable number of systems is a good practice in itself.
Manage Machine Keys

What if a user is disabled in LDAP?
If a user account that is initialized on the client system is later removed from LDAP, it is automatically deleted from or ignored by the client when the next EE LDAP User/Group Synchronization task runs.
What happens to the Machine Key when you delete an Endpoint Encryption active system from ePolicy Orchestrator?
The Machine Key remains in the ePolicy Orchestrator database; however, the key's association with the client system is lost when the client system is deleted from ePolicy Orchestrator. When the client system reports back to ePolicy Orchestrator during the next ASCI, it appears as a new node.
How do you destroy the recovery information for a system with Endpoint Encryption installed?
When you want to secure‑erase the drives in a system with Endpoint Encryption installed, remove all users from the system (including those inherited from parent branches in the System Tree). This makes the disks inaccessible through normal authentication, as there are no longer any users assigned to the system.

Configure role-based access control for managing Endpoint Encryption
You can create different permission roles and assign them different Endpoint Encryption Permission Sets for different users.

Figure 5-1 Endpoint Encryption permission sets

To verify the configured permission sets, log off from ePolicy Orchestrator, then log on with a user account that belongs to one of the new roles. Use the correct format of the user name (domain\username) when logging on to ePolicy Orchestrator.
EEPC 7.0 Patch 1 scalability
• Longer ASCI interval
• Password only deployments should remove the certificate query from the EE LDAP User/Group Synchronization task. The User Certificate attribute is used by the McAfee ePO server to determine which certificate should be sent from McAfee ePO to the client, for example, for smartcard tokens.
6 Migration and upgrade

EEPC 7.0 Patch 1 has an improved architecture and interface. Due to these improvements, some functionality from earlier versions of the product is now handled differently.

Contents
    Best practices for migration and upgrade
    Export user assignments from 5.x.x database
    Import user assignments to McAfee ePO
    Upgrade to EEPC 7.
Best practices for migration and upgrade

Importing the systems or users from the 5.x.x database into the McAfee ePO server
• Make sure that 5.x.x and 7.0 Patch 1 are connected to the same LDAP server during the export and import process.
• Make sure that you have registered an LDAP server on the McAfee ePO server before initiating the import process.
General recommendations
• Retain the 5.x.x database for some time, so that you can access it in case of loss or theft of a device after the migration.
• Migrate only a small number of systems as an initial test before doing a large‑scale migration.
• If you are using the $autoboot$ user id in 5.x.
Export user assignments from 5.x.x database
• It is important to understand the export options, Machines and Users, in the export wizard. You can select either option to export the required user assignments from 5.x.x Endpoint Encryption Manager.
• On selecting the Machines option in the export wizard, all users assigned to the selected machines in the 5.x.x database are exported.
attributes. The results are color‑coded so that it is easy for the administrator to analyze them.
• Green indicates a single match
• Orange indicates more than one match
• Red indicates no match

Upgrade to EEPC 7.0 Patch 1

Do 5.x.x policies get imported to 7.x during the migration?
No, 5.x.x policies are not imported to 7.x as part of the migration process. The user should set the required 5.x.x policies, most importantly the Encrypt policy, in 7.
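The color coding described above classifies each exported 5.x.x user by how many LDAP entries its chosen attribute matches. The following is an added example, not the guide's or McAfee's code, that reproduces that classification over a constructed directory; the attribute names (sam_account_name, user_principal_name) and the sample entries are assumptions.

```python
"""Classify 5.x.x user-assignment records by how many LDAP entries match them.

Added example, not McAfee code. The record layout, attribute names and sample
directory below are constructed for illustration; the import wizard's real
field names are not given in the guide.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Colors used by the guide's import results.
GREEN = "green"    # exactly one LDAP match: safe to import
ORANGE = "orange"  # more than one match: ambiguous, needs review
RED = "red"        # no match: no LDAP account for this exported user


@dataclass(frozen=True)
class LdapUser:
    dn: str
    sam_account_name: str
    user_principal_name: str


# Constructed sample directory. "bjones" exists in two OUs, which is exactly the
# case the orange result is meant to surface to the administrator.
LDAP_USERS: List[LdapUser] = [
    LdapUser("CN=Alice Smith,OU=My OU,DC=example,DC=com", "asmith", "asmith@example.com"),
    LdapUser("CN=Bob Jones,OU=My OU,DC=example,DC=com", "bjones", "bjones@example.com"),
    LdapUser("CN=Bob Jones,OU=Phils_OU,DC=example,DC=com", "bjones", "bob.jones@example.com"),
]


def match_ldap(exported_name: str, attribute: str,
               directory: List[LdapUser] = LDAP_USERS) -> List[LdapUser]:
    """Return every directory entry whose `attribute` equals the exported name.

    `attribute` stands for the user attribute chosen in the synchronization task
    (hypothetical field names here). Comparison is case-insensitive because
    Active Directory logon names are."""
    wanted = exported_name.casefold()
    return [u for u in directory if getattr(u, attribute).casefold() == wanted]


def classify(exported_name: str, attribute: str,
             directory: List[LdapUser] = LDAP_USERS) -> str:
    """Map the match count to the guide's color: 0 -> red, 1 -> green, >1 -> orange."""
    count = len(match_ldap(exported_name, attribute, directory))
    if count == 0:
        return RED
    return GREEN if count == 1 else ORANGE


def review_import(exported_names: List[str], attribute: str,
                  directory: List[LdapUser] = LDAP_USERS) -> Dict[str, str]:
    """Classify a whole export; only green rows should be imported unattended."""
    return {name: classify(name, attribute, directory) for name in exported_names}


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    """Count rows per color so the administrator can size the review work."""
    return dict(Counter(results.values()))


if __name__ == "__main__":
    export = ["asmith", "BJONES", "cwu"]  # constructed 5.x.x export
    results = review_import(export, "sam_account_name")
    for name, color in results.items():
        print(f"{name:10} {color}")
    print(summarize(results))
    # The ambiguous row resolves to green when matched on a unique attribute.
    print(classify("bjones@example.com", "user_principal_name"))
```

An orange row is resolved by re-matching on an attribute that is unique across OUs, as the last line shows, rather than by importing the first hit.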
What happens to a partially encrypted 5.x.x system after the migration?
A partially encrypted 5.x.x system gets fully encrypted or decrypted as per the policies set in 7.x.

What happens if the user initiates the upgrade process while the 5.x.x client is still in the encrypting or decrypting state?
It completes the encryption or decryption process as per the policies set in 7.x.

What happens to removable media that is encrypted with 5.x.
7 Use ePolicy Orchestrator to report client status

McAfee ePolicy Orchestrator provides comprehensive management and reporting tools for Endpoint Encryption. Administrators can create standard and customized dashboards, queries, and reports. The procedures on how to create standard dashboards, queries, and reports are documented in the McAfee Endpoint Encryption ‑ 7.0 Patch 1 Product Guide.
Track the progress of the deployment and encryption status
The progress of the EEPC/EEMac deployment and the number of encrypted drives can be determined by running the Endpoint Encryption query under Menu | Reporting | Queries | Endpoint Encryption | EE: Disk Status. This reports the crypt state for all disks on systems that have the EEAgent installed.
Report encryption status from McAfee ePO
Endpoint Encryption makes this task easy. An administrator can log on to McAfee ePO and, in just a few clicks, produce a report showing that the missing computer was encrypted.
• Log on to ePolicy Orchestrator as an administrator.
• Locate the system in the System Tree.
• In the McAfee ePO server, drill down to the encryption properties.
• Check the encryption status under the Disks tab.