
McAfee® Endpoint Encryption for PC

Administration Guide 
Version 5.2.5 
 

   
McAfee, Inc. 
McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA 

Tel: (+1) 888.847.8766 

For more information regarding local McAfee representatives please contact your local McAfee office, 
or visit: 

www.mcafee.com 

 
Document: Endpoint Encryption for PC Administration Guide 
 

Copyright (c) 1992‐2010 McAfee, Inc., and/or its affiliates. All rights reserved.  

McAfee and/or other noted McAfee related products contained herein are registered trademarks or
trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. Any other non‐McAfee related
products, registered and/or unregistered trademarks contained herein are referenced only and are the
sole property of their respective owners.

 
Contents

Preface ........................................................................................... 1 
Using this guide ............................................................................................. 1 
Audience ................................................................................................. 1 
Conventions ............................................................................................ 1 

Welcome .........................................................................................2 
About This Guide ..................................................................................... 2 
Audience ................................................................................................. 2 
Related Documentation............................................................................. 3 
Acknowledgements .................................................................................. 3 
Design Philosophy .................................................................................... 3 
Contacting Technical Support .................................................................... 3 

Introduction ...................................................................................4 
Why Endpoint Encryption for PC? ............................................................... 4 
How Endpoint Encryption for PC Works ............................................................. 4 
Protection ............................................................................................... 4 
Management ................................................................................................. 5 
The Object Directory ................................................................................ 5 
Objects, Entities, and Attributes explained. ................................................. 6 
The Endpoint Encryption Components ............................................................... 6 
Endpoint Encryption Manager .................................................................... 7 
Endpoint Encryption Server ....................................................................... 7 
Endpoint Encryption Object Directory ......................................................... 8 
Endpoint Encryption for PC Client ............................................................... 8 
Endpoint Encryption File Encryptor ............................................................. 9 
Endpoint Encryption Connector Manager ..................................................... 9 
Install and Deployment ............................................................................ 10 

Installing the Endpoint Encryption Manager ................................. 11 

Endpoint Encryption for PC User Policies ...................................... 12 


User Administration Functions ......................................................................... 12 
Create Token .......................................................................................... 12 
Reset Token ........................................................................................... 12 
Set SSO Details ...................................................................................... 12 
Force Password Change at Next Logon....................................................... 12 
View Audit ............................................................................................. 12 
Reset (All) to Group Configuration............................................................. 12 
Create Copy ........................................................................................... 13 
Properties .............................................................................................. 13 
User configuration Options ............................................................................. 13 
General ................................................................................................. 13 
Devices.................................................................................................. 14 
Application Control .................................................................................. 15 

Using Tokens with Endpoint Encryption for PC .............................16 


Supported Smart Cards and Tokens .......................................................... 16 
General Token Operation. ........................................................................ 16 
Stored Value Tokens ............................................................................... 17 
Certificate, or “Crypt Only” tokens ............................................................ 17 
Other Types Of Token .............................................................................. 19 
Token Compatibility ................................................................................ 19 
Specific Token Notes ............................................................................... 19 
Sony Puppy Fingerprint Reader ................................................................. 22 
Aladdin eToken 64KB............................................................................... 24 
SafeNet IKEY 2032 .................................................................................. 24 
Endpoint Encryption Phantom USB Biometric Key ........................................ 24 
Upek Fingerprint Reader .......................................................................... 26 

Creating and Configuring Machines .............................................. 27 


Machine Administration Functions (right-click menu) ................................... 27 
Machine Configuration Options.................................................................. 29 

File Groups and Management ........................................................ 42 


Setting file group functions ...................................................................... 43 
Importing new files ................................................................................. 43 
Exporting Files ........................................................................................ 43 
Deleting Files.......................................................................................... 44 
Setting File Properties ............................................................................. 44 

Adding components to a Machine ................................................. 46 

Using Endpoint Encryption as a File Deploy System ......................47 


Example - Copying a new file to the desktop .............................................. 47 

Creating an Install Package .......................................................... 49 


Selecting the Group / Machine .................................................................. 49 
Select the Install Set type ........................................................................ 49 
Online Installs ........................................................................................ 50 
Offline Installs ........................................................................................ 50 
Importing a Transport Directory................................................................ 51 
Summary of Offline Install set contents ..................................................... 51 
Select the Master Directory ...................................................................... 52 
Set install options and create the set ......................................................... 53 

Installing, Upgrading, and Removing Endpoint Encryption for PC .54 


Offline Package Installs ............................................................................ 54 
Online Package Installs ............................................................................ 54 
Removing / Uninstalling Endpoint Encryption Client ..................................... 54 
Upgrading Endpoint Encryption from previous versions. ............................... 55 

Client Software ............................................................................. 57 


The Tool Tray Icon .................................................................................. 57 
Client Auditing ........................................................................................ 58 
Boot and Logon Process ........................................................................... 58 
Endpoint Encryption Screen Saver............................................................. 59 
Windows Sign-On and Logon Mechanisms. ................................................. 59 
Changing the Password ............................................................................ 59 
Section 508: Logon Accessibility ............................................................... 59 

Windows Sign-on and SSO ............................................................ 61 


Windows Logon Features ......................................................................... 61 
How Windows Logon works ...................................................................... 62 

Auditing ........................................................................................ 64 


Introduction ........................................................................................... 64 
Common Audit Events ............................................................................. 64 
Try Events ............................................................................................. 66 
Succeed Events ...................................................................................... 67 
Failure Events......................................................................................... 67 

Recovering Users and Machines .................................................... 69 


Offline Recovery ..................................................................................... 69 
Local Recovery ....................................................................................... 72 
User Local Recovery Procedures ................................................................ 74 
Online Recovery...................................................................................... 75 
Trusted Applications ..................................................................... 76 
Hash Sets .............................................................................................. 76 
Hash Set Properties ................................................................................. 77 
File Hashes ............................................................................................ 77 
Using Hash Sets...................................................................................... 78 

Hash Generator ............................................................................. 79 


Introduction ........................................................................................... 79 
Using Hash Generator .............................................................................. 79 

Common Criteria EAL4 Mode Operation ........................................ 80 


Algorithm Certificate Numbers .................................................................. 81 

Endpoint Encryption Configuration Files .......................................83 


sbgina.ini ............................................................................................... 83 
sberrors.ini ............................................................................................ 91 
sbhelp.ini ............................................................................................... 92 
sbfeatur.ini ............................................................................................ 92 
scm.ini .................................................................................................. 92 
defscm.ini .............................................................................................. 93 
sdmcfg.ini .............................................................................................. 93 
TrivialPwds.dat ....................................................................................... 94 
Bootcode.ini ........................................................................................... 94 
BootManager.INI .................................................................................... 94 
Errors.XML ............................................................................................. 95 
AutoBoot.ini ........................................................................................... 95 
SbClientFileSet.ini ................................................................................... 95 
SBWinLogonOpts.XML.............................................................................. 95 
SBCP.INI ............................................................................................... 95 

Endpoint Encryption Program and Driver Files ..............................97 


EXE Files ................................................................................................ 97 
DLL Files ................................................................................................ 97 
SYS Files................................................................................................ 98 
Other Files ............................................................................................. 99 

WinTech and SafeTech ................................................................ 100 

Themes & Localization ................................................................ 101 


Themes ............................................................................................... 101 
Keyboards ............................................................................................ 102 
Pre-Boot Language ................................................................................ 110 
Pre Boot Token Descriptions ................................................................... 113 
Windows Languages .............................................................................. 113 

Troubleshooting PCs ................................................................... 115 

Error Messages ........................................................................... 116 


Module codes ....................................................................................... 116 
1C000 IPC Errors .................................................................................. 117 
5C00 Communications Protocol ............................................................... 117 
5C02 Communications Cryptographic ...................................................... 119 
A100 Algorithm Errors ........................................................................... 120 
DB01 Database Objects ......................................................................... 122 
DB02 Database Attributes ...................................................................... 123 
E000 Endpoint Encryption General .......................................................... 124 
E001 Tokens ........................................................................................ 124 
E002 Endpoint Encryption Disk ............................................................... 126 
E003 Endpoint Encryption SBFS .............................................................. 127 
E004 Boot Code Image .......................................................................... 128 
E005 Client .......................................................................................... 129 
E006 Algorithms ................................................................................... 132 
E007 Readers ....................................................................................... 132 
E008 Users .......................................................................................... 133 
E010 Keys............................................................................................ 133 
E011 Files ............................................................................................ 133 
E012 Licences....................................................................................... 134 
E013 Installer ....................................................................................... 134 
E014 Hashes ........................................................................................ 135 
E015 Application Control ........................................................................ 135 
E016 Administration Center .................................................................... 136 
xxH: BIOS ........................................................................................... 136 

Technical Specifications and Options .......................................... 138 


Encryption Algorithms ........................................................................... 138 
Smart Card Readers .............................................................................. 138 
Tokens ................................................................................................ 139 
Language Support ................................................................................. 139 
System Requirements............................................................................ 141 

Appendix .................................................................................... 143 


Legal Notices: ...................................................................................... 143 
Open Source Components License Details ................................................ 143 
Making Endpoint Encryption for PC FIPS Compliant ................................... 150 

Index .......................................................................................... 152 


Preface

Using this guide


This guide describes the administration functions of McAfee Endpoint Encryption for
PC.

Audience
This guide is intended for administrators of Endpoint Encryption for PC.

Conventions
This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and
dialog box names.
Courier: The path of a folder or program; text that represents something the user
types exactly (for example, a command at the system prompt).
Italic: Emphasis or introduction of a new term; names of product manuals.
Blue: A web address (URL); a live link.
Note: Supplemental information; for example, an alternate method of executing the
same command.
Caution: Important advice to protect your computer system, enterprise, software
installation, or data.

   

Welcome
The team at McAfee is dedicated to providing you with the best in security for
protecting data on personal computers. Applying the latest technology, deployment
and management of users is enhanced using simple and structured administration
controls.

Endpoint Encryption for PC represents the latest addition to the McAfee family and
incorporates functionality not found in earlier versions. This new edition of Endpoint
Encryption for PC features a new dimension in IT security incorporating many new
enterprise level options, including automated upgrades, file deployment, flexible
grouping of users and centralized user management. In addition, users’ credentials
can be imported and synchronized with other deployment systems.

Through the continued investment in technology and the inclusion of industry
standards we are confident that our goal of keeping Endpoint Encryption at the
forefront of data security will be achieved.

About This Guide


This guide is designed to aid corporate security administrators in the correct
implementation and deployment of Endpoint Encryption for PC. Although it is complete in
terms of setting up and managing Endpoint Encryption systems, it does not attempt to
teach the topic of "Enterprise Security" as a whole.

Readers unfamiliar with Endpoint Encryption should follow the appropriate sections of
the Endpoint Encryption for PC Quick Start Guide, which walks through setting up an
Endpoint Encryption enterprise, before tackling any of the topics in this guide.

Audience
This guide was designed to be used by qualified system administrators and security
managers. Knowledge of basic networking and routing concepts, and a general
understanding of the aims of centrally managed security is required.

McAfee can only contribute to information security within your organization as part of
a coherent and well-implemented organizational security policy.

For information about cryptography topics, readers are advised to consult the following
publications:

Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Bruce
Schneier, Pub. John Wiley & Sons; ISBN: 0471128457

Computer Security, Dieter Gollmann, Pub. John Wiley and Sons; ISBN: 0471978442

Security in Computing, Charles P. Pfleeger, Pub. Prentice Hall PTR; 3rd edition; ISBN:
0130355488

Related Documentation
The following materials are available from our web site, www.mcafee.com, and from
your Endpoint Encryption Distributor:

• Endpoint Encryption for PC Administration Guide (this document)

• Endpoint Encryption Manager Administration Guide

• Endpoint Encryption for PC Quick Start Guide

• WinTech and SafeTech Administration Guide

• Endpoint Encryption Update and Migration Guide

Acknowledgements
McAfee’s Novell NDS Connector and LDAP Connectors make use of OpenLDAP
(www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given to these
organizations for their free APIs.

Design Philosophy
Unlike other security systems, Endpoint Encryption for PC does not prevent access to
specific files, or in any way alter the way the PCs and PDAs are used.

Contacting Technical Support


Please refer to www.mcafee.com for further information.

Introduction
Why Endpoint Encryption for PC?
Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD
worth of lost data. Is your data safely stored? Ever thought about the risks you run for
your company and your clients? Endpoint Encryption for PC was developed with the
understanding that often the data stored on a computer is much more valuable than
the hardware itself.

McAfee’s product range enhances the security of devices by providing data encryption
and a token-based logon procedure using, for example, a Smart Card via a USB,
PCMCIA, serial or parallel reader. Endpoint Encryption also has optional File and Media
encryption programs (VDisk, File Encryptor and Endpoint Encryption for Files and
Folders). Endpoint Encryption for PC supports the following Microsoft Operating
Systems:

• Microsoft Windows 7

• Microsoft Windows 2000 through SP4

• Microsoft Windows XP through SP3 (32bit only)

• Microsoft Windows 2003 through SP2 (32bit only)

• Microsoft Vista 32bit and 64bit (all versions)

• Microsoft Pocket Windows 2002 and 2003

NOTE: For end users, Endpoint Encryption allows users to work as usual, including the
security and network services. Apart from the initial Logon, Endpoint Encryption for PC
offers completely transparent security.

How Endpoint Encryption for PC Works


Protection
Endpoint Encryption protects the user’s PC by simply taking control of the hard disk
from the operating system. The Endpoint Encryption for PC driver encrypts every piece
of data written to the disk; it also decrypts every piece of information read off the
disk.

If an unauthorized application broke through the Endpoint Encryption barrier and read
the disk directly, it would find only encrypted data, even in the Windows swap file and
temporary file areas.

If a data recovery agency tried to retrieve information from an Endpoint Encryption-
protected hard drive without access to the Endpoint Encryption system via the
passwords or recovery information, there is no way of accessing this data – total
security.

Endpoint Encryption installs a mini-operating system on the user’s hard drive; this is
what the user sees when they boot the PC. Endpoint Encryption looks and feels like
Microsoft Windows, with mouse and keyboard support, moveable windows, etc. This
Endpoint Encryption OS is completely self-contained and does not need to access any
other files or programs on the hard disk; it is responsible for allowing the user to
authenticate with a password or a token such as a smart card.

Once the user has entered the correct authentication information, the Endpoint
Encryption operating system starts the crypt driver in memory and boots the protected
machine’s original operating system. From this point on the machine will look and
behave as if Endpoint Encryption was not installed. The security is invisible to the
user: the only readable data on the hard disk will be the Endpoint Encryption
operating system; the encryption key for the hard drive is itself protected with the
user’s authentication key. The only possible way to defeat Endpoint Encryption is to
either guess the hard disk encryption key (a one in 2^256 chance with the AES256
algorithm), or to guess the user’s password.

On PDAs such as Pocket Windows and PalmOS, Endpoint Encryption installs
applications and drivers to provide authentication and encryption services. Endpoint
Encryption can protect memory cards, internal databases (such as e-mail and contact
lists), and provides secure, manageable authentication services.

Management
The Object Directory
The Object Directory is a central store of configuration information for all machines,
servers, policies and users. It is managed by Endpoint Encryption Administrators using
the Endpoint Encryption Manager.

Each time an Endpoint Encryption protected device boots, it will try to connect to
the Object Directory; optionally, every time the user initiates a dial-up connection, or
after a set period of time, the Endpoint Encryption protected machine will also attempt
to contact the Object Directory. The Object Directory is accessed over TCP/IP via a
secure Endpoint Encryption Server (in the case of a centrally managed enterprise).

The Endpoint Encryption protected machine queries the Object Directory for any
updates to its configuration; when updates are found they are downloaded to the
client machine. Typical updates could be a new user assigned to the machine by an
administrator, a change in password policy, an upgrade to the Endpoint Encryption
operating system, or a new file specified by the administrator. At the same time,
Endpoint Encryption uploads details such as the latest audit information, e.g. any user
password changes and security breaches, to the Object Directory, thus allowing
transparent synchronization of the enterprise system.

Objects, Entities, and Attributes explained.


Endpoint Encryption for PC stores information about users, machines, servers, policies,
etc. in collections called "objects"; from the perspective of the Endpoint Encryption
system, it does not matter what an object represents, only the information it contains
- therefore, an object representing a user, e.g. "John Smith", and an object
representing a machine, e.g. "Johns Laptop", would both contain information about
encryption keys, account status and administration level.

Within the object are collections of configuration data called Attributes. Again, the
same type of attribute may exist across many object types. Using the previous
example of John and his laptop, the details of the encryption keys, user status and
administration level would all be stored as separate attributes.

Entities are applications within the Endpoint Encryption system. Because of the
generality of the object design, all Endpoint Encryption applications also have some
generality about them; for example, the Entity representing the Endpoint Encryption
client and the Entity representing the Endpoint Encryption Server both authenticate to
the Object Directory in the same way - as an "object" which could be a machine or
user. This generality is mainly hidden from users and administrators; however,
because of this core design, you will find that many Endpoint Encryption related
functions and tasks are common between users, machines and entities.

The Endpoint Encryption Components

Endpoint Encryption Manager

 
Figure 1. Endpoint Encryption Manager Interface 

The most important component of the Endpoint Encryption enterprise is the Endpoint
Encryption Manager, the administrator interface. This utility allows privileged users to
manage the enterprise from any workstation that can establish a TCP/IP link or file link
to the Object Directory. Typical procedures that the Endpoint Encryption Administrator
handles are:

• Adding users to machines

• Configuring Endpoint Encryption protected machines

• Creating and configuring users

• Revoking users’ logon privileges

• Updating file information on remote machines

• Recovering users who have forgotten their passwords

• Creating logon tokens such as smart cards for users

Endpoint Encryption Server


The Endpoint Encryption Server facilitates connections between entities such as the
client and Endpoint Encryption Manager, and the central Object Directory over an IP
connection (rather than the file-based "local" connection). The server performs
authentication of the entity using DSA signatures, and link encryption using the
Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that
"snooping" the connection cannot result in any secure key information being disclosed.

The server exposes the Object Directory via fully routed TCP/IP, meaning that access
to the Object Directory can be safely exposed to the Internet / Intranet, allowing
clients to connect wherever they are. As all communications between the Server and
client are encrypted and authenticated there is no security risk in exposing it in this
way.
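The authenticated key exchange that the paragraphs above describe, as an added example rather than the product's own protocol: the client and server each hold a long-term signing key (ECDSA P-256 stands in here for DSA, and ECDH P-256 for classic Diffie-Hellman), exchange signed ephemeral values in both directions, and derive the same link key for the bulk cipher. The entity names, the message layout, and hashing the shared secret into a 256-bit key are assumptions of the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Entity is a client or server holding a long-term signing key. In the product the Object
// Directory would hold each entity's public key; here the peers are simply handed it.
type Entity struct {
	Name string
	priv *ecdsa.PrivateKey
	Pub  *ecdsa.PublicKey
}

func NewEntity(name string) (*Entity, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Entity{Name: name, priv: k, Pub: &k.PublicKey}, nil
}

// Hello is one message on the wire: an ephemeral ECDH public value and a signature binding
// it (and, in the server's reply, the client's value as well) to the sender's identity.
type Hello struct{ Eph, Sig []byte }

func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// Initiate (client, message 1): send a signed ephemeral value and keep its private half.
func (e *Entity) Initiate() (*ecdh.PrivateKey, Hello, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Hello{}, err
	}
	pub := eph.PublicKey().Bytes()
	sig, err := ecdsa.SignASN1(rand.Reader, e.priv, digest([]byte(e.Name), pub))
	return eph, Hello{pub, sig}, err
}

// Respond (server, message 2): check the client's signature against its registered key,
// reply with a signature over both ephemerals, and derive the link key.
func (e *Entity) Respond(peer string, peerPub *ecdsa.PublicKey, in Hello) (Hello, []byte, error) {
	if !ecdsa.VerifyASN1(peerPub, digest([]byte(peer), in.Eph), in.Sig) {
		return Hello{}, nil, errors.New("client signature invalid")
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Hello{}, nil, err
	}
	pub := eph.PublicKey().Bytes()
	sig, err := ecdsa.SignASN1(rand.Reader, e.priv, digest([]byte(e.Name), pub, in.Eph))
	if err != nil {
		return Hello{}, nil, err
	}
	key, err := linkKey(eph, in.Eph, in.Eph, pub)
	return Hello{pub, sig}, key, err
}

// Finish (client, after message 2): verify the server's reply and derive the same link key.
func Finish(eph *ecdh.PrivateKey, mine Hello, peer string, peerPub *ecdsa.PublicKey, in Hello) ([]byte, error) {
	if !ecdsa.VerifyASN1(peerPub, digest([]byte(peer), in.Eph, mine.Eph), in.Sig) {
		return nil, errors.New("server signature invalid")
	}
	return linkKey(eph, in.Eph, mine.Eph, in.Eph)
}

// linkKey hashes the ECDH shared secret together with both ephemerals into a 256-bit key
// for the bulk cipher. A passive observer sees only public values and signatures, never this.
func linkKey(eph *ecdh.PrivateKey, peerEph, clientEph, serverEph []byte) ([]byte, error) {
	remote, err := ecdh.P256().NewPublicKey(peerEph)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(remote)
	if err != nil {
		return nil, err
	}
	return digest([]byte("ee-link-key"), shared, clientEph, serverEph), nil
}
```

Because each side signs the ephemeral values with a key the other side already trusts, a host that merely relays or records the two Hello messages obtains neither the link key nor anything that helps recover it.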

There is a unique PDA Server which provides similar services to PDAs such as
Microsoft Pocket Windows and PalmOS devices. More information about this can be
found in later chapters.

Endpoint Encryption Object Directory


The Endpoint Encryption Object Directory is the central configuration store for
Endpoint Encryption for PC and is used as a repository of information for all the
Endpoint Encryption entities. The default directory uses the operating system’s file
system driver to provide a high-performance, scalable system which mirrors an X.500
design. Alternative stores such as LDAP are possible – contact your Endpoint
Encryption representative for details. The standard store has a capacity of over 4
billion users and machines.

Typical information stored in the Object Directory includes:

• User Configuration information

• Machine Configuration information

• Client and administration file lists

• Encryption key and recovery information

• Audit trails

• Secure Server Key information

Endpoint Encryption for PC Client


The Endpoint Encryption for PC client software is largely invisible to the end user. The
only visible part is an entry in the user’s tool tray (the Endpoint Encryption icon).

Clicking on this icon allows the user to lock the PC with the screen saver (if the
administrator has enabled this option and a screen saver is selected). Right-clicking on
the icon allows them to perform a manual synchronization with their Object Directory, or
to monitor the progress of any active synchronization.

Normally the Endpoint Encryption client attempts to connect to its home server or
directory each time the machine boots, or, establishes a new dial-up connection.
During this process, any configuration changes made by the Endpoint Encryption
administrator are collected and implemented by the Endpoint Encryption client. In
addition, information such as the last audit logs are uploaded to the directory.

Endpoint Encryption File Encryptor


By right clicking on a file, users can elect to encrypt it using various keys. Files can be
encrypted with other Endpoint Encryption users’ keys, and/or passwords.

Once protected in this way the file can be sent elsewhere, e.g. via e-mail or a floppy
disk, without the risk of disclosure.

When the file needs to be used, it just needs to be double clicked; a password or login
prompt will be presented for authentication. If they are authenticated correctly, the
file will be decrypted.

The File Encryptor also has an option to create an RSA key pair for recovery – if the
password to a file is lost, then the file can still be recovered using the correct recovery
key.

Endpoint Encryption Connector Manager

Figure 2. Endpoint Encryption Connector Manager 

Endpoint Encryption’s object directory keeps track of security information. It is
designed so that synchronization of details between Endpoint Encryption and other
systems is possible.

The Connector Manager is a customizable module which enables data from systems
such as X500 directories (commonly used in PKI infrastructures) to propagate to the
Endpoint Encryption Object Directory. Using this mechanism, it is possible to replicate
details such as a user’s account status between Endpoint Encryption for PC and other
"directories".

Current connector options include LDAP, Active Directory, and an NT Domain Connector.
For information on these components, contact your Endpoint Encryption
representative, or see the Endpoint Encryption Manager Administration Guide.

Install and Deployment


Endpoint Encryption is installed on users' PCs by running small deploy sets created by
the Endpoint Encryption Manager. This executable file contains the core components
and drivers needed to enable Endpoint Encryption on a user’s machine.

With the increasing necessity of install mechanisms which do not involve end users,
and software industries striving to make the cost of ownership and implementation of
products as small as possible, Endpoint Encryption for PC utilizes "smart-update" type
technology.

With this mechanism, only a small amount of code needs to be placed on the client
machine to facilitate installation. The remaining code modules are downloaded on
demand from either central Endpoint Encryption Servers (in the case of a network
install), or from a local compressed directory (in the case of a standalone PC). With
network connected machines, this gives the additional benefit of being able to update
Endpoint Encryption files simply by updating the data stored in the Object Directory.

Endpoint Encryption’s file deploy mechanism can also be used to "push" other files to
Endpoint Encryption protected machines. For instance, virus databases can be stored in
the central Endpoint Encryption directory; when they need updating, an Endpoint
Encryption administrator upgrades the central copy, and all Endpoint Encryption
protected machines notice the change and automatically download the new file. This
deploy mechanism can also be used to make registry changes on remote machines and
can even execute files.

Installing the Endpoint Encryption Manager


NOTE: If you are unfamiliar with Endpoint Encryption, you should follow the Endpoint Encryption for PC 
Quick Start Guide which describes setting up an Endpoint Encryption enterprise. Please read the Quick Start 
guide before tackling any of the topics in this guide. You will find this in your Endpoint Encryption box, or, 
on your Endpoint Encryption CD. 

The Endpoint Encryption Manager is the administration tool for managing all Endpoint
Encryption aware applications.

Install it by running the appropriate setup.exe from the Endpoint Encryption CD or
download. You should run this first on the machine that will be the “master” or
administrator's machine.

Follow the on-screen prompts to install the Endpoint Encryption Manager on your
machine: you may be prompted to select a language, a smart card reader, and an
encryption algorithm. For more information on these options please see the Endpoint
Encryption Manager Administration Guide. Once the installation completes you may
need to restart your system.

The Endpoint Encryption Management suite adds some items to your Start menu:
Endpoint Encryption Manager, which starts the management console, and the Database
Server, which starts the communication server and provides encrypted links between
clients and the central configuration (the Object Directory).

After rebooting, run the Endpoint Encryption Manager program. A wizard will walk you
through the creation of a new Endpoint Encryption directory. If you have an existing
Object Directory in your network, you can connect to it by cancelling the wizard and
manually configuring a connection.

For more information on the Endpoint Encryption Manager please see the Endpoint
Encryption Manager Administration Guide.

Endpoint Encryption for PC User Policies


The following sections describe the Endpoint Encryption specific parameters.

User Administration Functions


Create Token
This option creates a new Token for the selected user - this could be a soft (password)
token or a hard token such as a smart card or eToken. See the Token Operation
chapter for more information.

In the case of hard tokens, creating the token does not necessarily set the user to
actually use that token. This must be accomplished separately from the user’s Token
properties page.

Reset Token
This option resets the token authentication to the default. In the case of the soft
(password) token, this resets the password to 12345.

Some hard tokens may not be able to be reset using Endpoint Encryption, for
example, Datakey Smart Cards. In this case contact the manufacturer of your token to
determine the correct re-use procedure.

Set SSO Details


This option sets the Single-Sign-On details for the user. For more information on SSO
see the Windows Logon Features chapter.

Force Password Change at Next Logon


This option forces the user to change their password at their next logon.

View Audit
This option displays the audit for the user - for more information see the Auditing
chapter.

Reset (All) to Group Configuration


This option resets the configuration of the user, or all the users in the group, to the
group's configuration.

Create Copy
This option creates a new object based on the selected object.

Properties
This option displays the properties of the selected object.

User Configuration Options


General

Figure 3. User Options ‐ General 

Auto-boot users
The special user id “$autoboot$”, with a password of “12345”, can be used to auto-
boot an Endpoint Encryption protected machine. This option is useful if an auto-boot of
a machine is required, for example, when updating software using a distribution
package such as SMS or Zenworks. However, this ID should be used with caution as it
effectively bypasses the security of Endpoint Encryption.

Enabled
This option shows whether the user account is enabled or not. The enabled status is
always user selectable.

When an Endpoint Encryption for PC protected system synchronizes with the Endpoint
Encryption Manager, it checks the user account list to ensure that the currently logged
on user is still valid (because they may have logged on at boot time, before the
network and Object Directory were available).

Users with disabled accounts, or users who have been removed from the user list, will
find that their workstation locks and they are unable to log in.

NOTE: If you want to force an Endpoint Encryption machine to synchronize (and hence immediately stop 
the user from accessing the machine), you can use the "force sync" option to force an update. See the Force 
Synchronization chapter. 

Devices

Figure 4. User Configuration ‐ Devices 

Floppy Disk Access


Users can be prevented from accessing the floppy disk or, from writing to it. You can
also elect to allow only encrypted floppy disks: in this situation the user must format
their own disks, which only they can then use. Note: the disk is encrypted with the
user’s personal key.

Ports
Endpoint Encryption can attempt to block access to the serial and/or parallel ports.
This blocking is implemented after the operating system has booted. Therefore, if the
machine has a serial mouse, it will still function. Likewise a printer connected to the
parallel port will still function. This option is designed to stop users adding serial and
parallel devices AFTER the machine has booted.

NOTE: The McAfee Port Control product provides granular device access by allowing you to take detailed 
control of the devices which are available to your users. 

Application Control

Figure 5 User Configuration ‐ Application Control 

Endpoint Encryption includes an innovative application blocking system which can be


used to restrict what code can actually be run by a user. For more information on this
feature see the Trusted Applications chapter.

List Contains Untrusted Applications


This option allows you to specify files in the listed file hash sets that should be blocked
(untrusted). All unlisted executable files will be permitted to execute code (trusted).

List Contains Trusted Applications


This option allows you to specify files in the listed file hash sets that will be permitted
to execute code (trusted). All unlisted executable files will be blocked (untrusted).

Enable Blocking of Untrusted Applications


This option enables the blocking of untrusted applications. If it is not set, no blocking
takes place and any code can run; leaving it unset is useful only while debugging a
trusted application file set.

Enable Logging of Executed Applications


This option makes a record of files that try to execute code. A status message
indicating whether the file is trusted or not is written to the SBAPPLOG.TXT file. This
feature is useful for debugging trusted application file sets.
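The four Application Control options above interact in ways the individual descriptions leave implicit (an unlisted file is allowed in "untrusted list" mode but blocked in "trusted list" mode; with blocking off only the log changes). The following Python is an added illustration of those documented semantics, not the product's own code; the hash algorithm (SHA-256), the sample file paths and the log-line layout are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample "executables" standing in for files on a client machine.
PAYROLL = r"C:\Program Files\Corp\payroll.exe"
GAME = r"C:\Users\alice\Downloads\game.exe"
SAMPLE_FILES = {
    PAYROLL: b"MZ payroll build 42",
    GAME: b"MZ unapproved downloaded binary",
}


class ListMode(Enum):
    """The two mutually exclusive list options from the Application Control pane."""
    UNTRUSTED = "List Contains Untrusted Applications"  # listed files are blocked
    TRUSTED = "List Contains Trusted Applications"      # only listed files may run


def file_hash(data: bytes) -> str:
    """Hash an executable's contents. SHA-256 is assumed; the guide does not
    state which algorithm the product's file hash sets use."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class AppControlPolicy:
    list_mode: ListMode
    hash_sets: dict[str, set[str]]        # file hash set name -> hex digests
    blocking_enabled: bool = True         # "Enable Blocking of Untrusted Applications"
    logging_enabled: bool = False         # "Enable Logging of Executed Applications"
    log: list[str] = field(default_factory=list)  # stands in for SBAPPLOG.TXT

    def is_listed(self, digest: str) -> bool:
        return any(digest in hashes for hashes in self.hash_sets.values())

    def is_trusted(self, data: bytes) -> bool:
        listed = self.is_listed(file_hash(data))
        if self.list_mode is ListMode.TRUSTED:
            return listed        # allow-list: anything unlisted is untrusted
        return not listed        # deny-list: anything unlisted is trusted

    def evaluate(self, path: str, data: bytes) -> tuple[str, bool]:
        """Return (trust status, allowed to execute) for one file."""
        trusted = self.is_trusted(data)
        # With blocking disabled an untrusted file still runs; only the log differs.
        allowed = trusted or not self.blocking_enabled
        if self.logging_enabled:
            # Assumed log layout; the guide only says a status message is written.
            self.log.append(
                f"{path} {'TRUSTED' if trusted else 'UNTRUSTED'} "
                f"{'ALLOWED' if allowed else 'BLOCKED'}"
            )
        return ("trusted" if trusted else "untrusted", allowed)


def corporate_hash_set() -> dict[str, set[str]]:
    """Allow-list hash set containing only the approved payroll binary."""
    return {"corp-approved": {file_hash(SAMPLE_FILES[PAYROLL])}}


def blocked_hash_set() -> dict[str, set[str]]:
    """Deny-list hash set containing only the unapproved download."""
    return {"blocked-apps": {file_hash(SAMPLE_FILES[GAME])}}


def run_scenarios() -> dict[str, dict[str, tuple[str, bool]]]:
    """Evaluate both sample files under the configurations an administrator
    typically moves through: audit-only rollout, then an enforced list."""
    configs = {
        # Rollout phase: log everything, block nothing, to build the file set.
        "audit-only": AppControlPolicy(ListMode.TRUSTED, corporate_hash_set(),
                                       blocking_enabled=False, logging_enabled=True),
        # Enforced allow-list: anything not in the set is blocked.
        "allow-list": AppControlPolicy(ListMode.TRUSTED, corporate_hash_set()),
        # Enforced deny-list: listed files are blocked, everything else runs.
        "deny-list": AppControlPolicy(ListMode.UNTRUSTED, blocked_hash_set()),
    }
    return {
        name: {path: policy.evaluate(path, data) for path, data in SAMPLE_FILES.items()}
        for name, policy in configs.items()
    }


if __name__ == "__main__":
    for config, outcome in run_scenarios().items():
        print(config)
        for path, (status, allowed) in outcome.items():
            print(f"  {path}: {status}, {'runs' if allowed else 'blocked'}")
```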

Using Tokens with Endpoint Encryption for PC


Endpoint Encryption supports many different types of logon token, for example
passwords, smart cards, Aladdin eToken, and others. Before a user can use a non-
password token, you must ensure any machine they are going to use has been
suitably prepared.

Supported Smart Cards and Tokens


The link below contains the supported smart cards and tokens:

https://kc.mcafee.com/corporate/index?page=content&id=pd20895

General Token Operation


Hardware Device Support
Ensure the machine has the appropriate Windows drivers for the hardware tokens it
needs to support. For example, if you intend to use Aladdin eTokens you need to
install the Aladdin eToken RTE (Run Time Environment).

If you intend to use smart cards, you need to ensure that an Endpoint Encryption
supported smart card reader, for example the Mako/Infineer LT4000 PCMCIA smart
card reader, is installed along with its drivers.

In both cases, the appropriate device drivers are available either direct from the
manufacturer, or from the Endpoint Encryption install CD in the \Tools directory.

Endpoint Encryption for PC Driver Support


Once you have installed hardware support for the devices, you can enable software
support for them: from the machine, or machine group Properties window, select
the “Files” properties pane and tick the appropriate options for the tokens you want
the machine, or group of machines, to support, e.g. if you want the machines to
support eTokens, select the “eToken PRO Client Token” file group. To support the
Mako/Infineer Smart Card reader, select “Infineer Smart Card Reader” file set.

NOTE: You should also note that some USB key tokens are in fact a combined USB Smart Card reader and 
USB Device in one unit, therefore, you need to add USB CCID Smart Card reader support to your Endpoint 
Encryption for PC clients for them to work. See the Token Compatibility section later in this chapter for 
information on the tokens which are of this nature.  

Assign the token to the user and create it


From the user’s Token properties pane, select the token you want that user to log in
with. Endpoint Encryption will prompt you to insert the token and will create the
appropriate data files on it.

If all steps are followed, when you install Endpoint Encryption, or after the machines
synchronize, users will be able to log in using their new token.

NOTE: When learning how to use Endpoint Encryption, we advise you always leave at least one password‐
only user assigned to machines in case you make a mistake when setting up token support. 

Stored Value Tokens


Endpoint Encryption can store user keys on certain tokens, such as smart cards and
USB keys (for example, the Aladdin eToken).

Storage tokens host around 1KB of data unique to the Endpoint Encryption
environment and user, on each token. They are configured within the Endpoint
Encryption Manager for the specific user before they can be used.

Tokens offer the following advantages over passwords:

• The user's key is not stored on the user's machine, and is protected from brute
force attack by the microprocessor of the token

• The same token can be used to authenticate to many systems

• Tokens can be used for other physical purposes, for example door access
systems

Certificate, or “Crypt Only” tokens


Endpoint Encryption can leverage your investment in PKI and tokens to allow users to
authenticate using their certificates. This can be quite advantageous in the corporate
environment for the following reasons:

• Leverage investment in PKI and existing tokens

• Tokens do not need to be provisioned specifically for Endpoint Encryption

• Users can log in to Windows and other systems using their PKI certificates

• Revocation of certificates denies access to Endpoint Encryption-protected PCs

By using one of Endpoint Encryption’s certificate connectors, you can quickly make
your Endpoint Encryption enterprise aware of all certificate-holding users, and can
allow them to be allocated to computers using Endpoint Encryption for PC without
having to create new smart cards or other forms of token for them to use.

Endpoint Encryption has been tested with the following tokens and PKI environments –
more tokens and PKIs are being developed so if your environment is not listed, please
contact your Endpoint Encryption representative for the latest information.

You can use any token with any PKI.

How Certificate Tokens Work


Certificate tokens leverage the unique one-way properties of public-key encryption: a
piece of data can be encrypted for a user, using some public information, but cannot
be subsequently decrypted with that same information.

Endpoint Encryption uses the information stored in the public certificate store of a PKI
to look up users and encrypt their unique key with the public key stored in their
certificate. This online process is handled transparently by one of the Endpoint
Encryption Connectors.

Once encrypted, Endpoint Encryption stores the information within its policy store, and
makes it available to all Endpoint Encryption-aware applications: for example, with
Endpoint Encryption for PC, the user’s key encrypted with their public key is stored on
each machine the user is assigned to. When a user tries to log in, Endpoint Encryption
sends their encrypted user key to their token and asks it to be decrypted using the
private key stored on the token. The actual decryption happens securely within the
microprocessor of the token and only after the user has supplied the correct token PIN
or password. This ensures the user’s decryption key (private key) never has to leave
the token.

Once decrypted, the resulting user key can be used to authenticate the user.

You can see from this process that there is no need for Endpoint Encryption to have
prior knowledge of, or to have stored anything on, the user's token. All the information
Endpoint Encryption needs to prepare the system can be obtained online through the
PKI certificate server.

Certificate Connectors
Setting up Certificate tokens is the responsibility of the Endpoint Encryption Certificate
connectors – these are available for both Active Directory and LDAP systems, and
more information on configuring them can be found in the Endpoint Encryption
Manager Administration Guide, in the Active Directory Connector and LDAP Connector
chapters.

The connectors can search AD and LDAP directories for users, and create them in
Endpoint Encryption based on certain criteria. The connectors can also monitor CRLs
for revoked certificates, and automatically handle the rollover of certificates on
expiry.

Other Types Of Token


There are other types of token also supported by Endpoint Encryption, such as
Biometric and Cognometric tokens. For more information on these tokens please
contact the manufacturer or your distributor.

Other Tokens Supported in Endpoint Encryption for PC:

• Sony Puppy Biometric Reader (http://www.sony.co.jp/puppy/)

• RealUser Passfaces (http://www.realuser.com)

• Infineon Embedded TPM Chip

• Security Chip: TPM (TCG V1.2) with Infineon Package versions: InfineonTPM
Professional Package V2.5 and InfineonTPM Professional Package V2.5 SP1

• Upek Fingerprint Reader

Token Compatibility
Endpoint Encryption supports many tokens, but due to the pre-boot nature of Endpoint
Encryption for PC, not all tokens are supported in all environments. If you have a
specific token requirement, please contact your Endpoint Encryption representative for
the latest information. Please also see the token overview spreadsheet. Contact your
McAfee representative for further details.

Some USB key tokens are a combined USB Smart Card reader and USB Device in one
unit. You therefore need to add USB CCID Smart Card reader support to your Endpoint
Encryption for PC clients, to enable them to work.

Specific Token Notes


RSA SID800 USB Token
Storage token supported pre-boot. This token requires firmware 1.01.33 or higher.

ActivIdentity Smart Cards and USB Keys


These modules support ActivIdentity 64K v1 (card profile S4), ActivIdentity 64K v2
(card profile O4) and ActivIdentity 64K v2C (card profile S4) cards. You can choose to
use the card in Stored Value mode, or Certificate mode. The tested ActivIdentity
ActivKeys are the AAK300 version (product code ZFG-3007-AB).

Infineon Embedded TPM Chip


The Infineon Trusted Platform Module (TPM) on Fujitsu PCs can be used as a token for
Endpoint Encryption allowing:

• Authentication to Endpoint Encryption Manager

• Pre-Boot Authentication

• Screensaver Authentication

NOTE: If you use TPM as a token for Endpoint Encryption Manager, ensure that the UserID is not used on 
any other PC with a TPM. If it is, it will be locked to that PC from then on. 

The embedded TPM chip, in its simplest form, can be envisaged as a smart card
physically attached to the motherboard of the PC. The TPM (Trusted Platform Module)
can perform similar cryptographic operations to PKI smart cards, such as encryption,
decryption, key generation, signing of data etc.

With the Endpoint Encryption TPM module, the TPM chip is used to secure a user's
logon credentials. This means that, once initialized, the user's unique secret key is
removed from the Endpoint Encryption environment and secured by the TPM chip. From
this stage onwards the user will only be able to log in to that particular machine.

Conversion from password mode to TPM mode is automatic and occurs as soon as the
user uses their account on a TPM protected machine. From activation onwards, that
Endpoint Encryption user will only be able to log into the machine on which the TPM
chip holds their keys.

Pre-Requisites for Endpoint Encryption Pre-Boot TPM Support


• Endpoint Encryption

• PC with Infineon TPM Chip installed (TCG Spec. Version 1.2)

• Infineon TPM Professional Package (Version 2.5)

• Infineon TPM Professional Package (Version 2.5 SP1)

Endpoint Encryption's TPM module also requires that the TPM be "initialized". This
involves creating the Endorsement Key, Storage Root Key and setting an Owner
password. If this is not done, Endpoint Encryption will find the TPM and try to convert
the user to use it at first logon, but the operation will fail and the user will not be able
to logon.

The TPM initialization process is performed by the Infineon software after you install it.
The TPM Chip must be enabled in the BIOS on the target PC.

The TPM has to be enabled in the BIOS (which it is not by default). Until it is enabled,
it is essentially not present as far as Endpoint Encryption and Infineon software is
concerned. If you try to install the Infineon software with TPM disabled, it will warn
you that the "Infineon TPM not found" and abort the install (exactly as it does on
machines without a TPM).

Endpoint Encryption has been tested with the following TPM Components:

• Infineon TPM Professional Package v2.5 HF2

- Chip State = Enabled

- Owner State = Initialized

- User State = Initialized

• Trusted Platform Module

- TCG Spec. Version = 1.2

- Vendor = Infineon Technologies AG

- Chip Version = SLB 9635 TT 1.2 (41313100)

- FW Version = 1.00

- FW ROM CRC = 0x4028

• TPM Device Driver

- File name = ifxtpm.sys (x86)

- Version = 1.80.0002.00 built by: WinDDK

• TPM Device Driver Library

- File name = IFXTPM.dll

- Version = 2.50.0771.00

Configuring the TPM on the target PC


The following instructions detail how to enable TPM support for a user on a target PC:

1. From the system tray double-click the TPM icon, or select Start → All
Programs → Infineon Security Platform solution → Manage Security
Platform.

2. Click on the User Settings tab.

3. Click on the Basic User Password → Change button.

4. Follow the on screen instructions to register a password for the TPM.

5. When you have successfully created the TPM password, exit the application.

Endpoint Encryption for PC setup


1. Install Endpoint Encryption for PC with TPM support.

2. Login to the Endpoint Encryption Manager.

3. Click on Devices and from Endpoint Encryption Machine Groups add a
new machine group.

4. Right click on the machine group and select Properties.

5. Click on the Files icon and select TPM Machine Chip. Apply these settings.

6. Click on the Users tab and create an Endpoint Encryption user.

7. Right click on the new Endpoint Encryption user and select Properties.

8. Assign an Infineon Embedded TPM Chip to the user and apply these settings
(Note: the Configure option does not apply to the Puppy token).

9. Assign the user to the machine group.

10. Create an install set from the machine group.

Installing Endpoint Encryption with TPM


1. Install Endpoint Encryption on the client PC using the newly created install
set.

2. Reboot and synchronize with the Endpoint Encryption database.

3. Login to the Pre-Boot authentication using the default password “12345”.

4. When prompted to change the password, select the same password as the
Basic User password for the TPM.

5. After the PCs next boot, the password for the TPM will be the TPM Basic
User password.

6. Reboot the machine and logon at PBA by selecting the Sony Puppy token.

Recovery
When a user password recovery is performed Endpoint Encryption will reset the
password to the default ‘12345’ and will allow the user to log in. The user will be
prompted to change the password. Select a new password and ensure that you change
the TPM password to the new one before rebooting the PC.

Sony Puppy Fingerprint Reader


The Sony Puppy can be used as a token for Endpoint Encryption allowing:

• Authentication to Endpoint Encryption Manager

• Pre-Boot Authentication

• Screensaver Authentication

The Puppy allows two modes of operation: Fingerprint or Password. This means that if a
user fails to log in using their fingerprint, they can do so using their password.

Requirements to use Sony Puppy with Endpoint Encryption


1. Puppy Suite Enterprise / Personal - v2.1 or later

2. Sony Puppy device (FIU-810-N03)

3. Endpoint Encryption V5.0

The following instructions detail how to enable Sony Puppy Support for a user. For this
you will need to have a new Sony Puppy or reset an existing one using the Sony
Puppy Administration Tools.

Step 1. Setup the Sony Puppy Fingerprint Reader


1. Install the Sony Puppy software - SC-API 810 setup (Basic).

2. Plug the Sony Puppy finger-print reader into an available USB Port.

3. Click Start → All Programs → FIU-810 tools → User Manager

4. Follow the on screen instructions to register a User Name and Fingerprint /
Password for the device.

5. When you have successfully created the Sony Puppy User and registered
your fingerprint(s) exit the application.

Step 2. Endpoint Encryption for PC setup


1. Install Endpoint Encryption for PC with Sony Puppy support.

2. Login to the Endpoint Encryption Manager.

3. Click on Devices and from Endpoint Encryption Machine Groups, add a
new machine group.

4. Right click on the Machine Group and select Properties.

5. Click on the Files icon and select Sony Puppy Client Files.

6. Apply these settings.

7. Click on the Users tab and create an Endpoint Encryption user (keep a note
of the UserID).

8. Right click on the new Endpoint Encryption user and select Properties.

9. Assign a Puppy token to the User and apply these settings. (Note: the
configure option does not work with the Puppy token).

10. Assign the user to the machine group.

11. Create an install set from the machine group.

Step 3. Installing Endpoint Encryption with Puppy Support


1. Install Endpoint Encryption for PC on the client using the newly created
install set.

2. Once installed, start SbPuppytrainer.exe from the default Endpoint
Encryption directory.

3. Select Train Puppy from the menu. The logon screen will appear.

4. Select Use Endpoint Encryption Username and enter the User ID and
Password of the Endpoint Encryption user and click the Logon with
Password button. You will be asked to verify your fingerprint.

5. Place your finger on the reader and it should verify OK. The training is
complete. You may Reboot the machine and logon at PBA by selecting the
Sony Puppy token.

Aladdin eToken 64KB


Tokens with id 0x0514 and 0x0600 are supported. Tokens 0x050c are no longer
supported as they are discontinued by Aladdin.

This token module requires Aladdin RTE 3.65 to be installed.

SafeNet IKEY 2032


Requires the v3.4.7 drivers as available from www.safenet.com. The Windows update
drivers do not function. This token is supported in Storage Mode only.

Endpoint Encryption Phantom USB Biometric Key


The Endpoint Encryption Phantom is a combined USB storage + Biometric
authentication token. To use it for Endpoint Encryption for PC Pre-Boot:

Step 1.

Create a user and assign their finger within the USB Phantom by running
SMCforUSB.exe (this is the USB Management utility):

1. Create user

2. Enroll the user (i.e. register a finger)

3. Assign a partition to the user

Step 2.

1. From the Endpoint Encryption Manager create a user account for the user
name created in step 1.

2. Assign Endpoint Encryption for USB token to user (default token is password)
Note: The default in EEPC is to create a default password of 12345.

Step 3.

Define the Machine Policy which should include file sets:

• Endpoint Encryption for PC client files

• READER: USB CCID smart card

• TOKEN V5x: Endpoint Encryption for USB Phantom client files

Step 4.

Create an online installation set. Note: assign the user or user group to the machine as
part of the machine policy.

Step 5.

Install Endpoint Encryption for PC on the client computer.

After the second reboot, the client should see the preboot authentication screen. This
will have the password and Endpoint Encryption for USB token options.

Step 7.

Select Endpoint Encryption for USB, which should generate an Endpoint Encryption
Biometric challenge screen:

1. Attach USB phantom to PC.

2. Swipe enrolled finger on USB Phantom

3. Tick the box for user listed Provide User Name.

The standard Endpoint Encryption logon screen should appear which will require the
SAME user name to be entered as the one registered with the USB Phantom. At this
point you will need to enter the default Endpoint Encryption password of 12345 which
will marry the Endpoint Encryption for PC client with the USB phantom. This step has
completed the integration of Endpoint Encryption for PC with the USB phantom.

The PC should now boot into Windows. After rebooting the client you will be prompted
to authenticate via the USB Phantom biometric reader.

Upek Fingerprint Reader


Before the Upek fingerprint reader can be used as an authentication device the
following steps must be performed:

1. The Upek Protector Suite QL software must be installed and configured on the
client machine. The software can be found on the McAfee Endpoint Encryption
Tools download. Please consult your McAfee representative for further
information.

2. From the Endpoint Encryption Manager:

• Create a file group for the Upek token and import the token files:
SbTokenUpek.dll and SbTokenUpek.dlm. See the File Groups and
Management chapter for further information.

• The Upek file group must be assigned to the machine or machine group.

• The fingerprint reader must be assigned to a user or a user group. See the
user or user group Properties → Tokens screen.

3. The user logs onto the client machine using the Upek token module in
password mode.

4. The user will be presented with a dialog which will ask them to register their
fingerprints with Endpoint Encryption; the user configures the fingerprint
reader to work with one or more of their fingerprints.

5. From then on the user will need to authenticate to Endpoint Encryption with
their fingerprint instead of a password.

Creating and Configuring Machines


The Object Directory contains a unique record for every machine attached to it. When
Endpoint Encryption installs, it creates a record either directly in the Object Directory
or in a transfer directory for later inclusion – this “object” contains the machine’s
encryption key, hard drive geometry, and secure configuration.

Each user machine periodically tries to connect to its parent directory to check that its
local configuration matches the centrally defined one. If there are any differences, the
local machine reconfigures itself to match. You can change any aspect of the
machine’s configuration centrally; these changes get applied to the machine the next
time it synchronizes.

Machines normally create their own object in the directory when Endpoint Encryption
first installs; this happens automatically if you use a Group Install Set (see the
Creating an Install Package chapter). Alternatively, you can pre-create a “placeholder”
object for the machine, set a unique custom configuration for it, and then create an
install set for that object only.

Users are assigned to machines and machine groups. When the machine synchronizes
it compares its local user list with that in its Object Directory entry. Any changes are
made in real time, including disabling the current user if their account status becomes
removed or disabled.

Machine Administration Functions (right-click menu)


Create Machine
The Create Machine option creates a new “placeholder” machine definition. If in the
future a new machine with the same network name tries to install itself into the group,
it will take over the placeholder object and use the configuration set within it.

Rename
This option changes the Endpoint Encryption name of the machine.

This does not affect the machine’s network name, which can be seen from the General
Properties page.

Delete
This option deletes the machine entry – you will be given the opportunity to
“Permanently Delete” the machine, or to move the machine to the Recycle Bin (where
it can be later restored, if necessary).

Import Machines
This option imports a machine definition into the group. This definition could be from
a machine created using an Offline Install (see Offline Package Installs for further
information) or from an export from another database.

Export Configuration
This option exports the configuration information for a machine (.sdb file) which can
be used for diagnostic or troubleshooting tasks or for import into an alternate
database.

Create Install Set


Creates a package of all the files and configuration needed to install Endpoint
Encryption - for more information, see Installing, Upgrading and Removing Endpoint
Encryption for PC.

Force Synchronization
You can force a machine (or group of machines) that is online to perform an
immediate configuration synchronization. You would do this, for example, if you have
removed a user from a group (or disabled them) and it is imperative that they are
disabled immediately, or if a user has a configuration issue that needs resolving.

To do this, select the machine (or machine group) in question, and use the "Force
Synchronization" option from the window menu or right-click menu. The Endpoint
Encryption Manager sends a short message to the machine in question (using its
stored DNS or IP address) telling it to perform an immediate synchronization to update
its policies.

If you "Force Sync" a machine that is not online, or one that refuses the request because
Endpoint Encryption is no longer installed, an error message is generated. If Endpoint
Encryption is already in the process of performing a configuration change on the
remote machine, the sync request is ignored.

Reboot Machine
You can select the “Reboot Machine” option to attempt to reboot one or many
machines – this sends a message to the machines in question telling them to perform
an immediate shutdown. Users may not be given enough time to save their work, so
this feature should be used with caution.

You can configure the messages and timeout of the reboot option by editing the
SCM.ini file, as explained in the Endpoint Encryption Configuration Files chapter of
this guide.

There are some instances when Windows will prevent remote rebooting of a system,
e.g. while the screen-saver is active.

Lock Machine
You can remotely activate the screen saver on a given machine by using the “Lock
Machine” command. Both machines and groups of machines can be locked in this way.

Add Users
You can add a number of users to a collection of machines using this option. You can
select the machine, or combination of machines, you want to add users to from a group
or search window.

View Audit
This option displays the audit for the machine. For more information see the Auditing
chapter.

Reset to Group Configuration


Resets the configuration of the machine, or all the machines in the group, to the
group’s configuration. Optionally, it sets the user list to match the group user list.

Create Copy
Creates a new object based on the selected object.

Properties
This option displays the properties of the selected object.

Machine Configuration Options


The following configuration options can be set for machines, or groups of machines.

Machine Groups
Description

You can enter a text description for a machine group, such as the physical location of
the machines.

General

Figure 6. Boot Protection and General Options 

Boot Protection

The status of Endpoint Encryption can be set in one of four modes. Both the desired
and current protection status are shown.

Disabled – Endpoint Encryption is installed and listening, but is not securing the
computer. You can change the status to another mode and this will be reflected at the
next synchronization.

Enabled – Endpoint Encryption is protecting the machine, and requiring users to
logon.

Remove – Endpoint Encryption will decrypt and uninstall itself at the next
synchronization.

Remove and Reboot – as above, with the addition that Endpoint Encryption
will automatically reboot the machine after uninstalling.

Removed – Endpoint Encryption is no longer installed on the machine, and its
entry can be deleted from the directory.

Note: If you select Remove and let the machine uninstall Endpoint Encryption, remember to delete the
entry from the directory, or set the protection back to Enabled before re‐installing Endpoint Encryption. If
you forget this, then as soon as the new install connects, it will remove itself again.

Description

This field allows you to enter a text description of the machine, such as its
specification, model or physical location.

Network Name

The machine’s logical network name. You can find and filter the Machine tree for the
machine’s name using the “Object/Filter” option.

Options

Windows Logon

Require Endpoint Encryption Logon – Endpoint Encryption takes control of the
normal Windows logon screen, and screen saver logon. Users will be prompted for
their Endpoint Encryption for PC credentials.

Attempt automatic Windows Logon – Endpoint Encryption tracks the user’s
Windows ID, password and domain, and presents these automatically to Windows logon
boxes. This mechanism means that once the user has authenticated to Endpoint
Encryption at the boot screen, they do not need to enter any more passwords for
Windows.

NOTE: If the user’s Windows credentials are different from their Endpoint Encryption for PC credentials,
Endpoint Encryption stores the Windows credentials the first time they are used. It may take two reboots
before single sign-on becomes active.

Require Endpoint Encryption re-logon – If the user logs out of Windows, Endpoint
Encryption will control the login box for the next login.

Automatically logon as boot user – If there are no stored Windows credentials for
the user, Endpoint Encryption tries to login to Windows with the user’s Endpoint
Encryption credentials.

Endpoint Encryption logon component always active – If selected, the Endpoint
Encryption login component is kept active on the machine even if all the other options
are disabled. This means that it can be reactivated mid-session during synchronization
with the Object Directory. If all options are deactivated, the Endpoint Encryption logon
component can only be reactivated after a reboot.

Set Endpoint Encryption Password to Windows Password – If the Windows and
Endpoint Encryption login passwords differ, users will be prompted to set the Endpoint
Encryption password to the Windows password. Also, if the user changes their
password in Windows, their Endpoint Encryption password will be set to match.

Must Match Windows user name – If a user’s Endpoint Encryption and Windows
user IDs do not match, no SSO credentials will be stored for the user when this option
is enabled. This prevents an administrator’s Windows credentials being associated with
a normal user’s Endpoint Encryption account in the case where the normal user logged
in at pre-boot, but then an administrator authenticated to Windows.

Booting

Allow Booting from the hard disk – If disabled, users will have to boot the machine
with a machine bootable token such as an Endpoint Encryption Floppy Disk. This adds
security in that the machine is inaccessible without the token. NOTE: This option is
not available with Endpoint Encryption version 4.1 or later.

Virus Protection

Enable MBR Virus protection – Endpoint Encryption monitors boot sector activity,
and prevents any program writing to it. Endpoint Encryption also monitors the BIOS
signature to further prevent boot viruses.

NOTE: If you have this option enabled and you move a protected hard disk between two machines, 
Endpoint Encryption will detect this as a possible virus and prevent the machine being used until a virus 
reset has been performed. For information on this procedure, see the chapter on WinTech and SafeTech. 

Miscellaneous

Do not display previous user name – Hides the ID of the last logged on user in all
Endpoint Encryption logon dialogs, and changes the “Incorrect Password” and
“Unknown User ID” error messages to a generic message.

Reject Suspend/Hibernate Requests – This option stops the machine from
entering hibernation mode. Note: this option is not supported in Vista.

Disable Checking for AutoBoot – This option switches off $autoboot$ user support on
this machine. If the machine has many users assigned, this option can speed up the
boot time.

Do not lock after AutoBoot is removed – normally Endpoint Encryption locks the
workstation if the current logged in user is removed, or disabled, as part of a
synchronization event. This is to prevent the machine being used in the event that
there is no current user. Switching this option on stops the autolock happening if the
$autoboot$ user is removed, and may be useful in the case of automated software
updates.

Allow AutoBoot user to be managed locally – enables support for the
“-disablesecurity” and “-reenablesecurity” options of the Endpoint Encryption
Automation library – for more information on these options see the SBAdmCL Users
Guide.

Disable Clearing of status log – Prevents users from clearing the Client side status
log.

Always display On-screen keyboard – Forces the pre-boot to always display a
clickable on-screen representation of the keyboard. This option is of most benefit to
TabletPC users.

Enable Boot Disk Compatibility – Some machines have BIOS code which mounts
USB disks as physical drives. This is an unusual mode of operation and means that
after Endpoint Encryption has finished its authentication, Windows will hang trying to
access the drive through the BIOS physical interface (because Endpoint Encryption is
also a 32 bit platform, it unloads all BIOS drives when it finishes). This option forces
the low-level Endpoint Encryption drivers to block access to disks other than the boot
disk, meaning Windows will not detect these USB drives until the USB stack is
initialized. An alternate solution would be to unplug all USB drives before booting the
machine.

Always enable pre-boot USB support – This option forces the Endpoint Encryption
pre-boot code to always initialize the USB stack. Normally this option should not be
enabled as Endpoint Encryption will dynamically enable USB on demand.

Do Not Lock Workstation if no User is Authenticated – This option will stop the
client manager from locking the workstation after a synchronization if it finds there is
no current Endpoint Encryption user logged on, e.g. after the first synchronization
during the install or if the Endpoint Encryption user that is currently logged on is
removed.

Do Not Lock Workstation if User is Disabled – This prevents the client manager
from locking the workstation after a synchronization if the currently logged on
Endpoint Encryption user is disabled.

Encryption

Figure 7. Setting Drive Encryption 

Before a machine has first synchronized with the Object Directory, or in the case of
the properties of a machine group, the Object Directory does not know what drives
and partitions are available to be encrypted. The Endpoint Encryption Manager
provides the ability to specify any partition name and elect to encrypt it.

Once the machine has synchronized, only the partitions present on it will be shown.

You can specify one of three encryption modes – “Full” encrypts the entire partition,
“Partial” encrypts only the first 10% of the drive, “None” leaves the drive in plain text
with no security. The “Last Reported Setting” can be used to verify if the machine has
applied recent configuration changes.

The “Last Reported Setting” for a drive is the exact state of encryption the last time
the machine reported to the Database.

NOTE: Partial encryption is designed to encrypt the directory structure and file allocation table on FAT 
drives – it does not stop a competent hacker reassembling file data from the drive.  

Encryption Mode

The Encryption Mode drop-down menu lets you specify an encryption type for all drives
in a machine group:

Manually select the drives to encrypt

This option allows you to manually select the encryption type for each drive
using the Full, Partial or None buttons.

Never encrypt any drives

This option ensures no drives in the machine group will be encrypted.

Automatically encrypt all drives partially

This option will set all drives in the machine group to be partially encrypted.

Automatically encrypt all drives fully

This option will set all drives in the machine group to be fully encrypted.

Recovery key

You can boot a machine, or close the Endpoint Encryption screen saver without logging
on using the recovery process – this involves the user reading a small “challenge” of
18 characters from the machine to an administrator, then typing in a larger “response”
from the administrator. The recovery key size defines the exact length of this code
exchange. For more information see the Recovery Key chapter. A recovery key size of
“0” disables the machine recovery system.

Removable Devices

You can configure Endpoint Encryption for PC to also encrypt removable drives such as
USB/Firewire hard disks, Flash drives, etc. Normally, Endpoint Encryption for PC only
protects physically attached hard disks, for example, IDE or SCSI hard disks. This is
because Endpoint Encryption for PC is related to the machine, not the user – it is
impossible to share drives encrypted with Endpoint Encryption for PC between
different machines. If you need to share data amongst users and machines, please
consider using Endpoint Encryption for Files and Folders.

• Manually Select – Normally removable drives will not be shown in the
encryption list. Selecting this option makes them visible.

• Always Encrypt – Forces encryption of removable drives.

• Never Encrypt – Prevents Endpoint Encryption from attaching its drivers to
removable disks – this is the default option.

Users

Figure 8. Allowed Users 

You can add groups of users, and individual users, to a machine (or machine group).
Either drag and drop the user(s) from the user tree into the machine properties User
tab, or, use the “user picker” to select them. Although Endpoint Encryption supports
many hundreds of users on a single machine, we STRONGLY recommend that the
actual number of users assigned is minimized to the fewest possible. Every user added
to a machine is another possible account for a hacker to gain entry. There is no
purpose in adding entire departments of users to laptops which are used by only one
person.

Auto-boot users
Special user IDs containing the name “$autoboot$” with a password of “12345” can be
used to auto-boot a protected machine. This option is useful if an auto boot of a
machine is needed; for example, when updating software using a distribution package
such as SMS or Zenworks. These IDs should be used with caution however, as they
effectively bypass the security of Endpoint Encryption.

Any ID containing the string “$autoboot$” can be used, for example, “my$autoboot$”,
“$autoboot$123” etc.

By using more than one ID, you can improve database performance if many machines
are synchronizing the $autoboot$ account at the same time.

The process for creating an $autoboot$ user is:

1. Create the user.

2. Uncheck the Force password change at next logon.

3. Click the Devices tab.

4. Right-click the machine group (or machine, if preferred), and select
Properties.

5. Ensure the Disable checking for AutoBoot option is unchecked.

6. Ensure the Allow AutoBoot user to be managed locally and Allow
AutoBoot to be cancelled options are checked.

7. Click the Apply button to save these options.

The AutoBoot user is now ready. For further explanation of steps 5 and 6 see the
General section of the Machine Configuration Options chapter.

You can also change the default password for the $autoboot$ accounts; to do so, see
the section Autoboot.ini in Endpoint Encryption Configuration Files.

WARNING: It is quite possible to create a machine, or machine group, with no users assigned.  If this 
configuration is deployed then no one will be able to log on to that machine. To resolve this issue, use the 
recovery “boot once” procedure, add some users to the machine in question, and then synchronize it again 
to update the configuration.  

Figure 9. Client Warning Text 

Security Warning

Text displayed to the user in the Endpoint Encryption login box.

Recovery Message

Text displayed to the user when they select the “Recover” button. This may include
information such as their help desk telephone number.

Synchronization Settings

Figure 10. Synchronization Settings 

Endpoint Encryption machines try to keep their local configuration the same as their
central directory configuration; they do this by periodically synchronizing changes with
the Object Directory. The default behavior is to synchronize on boot, but further
options can be set.

Automatically Resynchronize

Endpoint Encryption tries to contact the Object Directory every specified number of
minutes. If the directory cannot be contacted, the sync sleeps until the next period.

Allow Local Resynchronization

By right clicking on the Endpoint Encryption tool tray icon, the user can force a
synchronization event by selecting the Synchronize option. This feature can be
disabled.

Resynchronize when RAS connection is detected

This option causes a synchronization event to occur if the user dials up to the internet
/ intranet. Endpoint Encryption checks for new RAS (Remote Access Service)
connections every second.

Synchronize time with directory

This option sets the local machine time to the time of the server / directory it is
synchronizing with. If the user’s machine is in a different time zone to the server, the
correct local time will be set as long as their time zone is correct.

WARNING: This option is useful when logon hour restrictions are in place – without this time check the 
user could set their system clock back to gain extra hours of machine use. 

Disable Synchronization of Files

This option stops Endpoint Encryption monitoring file group changes and deploying
updates to the remote machines.

Allow remote controlled synchronization

This option allows an administrator to initiate a synchronization event using the “Force
Sync” option. The Endpoint Encryption client sends its IP address to the Object
Directory each time it connects to enable the communication channel. The
communication port can be set between 0 and 65535. Note: The client IP will appear
in the Address field within the Synchronize settings screen of the machine’s Properties
screen.

Disable Access if not synchronized…

If a machine does not connect to its server within the specified number of days, then
all accounts will become disabled. This option prevents users continuing to use
machines offline from the Endpoint Encryption Object Database for extended periods
of time. Also, if a machine is stolen or lost, you can be assured that it will disable itself
after the timeout has passed.

Delay Sync at boot for…

You can specify an optional offset and random offset for the initial boot sync. This may
speed up the machine, and will also ensure any network load created by “9am
syndrome” is distributed over a longer period of time. A value of zero for the delay
time disables the initial synchronization.

The synchronization settings take effect once Endpoint Encryption has connected and
picked up its policy from the central object directory. You can pre-set the parameters
that Endpoint Encryption will use while it is trying to establish the initial first time
connection through settings in the file SCM.ini. More information on this file can be
found in Endpoint Encryption Configuration Files.

Files

Figure 11. Client File Groups 

Select which groups of files need to be deployed to the machine. Typically the
Endpoint Encryption Client File group is deployed, along with optional token and
language files.

Some file groups may not be displayed in the list; only file groups with the property
“Client File Sets” will be shown.

You can add your own file groups for deployment to the Endpoint Encryption Object
Database – see the following chapter for more information.

If your Endpoint Encryption user account has group permissions set, some file groups
assigned to the machine may be outside your control; in this case they will be marked
as locked groups. To gain the ability to change them, remove any “Group”
administration restrictions on your account.

Screen Saver

Figure 12. Screen Saver Properties 

Enable Secure Screen Savers

Endpoint Encryption will take control over all screen savers, providing secure
authentication services. On Windows 2000, and XP, the “Windows Logon” options also
need to be configured.

Allow user access…

This option allows the user to change the local screen saver properties.

Run screen saver if token is removed…

If the current user’s token supports dynamic removal, e.g. a smart card or eToken,
then the screen saver will be activated if they remove the token from the machine.

Set Endpoint Encryption screen saver as default

This option sets the current selected screen saver to be the Endpoint Encryption
Screen Saver.

Allow logon of administrators…

This option allows administrators with accounts on machines greater than the specified
admin level to unlock a screen saver that was locked by a different user. If this option
is not set, then only the user who locked the machine can unlock it.

Set screen saver inactivity…

This option sets the timeout period for the screen saver.

Boot

Figure 13. Boot Properties

Boot Manager

Enable Boot Manager

Switches on the built in pre-boot partition boot manager. Users can select which
primary partition on the hard disk they wish to boot.

You can control which partitions are displayed for the user to select via the file
“bootmanager.ini”. For information about this file, see the Endpoint Encryption
Configuration Files chapter of this guide.

Auto select After... seconds

This option allows you to select a period, which once it has expired, will cause the boot
manager to select the last used partition.

Graphics Mode

This menu allows you to specify the screen resolution for a machine or machines
within a group. The default option is “Default Graphics Mode” which supports
resolutions up to 1024x768. Note: if the selected mode is not supported on the
machine it will fall back to the default mode.

File Groups and Management

Figure 14. Endpoint Encryption File Groups 

Endpoint Encryption for PC uses central collections of files, called Deploy Sets, to
manage what versions of files are used on remote Endpoint Encryption clients. When
an administrator updates a file in the central directory, all machines attached to that
Deploy Set automatically collect the new version of the file from the directory the next
time they synchronize. This mechanism can be used to update Endpoint Encryption
clients to future versions, or to manage any file on an Endpoint Encryption protected
machine - for instance, updating a virus database, or a new version of an application.

You can assign multiple file sets to be used on each machine. Typically two are used,
the first for the core Endpoint Encryption files, the second for the language files. All
assigned sets are processed in the same way.

When the Endpoint Encryption Manager is installed, it automatically adds all of the
standard Endpoint Encryption administrator and client files into two core file groups:
Administration Center Files and Endpoint Encryption for PC 5 Client Files. It may
also create language sets, for example, English Language, and two INI files:
ADMFILES.INI for the administrator files (which determines the contents of the core
groups) and SBCLIENTFILESET.INI for the client files. These INI files can be edited to
allow custom collections of files to be quickly imported and then applied using the
"Import file list" menu option. For more information on ADMFILES.ini and SbClientFileSet.ini,
see the Endpoint Encryption Configuration Files chapter of this guide.

Other file sets created as standard include those to support login tokens, such as
smart card readers, and USB Key tokens.

Setting file group functions

Figure 15. File Group Content 

You can specify the function of a file group by right-clicking it and selecting its
properties. Some file selection windows, for example the file selector for machines,
only display certain classes of file group (in this example, those marked as “Client
Files”).

Importing new files


New files can be imported one by one into an existing deploy set using the "Import
files" menu option. Simply select the file. The Endpoint Encryption Manager will then
import it into the directory and add it to the deploy set. The default options for the file
mean that machines using this deploy set will NOT automatically receive a
download when they synchronize. This chapter contains further information on how to
achieve this. You can also import File Sets, for instance, to add a new option to the
Endpoint Encryption database.

Exporting Files
You can export a file group, or an individual file back to a directory. This may be
useful, for example if you have an out of date administration system driver and there
is an updated file in the Object Directory.

Deleting Files
You can delete individual files from a file set. In this case all machines that are
maintaining a link to the file through association will delete it from their local directory
at the next synchronization event.

Clients maintain a link to a particular file via its object ID, not its name. If you delete a
file and re-import it, its ID changes; clients will still delete the original and download
the new copy.

Setting File Properties


To see the properties of a file, right click on the file in question and select "Properties".
Two screens of information are available: File Information and Advanced.

The name of the file is the actual name, which will be used when deploying the file on
the remote machine. The ID is the Object Directory object ID which is used as a
reference for the file from the client PC.

The version number is an incremental version of the file. When the file is updated, the
version is incremented. This is used by the clients to check whether an update is
needed. Other information such as the name of the user who imported the file and its
size may be shown.

Figure 16. File Properties, Advanced 

File Types

Sets the type of the file.

Operating System

Because some files are only applicable to some operating system(s), the target
operating system(s) for the file must be selected. This is to prevent Windows NT
drivers being installed on Windows 98 machines, or Windows 9x registry files being run
on Windows 2000 servers.

App ID

If you are installing a file which is shared between multiple Endpoint Encryption
applications, you can specify this application’s ID. This prevents one application from
installing files shared by another.

Update

Specify when Endpoint Encryption should update the file.

Adding components to a Machine


To add new options, such as tokens, smart card readers, or other ancillary files to an
existing machine, or group of machines, simply check the desired options on their
Files tab.

Some combinations of options may be incompatible – for further information please
visit our web site, www.mcafee.com.

Using Endpoint Encryption as a File Deploy System

Endpoint Encryption’s internal file update mechanism can be used to synchronize any
file on an Endpoint Encryption protected machine.

When the Endpoint Encryption client performs synchronization, it compares its internal
file revision list with the revision of the files in the Object Directory. If any files have
been superseded (or are in the directory list but not in the local list), the Endpoint
Encryption client downloads them.

The file type assigned in the Object Directory determines what happens to a file when
it is downloaded. The action can be summarized simply:

• Endpoint Encryption Registry File: Processed into registry

• Windows Registry File: Processed into registry using RegEdit

• Pre/post Installation Executable: Copied to specified location and run either
before or after Endpoint Encryption.

• Any other file: Copied to specified location
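As an added illustration (not McAfee code) of the synchronization logic described above and in the File Groups and Management chapter, the following Python reconciles a client's local revision list against a Deploy Set: files are matched by object ID, newer directory versions and missing files are downloaded, files no longer listed in the directory are deleted, the file's target operating systems are honored, and the file type selects the client action. All object IDs, file names and the type labels are constructed for the example.

```python
from dataclasses import dataclass

# Constructed type labels standing in for the file types listed above
# (Endpoint Encryption Registry File, Windows Registry File, Pre/post
# Installation Executable, any other file) and the action each implies.
ACTIONS = {
    "ee_registry": "process into registry",
    "win_registry": "process into registry using RegEdit",
    "pre_install_exe": "copy to location and run before Endpoint Encryption",
    "post_install_exe": "copy to location and run after Endpoint Encryption",
    "other": "copy to location",
}


@dataclass(frozen=True)
class DeployFile:
    """One entry of a Deploy Set as held in the Object Directory."""
    object_id: int        # Object Directory object ID; the client's reference
    name: str             # actual name used when the file is written on the client
    version: int          # incremented every time the file is updated
    file_type: str        # key into ACTIONS
    location: str         # e.g. "[appdir]" or an explicit path
    target_os: frozenset  # operating systems the file applies to


def action_for(entry):
    """Return what the client does with a downloaded file of this type."""
    if entry.file_type not in ACTIONS:
        raise ValueError(f"unknown file type {entry.file_type!r}")
    return ACTIONS[entry.file_type]


def reconcile(local, deploy_set, client_os):
    """Compare the client's revision list with the directory's Deploy Set.

    local maps object_id -> version currently installed on the client.
    Returns the object IDs to delete, the object IDs to download, and the
    (name, location, action) the client applies to each download.
    """
    # Files targeted at other operating systems are ignored; that is what
    # the Operating System property on a file is for.
    applicable = [f for f in deploy_set if client_os in f.target_os]
    # Download anything superseded (directory version newer) or not held
    # locally at all; an unknown ID counts as version 0.
    download = [f for f in applicable if local.get(f.object_id, 0) < f.version]
    # The link is by object ID, not name: anything the client holds that the
    # directory no longer lists is removed, even if a file of the same name
    # was re-imported (which gives it a fresh ID, so it is downloaded anew).
    listed = {f.object_id for f in deploy_set}
    delete = sorted(i for i in local if i not in listed)
    actions = [(f.name, f.location, action_for(f)) for f in download]
    return {
        "delete": delete,
        "download": [f.object_id for f in download],
        "actions": actions,
    }


# Constructed sample client state: object_id -> installed version.
LOCAL_FILES = {1001: 3, 1002: 1, 1003: 1}

# Constructed Deploy Set: 1001 unchanged, 1002 updated to version 2, 1003
# deleted and message.txt re-imported as 1004, a Windows 2000-only driver,
# and a pre-installation executable for XP.
DEPLOY_SET = [
    DeployFile(1001, "clientcore.dll", 3, "other", "[appdir]", frozenset({"XP", "2000"})),
    DeployFile(1002, "settings.reg", 2, "win_registry", "[appdir]", frozenset({"XP", "2000"})),
    DeployFile(1004, "message.txt", 1, "other", r"c:\windows\desktop", frozenset({"XP", "2000", "98"})),
    DeployFile(1005, "ntdrv.sys", 1, "other", "[appdir]", frozenset({"2000"})),
    DeployFile(1006, "prep.exe", 1, "pre_install_exe", "[appdir]", frozenset({"XP"})),
]


def sample_sync(client_os="XP"):
    """Run the reconciliation for the sample client against the sample set."""
    return reconcile(LOCAL_FILES, DEPLOY_SET, client_os)


if __name__ == "__main__":
    result = sample_sync()
    for object_id in result["delete"]:
        print(f"delete local file with object ID {object_id}")
    for name, location, action in result["actions"]:
        print(f"{name} -> {location}: {action}")
```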

Example - Copying a new file to the desktop


This example shows how to set up a new text file that will be copied to the user’s
desktop when they synchronize.

Step 1. Checking the File Group settings

From the properties of the machine (or controlled machine group) you want to update,
check which file groups are assigned. The default file group is EEPC1: Endpoint
Encryption for PC 5.1.2 Client Files. You can create new file groups specifically for
your custom files and assign them to machines if you so wish.

Step 2. Adding the new text file

1. Select the file group from step 1, and then use the Import Files option (right-
click inside the File Group window).

2. Select the new file you want to import, for example, "message.txt". Once
imported, select the new file and go to its Advanced Properties box.

Because we are importing a "Known" file type, the file location will be set
automatically to [appdir]. We will override this with the location we want to send the
file to, in this case c:\windows\desktop. We also want this file to be deployed on all
operating systems, so we check all the boxes.

Figure 17. Setting the new text file permissions. 

Now, next time the machine synchronizes, it will notice the new file, and download it
into its c:\windows\desktop directory. If the file was defined as a type of Endpoint
Encryption or Windows Registry file, it would be applied. If it was marked as an
"Installation Executable", it would be run.

You can test this behavior by forcing the machine to resynchronize using either the
"Force Sync" option from the Endpoint Encryption Manager, or from the Endpoint
Encryption client tool tray Icon right-click menu.

The file "message.txt" should appear on the desktop, and the status window of the
client should reflect the change.

More information on the Endpoint Encryption file deployment mechanism can be found
in the File Groups and Management chapter.


Creating an Install Package


Endpoint Encryption client is installed by running a special archive file created from the
Endpoint Encryption Manager. This archive file contains all the components necessary
to install Endpoint Encryption.

The Endpoint Encryption Manager compresses the files needed into a single self-contained
executable for ease of management. Deploy sets can be created for machine groups and
for individual machines, for both fully online and temporarily offline situations.
This chapter deals with creating the install package; for information on how to apply it,
see the Installing, Upgrading and Removing Endpoint Encryption for PC chapter.

Selecting the Group / Machine


The first step in creating an install set is to select the object you want to create the
set for, e.g. an individual machine or a machine group. Install sets created for a
machine can only be used to install that one machine - the target PC always takes the
database entry the install set was created for. Sets created for groups of machines can
be used to install any number of machines in that group - each machine looks in the
deployed group for its name - if found it uses that object. If not, it creates a new
object based on its network name.

Select the Install Set type

Figure 18. Creating an Installation Set 

For the second step you need to determine whether you expect the machine to be
online or offline at the time of install.


Online Installs
Online installations expect the master Object Directory (the directory the administrator
is currently connected to) to be available via the LAN during the install process. Once
Endpoint Encryption for PC is installed, after the next boot, Endpoint Encryption will
contact the Object Directory and download all the configuration and object data for the
machine and users.

If a "placeholder" object for the machine name exists (a machine object created, but
not installed), it will use the configuration stored in that object. If no placeholder
exists, the machine will obtain its configuration from the machine group that the install
set was created for.

If the machine name is already used in the directory, and the existing machine is not a
“placeholder”, the new machine will append a four digit number to the end of its name
and install. For example, where a machine called “JSMACHINE” already exists, an
object “JSMACHINE0001” will be created.

NOTE: By editing the file scm.ini on the client before Endpoint Encryption is activated (i.e. after setup, 
but before the first reboot) the group can be changed.   

Offline Installs
If the machine is expected to be disconnected from the Endpoint Encryption Server
during the install, an "offline" install set can be created. In this case a "transport
directory" containing the necessary objects and configuration data will be included in
the deploy set. After local configuration, the transport directory will need to be
re-imported into the master directory before the machine can be recovered.

Selecting an Offline install mode allows the additional choice to include the "individual
objects" in the transport directory. If they are included, then all users and machines in
the set will be deployed with the transport directory (and therefore will be available
immediately, even before the machine connects back to the master directory). If they
are not included, then there will be no login prompt until the machine has performed
its first connection and brought down its user list.

NOTE: Until the transport directory containing the machine’s completed configuration is imported back 
into the master directory, no connection or configuration of the client can be performed. Also, in the case 
where the offline install set was created from a group, it will not be possible to recover the machine until it 
has successfully synchronized with its master database. In the case where the offline install set was created 
for an individual machine, or in the case of users, synchronization is not necessary for the machine to be 
recovered. 


Importing a Transport Directory


The Transport directory is a file called sbxferdb.sdb, and can be found in the
directory the Endpoint Encryption client is installed into. To import the details in this
directory back into the master, select the machine group you want to contain the
entries, and use the Import Machines right-click option. This brings the keys and
configuration from the machine into the master database, giving the ability to
synchronize with, reconfigure, and recover the machine.

Summary of Offline Install set contents


Machine Group Sets
An Install set created from a machine group can contain the following items:

• The Machine Group object.

• User objects assigned to the group, and user objects assigned to machines in
that group.

If the group contains machines, the following items are included in the set:

• Individual Machine objects (live or placeholder).

• User objects assigned to the individual machines.

Individual Machine Sets


The following items are included:

• The machine object.

• Users assigned to that machine.


Select the Master Directory

Figure 19. Selecting the Master Object Directory 

Step 3 involves selecting the final Object Directory that the new client will
communicate with to synchronize configuration details. The default is the directory
that the administrator is currently using, but it could be any directory the administrator
has access to. Usually the clients will access the Object Directory via an Endpoint
Encryption Server, rather than locally.

Connections via an Endpoint Encryption Server have the category type called Remote.
You can specify multiple connection points for machines, if you have more than one
server defined.

You can also change the order that the client will look for servers, and enable
automatic random selection of servers by using the wizard.

NOTE: For information on setting up an Endpoint Encryption Server, see the Endpoint Encryption Manager 
Guide. 


Set install options and create the set

Figure 20. Saving the Install Set 

In Step 4, you specify the location the completed install file will be saved to, and
the directory on the client you wish Endpoint Encryption to be installed into.

Two options for the "visibility" of the set-up process can be set. Silent installs, for
example, do not give the user any visible display of the install process and are used in
automatic deployment environments, such as Microsoft SMS.

After the install file has been run on a client machine, it needs to be restarted before
Endpoint Encryption can be activated. An automatic restart option is included;
however, be aware that if “perform installation silently” and “automatically restart
machine” are both enabled, the machine will restart with no user intervention. This may
cause users to lose work, for example, if they have open documents when this
process occurs.


Installing, Upgrading, and Removing Endpoint Encryption for PC

Running an “Install Package” created by the Endpoint Encryption administrator on the
target machine enables and installs Endpoint Encryption for PC.

For information on creating install packages see the Creating an Install Package
chapter.

Offline Package Installs


Create the install file as per the Creating an Install Package chapter, selecting Offline
install and including the users and machines required. Run the package on the target
client and let it reboot.

Once restarted, you must retrieve the file sbxferdb.sdb which needs to be imported
back into the master directory. For information on this procedure see the Creating an
Install Package chapter.

Once the transport directory has been imported into the master database, if there is a
network connection between the client and an Endpoint Encryption Server, you will be
able to remotely manage the machine. If you do not retrieve the transport directory,
then you will not be able to recover or reconfigure the machine.

If your machines are unable to connect to the master database after install, for
example because you are working in a permanently disconnected environment, you may
want to retrieve the .sdb file AFTER encryption has finished; the status of encryption
will then be properly reflected in the master database. In the case of machines which
connect to the master database after an offline install, this property will be automatically
updated during the sync process.

Online Package Installs


Create an Online install package as per the Creating an Install Package chapter.
Simply run this file on the target machine(s). Once they have installed and rebooted,
they will contact one of the Endpoint Encryption Servers specified and create their
directory entries.

Removing / Uninstalling Endpoint Encryption Client


You can specify four modes of operation for Endpoint Encryption in the machine’s
General properties page. For full details of these modes, see the General section.


To disable Endpoint Encryption, i.e. put it into a mode where it is applying no
protection but can be easily re-enabled, set the machine status to Disable. You can
then at a future time set the status to Enable and Endpoint Encryption will re-apply
the protection specified.

To completely remove Endpoint Encryption, select either Remove or Remove and
Reboot; the Endpoint Encryption Client will perform the action after the next
synchronization event.

Upgrading Endpoint Encryption from previous versions.


Where 5.x is mentioned, Endpoint Encryption version 5.1 and above should be
assumed.

Upgrading Endpoint Encryption 4.2 Clients to 5.x


Please see the Endpoint Encryption Update and Migration Guide.

Upgrading existing 5.x clients to a later service pack or patch version

To upgrade between service pack or patch levels, for example, from v5.0 to v5.1 you
can create a new file set in the Endpoint Encryption Object Directory.

1. Update your database and administration system as described in chapter 8 of
the Endpoint Encryption Manager Administration Guide.

2. Create a new file group for the new 5.x files.

3. You have to set the File Group Properties to Client files to have it available
under the Files section in the machine properties. Therefore right-click the file
group, choose Properties > Content and check the Client Files box. In the
case of new language file groups you need to check both Client Files and Language
as properties.

4. Right-click the new group and select Import File Set. Select the file
SBClientFileSet.ini from the administration system directory (usually
c:\program files\sbadmin).

5. Deselect the Endpoint Encryption 5.x Client Files file set from the
machines you wish to upgrade, and select Endpoint Encryption 5.1x Client
Files instead. During the next synchronization, the machine will download the
latest files and code and apply the upgrade.

WARNING: The deselection of all old Endpoint Encryption file groups and the selection of all new 
Endpoint Encryption file groups MUST be done at the same time, e.g. if you deselect the Endpoint 
Encryption 4.x Client Files and the English (British) KB/Language file group without selecting the new 
Endpoint Encryption 5.x Client File groups then you risk corrupting your client. 

If you have other options selected, such as the File Encryptor, or Token modules, be
sure to also deselect the v4 modules, and select the appropriate 5.x versions of these
as well.

6. For each machine you want to upgrade, deselect the machine’s current client
file set, and select the new 5.x file set you created in step 2.

Removing Endpoint Encryption 5.x from a machine


1. Set Endpoint Encryption to either Remove or Remove and Reboot from the
machine’s General properties. The next time the machine synchronizes with
the database it will remove all encryption and authentication; it will then
uninstall the Endpoint Encryption program files. If you simply want to disable
the Endpoint Encryption protection, set the Client to Disable instead.

If the machine is unable to synchronize, perhaps because of a network or Windows
issue, you can still remove Endpoint Encryption by performing an emergency SafeTech
removal followed by the Sbsetup -Uninstall command from the Endpoint
Encryption program files directory.



Client Software
The Endpoint Encryption Client connects to its Object Directory, or configuration store,
which may be on the same machine, a network drive, or, via the Endpoint Encryption
Server. It does this every time the machine boots and optionally at set time intervals
or when a RAS session is initiated.

Once connected to the directory, the Endpoint Encryption client uploads the latest
audit and password changes to the directory, and if necessary downloads any
configuration changes specified centrally.

The Tool Tray Icon


The only user-visible part of Endpoint Encryption is the “Endpoint Encryption Monitor”
icon in the user’s tool-tray. By double-clicking the icon users can start the system
screen saver (which may be protected by Endpoint Encryption). By right-clicking it
they can select one of four actions.

Activate Screen Saver


The default action when the Endpoint Encryption tray icon is clicked is to bring up a
password protected screen saver.

Show Status
The configuration process within Endpoint Encryption is largely transparent to the
user. The only evidence of Endpoint Encryption working can be found from the status
menu available from Endpoint Encryption's tool tray icon.

Figure 21. Endpoint Encryption Client Status Window 

The Status window displays any on-going configuration tasks (such as encryption
processes) and status messages from the last directory connection.


Synchronize

Endpoint Encryption tries to establish a connection with its directory during the boot
process. In a situation where the directory is unavailable at boot, for example a notebook
user who connects via dial-up networking, the user can establish a connection at
any time and select the Synchronize option to connect to a remote directory and
collect / upload changes.

For details of the supported functions within the Endpoint Encryption client, please see
the User and Machine configuration sections in the Endpoint Encryption Manager
Administration Guide, and also this guide.

Client Auditing
User events are audited locally and then transferred to the Object Directory as part of
the synchronization process. For more information on the events tracked see the
chapter on Auditing.

Boot and Logon Process


The Endpoint Encryption for PC boot screen allows the user to select a login method
(one of the available tokens), and then provide authentication credentials such as a
user id and password. If the user can provide the correct details, the Endpoint
Encryption boot code starts the transparent hard drive decryption process, loads the
original MBR and executes it.

When the operating system starts, the Endpoint Encryption Configuration Manager
(SCM) runs and performs a logon to the operating system (if SSO is enabled). It then
attempts to contact the Object Directory using the Directory Manager (this can be
local, or remote via an Endpoint Encryption Server) and re-validates the user against any
changes that have been made since the last validation. Following this, SCM
downloads and applies any configuration updates. This could include new user
accounts.

If the Object Directory validation is successful (i.e. no administrator has deleted or
disabled the user’s account) the Windows startup completes, and the Endpoint
Encryption icon is loaded into the tool tray to allow the user to run the screen saver,
validate with the server, display status etc.

After a period of inactivity or a power event, SCM activates the screen saver locking
the user.

If the user logs out of the operating system, they may be required to authenticate to
Endpoint Encryption when they log back into Windows.


Endpoint Encryption Screen Saver


The Endpoint Encryption for PC Client includes a simple logo screen saver. You can use
any screen saver written to the Microsoft Screen Saver standards on the system;
Endpoint Encryption will still protect its logon using the standard Endpoint
Encryption logon window.

NOTE: You can change the logo displayed in the screen saver by adding a file called “logo.bmp” to the 
Windows directory. You can also deploy logo.bmp using the File Update technology built into Endpoint 
Encryption. You may find extra graphics on your Endpoint Encryption CD in the “tools” directory. 

Users can start the screen saver through any of the normal Windows mechanisms, or
by double-clicking on the Endpoint Encryption tool tray icon.

Windows Sign-On and Logon Mechanisms.


Endpoint Encryption includes many options to reduce the numbers of passwords users
have to remember. These options are used to ensure that when the user changes their
Windows password, their Endpoint Encryption password is changed to the same. This
happens without user interaction.

Changing the Password


The Endpoint Encryption for PC password can only be changed in the pre-boot
environment. To change the password:

1. Restart the PC.

2. Enter the current user ID and password in the login dialog.

3. Tick the change box, and click OK.

4. Follow the on-screen prompts to change the password.

Section 508: Logon Accessibility


US Section 508 legislation requires that information technology be accessible to people with
disabilities. To comply with Section 508, the pre-boot logon needs to be accessible to blind or
partially sighted people.

There are a limited range of sounds which enable access to the basic logon. Other
options, e.g. About and Recovery screens are not accessible.

As the user tabs (or shift-tabs) between controls, the pre-boot logon emits various beep
sequences to indicate where they are. Other beep sequences are used when an
error is displayed, when password timeouts are displayed and when a logon is
successful.


The sequences are:

User name field: beep

Password field: beep-beep

Change password checkbox: beep-pause-beep

OK button: beep-pause-beep-beep

Cancel button: beep-pause-beep-beep-beep

Token selection list: beep-beep-beep-beep

Error: beep-pause-beep-beep-pause-beep

Password timeout: beep-beep-beep-beep-beep

Logon successful: beep-beep-beep


Windows Sign-on and SSO


Endpoint Encryption can ease the logon process for users by doing the Windows logon
for them, as well as taking responsibility for screen saver logons and re-logon
requests. The features available can be configured by clicking on the “General” icon of
a machine or machine group object.

Windows Logon Features


Require Endpoint Encryption Logon – Endpoint Encryption takes control of the
normal windows logon screen, and screen saver logon. Users will be prompted for
their Endpoint Encryption credentials rather than their Windows Credentials.

Attempt automatic Windows Logon – Endpoint Encryption tracks the user’s
Windows id, password and domain, and presents these automatically to Windows logon
boxes. This mechanism means once the user has authenticated to Endpoint Encryption
at the boot screen, they do not need to enter any more passwords for Windows.

If the user’s Windows id and password are different from their Endpoint Encryption id
and password, Endpoint Encryption stores the windows credentials the first time they
are used. It may take two boots before the single sign on becomes active.

Require Endpoint Encryption re-logon – If the user logs out of Windows,
Endpoint Encryption will control the login box for the next login.

Automatically logon as boot user – If there are no stored Windows credentials for
the user, Endpoint Encryption tries to login to Windows with the user’s Endpoint
Encryption credentials.

Endpoint Encryption logon component always active – If selected, the Endpoint
Encryption login component is kept active on the machine even if all the other options
are disabled. This means that it can be reactivated mid-session during synchronization
with the Object Directory. If all options are deactivated, the Endpoint Encryption logon
component can only be reactivated after a reboot.

Set Endpoint Encryption Password to Windows Password – If the Windows and
Endpoint Encryption login passwords differ, users will be prompted to set the Endpoint
Encryption password to the Windows password. This option also captures the Windows
Change Password event, and again sets the user’s Endpoint Encryption password to
match.

If you are using this option, it is important to ensure that the password template and
quality rules in Endpoint Encryption are identical to, or more lenient than, those in
Windows; otherwise a failed password change may occur and the user will be reset to
“12345”.

Must Match Windows User Name – This option ensures the SSO details are only
captured in the situation that the user’s Endpoint Encryption and Windows IDs match.
If they are different, no SSO details will be stored.

How Windows Logon works


Endpoint Encryption intercepts the Windows Logon mechanism, using a “Pass through
Shim Gina” on Windows NT, 2000 and XP, and a Credential Provider on Vista. On
Windows 2000, and XP operating systems a custom .ini file (SBGINA.INI) is used to
help Endpoint Encryption analyze the logon screen and paste the credentials into the
correct boxes on screen.

In Windows Vista, Microsoft replaced the original MSGINA (Graphical Identification
and Authentication) with a new method called Microsoft Credential Provider. Endpoint
Encryption has modified the Single Sign On architecture and implemented a Credential
Provider to communicate with Windows. Each of the Endpoint Encryption
Tokens is displayed as a potential logon method. If you log on to Endpoint Encryption, you will be
asked for your Windows credentials only the first time, and Endpoint Encryption will
store the Windows credentials securely within Endpoint Encryption. On subsequent
logon events, Endpoint Encryption will use the stored Windows credentials to log on.

You can find out more about Microsoft Vista Credential Providers from the Microsoft
MSDN Website:

http://msdn.microsoft.com/msdnmag/issues/07/01/CredentialProviders/default.aspx

For more information on Endpoint Encryption ini files, see the Endpoint Encryption
Configuration Files chapter of this guide. Also, see the SBGina.ini section of the Endpoint
Encryption Configuration Files chapter of this guide if you wish to enable smartcard
based Single-Sign-On to Microsoft Windows. Note: this feature is not supported under Vista.

First Boot
The first time a user starts their newly Endpoint Encryption protected machine,
Endpoint Encryption authenticates them at boot time. If successful, the operating
system starts.

Normally they would next be presented with a Windows logon. If the Endpoint
Encryption Windows Logon architecture is fully activated, Endpoint Encryption will
automatically present the user’s stored SSO id and password to Windows. If these
details are accepted, Endpoint Encryption stores a record of these credentials in a
special encrypted area of the user’s profile. If Windows rejects the SSO credentials, for
example because they have not been set, Windows displays the standard login box and the
user is forced to enter their Windows id and password.

Again, once a valid login has taken place, Endpoint Encryption stores the correct
credentials in the user’s encrypted profile, which are uploaded to the central Object
Directory on the next synchronization.

Second Boot
The second and subsequent times the user starts the machine, they login to the
Endpoint Encryption boot screen, then Endpoint Encryption supplies the stored
Windows credentials to the Windows login box.

Failed Windows Password


If or when the Windows logon credentials become invalid, for instance if the user
changes their Windows password on another system, or has it reset by an
administrator, the automatic login will fail and the standard Windows login box will
appear. Once again, once a successful login has occurred, the correct details are
stored encrypted in the user profile and uploaded on synchronization with the central
Object Directory.

Re Logon
If a user chooses to “log off” windows, they would normally expect to see the standard
Windows logon box. Endpoint Encryption takes control of this in the same way as the
initial logon screen, forcing the next user to login with their Endpoint Encryption
credentials.

If a user wants to log on to Windows using a different account than their stored
credentials, they simply cancel the default login window, then clear the “Automatically
logon to Windows” box.

Once cleared, simply select the token you want to login with.

Setting and Changing a user’s SSO details


You can pre-set or change the SSO details associated with a user by right-clicking
their object and selecting “Set SSO Details”.


Auditing
Introduction
Endpoint Encryption for PC audits user, machine, and server
activity. By right-clicking on an object in the Endpoint Encryption Object Directory, you
can select the view audit function.

Audit trails are uploaded to the central directory each time a machine synchronizes.
Until that time the audit is cached internally in the encrypted Endpoint Encryption file
system. In SB4.1.1 and above, the last 3000 entries are cached locally; when the
limit is reached the oldest 300 entries are culled. The local audit will retain
approximately 2 years of normal operation before culling begins.

The permission to view or clear an audit log can be controlled on a user or group
basis. Both the administration level and administration function rights are checked
before allowing access to a log. For more information on setting these permissions see
chapter 12.

Audit trails can be exported to a CDF file by using the “Audit” menu option, or by
right-clicking the trail and selecting “Export”. Also, the entire audit of the directory can
be exported using the “SBAdmCL” tool. For information on this option please contact
your Endpoint Encryption representative.

The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely,
but can be cleared en masse using SBAdmCL.

Common Audit Events


The text displayed in the audit log will depend on your localization and language
settings. The following table lists the common events and their ID codes for the
American English version of Endpoint Encryption. Many events can appear at multiple
places, for example the “Login Successful” event will be logged both in the user
account doing the login, and the machine being logged into simultaneously.

Information Events

Description                       Event
Audit cleared                     01000000
Boot started                      01000001
Boot complete                     01000002
Booted non-secure                 01000003
Backwards Date Change             01000005
Booted from floppy                01000004
Token battery low                 01000010
Power fail                        01000011
A virus was detected              01000013
Synchronization Event             01000014
Crypt Start                       01000015
Crypt End                         01000016
Add group                         01000082
Add object                        01000083
Delete group                      01000084
Delete object                     01000085
Import object                     01000086
Export object                     01000087
Export configuration              01000088
Update object                     01000089
Import file set                   01000090
Create token                      01000091
Reset token                       01000092
Export key                        01000093
Recover                           01000094
Create database                   01000095
Reboot machine                    01000096
Move Object between groups        01000098
Rename Object                     01000099
Server started                    010000C0
Server stopped                    010000C1

Table 1. Information Audit Events 

Try Events

Description                       Event
Logon attempt                     02000001
Change password                   02000002
Forced password change            02000003
Recovery started                  02000016
Database logon attempt            02000081
Logon successful                  04000001
Password changed successfully     04000002
Boot once recovery                04000016
Password reset                    04000017
Password timeout                  04000018
Lockout recovery                  04000018
Change token recovery             04000019
Screen saver recovery             0400001A
Database logon successful         04000081
Logon failed                      08000001
Password change failed            08000002
Password invalidated              08000005
Recovery failed                   08000017
Database logon failed             08000081
Machine configuration expired     Undefined
A virus was detected              Undefined

Table 2. Try Audit Events 

Succeed Events

Description                       Event
Logon successful                  04000001
Password changed successfully     04000002
Boot once recovery                04000016
Password reset                    04000017
Password timeout                  04000018
Lockout recovery                  04000018
Change token recovery             04000019
Screen saver recovery             0400001A
Database logon successful         04000081

Table 3. Succeed Audit Events 

Failure Events

Description                                          Event
Logon failed                                         08000001
Password change failed                               08000002
Password invalidated (too many incorrect attempts)   08000005
Machine configuration expired                        08000012
Recovery failed                                      08000017
Database logon failed                                08000081

Table 4. Failure Audit Events 
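An added Python example, not part of this guide or the product, that classifies exported audit events by the category carried in the high byte of the IDs tabulated above (01 information, 02 try, 04 succeed, 08 failure) and flags the patterns a helpdesk or SOC would review: repeated logon failures, password invalidation, audit clearing and non-secure boots. The one-event-per-line export layout is an assumption, since the CDF layout is not documented here, and the sample lines are constructed.

```python
# Added example (not McAfee's code). The export line format
# "YYYY-MM-DD HH:MM:SS,object,hex_event_id,description" is assumed; the
# sample lines are constructed. Event codes come from Tables 1-4 above.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# The high byte of the 32-bit event ID carries the category.
CATEGORY_BY_HIGH_BYTE = {0x01: "information", 0x02: "try",
                         0x04: "succeed", 0x08: "failure"}

EV_AUDIT_CLEARED = 0x01000000
EV_BOOTED_NON_SECURE = 0x01000003
EV_BOOTED_FROM_FLOPPY = 0x01000004
EV_LOGON_FAILED = 0x08000001
EV_PASSWORD_INVALIDATED = 0x08000005


class AuditEvent(NamedTuple):
    when: datetime
    obj: str          # user or machine object the event was logged against
    event_id: int
    description: str

    @property
    def category(self) -> str:
        return CATEGORY_BY_HIGH_BYTE.get(self.event_id >> 24, "unknown")


def parse_audit_export(text: str) -> List[AuditEvent]:
    """Parse the assumed export layout; blank lines and '#' comments are skipped."""
    events: List[AuditEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        when, obj, event_id, description = line.split(",", 3)
        events.append(AuditEvent(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                                 obj, int(event_id, 16), description))
    return events


def count_by_category(events: List[AuditEvent]) -> Dict[str, int]:
    """How many information / try / succeed / failure events the export holds."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        counts[ev.category] += 1
    return dict(counts)


def review_findings(events: List[AuditEvent], max_failures: int = 3,
                    window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Return findings worth a second look, in time order."""
    findings: List[str] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        if ev.event_id == EV_LOGON_FAILED:
            # keep only failures inside the sliding window, then add this one
            kept = [t for t in recent_failures[ev.obj] if ev.when - t <= window]
            kept.append(ev.when)
            recent_failures[ev.obj] = kept
            if len(kept) == max_failures:
                findings.append(f"{ev.obj}: {max_failures} failed logons within {window}")
        elif ev.event_id == EV_PASSWORD_INVALIDATED:
            findings.append(f"{ev.obj}: password invalidated (lockout) at {ev.when:%H:%M:%S}")
        elif ev.event_id in (EV_BOOTED_NON_SECURE, EV_BOOTED_FROM_FLOPPY):
            findings.append(f"{ev.obj}: non-secure boot recorded ({ev.description})")
        elif ev.event_id == EV_AUDIT_CLEARED:
            findings.append(f"{ev.obj}: audit log cleared at {ev.when:%Y-%m-%d %H:%M:%S}")
    return findings


# Constructed sample export: three quick failures followed by a lockout for one
# user, and a machine that booted without pre-boot authentication.
SAMPLE_EXPORT = """\
# constructed sample, not real data
2010-03-01 08:00:01,JSMACHINE,01000001,Boot started
2010-03-01 08:00:05,jsmith,02000001,Logon attempt
2010-03-01 08:00:06,jsmith,08000001,Logon failed
2010-03-01 08:00:20,jsmith,08000001,Logon failed
2010-03-01 08:00:41,jsmith,08000001,Logon failed
2010-03-01 08:01:02,jsmith,08000005,Password invalidated
2010-03-01 08:03:00,JSMACHINE,01000003,Booted non-secure
2010-03-01 09:15:00,jsmith,04000001,Logon successful
"""

if __name__ == "__main__":
    sample_events = parse_audit_export(SAMPLE_EXPORT)
    print(count_by_category(sample_events))
    for finding in review_findings(sample_events):
        print(finding)
```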


Recovering Users and Machines


You can recover users using the Endpoint Encryption Manager, WebHelpdesk, or the
procedure documented below. For information on recovery via the Endpoint Encryption
Center WebRecovery and WebHelpdesk options, please see the Endpoint Encryption
Manager Administration Guide.

Warning: Recovery cannot be used for resetting or changing the pin codes of smart cards.  

Offline Recovery
Resetting a remote user’s password or replacing their logon token if it has been lost
requires a challenge/response procedure to be followed. The user starts their machine,
cancels any logon dialogues that may appear; they must then click Options in the
bottom left-hand part of the screen followed by the Recovery option from the menu.
This process can be used at the boot screen, Windows logon, or screen saver logon.

 
Figure 22. The user selects Machine Recovery or User Recovery 

After (optionally) entering their user name, a set of codes is displayed on the user’s
screen. The user needs to telephone their helpdesk and read the codes to the
administrator. The user code is time based, and unique to the user and machine.

Figure 23. Starting the recovery process 

The administrator must log into the Endpoint Encryption Manager and select any
machine group. This activates the Recovery button on the toolbar and the top menu.
The administrator then clicks the Recovery button. Note: there is no need to find the
correct user beforehand.

The administrator is prompted to enter the user code in the wizard. If the code is
correct, and the administrator has sufficient access rights to recover the user (based
on their level and group memberships), they are given the opportunity to check the
user's profile. The administrator should use this opportunity to validate the caller by
asking questions based on the hidden information stored in the account. Only if the
caller answers correctly should the helpdesk allow the user's password to be reset.

If the administrator is happy that the user on the telephone is legitimate, they can
proceed with the next step in recovery.

Figure 24. Selecting the recovery option 

The administrator selects the option they want to perform. If a user name was entered,
a user recovery proceeds; if no user name was entered, a machine recovery can be
performed.

Boot Once - The machine boots with no user logged in.

Unlock Screen Saver – The screen saver is cleared.

Reset the user's password – The user's password is reset to the token default; the
user can then change it to a new password. This option will not function if the user
is disabled due to too many invalid passwords; to resolve that, see "Change the
user's token to" below.

NOTE: Some tokens do not support password resets through Endpoint Encryption, examples of this include 
the DataKey Smartcard, RSA Smartcard, and Aladdin eToken Pro. For information on how to reset the 
password on these devices contact the appropriate manufacturer.  

To recover an Endpoint Encryption user who has forgotten their password in this case, either issue them 
with a new token, or temporarily switch them to use a password using the “Change Token” recovery option. 

Unlock a disabled user – If a user account is marked as disabled in the object
database, it can be temporarily activated using this option. When the machine
synchronizes with the Object Directory, the account will be re-disabled if their security
profile in the Directory still indicates this.

Create Token – If supported by the token, this option allows administrators to
remotely create a new token for the user to replace a lost one. The Endpoint
Encryption Password login always supports remote recreation. For further information
on other tokens see the Using Tokens with Endpoint Encryption for PC guide.

Change the user’s token to – Changes or resets the user’s token to the one
specified. The administrator needs to have pre-generated the token for the user. If a
user has invalidated their password account through too many invalid attempts,
changing their token to “password only” recreates their “soft token” and allows them
to enter the default password again.

WARNING: If you change a user’s token using this method, remember that next time their machine 
synchronizes with the Endpoint Encryption directory, their token will be set to whatever is specified in their 
user properties stored currently in the database. If you want the change to be permanent remember to set 
their token type in the user properties window. 

Figure 25. User’s recovery code 

The final step is to read the recovery code back to the user. The length of this code is
controlled by the token recovery key size set in the user's "token" properties or, in
the case of a machine, by the recovery key size set in the encryption properties.

The user enters the code line by line into the pre-boot dialog. Each line carries a
checksum, so a mistyped line can be detected before the whole code is accepted.
Once the complete code has been entered, the selected action occurs.

Local Recovery
The Local Recovery option allows the user to reset a forgotten password by answering
a set of security questions.

The full list of security questions is set by the administrator using the Endpoint
Encryption Manager. Note: Endpoint Encryption contains a generic set of questions.

When the user first sets up their local recovery feature they will be prompted to select
a number of questions and provide the answers to them. These form the basis for
their local self recovery feature.

Setting Local Recovery for a user name or user group
Using Endpoint Encryption Manager, the administrator assigns the local recovery
option to the user’s logon, or, to a user group. The local recovery options are available
from the user logon or group Properties screen. See below.

Figure 26 ‐ Setting the Local Recovery options 

Enable Local Recovery

Selecting this check box will set Local Recovery for the specified user or user group.

Require ? questions to be answered

This option determines how many questions the user must select to perform a Local
Recovery.

Allow ? logons before forcing user to set answers

This option determines how many times a user can logon without setting their Local
Recovery questions and answers.

Add

The Add button will load the Local Self Recovery Question dialog box and allow you
to create a new question. You can also specify the language that question should be in
and the minimum number of characters the user must specify when configuring the
answer to this question.

Remove

The Remove button will remove a selected question from the list.

Edit

The Edit button will allow you to edit the configuration of a selected question.

Apply

The Apply button will save any changes that have been made.

Restore

The Restore button will undo your changes and restore the Local Recovery options to
the previous settings (providing you have not clicked the Apply button).

User Local Recovery Procedures
Configuring your Local Recovery Questions
The Local Recovery option allows the user to reset a forgotten password by answering
a set of security questions. The user must configure these questions, i.e. provide the
answers to a selected set of questions. In the event that the user forgets their
password they can run a local self recovery to gain access to their machine.

When the user logs on, they will be prompted to specify a set of questions and
answers; this exercise is performed once only.

1. Enter your username and password at the logon screen.

2. From the Local Recovery Enrollment screen, select a question from the
drop down list.

3. Enter the answer to the question into the Answer box.

4. Click Next.

5. Repeat this process until you have answered all the questions. Note: the
Endpoint Encryption administrator will determine how many questions you
need to answer.

6. When you have answered all the questions click the Finish button. Local
Recovery is now set.

Performing a Local Recovery
These are the steps the client user must follow to perform a local self recovery.

1. At the preboot screen, cancel the Endpoint Encryption Logon.

2. Click the Options button on the preboot screen.

3. Click Recovery from the menu followed by Local Recovery.

4. Enter your username into the User name field and click Next.

5. Enter the answer to each question in turn, clicking the Next button to move
forward.

6. Enter a new password and confirm it.

7. Click the OK button to complete the process.

8. Select the Password Only Token option from the preboot screen.

9. Enter your username and new password to logon.

Online Recovery
If a user's machine is online when they forget their password or lose their token,
simply create a new token for them in the Endpoint Encryption directory and force a
sync of their machine to apply the change.

You can reset a user’s password by simply generating a new password token for them.

Trusted Applications
Endpoint Encryption's client can restrict which applications and code users are
allowed to run. Using this mechanism you can block a few users from certain
applications, or prevent users from running any application that is not pre-defined.

You can apply untrusted control, for example to prevent access to pre-defined tools
such as "regedit.exe" for all but administrators. With untrusted control, unknown
applications are allowed to run and known (listed) applications are blocked. You can
also apply trusted control, where ONLY pre-defined code can run and unknown code
is blocked. This is useful, for example, when you want to lock down an entire build
image so that users cannot run any application other than the ones distributed in the
"gold build".

Endpoint Encryption application control takes effect once a user has logged into
Windows; it does not affect code run while the operating system is booting. To
prevent applications and code being run at that stage, Endpoint Encryption
recommends using the appropriate operating system security settings, for example
disallowing device driver updates.

Hash Sets
The first step in applying application control to Endpoint Encryption users is to create
sets of "hashes" for the code modules using the Endpoint Encryption Hash Generator
(see the Hash Generator chapter).

A hash set contains a hash of the contents of each file in the scope of the set. This
guide also calls the hash the file's digital signature, but it is a content hash (MD5,
see the Hash Generator chapter), not a keyed signature. Files with different contents
are intended to have different hashes; note, however, that MD5 is no longer collision
resistant, so two different files with the same MD5 hash can be constructed
deliberately. When Endpoint Encryption applies control to applications, it calculates
the hash of the code (.exe file, .dll etc.) that the user is trying to run and compares it
to the list of hashes applied to the user. The actual location of the code does not
matter, only its content: if a user moves a restricted application to another directory,
it is still blocked, and equally a renamed copy of a trusted file stays trusted while any
modified copy does not.

After creating a hash set for the files or directories containing the sample code
modules, create an "Endpoint Encryption Hashes Group" in the Endpoint Encryption
database to contain them. Within the group, create new hashes objects to hold the
hash sets you created.

Figure 27. Hash Group 

Hash Set Properties
General
Hash Count

Displays the number of file hashes stored in this object. You can remove duplicates
using the File Hashes/Compact function.

Description

A text description of this hash set – for example its source.

File Hashes
Import

Allows you to import one or many hash sets created with the Endpoint Encryption
Hash Generator into this hash object.

Export

Saves the contents of this hash object as a hash set.

Compact

Removes duplicate entries from this hash object – As Endpoint Encryption Application
Control is driven by the hash (or digital signature) of a file, not its location, only one
entry per file is required.

Remove

This option removes a single file entry from this hash object.

WARNING: You can add entries only by importing hash files. 

Using Hash Sets
After creating hash sets, you can assign both hash objects, and hash groups to users
through their “application control” properties.

You can specify one of two modes of application control – “Untrusted” and “Trusted”:-

Untrusted
In the case of untrusted control, if the hash is known then the code is prevented from
running.

Trusted
In the case of trusted control, if the code is known it is allowed to run, whereas all
unknown code is blocked.

These options can be summarized in the following table:

                                 Known Applications    Unknown Applications
Untrusted Application Control    Optionally Blocked    Allowed
Trusted Application Control      Allowed               Optionally Blocked

Table 5. Trusted Application Logic

You can also set whether to actually block the untrusted code, or to simply log it for
future analysis – this option (log with no blocking) is useful when debugging hash sets
which do not block appropriately.

Hash Generator
Introduction
Endpoint Encryption Hash Generator creates “Hash Sets” for use with the application
control feature of Endpoint Encryption. For more information on application control,
see the Using Hash Sets section.

The generator creates MD5 hashes of the selected files and packages them into an
Endpoint Encryption hash set (HSH file).

Using Hash Generator

Open the Hash Generator by selecting Start > McAfee > Endpoint Encryption
Manager > Endpoint Encryption File Hash Generator.

After selecting the output file name, add the files (or folders) you want to include in
the hash set. Finally, select Hash – the specified HSH file will be generated.

The progress window shows the activity. Once completed, you can import the resultant
hash set into your Endpoint Encryption directory.
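
The decision logic of Table 5, together with the content-only (location-independent)
matching described under Hash Sets, as an added example in Python. This is not
McAfee code: the HSH file format is not documented on this page, so the hash set is
modelled as a plain set of MD5 hex digests, and the sample "files" are constructed
byte strings standing in for .exe/.dll contents. Only the use of MD5 and the
trusted/untrusted/log-only semantics come from the guide.

```python
# Added example (not McAfee's code): hash-set application control in the
# terms of Table 5.  The HSH file format is not documented here, so a hash
# set is modelled as a Python set of MD5 hex digests (an assumption), and
# the "files" below are constructed byte strings, not real executables.
import hashlib
from typing import Dict, Set

# Constructed sample "gold build": path -> file contents.  Two paths hold the
# same bytes to show that the hash set keeps only one entry for them.
GOLD_BUILD: Dict[str, bytes] = {
    r"C:\Program Files\App\app.exe":    b"MZ...app build 1.0...",
    r"C:\Program Files\App\helper.dll": b"MZ...helper 1.0...",
    r"C:\Temp\app-copy.exe":            b"MZ...app build 1.0...",  # duplicate
}
# Constructed tool that untrusted control should keep from non-administrators.
ADMIN_TOOLS: Dict[str, bytes] = {
    r"C:\Windows\regedit.exe": b"MZ...regedit...",
}


def file_md5(data: bytes) -> str:
    """MD5 hex digest of a file's contents: the value one hash set entry holds."""
    return hashlib.md5(data).hexdigest()


def build_hash_set(files: Dict[str, bytes]) -> Set[str]:
    """Hash every file the way the Hash Generator does, keyed on content only.
    Duplicate contents collapse to one entry (what the Compact function does)."""
    return {file_md5(content) for content in files.values()}


def decide(mode: str, hash_set: Set[str], data: bytes, block: bool = True) -> str:
    """Return 'allow', 'block' or 'log' for a code module with contents `data`.

    mode 'trusted':   known hashes run; unknown code is (optionally) blocked.
    mode 'untrusted': known hashes are (optionally) blocked; unknown code runs.
    block=False is the log-only setting: a module that would have been blocked
    is reported and still allowed, which is how a mis-built hash set is debugged.
    """
    known = file_md5(data) in hash_set
    if mode == "trusted":
        would_block = not known
    elif mode == "untrusted":
        would_block = known
    else:
        raise ValueError("mode must be 'trusted' or 'untrusted'")
    if not would_block:
        return "allow"
    return "block" if block else "log"


if __name__ == "__main__":
    gold = build_hash_set(GOLD_BUILD)            # two entries, not three
    blocked_tools = build_hash_set(ADMIN_TOOLS)
    moved = ADMIN_TOOLS[r"C:\Windows\regedit.exe"]  # same bytes, any path
    print(len(gold), decide("trusted", gold, GOLD_BUILD[r"C:\Program Files\App\app.exe"]))
    print(decide("trusted", gold, b"MZ...malware..."))              # block
    print(decide("untrusted", blocked_tools, moved))                 # block
    print(decide("untrusted", blocked_tools, b"MZ...notepad..."))    # allow
    print(decide("trusted", gold, b"MZ...malware...", block=False))  # log
```

Running it shows that the duplicate copy of app.exe yields a single entry (the Compact
behaviour), that a byte-identical regedit.exe is blocked whatever its path, that a
modified copy of a gold-build file is no longer known, and that block=False turns a
block into a log entry.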

Common Criteria EAL4 Mode Operation
CESG in the United Kingdom has certified the following product to Common Criteria
EAL4:

• Endpoint Encryption for PC Client

To operate your implementation of Endpoint Encryption in the evaluated configuration,
you need to ensure the following criteria are met:

Administrator Guidance
• Endpoint Encryption must be installed using the Endpoint Encryption AES
(FIPS) 256-bit algorithm.

• Administrators must enforce the following policy settings:

- A minimum password length of 5 characters or more.

- Disabling of accounts after 10 or fewer invalid password attempts.

- All data and operating system partitions on machines where the Endpoint
Encryption client has been installed MUST be fully encrypted. You can check
conformance by viewing the Endpoint Encryption client status window: if any
drives are highlighted in red, they are not fully encrypted.

- Administrators must enforce use of the Endpoint Encryption Secure Screen
Saver Mode.

- Use of "Autoboot Mode" is prohibited.

- Machine and user recovery key sizes must be non-zero (Machine/Encryption
properties and User/Token properties).

To comply with the CC evaluated configuration, these policy settings must be applied
before installing any clients.

• There must be a system in place for maintaining secure backups that are
separately encrypted or physically protected, to ensure data security is not
compromised through theft of, or unauthorized access to, backup information.

• Backups should be regular and complete to enable system recovery. This is
essential in the event of loss or damage to data as a result of the actions of a
threat agent, and to avoid vulnerability through being forced to use less secure
systems.

• Users (including administrators) must protect all access credentials, such as
passwords or other authentication information, in a manner that maintains IT
security objectives.

• Customers implementing an Endpoint Encryption enterprise must ensure that
they have in place a database of authorized TOE users, along with user-specific
authentication data, so that administrative personnel can verify the identity of a
user over a voice-only telephone line before providing support or initiating
recovery. Endpoint Encryption provides the means to display personal
information such as the user's ID number as part of the "User Information
Fields", but any other appropriate system is acceptable.

• Administrators should ensure their users are fully trained in the use of the
Endpoint Encryption for PC Client software as described in the Client Software
chapter of this guide, and should remind them of the security procedures
detailed in the User Guidance below.

User Guidance
• Users must maintain the confidentiality of their logon credentials, such as
passwords and tokens.

• Users must not leave an Endpoint Encryption protected PC unattended in a
logged-on state unless it is protected by the secure screen saver.

• Users must be informed of the process they need to follow to contact their
administrator in the event that they need to recover their PC, for example if
they forget their password or their user account becomes disabled, whether
through the actions of the administrator or through repeated incorrect logon
attempts.

Common Criteria EAL4 Certificate

You can find the official recognition of this certification on CESG's website:

http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/media/certreps/CRP227.pdf

Algorithm Certificate Numbers

AES
Cert 21 and 170: ECB(e/d; 256); CBC(e/d; 256); CFB8(e/d; 256)

http://csrc.nist.gov/cryptval/aes/aesval.html

SHA1
Cert 71 and 254

http://csrc.nist.gov/cryptval/shs/shaval.htm

DSA/DSS
DSS cert 53 and 112: Sig(ver) Mod(all)

http://csrc.nist.gov/cryptval/dss/dsaval.htm

RNG
Cert 15: AES, DSA, SHA, RNG on AMD Athlon XP, Windows XP SP1; Pentium III,
Windows 2000

http://csrc.nist.gov/cryptval/rng/rngval.html

DES
Cert 145: CBC(e/d); CFB(8 bits; e/d)

http://csrc.nist.gov/cryptval/des/desval.html

Endpoint Encryption Configuration Files
Endpoint Encryption uses many .ini files to maintain information about the
configuration of various components. Some of the more important files are listed here.

sbgina.ini
Used by the Endpoint Encryption for PC client to control the Windows logon
mechanism. SBGina.ini contains the references used to populate the user id, password
and domain boxes of a login dialog, and also the id of the Ok button.

The Trace option is an aid to implementing SSO to further dialogs. If this option is set
to "Yes", then information about every window that is created during the logon
process is output to the defined trace file.

If you want to activate smart card based single sign-on, with the option of passing
the smart card PIN through to Windows, you will need to add the [SmartCard] section
as shown in the example below:

[Global]
;Version 5110

;
; This option is an aid to implementing SSO to further dialogs. If this option
; is set to "Yes", then information about every window that is created when
; a logon dialog is expected is saved to the file specified (or "LOGONWND.TXT"
; if not supplied). Note the file will always be in the SafeBoot directory.
;
;
Trace.LogonWindowInfo=No
Trace.FileName=LOGONWND.TXT

;
; This is an option (NT only) that controls the behaviour of SafeBoot's Gina
; when unlocking a locked workstation. The possible values are
;
; SbOnly       = only a SafeBoot logon is used (the default)
;
; SbWindowsSso = a SafeBoot logon is required, then SSO is attempted
;                to the original Gina.
;
;Option.UnlockWorkstationMode=SbOnly

;
; This option (NT only) controls the ability of the user to cancel the
; Windows SSO attempt from the SafeBoot logon dialog. Possible values are
;
; Yes - Allows the user to cancel the SSO attempt (the default)
;
; No  - Prevents the user from cancelling the SSO attempt
;
;Option.AllowSsoCancel=Yes

;
; These options control how the user names are treated when they are compared.
; The UPN (User Principal Name) format is of the form user@domain.com. To
; successfully compare the user names, the format needs to be the same for
; both the Windows and SafeBoot names.
;
; Note that Windows will always supply the user name to the SafeBoot Gina
; module as a user name and domain name (i.e. not DNS name).
;
; If the DetectUPN option is set to "Yes", then SafeBoot will attempt to detect
; whether the user names are in UPN format by looking for an "@" character. If
; this is set to any other value, SafeBoot will not manipulate the user names
; in any way.
;
; Examples:-
;
; SB user name = "user@domain.com"
; Windows user name = "user"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
; SB user name = "user"
; Windows user name = "user@domain.com"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
; SB user name = "user@domain.com"
; Windows user name = "user@domain.com"
; Windows domain = "domain"
;
; Comparison will be between SB="user" and Win="user".
;
;Option.Username.DetectUPN=Yes

[SmartCard]
;
; This option enables looking for smart cards used for Windows logon. It
; can be either "On" or "Off". If this is set to "On", the SB Gina will
; attempt to detect the presence of a smart card and allow the user to
; choose to logon with the smart card or with the standard user name and
; password.
;
;Enabled=Off

;
; If the smart card check is enabled, then this option can be used to force
; the use of smart cards or the standard password. This can be "Off" to
; automatically determine which to use, "Pin" to force the use of a smart
; card or "Pwd" to force the use of the standard password.
;
;Force=Off

;
; This option controls the number of seconds the gina will wait for the
; user to decide which logon method to use (smart card or password). If this
; is set to a zero, then the user will not be prompted at all.
;
;TimeoutSecs=5

;
; This option controls whether the SafeBoot SSO details are updated when
; the user logs on with a smart card. If this is set to "No", then the SSO
; details are not changed if the user logs on with a smart card. This will
; prevent the smart card PIN being used to automatically log on to Windows.
;
;EnableSso=Yes

;
; If this option is set to "Yes", then if a smart card is inserted when
; a user logs off and back on again, the SafeBoot logon will not be displayed
; even if it is set to do so in the configuration. If a smart card is not
; present, then the SafeBoot logon will be displayed.
;
;DontSbRelogonIfSc=No

[Windows.NT.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
Window3=MSGina.XP.LogonDialog
Window4=MSGina.WIN2003.LogonDialog
Window5=NWGina.NT.LogonDialog
Window6=NWGinaJP.NT.LogonDialog
Window7=FSSGina.XP.LogonDialog
Window8=CSGina.W2K.LogonDialog
Window9=CSCOGina.W2K.LogonDialog
Window10=ODYGINA.W2K.LogonDialog
Window11=PRM_GINA.XP.LogonDialog
Window12=IPASS.XP.LogonDialog
Window13=TRYIT.XP.LogonDialog

[Windows.NT.Locked]
;
; Lists all the sections that contain information about the workstation locked
; logon windows for the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.XP.LockedDialog
Window2=FSSGina.XP.LockedDialog

[Windows.9x.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the Windows 9x versions of Windows (95/98/ME).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSNP.9x.LogonDialog
Window2=NWNP.9x.LogonDialog
Window3=NWNPJP.9x.LogonDialog

;----------------------------------------------------------------------------
; The logon window definition sections for NT/W2K/XP
;
[MSGina.NT4.LogonDialog]
;
; The operating system version to which this section applies. You can specify
; the value of "Any" for either field (which is the default if not specified).
;
OS.MajorVersion=4
OS.MinorVersion=Any

;
; The original DLL to which this section applies. If the name is not
; specified or set to "Any", all original DLLs match. If any part of the
; four digit file version is set to "x", then all values for that
; component are matched (e.g. 4.1.0.x).
;
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x

;
; Specifies information about the window that we can use to identify it.
; For both the class and title, setting a value of "Any" will match any
; window. Starting the value with a "*" means the remainder of the value
; is treated as a substring, and hence if it occurs anywhere in the window
; title/class it is matched. Otherwise the whole value must match (case
; insensitive).
;
Window.Title=Any
Window.Class=#32770

;
; The control identifiers of controls that are used by the SSO module to
; simulate logons.
;
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455

;
; Optional entries which list up to 10 IDs that must come before the ID
; specified above and up to 10 IDs that must come after. The IDs are
; specified as a comma-separated list.
;
;Option.CtrlId.OK.Preceeding=1,2,3
;Option.CtrlId.OK.Following=5,6,7

;Option.CtrlId.UserName.Preceeding=1,2,3
;Option.CtrlId.UserName.Following=5,6,7

;Option.CtrlId.Password.Preceeding=1,2,3
;Option.CtrlId.Password.Following=5,6,7

;Option.CtrlId.Domain.Preceeding=2204,2203
;Option.CtrlId.Domain.Following=5,6,7

;
; If this is set to "Yes" then the user/password fields are captured from the
; dialog box rather than using the values supplied by the original gina.
;
Option.CaptureFromDlg=Yes

;
; These options define how text is entered into the various fields when
; simulating a logon. Mode 0 sets the text directly into the controls, while
; mode 1 sends characters one at a time (simulating pressing keys) and mode 2
; selects from a combo box.
;
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[CSCOGINA.W2K.LogonDialog]
; This section is for Cisco's Gina for Windows 2000, which is the same as the
; standard one but has a different DLL name (CSCOGINA.DLL).
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSCOGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[ODYGINA.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=ODYGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[PRM_GINA.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=PRM_GINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[CSGina.W2K.LogonDialog]
; This section is for Cisco's Gina for Windows 2000, which is the same as the
; standard one but has a different DLL name (CSGINA.DLL).
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=CSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[IPASS.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=ipgina.dll
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

; This one just tries the standard settings...
[TRYIT.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=1
OrigDll.Name=Any
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.XP.LockedDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1953
Dlg.CtrlId.Password=1954
Dlg.CtrlId.Domain=1956
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[MSGina.WIN2003.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=02
OrigDll.Name=MSGINA.DLL
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1502
Dlg.CtrlId.Password=1503
Dlg.CtrlId.Domain=1504
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2

[NWGina.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1202
Dlg.CtrlId.Password=1204
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

Option.CtrlId.UserName.Preceeding=1201
Option.CtrlId.Password.Preceeding=1203
Option.CtrlId.Domain.Preceeding=2204,2203

[NWGinaJP.NT.LogonDialog]
OS.MajorVersion=Any
OS.MinorVersion=Any
OrigDll.Name=NWGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=3002
Dlg.CtrlId.Password=3004
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

[FSSGina.XP.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=0
Dlg.CtrlId.Password=1001
Dlg.CtrlId.Domain=0
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

[FSSGina.XP.LockedDialog]
; This section is for the Macnica-specific FSS Gina
OS.MajorVersion=5
OS.MinorVersion=01
OrigDll.Name=FSSGINA.DLL
Window.Title=Any
Window.Class=Any
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=0
Dlg.CtrlId.Password=1001
Dlg.CtrlId.Domain=0
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=2

;----------------------------------------------------------------------------
; The logon window definition sections for Win9x/ME
;
[MSNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=MSNP32.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=21
Dlg.CtrlId.Password=23
Dlg.CtrlId.Domain=25
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=0

[NWNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1202
Dlg.CtrlId.Password=1204
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=0

[NWNPJP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=NOVELLNP.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=3002
Dlg.CtrlId.Password=3004
Dlg.CtrlId.Domain=1001
Option.CaptureFromDlg=Yes
Option.EntryMode.UserName=0
Option.EntryMode.Password=1
Option.EntryMode.Domain=0

sberrors.ini
This file is used to increase the detail available in on-screen error messages. You can
add further descriptions to errors by amending this file.


sbhelp.ini
This file is used to match on-screen windows to their help file sections.

sbfeatur.ini
This file controls the feature set available to Endpoint Encryption. This file is digitally
signed by the Endpoint Encryption team and must not be modified.

scm.ini
Configuration manager file, controls options such as which directory to connect to, and
which group to install into.

[Install]
GroupID=the ID of the group this machine will relate to
[Databases]
DatabaseID1=1
TryLastGoodFirst=Yes
LastGoodConnection=1
[Uninstall]
Sbsetup.exe=sbsetup.exe

You can specify the maximum number of lines to hold in the SCMLOG.txt file using the
following parameters. If SCMLOG.txt grows beyond 10,000 lines, the performance of
your machine can suffer.

[Log]
MaxSize=number of KB to keep in the log (128).
PurgeSize=number of KB to delete when the log reaches MaxSize (16).

You can specify the pre-configuration connection behavior by setting the following
parameters:

[Defaults]
;this section defines settings that apply before SafeBoot is
;actually active on the machine.

BootSynchDelay=0 ; delay before synching on boot in minutes
RandSynchDelay=0 ; an extra max random delay to synch in minutes
SynchInterval=0 ; time between automatically retrying synch

You can turn on tracing of the Endpoint Encryption client with the following section.
Trace output is written to SBCM.log in the same directory as the application.

[Debug]
Trace=1 ;Trace activity, 1 = on, 0 = off

You can set a message to be displayed and a timeout when an administrator performs
a remote shutdown of the client (using the machine/Reboot menu option).

[Reboot]
Message=some text to display
Timeout=10 (seconds)


[disk]
Sbfs.defaultsize=10 ;Default size of SafeBoot.FS (in MB)
Install.clearcryptlist=1(0) ;Determines whether to clear the cryptlist
;for a drive on install, or to leave it set.
Boot.message=Starting SafeBoot %d%d ;The default starting message

[boot]
Hookflags=… ;Internal use only – do not change.

defscm.ini
You can pre-set parameters used in the SCM.ini file created within install sets by
creating a file “defscm.ini” in the Administration system directory containing the lines
and sections you want to pre-define. defscm.ini is used as a seed to create the unique
scm.ini file for the install set.

sdmcfg.ini
This file is used by the Endpoint Encryption Client to control the connection to the
Object Directory. There may be many connections listed in the file; the
multi-connection behavior is controlled through scm.ini.

[Databases]
Database1=192.168.20.57   The IP address of the remote server. This can be a DNS name.

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555
ServerKey=…   The public key for the remote server. This is used to stop a hacker putting a rogue server in place and intercepting the traffic.
ExtraInfo=…   Padding for the serverkey.

TrivialPwds.dat
This file provides a dictionary of forbidden passwords. Simply create a Unicode text
file, with one password per line, and deploy it to the client machines. You also need to
enable the user template option “no simple passwords”.

The file needs to be deployed to the “[appdir]\SBTokens\Data” folder.

NOTE: It is more effective to restrict passwords using a template which insists on numeric or special 
characters, rather than supply a long list of forbidden words.  

Bootcode.ini
Bootcode.ini defines the behaviour of the Endpoint Encryption pre-boot environment.
This file is not commonly modified by the end user as it is a system only file. The file is
stored in Endpoint Encryption’s pre-boot environment in the \boot directory.

[TokenSelect]
; the token type id of the last token the user selected.
Default=0x01000000
[Locale]
;
; the user selected language to use (reference a key in the [Languages] section
; of the \Locale\Locale.ini file).
;
Language=EnglishUS
;
; the user selected keyboard to use (reference a key in the [Keyboards] section
; of the \Locale\Locale.ini file).
;
Keyboard=US
[Audit]
;
; The maximum allowed audit events
;
MaxEvents=3000
;
; The number of events to remove when the maximum is reached
;
PurgeCount=300

BootManager.INI
This file controls the partition names specified when the Endpoint Encryption Boot
Manager is enabled. The file is stored in Endpoint Encryption’s pre-boot environment in
the \boot directory.

[Partition.Names]
Partition0=My secure partition
Partition1=My Insecure partition


Errors.XML
This is an XML version of SBErrors.ini to allow Unicode translation. Endpoint Encryption
for PC uses SBErrors.XML instead of SBErrors.ini if both exist.

AutoBoot.ini
The autoboot.ini file allows you to set a unique default password for the $autoboot$
user(s). The file is created in the [appdir]\Boot directory in the following format:

[AutoBoot]
Password=mypassword

SbClientFileSet.ini
The SbClientFileSet.ini file is used to define what files are imported into the database.

SBWinLogonOpts.XML
This file can be used to exclude users from single sign-on logon; for example, VMware
user accounts can override single sign-on even though the “Must Match the Windows
user name” option has been selected.

<SafeBoot>
  <SetSbPwd>
    <Exclusions>
      <User name="__Vmware_User__" />
    </Exclusions>
  </SetSbPwd>
</SafeBoot>

SBCP.INI
Microsoft has introduced a new logon method for the Vista operating system: a
credential provider (CP) that replaces MSGina.dll. A CP works differently from
MSGina: credential providers are not cascaded, so several can be active side by
side. If you enable the Require Endpoint Encryption logon option in the
Machine > General > Windows Logon options, then the Endpoint Encryption credential
provider is activated on the client's Windows logon; be aware that all other
credential providers will also be available.

The SBCP.ini activates the CP. If a customer requires another CP to run in parallel,
this can be defined in the SbCp.ini (in the Endpoint Encryption client directory).

Create the SBCP.ini; to enable all other credential providers add:

[CredentialProvider.Filter]
DefaultAction=Enable
If you want to enable/disable specific credential providers, then add entries to the
section [CredentialProvider.Filter.Providers] containing the credential provider's
GUID on the left and either "Enable" or "Disable" on the right. For example, to enable
just the MS password credential provider you would add:

[CredentialProvider.Filter]
DefaultAction=Disable

[CredentialProvider.Filter.Providers]
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}=Enable

Setting up multiple domains in the logon dialog box

The [WindowsCredentials.Domains] section of SBCP.ini allows you to specify other
domains which the user can select during single sign-on. The content of this
section determines what appears in the logon dialog box, as in the example below.

[WindowsCredentials.Domains]
;
; Lists the domains to be added to the domain list. Note that the left
; side of the equals can be any value - it is ignored (of course it must be
; unique for this section).
;
1=MyDomain1
2=MyDomain2
3=MyDomain3
[WindowsCredentials.Options]
;
; Set this to "No" to prevent the local computer name automatically being
; added to the list of domains.
;
AddLocalComputerToDomains=Yes
;
; Sets the domain to select as the default. If this is not specified, the
; current domain for the system is selected if there is one or the local
; computer name if there is not.
;
DefaultDomain=MyDomain1
;
; If set to "Yes", the domain box will only list domains that the system
; marks as domain controllers. If set to "No" (the default), all servers
; will be listed.
;
DomainControllersOnly=No
;
; If set to "Yes", then the username and the domain of the last logged on
; user is automatically filled in (if it is available).
;
SelectLastUsed=Yes

Deploying the SBCP.ini file


Once you have created this file, you can import it into the Endpoint Encryption for PC
Client Files file group, or alternatively create a new file group, specify its function as
“Client Files” and assign it to a machine. See the File Groups and Management chapter
for further information.

Endpoint Encryption Program and Driver Files
EXE Files
SafeTech
SafeTech is the disaster recovery tool for the Endpoint Encryption client.

Setup
Setup.exe is the core executable in Endpoint Encryption’s packaging mechanism. It is
used as an exe stub for the install package and also handles the de-install process.
Setup takes one parameter, "-Uninstall", which prompts it to walk through
sbfiles41.lst, deleting files (or marking them for deletion if they are in use) and
reversing registry settings. Setup also re-runs any installation executables with the
-Uninstall flag to remove programs. The order of removal is the reverse of the install,
i.e. installation executables, registry settings, files.

SBTokWatch
The SBTokWatch.exe file notifies Endpoint Encryption for PC when a token has been
removed. This is for Vista installations only.

DLL Files
sbalgxx
The Utility Encryption algorithm module.

sbgina
Windows login pass through GINA driver for NT / 2000.

Usually Endpoint Encryption monitors the GINA settings in the registry to ensure that
nothing removes or disables the login system. You can change the behavior of this
system by editing the SB-NoUpdateGina DWORD value in
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. The following
values can be set:

0 - SafeBoot will install and remove its Gina.
1 - SafeBoot will *not* install its Gina, but will remove it.
2 - SafeBoot will *not* remove its Gina, but will install it.
3 - SafeBoot will *not* install or remove its Gina.


You can use these settings to force compatibility with other GINA replacement login
systems. If you use option 1, 2 or 3 you are responsible for keeping the GINA chain
correct, as Endpoint Encryption will not be monitoring some aspects of it.

SYS Files
SafeBoot.SYS
The core device driver for Endpoint Encryption, handling encryption of the disk and
management functions.

You can block the use of Safe Mode when Endpoint Encryption is installed by setting
the following parameters. These options are included in the BlockSafeMode file group
option in Endpoint Encryption for PC.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SafeBoot]
;Prevent Safe Mode access if SafeBoot is activated
PreventSafeMode=dword:00000001
;The warning message to display (default if not set)
;PreventSafeModeMsg=""
;The screen background color (default red)
;PreventSafeModeBkCol=dword:00000000
;The screen foreground color (default white)
;PreventSafeModeFgCol=dword:0000000f

Endpoint Encryption for PC uses several sectors of the hard disk between 1 and 63 -
commonly termed the “partition gap” - to store power fail information while encryption
and decryption is in progress. If you have other applications also using these sectors,
you can exclude them from the range used by specifying registry settings as below.

For each sector you need to exclude, add a DWORD value of 1, named with the decimal
sector number, to the following registry key:

[HKLM\Software\SafeBoot International\SafeBoot\DiskManager\ExcludedSectors]
14=dword:1
15=dword:1

You can specify any number of exclusions using this method, but be aware that at
least two sectors are required, and the smaller the number available, the slower
encryption processes will run.

You can add this information to the client NTDRV.SRG registry file to ensure it is
applied on all machines at point of install.

SBALG.SYS
This file is Endpoint Encryption’s device driver crypto algorithm module.


SafeBoot.CSC/RSV
Endpoint Encryption pre-boot sector chain for the boot loader. The SafeBoot.csc file
was renamed to SafeBoot.RSV in v5.01 for better defrag protection.

SafeBoot.FS
This file is the encrypted pre-boot environment (stored as a single file).

SbRegFlt
This file is applicable to Vista installations only. It allows the administrator to properly
support auto logon, i.e. ensure the control-alt-delete behavior is correct for single sign
on.

Other Files
srg files
Endpoint Encryption registry files – these are standard regedit files which are
processed into the registry by Endpoint Encryption, without using the windows regedit
utility.

WinTech and SafeTech

WinTech and SafeTech are Endpoint Encryption’s disaster recovery and diagnostic
tools. They should only be used in the event of a catastrophic failure of the machine,
for example after severe hard disk corruption, a virus attack or a complete OS failure.

WinTech and SafeTech can perform the following functions:

• Decrypt the drive using information obtained from the Endpoint Encryption
Manager.

• Start the Endpoint Encryption Emergency Repair process.

• Perform forensic analysis on encrypted data.

These tools should only be used by trained Endpoint Encryption staff. For more
information, and access to the WinTech and SafeTech Administration Guide, please
contact your McAfee representative.

Themes & Localization

Endpoint Encryption for PC is the most flexible product of its kind in terms of
localization capabilities. It supports unlimited numbers of pre-boot languages and
keyboards, and offers full localized pre-boot on screen keyboard and automatic
language detection.

You can also restyle almost any aspect of the pre-boot interface, from changing colors
and graphics, to moving buttons and text on the screen.

Endpoint Encryption provides full localization and customization services, but for those
interested, the following information is provided to help you gain experience of how all
the components fit together. We provide numerous languages and graphical layouts
(themes) with our product. Readers are strongly advised to look to those while
reading these sections to understand how they work.

A tip to future theme designers – the Endpoint Encryption for PC client will synchronize
any file changes found in the [appdir]\locale and [appdir]\graphics trees into the
Endpoint Encryption pre-boot file system on every policy sync event, so, rather than
making your changes and uploading them to the Endpoint Encryption Manager, you
can simply change the files directly on an Endpoint Encryption client and perform a sync
event to load them into the pre-boot. A successful sync is not required – only an
attempt.

Themes
Endpoint Encryption for PC uses graphical “Themes” to control the look and feel of the
pre-boot environment. These Themes are stored as “Client File” type file sets within
the Endpoint Encryption Object Directory. Only one theme can be assigned to a
machine at any time.

To assign a theme to an Endpoint Encryption for PC machine, simply enable its file set
from the “Files” tab of either the machine or machine group properties.

Themes are comprised of the following components:

File or Directory  Description 

Graphics\Graphics.ini  Master definition file for the graphical theme. This file dictates the overall look of the theme, the button and window positions, and the various graphical elements which are used for each resolution.

ENGLISH  The English language font files

640x480  Images for this resolution
800x600  Images for this resolution
1024x768  Images for this resolution
1280x960  Images for this resolution
1280x1024  Images for this resolution
1400x1050  Images for this resolution
1440x900  Images for this resolution
1440x1050  Images for this resolution
1600x1200  Images for this resolution
1680x1050  Images for this resolution
1680x1280  Images for this resolution
1920x1440  Images for this resolution

Shared  Shared images used in all modes

Locale\Locale.ini  Language translations. This file sets all the various language and keyboard support options. The options in Locale.ini determine which font sets from Graphics.ini are used.

Table 6. Theme Overview 

For information about the parameters in the Graphics.ini and Locale.ini files, see the
example theme, which has fully commented versions.

Keyboards
Physical Keyboard Layouts
Endpoint Encryption for PC supports many physical keyboard layouts, and also
supports automatic detection of the Windows keyboard layout in an attempt to choose
the most appropriate pre-boot layout.


Having the correct pre-boot layout selected is essential when authenticating, for
example, imagine the user has the French keyboard enabled in Windows, but has the
USA keyboard enabled in Endpoint Encryption for PC Pre-Boot.

Row 2 of the French keyboard begins “azerty…” whereas row 2 of a USA keyboard
begins “qwerty…” – so if the user's password contains either “a” or “z”, then they will
not be able to press the same keys in pre-boot to authenticate.

Defining and adding layouts to the Endpoint Encryption PBA

Endpoint Encryption for PC can support an unlimited number of different keyboard
layouts. To define which layouts are available, usually you simply need to select the
appropriate file group for a machine and the layout will be added.

The PBA determines which layouts are installed by considering the Locale\Locale.ini
file in the pre-boot environment. This file is synchronised along with the entire
[appdir]\locale directory each time the machine performs a sync operation.

An example keyboard layout is defined as follows in Locale.ini:

Node  Description 

;Norwegian Stub
;B5100

[Settings]
DefaultKeyboard=0414

  Defines the default keyboard if no mapping in [LanguageIDMap] can be determined.

[Keyboards]
0414=Keyboard.0414
043B=Keyboard.043B

  Defines the list of possible keyboards. In this example, two keyboards are defined (0414 and 043B), which are described in the sections Keyboard.0414 and Keyboard.043B. The definition names and section names are arbitrary, but we recommend you use the actual keyboard ID for consistency.

[Keyboard.0414]
name=Norwegian
mapfile=0414_E.MAP
OSK=0414_OSK.XML

  This is a keyboard definition section; it describes the name of the keyboard (displayed in the selection list), the map file to use (stored in \Locale), and the on-screen keyboard file to use (again, stored in \Locale).

  Instead of using the “name” tag, you can use NameW, which takes a comma separated list of hex char codes, for example:

  NameW=32,54,23,6A,43DF

  With NameW you can display Unicode chars, which are useful when defining double-byte languages.

[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

[LanguageIDMap]
0414.Keyboard=0414
043B.Keyboard=043B

  This section describes how the client should attempt to map the selected Windows keyboard to the pre-boot keyboards. 0414.Keyboard=0414 indicates that if Windows is using a keyboard with the ID 0414, Endpoint Encryption should use the keyboard described in [Keyboards] under the definition name 0414.

Table 7. Keyboard definition in Locale.ini 

Locale.ini
Normally language and keyboard layouts are defined within the Endpoint Encryption
Database, and each language has a locale.ini file configured as a Merge INI. This
system enables administrators to add and remove languages without having to define
the exact set prior to distribution. As all keyboards and languages are defined in the
same Locale.ini file, without merge INIs you would have to create a locale.ini file
describing the exact combination of keyboards and locales prior to sending it to an
Endpoint Encryption for PC client.

For examples of how to define a Locale.ini, see one of the supplied languages stored in
the Endpoint Encryption Manager install directory \Languages tree.

NOTE: If the language is changed in Windows, then auto detect will not work. The new language file for 
preboot and keyboard should be deployed using file groups. Select the language file from file groups and 
apply it to the machine or group. The machine or machine group must then synchronize with the admin 
system. 


The user(s) must then restart their machines. In the preboot screen they must select
“Options”. This will load a menu. They must then select “Options” from this menu.
From the “Options” screen you can then specify the preboot language and the
keyboard language.

Creating your own Keyboard Layout

Keyboard layouts are compiled from a source text file with the following structure:

Name=the keyboard name
Flags=keyboard flags
Scancode=Unicode char number, mask, keystate…

For example:

flags=0x8000007C
NAME=Norwegian with Sami

;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps

The keyboard map source file is comprised of the following components:

Node  Description 

flags  Operational flags which control the behaviour of this keyboard map. Defined flags include:

  0x00000001 Caps is Shift
  0x00000002 Shift unsets Caps
  0x00000004 Acute
  0x00000008 Grave
  0x00000010 Circumflex
  0x00000020 Umlaut (Diaeresis)
  0x00000040 Tilde
  0x00000080 Caron
  0x00000100 Apostrophe
  0x00000200 Cedilla
  0x00000400 Breve
  0x00000800 Ogonek
  0x00001000 Dotabove
  0x00002000 DoubleAcute
  0x00004000 Degree
  0x00008000 Tonos
  0x00010000 Middle Dot
  0x00020000 Low Nine
  0x00040000 Dialytika
  0x00080000 Quotation
  0x00100000 Polish Programmers Tilde
  0x00200000 Ring Above
  0x00400000 Macron
  0x80000000 Extended Mode (should always be enabled)

Name  The keyboard name.

Key definitions  Each key (scan code) behaviour is defined in a number of entries which state the Unicode character which should be produced. Each key may have many states (normal, shifted, caps etc.) so there may be multiple entries per key.

  The possible states are defined with a mask (which keys to consider) and a keystate (the state of those keys). The possible keys you can use in the mask and keystate are:

  RIGHT_ALT_PRESSED   0x0001
  LEFT_ALT_PRESSED    0x0002
  RIGHT_CTRL_PRESSED  0x0004
  LEFT_CTRL_PRESSED   0x0008
  SHIFT_PRESSED       0x0010
  NUMLOCK_ON          0x0020
  SCROLLLOCK_ON       0x0040
  CAPSLOCK_ON         0x0080
  ENHANCED_KEY        0x0100

  So as an example, to define key 2 (the number 1 key on a USA keyboard) you would add an entry for scan code 0x02 (the scan code of this key) followed by a number of possible key states.

  0x02=0x0031,0x009F,0x0000

  would define the number 1 key to produce the char “1” when none (keystate of 0x0000) of the modifiers capslock, shift, left-alt, right-ctrl, left-ctrl and right-alt (mask 0x009F) is pressed.

  To define the behaviour of this key when shift alone is pressed we use the following line:

  0x02=0x0021,0x009F,0x0010

  As above, if key 2 is pressed, create a quotation mark (Unicode char 21) if shift (0x0010) is pressed out of the combination of capslock, shift, left-alt, right-ctrl, left-ctrl and right-alt (0x009F).

  Of course, in both the cases above, the keys not considered in the keystate must not be pressed.

  The mask defines which keys to consider, and the keystate defines the state of each of those keys.

Table 8. Keyboard map source file 

If you wish to create a custom keyboard map, you will need to have it compiled by
Endpoint Encryption before it can be used.
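
The mask/keystate matching described in Table 8, worked through in Python as an added example (this is not McAfee code and not the compiler the guide refers to). It parses the page's own 0x02 lines, resolves a key press for a given modifier bitmask, and runs the checks worth doing before a map is sent off for compilation; note that Unicode 0x0021 is “!”, which is what the shifted entry returns.

```python
"""Resolve pre-boot key presses against an Endpoint Encryption keyboard map source.

Added example, not McAfee code: it parses the scancode=unicode,mask,keystate
source format described above and shows which character a key yields for a
given modifier state. The sample lines are the page's scan code 0x02 entries.
"""
import re

# Modifier bits as listed in Table 8.
RIGHT_ALT_PRESSED = 0x0001
LEFT_ALT_PRESSED = 0x0002
RIGHT_CTRL_PRESSED = 0x0004
LEFT_CTRL_PRESSED = 0x0008
SHIFT_PRESSED = 0x0010
NUMLOCK_ON = 0x0020
SCROLLLOCK_ON = 0x0040
CAPSLOCK_ON = 0x0080
ENHANCED_KEY = 0x0100
EXTENDED_MODE = 0x80000000  # flags bit that "should always be enabled"

# Constructed sample: the "Norwegian with Sami" fragment shown on this page.
SAMPLE_MAP_SOURCE = """\
flags=0x8000007C
NAME=Norwegian with Sami

;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps
"""

_HEX = r"(0x[0-9A-Fa-f]+)"
_KEY_LINE = re.compile(r"^%s\s*=\s*%s\s*,\s*%s\s*,\s*%s$" % (_HEX, _HEX, _HEX, _HEX))


def parse_keymap(text):
    """Return (header, entries). header maps lower-cased names (name, flags) to
    their values; entries is a list of (scancode, unicode, mask, keystate)."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ;-comments run to end of line
        if not line:
            continue
        m = _KEY_LINE.match(line)
        if m:
            entries.append(tuple(int(x, 16) for x in m.groups()))
        else:
            key, _, value = line.partition("=")
            header[key.strip().lower()] = value.strip()
    return header, entries


def resolve_key(entries, scancode, modifiers):
    """Character produced by `scancode` under the modifier bitmask `modifiers`.

    An entry applies when the modifiers it considers (its mask) are in exactly
    the state it names: (modifiers & mask) == keystate. Bits outside the mask,
    such as NUMLOCK_ON for a 0x009F mask, are ignored. A Unicode value of
    0x0000 means the combination produces nothing; None is returned for that
    and for combinations with no entry at all.
    """
    for sc, uni, mask, keystate in entries:
        if sc == scancode and (modifiers & mask) == keystate:
            return chr(uni) if uni else None
    return None


def check_keymap(header, entries):
    """Checks worth running before a map source is sent off to be compiled:
    Extended Mode must be set, and no (scancode, mask, keystate) triple may be
    defined twice, since only the first would ever match."""
    problems = []
    if not int(header.get("flags", "0"), 16) & EXTENDED_MODE:
        problems.append("flags: Extended Mode (0x80000000) is not set")
    seen = set()
    for sc, _uni, mask, keystate in entries:
        triple = (sc, mask, keystate)
        if triple in seen:
            problems.append("duplicate entry for scancode 0x%02X, keystate 0x%04X"
                            % (sc, keystate))
        seen.add(triple)
    return problems
```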

On Screen Keyboards
On-Screen keyboards provide visual representation of the physical keyboard. Each
keyboard map can be defined to provide either its own OSK, or, the system default
OSK (US English). The symbols on each key can be defined for the normal, alt, altgr,
shift, caps, and ctrl states, and also any combination of states.

OSK’s are defined in Endpoint Encryption pre-boot using an XML file which controls the
layout (key spacing, number of rows etc), and the display char for each key. The OSK
file (keyboardID_OSK.XML) is usually stored in the SBFS\Locale directory.

There can be many OSKs installed, and each physical keyboard map can choose one of
the installed OSKs to display on request.

Administrators can choose to always display an OSK for the user by selecting the
“always display on-screen keyboard” option of the Machine/General properties.

NOTE: Though the OSK displays the character for each possible state, the OSK sends the scan code and 
modifier (shift/alt etc) to the selected keyboard driver for conversion, so the actual character printed will be 
a result of the keyboard driver, NOT necessarily the one displayed on the OSK. 

A Sample OSK Keyboard could be defined as follows:

<?xml version="1.0" encoding="UTF-16"?>
<keyboard>
  <options col="lightgray" button_col="lightgray"
           border_col="black" txt_col="black"
           font="System"
           down_col="blue" button_style="square"
           border_width="3">
  </options>
  <layout id="English (US)">
    <row>
      <key id="18" obey-caps="true" scancode="0x11">
        <default display="w" />
        <shifted display="W" />
        <caps display="W" />
        <alt_gr display="GR" />
        <text state="alt+shift" display="AS" />
        <text state="alt+shift+ctrl" display="ASC" />
        <text state="shift+ctrl" display="SC" />
        <text state="caps+shift" display="PS" />
        <text state="altgr+ctrl" display="GC" />
      </key>
      <key id="19" obey-caps="false" scancode="0x056">
      </key>
    </row>
  </layout>
</keyboard>

The following nodes should be considered:

Node  Description 

Options/font  The name of the font used by this OSK. This should be defined in graphics.ini and needs to be an OnTime Binary font.

Layout ID  The name of this OSK layout – displayed in the title bar of the OSK.

Key/ID  A decimal representation of the key – usually the decimal scan code ID.

Key/Obey-Caps  If this key is subject to any caps state switching, this should be set to true.

Key/Scancode  The scancode produced by this key.

Key/default  The default display char.

Key/shifted  The shifted display char.

Key/caps  The caps lock state char.

Key/alt_gr  The alt_gr state char.

Key/text/state  The combination states for this key. The text/state attribute takes precedence over the key/default, key/shifted etc. states. You can specify single states, for example

  <text state="shift" display="Q" />

or combination states, for example

  <text state="shift+altgr" display="%" />

For any key to consider any caps behaviour, key/obey-caps needs to be true.

Table 9. On Screen Keyboard Source 
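
The node precedence in Table 9, applied in Python as an added example (not McAfee code): it parses an OSK layout built from the page's "English (US)" fragment and answers which glyph a key shows for a given modifier combination. The fallback for a combination with no entry (showing the default glyph) and the treatment of "altgr" and "alt_gr" as the same modifier are this example's assumptions.

```python
"""Look up what an Endpoint Encryption on-screen keyboard shows for a key state.

Added example, not McAfee code. It parses the OSK XML layout described in
Table 9 and applies the precedence the table states: a <text state="..."> entry
beats the single-state <default>/<shifted>/<caps>/<alt_gr> nodes, and caps is
only considered when obey-caps="true". How an undefined combination falls back
(here: to <default>) is this example's choice. The document is constructed from
the page's "English (US)" fragment; key 19 is given glyphs to show the
obey-caps="false" case.
"""
import xml.etree.ElementTree as ET

SAMPLE_OSK_XML = """\
<keyboard>
  <options col="lightgray" button_col="lightgray" border_col="black"
           txt_col="black" font="System" down_col="blue"
           button_style="square" border_width="3"></options>
  <layout id="English (US)">
    <row>
      <key id="18" obey-caps="true" scancode="0x11">
        <default display="w" />
        <shifted display="W" />
        <caps display="W" />
        <alt_gr display="GR" />
        <text state="alt+shift" display="AS" />
        <text state="alt+shift+ctrl" display="ASC" />
        <text state="shift+ctrl" display="SC" />
        <text state="caps+shift" display="PS" />
        <text state="altgr+ctrl" display="GC" />
      </key>
      <key id="19" obey-caps="false" scancode="0x56">
        <default display="/" />
        <shifted display="?" />
        <caps display="never-shown" />
      </key>
    </row>
  </layout>
</keyboard>
"""

# Single-modifier states and the child node that carries their glyph.
SINGLE_STATE_NODE = {
    frozenset(): "default",
    frozenset({"shift"}): "shifted",
    frozenset({"caps"}): "caps",
    frozenset({"altgr"}): "alt_gr",
}


def load_osk(text):
    """Return (root, keys) with keys indexed by their decimal id attribute."""
    root = ET.fromstring(text)
    keys = {int(key.get("id")): key for key in root.iter("key")}
    return root, keys


def normalise_state(state):
    """'shift+altgr' -> frozenset({'shift', 'altgr'}); order does not matter
    and alt_gr/altgr are treated as the same modifier."""
    parts = (p.strip().lower().replace("alt_gr", "altgr") for p in state.split("+"))
    return frozenset(p for p in parts if p)


def display_for(key, state):
    """Glyph the OSK draws on `key` for the modifier state string `state`."""
    wanted = normalise_state(state)
    if key.get("obey-caps", "false").lower() != "true":
        wanted -= {"caps"}  # key ignores caps lock entirely
    # 1. explicit combination entries take precedence over everything else
    for text in key.findall("text"):
        if normalise_state(text.get("state", "")) == wanted:
            return text.get("display")
    # 2. the single-state nodes
    node_name = SINGLE_STATE_NODE.get(wanted)
    node = key.find(node_name) if node_name else None
    if node is not None:
        return node.get("display")
    # 3. nothing defined for this combination: show the default glyph
    default = key.find("default")
    return default.get("display") if default is not None else None


def scancode_for(key):
    """The scan code the OSK sends to the keyboard driver for this key; the
    driver, not the OSK glyph, decides the character actually typed."""
    return int(key.get("scancode"), 16)


def layout_title(root):
    """The layout id, shown in the OSK title bar."""
    return root.find("layout").get("id")
```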

To set which OSK is displayed per keyboard map, add an “OSK=” tag to the keyboard
definition in locale.ini, for example:

[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

Node  Description 

Name  The display name of the Keyboard 

Mapfile  The name of the map file to use to map the key presses to 
chars 

OSK  The name of the OSK file to display 

Table 10. On Screen Keyboard Definition 

Pre-Boot Language
Endpoint Encryption for PC supports many languages, and also supports automatic
detection (Note: this is only during Endpoint Encryption activation) of the Windows
Language in an attempt to choose the most appropriate pre-boot language.

NOTE: If the language is changed in Windows, then auto detect will not work. The new language file for 
preboot and keyboard should be deployed using file groups. Select the language file from file groups and 
apply it to the machine or group. The machine or machine group must then synchronize with the admin 
system. 


The user(s) must then restart their machines. In the preboot screen they must select “Options”. This will 
load a menu. They must then select “Options” from this menu. From the “Options” screen you can then 
specify the preboot language and the keyboard language. 

The selectable languages are defined in the SBFS Locale\Locale.ini file, for example:

Node  Description 

;Chinese Stub
;B5100

[Settings]
DefaultLanguage=0804

  The default language to use if no mapping is found in the [LanguageIDMap] section.

[Languages]
0804=Lang.0804
0404=Lang.0404

  The defined languages. Both the definition name and section name are arbitrary.

[LanguageIDMap]
0804.Language=0804
0404.Language=0404
0004.Language=0804
0C04.Language=0404
0404.Keyboard=0404
0804.Keyboard=0804

  The Windows language to Endpoint Encryption pre-boot language map. For example, if Windows is using the locale 0404, then the pre-boot should use the definition 0404 for its language. Both the major and minor language can be checked, so in this example both Windows languages 0804 and 0004 use the Endpoint Encryption pre-boot definition section 0804. If a primary variant, for example 0F04, is found in Windows, then 0004 will be used in Endpoint Encryption.

[Lang.0804]
;Name=Chinese Simplified (PRC)
NameW=,0020,0050,0052,0043,0029
ID=0804
StringFile=0804.STR
FontSection=Fonts.SuperFont

  This section defines a language. The Name tag is the name displayed in the pre-boot selection list. You can supply a NameW tag instead, which takes a comma separated list of char codes; this enables you to set a Unicode name for the list. The ID describes the locale ID; this should be the ANSI recognised ID for this language. The StringFile describes the actual compiled definition file to use (stored in \locale). The FontSection describes the section in Graphics.ini which contains the fonts to be used for this particular language. Each language can use its own fonts, or can use fonts shared by other languages.

Table 11. Pre-Boot Language Definition 

Creating your own Language file

Endpoint Encryption for PC Language files are created from a Unicode master which
describes the text to display for each defined pre-boot message, for example:

Name=Chinese (Simplified)
ID=0804

1=确定
2=取消
3=SafeBoot
4=是
5=否
50=请插入一张引导用的软盘或者按取消从硬盘引导。
100=SafeBoot登录
101=用户名:
102=密码:
103=修改密码
51=您不允许从软盘引导,系统将从硬盘引导。

You can obtain a pre-boot English master text file from your Endpoint Encryption
distributor. Once translated, the file needs to be compiled by Endpoint Encryption.

Normally Language and keyboard layouts are defined within the Endpoint Encryption
Database, and each language has a locale.ini file configured as a “Merge Ini”. This
system enables administrators to add and remove languages without having to define
the exact set prior to distribution. As all keyboards and Languages are defined in the
same Locale.ini file, without merge INIs you would have to create a locale.ini file
describing the exact combination of keyboards and locales prior to sending it to an
Endpoint Encryption for PC client.


For examples of how to define a Locale.ini, see one of the supplied languages stored in
the Endpoint Encryption Manager install directory \Languages tree.

Pre Boot Token Descriptions

You can localise the token names used in Endpoint Encryption for PC by adding an
XML definition file to the [appdir]\SBTokens\Languages directory. The client searches
for resources in the following order:

• The [appdir]\SBTokens\Languages \LanguageID directory

• The [appdir]\SBTokens\Languages \LanguageMajor directory

• The [appdir]\SBTokens\Languages directory

For example, on a US English system (Language ID 0409) Endpoint Encryption for PC


will look for token resources in [appdir]\SBTokes\Languages\0409, then [appdir]\
SBTokens\ Languages\ 0009, then [appdir]\ SBTokens\ Languages then
[appdir]\ SBTokens\Languages.

The definition file for each token is an XML file named Token_tokenID.xml, laid out
as follows:

Node                                        Description

<SbTokenInformation>
  <Token type="xxxxxxxx">                   The ID of the Token - see the Tokens
                                            section of this guide.
    <PromptName>prompt text</PromptName>    The text to display in the login box
    <ListName>list text</ListName>          The text to display in the list of tokens
  </Token>
</SbTokenInformation>

Table 12. Token Translation File

Windows Languages
Endpoint Encryption for PC uses resource DLLs and other files to display its Windows
components in alternate languages.

The client searches for resources in the following order:

• Looks to the [appdir]\Languages\LanguageID directory

• Looks to the [appdir]\Languages\LanguageMajor directory

• Looks to the [appdir]\Languages directory

• Looks to the [appdir] directory and uses built in resources

For example, on a US English system (Language ID 0409) Endpoint Encryption for PC
will look for resources in [appdir]\Languages\0409, then [appdir]\Languages\0009,
then [appdir]\Languages, then [appdir].
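The two lookup orders above (token names under [appdir]\SBTokens\Languages and Windows resources under [appdir]\Languages) follow the same most-specific-first pattern, and the Token_tokenID.xml layout in Table 12 is small enough to parse with the standard library. The following is an added example, not the client's own code: it builds the search order for either tree, resolves the first existing copy of a file along it, and reads a token translation file. It assumes that LanguageMajor is derived the Windows LANGID way (primary language in the low 10 bits, which is what turns 0409 into 0009); the sample XML, the placeholder type value and the helper names are this example's own.

```python
"""Resource lookup order for localised Endpoint Encryption client files and
a parser for Token_<tokenID>.xml. Added example, not product code."""
import os
import xml.etree.ElementTree as ET


def language_major(language_id):
    """'0409' (English, US) -> '0009' (English): keep the primary-language
    bits of the Windows LANGID (low 10 bits) and drop the sublanguage.
    Assumption: this is how the client derives LanguageMajor."""
    return f"{int(language_id, 16) & 0x3FF:04x}"


def resource_search_order(appdir, language_id, subdir=""):
    """Directories the client checks, most specific first.

    subdir=""          -> Windows resources: [appdir]\\Languages\\..., then [appdir]
    subdir="SBTokens"  -> token names:       [appdir]\\SBTokens\\Languages\\...
    """
    base = os.path.join(appdir, subdir, "Languages") if subdir else os.path.join(appdir, "Languages")
    order = [
        os.path.join(base, language_id),                  # LanguageID
        os.path.join(base, language_major(language_id)),  # LanguageMajor
        base,                                             # Languages
    ]
    if not subdir:
        order.append(appdir)   # built-in resources are the last resort
    return order


def find_resource(appdir, language_id, filename, subdir="", exists=os.path.exists):
    """First existing copy of filename along the search order, or None.
    `exists` is injectable so the order can be exercised without an install."""
    for directory in resource_search_order(appdir, language_id, subdir):
        candidate = os.path.join(directory, filename)
        if exists(candidate):
            return candidate
    return None


# Constructed Token_<tokenID>.xml following Table 12; the type value is a
# placeholder, not a real token ID.
SAMPLE_TOKEN_XML = """<SbTokenInformation>
  <Token type="xxxxxxxx">
    <PromptName>Password</PromptName>
    <ListName>Password token</ListName>
  </Token>
</SbTokenInformation>
"""


def parse_token_file(xml_text):
    """One dict per <Token>: its type attribute and the two display strings."""
    root = ET.fromstring(xml_text)
    if root.tag != "SbTokenInformation":
        raise ValueError(f"unexpected root element {root.tag!r}")
    tokens = []
    for token in root.findall("Token"):
        if token.get("type") is None:
            raise ValueError("<Token> element without a type attribute")
        tokens.append({
            "type": token.get("type"),
            "prompt": token.findtext("PromptName", ""),
            "list": token.findtext("ListName", ""),
        })
    return tokens


if __name__ == "__main__":
    for path in resource_search_order(r"C:\Program Files\McAfee\Endpoint Encryption for PC", "0409"):
        print(path)
    print(parse_token_file(SAMPLE_TOKEN_XML))
```

Because the most specific directory wins, a file dropped into the LanguageID directory silently overrides the shipped one; when auditing an installation, compare the per-language directories against the base copies rather than only checking that the base files are intact.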

The following components are supported for localization:

• DLL resources (Windows resources)

• SBErrors.XML (Unicode Error code descriptions)

• SBErrors.INI (ASCII Error code descriptions)

• SBClient.CHM (Help file)

• SBHelp.INI (Help file index)


Troubleshooting PCs
For the latest information on Endpoint Encryption issues, patches and information
please see our web site, www.mcafee.com. We maintain several sections with the
latest tips from our implementation teams, and any suggested changes and updates.
You can also subscribe to an update list which uses e-mail to keep you informed of any
significant issues.


Error Messages
Please see the file sberrors.ini for more details of these error messages. You can also
find more information on error messages on our web site, www.mcafee.com.

Module codes
The following codes can be used to identify from which Endpoint Encryption module
the error message was generated.

Error Code  Module 

1c00  IPC 

5501  SBHTTP Page Errors 

5502  SBHTTP User Web Recovery 

5c00  SBCOM Protocol 

5c02  SBCOM Crypto 

a100  ALG 

c100  Scripting 

db00  Database Misc 

db01  Database Objects 

db02  Database Attributes 

e000  Endpoint Encryption General 

e001  Endpoint Encryption Tokens 

e002  Endpoint Encryption Disk 

e003  Endpoint Encryption SBFS 

e004  Endpoint Encryption BootCode 

e005  Endpoint Encryption Client 

e006  Endpoint Encryption Algorithms 

e007  Endpoint Encryption Users 

e010  Endpoint Encryption Keys 

e011  Endpoint Encryption File 

e012  Endpoint Encryption Licenses 

e013  Endpoint Encryption Installer 

e014  Endpoint Encryption Hashes 

e015  Endpoint Encryption App Control 

e016  Endpoint Encryption Admin 
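
An error code is eight hex digits whose first four are the module prefix from the table above and whose last four are the error number within that module, so a code pulled from a client log or a support ticket can be attributed to a module without looking it up by hand. The following is an added example, not part of the product: it decodes a code, optionally attaches a message text, and tallies codes by module over free-text log lines. The module names come from the table above, the handful of message strings from the per-module tables later in this chapter (the full set is in sberrors.ini), and the log lines are constructed.

```python
"""Decode Endpoint Encryption error codes into module + error number.
Added example, not product code."""
import re

# Module prefixes from the table above: the first four hex digits of a code.
MODULES = {
    "1c00": "IPC",
    "5501": "SBHTTP Page Errors",
    "5502": "SBHTTP User Web Recovery",
    "5c00": "SBCOM Protocol",
    "5c02": "SBCOM Crypto",
    "a100": "ALG",
    "c100": "Scripting",
    "db00": "Database Misc",
    "db01": "Database Objects",
    "db02": "Database Attributes",
    "e000": "Endpoint Encryption General",
    "e001": "Endpoint Encryption Tokens",
    "e002": "Endpoint Encryption Disk",
    "e003": "Endpoint Encryption SBFS",
    "e004": "Endpoint Encryption BootCode",
    "e005": "Endpoint Encryption Client",
    "e006": "Endpoint Encryption Algorithms",
    "e007": "Endpoint Encryption Users",
    "e010": "Endpoint Encryption Keys",
    "e011": "Endpoint Encryption File",
    "e012": "Endpoint Encryption Licenses",
    "e013": "Endpoint Encryption Installer",
    "e014": "Endpoint Encryption Hashes",
    "e015": "Endpoint Encryption App Control",
    "e016": "Endpoint Encryption Admin",
}

# A few message texts copied from the tables that follow; the complete
# list lives in sberrors.ini.
MESSAGES = {
    "5c00001e": "Wrong Endpoint Encryption Communications Protocol Version",
    "db000005": "Authentication was not successful.",
    "db010006": "Insufficient privilege level",
    "e0010005": "The token is invalidated due to too many invalid logon attempts",
    "e0010006": "Too many incorrect authentication attempts",
    "e0050018": "A possible virus has been detected",
}

_CODE = re.compile(r"\[?([0-9a-fA-F]{8})\]?")


def decode_error_code(code):
    """'[db010006]' or 'db010006' -> module, module prefix, number, message."""
    m = _CODE.fullmatch(code.strip())
    if not m:
        raise ValueError(f"not an 8-hex-digit error code: {code!r}")
    code = m.group(1).lower()
    module_code = code[:4]
    return {
        "code": code,
        "module_code": module_code,
        "module": MODULES.get(module_code, "unknown module"),
        "number": int(code[4:], 16),
        "message": MESSAGES.get(code),
    }


# Constructed log lines in the shape a client log might take.
SAMPLE_LOG = [
    "2010-03-01 09:12:44 SbClient sync failed [5c00001e]",
    "2010-03-01 09:14:02 SbClient logon refused [e0010005] user=jdoe",
    "2010-03-01 09:14:09 SbClient logon refused [e0010006] user=jdoe",
]


def scan_log(lines):
    """Decode every [xxxxxxxx] code found in the given log lines, in order."""
    found = []
    for line in lines:
        for m in re.finditer(r"\[([0-9a-fA-F]{8})\]", line):
            found.append(decode_error_code(m.group(1)))
    return found


def count_by_module(lines):
    """Tally decoded codes per module: the first triage cut over a log."""
    counts = {}
    for entry in scan_log(lines):
        counts[entry["module"]] = counts.get(entry["module"], 0) + 1
    return counts


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(entry["code"], entry["module"], entry["message"])
    print(count_by_module(SAMPLE_LOG))
```

Grouping by module is the useful first cut when reviewing logs from many machines: a run of Tokens-module codes such as e0010005/e0010006 against one user name is an authentication problem to follow up, whereas a run of SBCOM Protocol codes points at server or version configuration.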

1C00 IPC Errors

Code  Message and Description 

[1c000001]  Timeout during IPC 

[1c000002]  IPC terminated 

[1c000003]  Unable to initialise IPC 

[1c000004]  Unknown or unsupported function 

[1c000005]  Request to send data that is too big 

[1c000006]  Timeout sending data 

[1c000007]  Timeout waiting for reply 

[1c000008]  Out of memory 

5C00 Communications Protocol


Code  Message and Description 

[5c000000]  Unsupported version 

The server and client are not talking the same communications 
protocol version 

[5c000005]  Out of memory 

[5c000008]  A corrupt or unexpected message was received 

[5c000009]  Unable to load the Windows TCP/IP library (WSOCK32.DLL) 

Check that the TCP/IP protocol is installed 

[5c00000a]  Communications library not initialised 

This is an internal programmatic error 

[5c00000c]  Unable to create TCP/IP socket 

[5c00000d]  Failed while listening on a TCP/IP socket 

[5c00000e]  Unable to convert a host name to an IP address 

Check the host file or the DNS settings 

[5c00000f]  Failed to connect to the remote computer 

The computer may not be listening or it is too busy to accept 
connections 

[5c000010]  Failed while accepting a new TCP/IP connection 

[5c000011]  Failed while receiving communications data 

The remote computer may have reset the connection 

[5c000012]  Failed while sending communications data 

[5c000013]  Invalid communications configuration 

[5c000014]  Invalid context handle 

[5c000015]  A connection has already been established 

[5c000016]  No connection has been established 

[5c000017]  Request for an unknown function has been received 

[5c000018]  Unsupported or corrupt compressed data received 

[5c000019]  Data block is too big 

[5c00001a]  Data of an unexpected length has been received 

[5c00001b]  Message too big to be received 

This may occur if an attempt is made to import large amounts of 
data into the database (e.g. a file) 

[5c00001c]  Unable to create thread mutex 

[5c00001d]  Message too big to be sent 

This may occur if an attempt is made to import large amounts of 
data into the database (e.g. a file) 

[5c00001e]  Wrong Endpoint Encryption Communications Protocol Version 

You are most likely trying to connect to a v4 Endpoint Encryption 
Server using a v5 Server definition with server authentication 
enabled.  

Check that you do not have both v4 and v5 servers running 
(perhaps as a service) at the same time. 

5C02 Communications Cryptographic


Code  Message and Description 

[5c020000]  The Diffie-Hellman data is invalid or corrupt 

[5c020001]  An unsupported encryption algorithm has been requested 

[5c020002]  An unsupported authentication algorithm has been requested 

[5c020003]  Unable to sign data 

[5c020004]  Authentication signature is not valid 

[5c020005]  Authentication parameters are invalid or corrupt 

[5c020006]  Failed while generating DSA parameters 

[5c020007]  No session key has been generated 

[5c020008]  Unable to authenticate user 

[5c020009]  Session key too big 

A100 Algorithm Errors


Code  Message and Description 

[a1000000]  Not enough memory 

[a1000001]  Unknown or unsupported function 

[a1000002]  Invalid handle 

[a1000003]  Encryption key is too big 

[a1000004]  Encryption key is too small 

[a1000005]  Unsupported encryption mode 

[a1000006]  Invalid memory address 

[a1000007]   Invalid key data 

DB00 Database Errors


Code  Message and Description 

[db000000]  Out of memory 

[db000001]  More data is available 

[db000002]  The database has not been created or initialised yet 

Check the database path or create a new database. To force the 
new database wizard to be run, delete the SDMCFG.INI file and 
restart the administration program. 

[db000003]  Invalid context handle 

[db000004]  The name was not found in the database 

[db000005]  Authentication was not successful.  

Check that you have the correct token for this database 

[db000006]   Unknown database 

[db000007]   Invalid database type 

[db000008]   The database could not be found. Check the database path 
settings 

[db000009]   Database already exists. 

Choose a different database path 

[db00000a]   Unable to create the database  

Check the path settings and make sure you have write access to 
the directory 

[db00000b]  Invalid database handle 

[db00000c]  The database is currently in use by another entity 

You cannot delete a database while someone is using it 

[db00000d]   Unable to initialise the database 

[db00000e]   User aborted 

[db00000f]  Memory access violation 

[db000010]   Invalid string 

[db000011]  No default group has been defined 

[db000012]  The group could not be found 

[db000013]  File not found 

[db000014]  Unable to read file 

[db000015]  Unable to create file 

[db000016]  Unable to write to file 

[db000017]  File corrupt 

[db000018]  Invalid function 

[db000019]  Unable to create mutex 

[db00001a]  Invalid license  

The license has been modified so that the signature is now invalid

[db00001b]  License has expired 

[db00001c]  The license is not for this database  

Check the database ID and ensure it is the same as the one 
specified in the license. Each time you create a new database, a 
different ID is generated. There is no way to change the ID of a 
database. 

[db00001d]  You do not have permission to access the object 

[db00001e]  Endpoint Encryption is currently busy with another task. Please 
wait for it to complete and try again. 

This usually means that your hard disks are in the process of 
being encrypted or decrypted. You can check the current 
Endpoint Encryption status from the right‐click menu of the 
Endpoint Encryption task bar icon. 

[db00001f]  Endpoint Encryption is still installed on this machine 

[db000020]  Buffer too small 

[db000021]  The requested function is not supported 

[db000022]  Unable to update the boot sector 

The disk may be in use by another application or Explorer itself. 
The disk may be protected by an anti-virus program. 

DB01 Database Objects


Code  Message and Description 

[db010000]  The object is locked 

Someone else is currently updating the same object 

[db010001]  Unable to get the object ID 

[db010002]  Unable to change the object's access mode 

Someone else may be accessing the object at the same time. If 
you are trying to write to the object while someone else has the 
object open for reading, you will not be able to change to write 
mode. 

[db010003]  Object is in wrong access mode 

[db010004]  Unable to create the object in the database 

The disk may be full or write protected 

[db010005]  Operation not allowed on the object type 

[db010006]  Insufficient privilege level 

You do not have the access rights required to access the object. 

[db010007]  The object status is disabled 

This is usually associated with User objects. Disabling the user's 
object prevents them logging on until their account is re-enabled. 

[db010008]  The object already exists 

[db01000f]  The object is in use 

[db010010]  Object not found 

The object has been deleted from the database 

[db010011]  License has been exceeded for this object type 

Check that your licenses are still valid and if not obtain further 
licenses if necessary 

DB02 Database Attributes


Code  Message and Description 

[db020000]  Attribute not found 

[db020001]  Unable to update attribute 

[db020002]  Unable to get attribute data 

[db020003]  Invalid offset into attribute data 

[db020004]  Unable to delete attribute 

[db020005]  Incorrect attribute length 

[db020006]  Attribute data required 

E000 Endpoint Encryption General


Code  Message and Description 

[e0000000]  User aborted 

[e0000001]  Insufficient memory 

[e0000002]  Invalid date/time 

[e0000010]  Invalid date/time. Clock is reporting a time before 1992 or after 
2038. 

E001 Tokens
Code  Message and Description 

[e0010000]  General token error 

[e0010001]  Token not logged on 

[e0010002]  Token authentication parameters are incorrect 

[e0010003]  Unsupported token type 

[e0010004]  Token is corrupt 

[e0010005]  The token is invalidated due to too many invalid logon attempts 

[e0010006]  Too many incorrect authentication attempts 

[e0010007]  Token recovery key incorrect  

[e0010010]  The password is too small 

[e0010011]  The password is too large 

[e0010012]  The password has already been used before. Please choose a 
new one. 

[e0010013]  The password content is invalid 

[e0010014]  The password has expired 

[e0010015]  The password is the default and must be changed. 

[e0010016]  Password change is disabled 

[e0010017]  Password entry is disabled 

[e0010020]  Unknown user 

[e0010021]  Incorrect user key 

[e0010022]  The token is not the correct one for the user 

[e0010023]  Unsupported user configuration item 

[e0010024]  The user has been invalidated 

[e0010025]  The user is not active 

[e0010026]  The user is disabled 

[e0010027]  Logon for this user is not allowed at this time 

[e0010028]  No recovery key is available for the user 

[e0010030]  The algorithm required for the token is not available 

[e0010040]  Unknown token type 

[e0010041]  Unable to open token module 

[e0010042]  Unable to read token module 

[e0010043]  Unable to write token module 

[e0010044]  Token file not found 

[e0010045]  Token type not present 

[e0010046]  Token system class is not available 

[e0018000]  Sony Puppy requires fingerprint 

[e0018001]  Sony Puppy requires password 

[e0018002]  Sony Puppy not trained 

E002 Endpoint Encryption Disk


Code  Message and Description 

[e0000002]  Invalid date/time 

[e0020000]  No more data is available 

[e0020001]  No more data is available 

[e0020002]  Unsupported disk driver function 

[e0020003]  Invalid disk driver request 

[e0020004]  Disk request buffer too small 

[e0020005]  Unsupported encryption algorithm 

[e0020006]  Unknown disk number 

[e0020007]  Error reading disk sector 

[e0020008]  Error writing disk sector 

[e0020009]  Unable to get disk partition information 

[e002000a]  Endpoint Encryption disk information not present 

[e002000b]  Not enough space for the Endpoint Encryption disk information 

[e002000c]  The Endpoint Encryption disk information is invalid 

[e002000d]  Sector not valid for Endpoint Encryption disk information use 

[e002000e]  Sector chain is invalid 

[e002000f]  Sector chain type incorrect 

[e0020010]  Sector chain sequence number incorrect 

[e0020011]  Sector chain checksum invalid 

[e0020012]  Crypt state information too big for available space 

[e0020013]  Crypt list full 

[e0020014]  Crypt range too big. 

[e0020015]  Attempt to crypt while in power fail state not allowed 

[e0020016]  Attempt to crypt in-progress I/O 

[e0020017]  Error communicating with Endpoint Encryption disk driver 

[e0020018]  Endpoint Encryption disk driver not present 

[e0020019]  Unsupported disk driver version 

[e002001a]  No encryption key has been set 

[e002001b]  Unable to find the system boot disk 

[e002001c]  Unknown message slot 

[e002001d]  Message slot data too large 

[e002001e]  Unable to lock floppy disk driver for access 

[e002001f]  Unable to access floppy disk 

[e0020020]  The boot disk type is not supported 

[e0020021]  Access to driver not permitted 

E003 Endpoint Encryption SBFS


Code  Message and Description 

[e0030001]  The SafeBoot File System is already mounted 

[e0030002]  Unable to mount the Endpoint Encryption File System 

[e0030003]  Unable to unmount the Endpoint Encryption File System 

[e0030004]  The Endpoint Encryption File System is not mounted 

[e0030005]  Error reading Endpoint Encryption File System sector 

[e0030006]  Error writing Endpoint Encryption File System sector 

[e0030007]  Endpoint Encryption File System too fragmented 

[e0030008]  Endpoint Encryption File System size invalid 

[e0030009]  Error creating Endpoint Encryption File System host file 

[e003000a]  Error reading Endpoint Encryption File System host file 

[e003000b]  Error writing Endpoint Encryption File System host file 

[e003000c]  Error setting Endpoint Encryption File System host file pointer 

[e003000d]  Unable to locate sectors corresponding to the Endpoint 
Encryption File System host file 

[e003000e]  No host driver found for the Endpoint Encryption File System 

E004 Boot Code Image


Code  Message and Description 

[e0040001]  Unable to open boot code image file 

[e0040002]  Error reading boot code image file 

[e0040003]  Boot code image file too big 

[e0040004]  Error creating boot code image host file 

[e0040005]  Error reading boot code image host file 

[e0040006]  Error writing boot code image host file 

[e0040007]  Error setting boot code image host file pointer 

[e0040008]  Unable to locate boot code image host file sectors 

[e0040009]  No host driver found for boot code image file 

[e004000a]  Unhandled instruction 

[e004000b]  Invalid instruction 

[e004000c]  Protected mode General Protection Fault 

E005 Client
Code  Message and Description 

[e0050001]  Endpoint Encryption Client not activated 

[e0050002]  The Endpoint Encryption Client is already activated 

[e0050003]  The Endpoint Encryption Client activation is already in progress 

[e0050004]  The wrong version of the Endpoint Encryption Client is currently 
active 

[e0050005]  Unable to save original MBR 

[e0050006]  Disk Manager not open 

[e0050007]  Unable to load MBR copy 

[e0050008]  Unable to load the Endpoint Encryption MBR 

[e005000a]  Too many work items to perform encryption. 

[e005000b]  Endpoint Encryption MBR invalid 

[e005000c]  Endpoint Encryption Client sync failed to start 

[e005000d]  Endpoint Encryption Client sync already in progress 

[e005000e]  Key not available to the Endpoint Encryption Client 

[e005000f]  The recovery key is incorrect 

[e0050010]  Failed to start cryption 

[e0050011]  Cryption already in progress 

[e0050012]  The hard disk key is incorrect 

[e0050013]  The machine configuration is corrupt or invalid 

[e0050014]  Unable to load string data 

[e0050015]  String data is invalid 

[e0050016]  Incorrect user logon 

[e0050017]  The isolation period has expired 

[e0050018]  A possible virus has been detected 

[e0050019]  Recovery data is invalid 

[e005001a]  Recovery file version unsupported 

[e005001b]  Invalid recovery command 

[e005001c]  Invalid recovery type 

[e005001d]  Recovery data not found 

[e005001d]  Client not initialized for emergency boot 

[e0050020]  Unable to open the client data store 

[e0050021]  The client data store is not open 

[e0050022]  The client data store already exists 

[e0050023]  Error creating client data store 

[e0050024]  Unable to create client data store directory 

[e0050025]  Client data store in use 

[e0050026]  Unable to delete client data store 

[e0050027]  The client data store is corrupt 

[e0050028]  Unsupported client data store version 

[e0050030]  Client data store object not found 

[e0050031]  Client data store object not open 

[e0050032]  Client data store object not exclusive 

[e0050033]  Client data store object ID invalid 

[e0050034]  Client data store object ID already exists 

[e0050035]  Unable to create client data store object directory 

[e0050036]  Client data store object name already exists 

[e0050037]  Unable to read client data store object name 

[e0050038]  Unable to write client data store object name 

[e0050040]  Unable to remove client data store object 

[e0050041]  Client data store attribute not found 

[e0050042]  Client data store attribute not open 

[e0050043]  Unable to open client data store attribute 

[e0050044]  Unable to create client data store attribute 

[e0050045]  Unable to read client data store attribute 

[e0050046]  Unable to write data store attribute 

[e0050047]  Client data store attribute version incorrect 

[e0050048]  Client data store attribute corrupt 

[e0050049]  Invalid size of client data store attribute 

[e005004a]  Access denied to client data store attribute 

[e0050060]  Upgrade of client is not possible 

[e0050061]  Upgrade old SbFs is invalid 

[e0050062]  Upgrade old SbFs not found 

[e0050063]  Upgrade old SbFs drive not found 

[e0050064]  Upgrade, unable to read old SbFs 

[e0050065]  Upgrade, old machine configuration invalid 

[e0050066]  Upgrade, invalid user data. 

[e0050067]  Upgrade, user directory version invalid 

[e0050068]  Upgrade, invalid user directory 

[e0050069]  Upgrade, unable to get original MBR 

[e005006a]  Upgrade, unable to get audit data 

E006 Algorithms
Code  Message and Description 

[e0060001]  Unknown encryption algorithm 

[e0060002]  Unable to install pre‐boot encryption algorithm module 

[e0060003]  Error relocating 16-bit encryption algorithm code 

[e0060004]  Error initializing 16‐bit encryption algorithm module 

[e0060005]  16‐bit encryption algorithm module invalid 

E007 Readers
Code  Message and Description 

[e0070001]  Unknown reader type 

[e0070002]  Unable to open reader module 

[e0070003]  Unable to read reader module 

[e0070004]  Unable to write reader module 

[e0070005]  Reader failure 

[e0070006]  Unable to create reader context 

[e0070007]  Invalid reader parameter 

[e0070008]  Reader not present 

[e0070009]  Reader timeout 

[e007000a]  Reader sharing violation 

[e007000b]  Token not present in reader 

[e007000c]  Reader protocol mismatch 

[e007000d]  Reader communications error 

[e007000e]  Token not powered in reader 

[e007000f]  Token not reset in reader 

[e0070010]  Token removed from reader 

E008 Users
Code  Message and Description 

[e0080001]  User configuration invalid or corrupt 

[e0080002]  User information field index invalid 

[e0080003]  User has no hard disk encryption key  

E010 Keys
Code  Message and Description 

[e0100001]  Encryption key too big 

[e0100002]  Encryption key size invalid 

E011 Files
Code  Message and Description 

[e0110001]  Unable to create file 

[e0110002]  Unable to open file 

[e0110003]  Error reading file 

[e0110004]  Error writing file 

[e0110005]  Error setting file pointer 

[e0110006]  Error getting file size 

E012 Licences
Code  Message and Description 

[e0120001]  License invalid 

[e0120002]  License expired 

[e0120003]  License is not for this database 

[e0120004]  License count exceeded 

E013 Installer
Code  Message and Description 

[e0130002]  No installer executable stub found 

[e0130003]  Unable to read installer executable stub 

[e0130004]  Unable to create file  

[e0130005]  Error writing file 

[e0130006]  Error opening file 

[e0130007]  Error reading file 

[e0130008]  Installer file invalid 

[e0130009]  No more files to install 

[e013000a]  Install archive block data too large 

[e013000b]  Install archive data not found 

[e013000c]  Install archive decompression failed 

[e013000d]  Unsupported installer archive compression type 

[e013000e]  Installation error 

[e013000f]  Unable to create temporary directory 

[e0130010]  Error registering module 

E014 Hashes
Code  Message and Description 

[e0140001]  Insufficient memory 

[e0140002]  Error opening hashes file 

[e0140003]  Error reading hashes file 

[e0140004]  Hashes file invalid 

[e0140005]  Unable to create hashes file 

[e0140006]  Error writing hashes file 

[e0140007]  Hashes file is not open 

[e0140008]  Hashes file data invalid 

[e0140009]  Hashes file data too big 

[e014000a]  User aborted 

E015 Application Control


Code  Message and Description 

[e0150001]  Insufficient memory 

[e0150002]  Application control invalid parameter 

[e0150003]  Error communicating with application control driver 

[e0150004]  Application control driver not installed 

[e0150005]  Error opening application control log file 

[e0150006]  Invalid hashes object list 

E016 Administration Center


Code  Message and Description 

[e0160001]  Invalid plugin information 

xxH: BIOS
If Endpoint Encryption’s boot loader detects a hardware error from the BIOS, it reports
the standard error code in the format “Endpoint Encryption ?? Error code H??”

The following list of codes may be reported:

Code  Message and Description 

01H  Invalid function call  

02H  Address mark not found  

03H  Disk is write protected  

04H  Sector not found  

05H  Reset failed (hard disk)  

06H  Diskette has been changed  

07H  Drive parameter activity failed (hard disk)  

08H  DMA overrun  

09H  DMA attempted across 64K boundary  

0AH  Bad sector flag detected (hard disk)  

0BH  Bad track detected (hard disk) 

0CH  Unsupported track or invalid media  

0DH  Invalid number of sectors for Format (hard disk)  

0EH  Control data address mark detected (hard disk)  

0FH  DMA arbitration level out of range (hard disk) 

10H  Uncorrectable CRC or ECC error on read  

11H  ECC corrected data error (hard disk)  

20H  Disk controller failure 

31H  No media in drive  

32H  Drive does not support media type  

40H  Seek failed  

80H  Timeout (disk not ready)  

AAH  Drive not ready  

B0H  Volume not locked in drive (INT 13 extensions)  

B1H  Volume locked in drive (INT 13 extensions)  

B2H  Volume not removable (INT 13 extensions)  

B3H  Volume in use (INT 13 extensions)  

B4H  Lock count exceeded (INT 13 extensions)  

B5H  Valid eject request failed (INT 13 extensions)  

BBH  Undefined error (hard disk)  

CCH  Write fault (hard disk)  

E0H  Status register error (hard disk)  

FFH  Sense failed (hard disk) 


Technical Specifications and Options


The following options are available from Endpoint Encryption but may not be included
on your install CD, or be appropriate for your version of Endpoint Encryption. Please
contact your Endpoint Encryption representative for information if you wish to use one
of these optional components.

Encryption Algorithms
Endpoint Encryption supports many custom algorithms. Only one algorithm can be
used in an Endpoint Encryption Enterprise.

Algorithm performance is based on the “PassMark” rating which gives an overall
indication of system performance. All tests were performed on a K6-II-300 machine
running NT4.0. This test platform has a PassMark of 20.7. The closer to this figure an
algorithm gets, the less the impact of Endpoint Encryption on the user. Faster
machines will achieve correspondingly higher PassMark ratings, but the percentage
difference between them will be comparable.

RC5-12 (FASTEST)
CBC Mode, 1024 bit key, 12 rounds, 64 bit blocks. PassMark 20.7 (100%)

RC5-18
CBC Mode, 1024 bit key, 18 rounds, 64 bit blocks. PassMark 20.7 (100%)

The 18 round RC5 variant is designed to prevent the theoretical “Known Plaintext”
attack.

AES-FIPS (FIPS 140-2 Approved) - RECOMMENDED
CBC Mode, 256 bit key, 128 bit blocks. PassMark 19.3 (93%)

This algorithm is approved for FIPS 140-2 use.
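The two RC5 options above are the same cipher with a different round count: RC5 is parameterised by word size, rounds and key length, and the 64-bit block size comes from its 32-bit words. As an added example (not McAfee's implementation; the product's IV handling, key derivation and sector layout are not described on this page), here is RC5 with 32-bit words in CBC mode, where the RC5-12 and RC5-18 variants differ only in the `rounds` argument and the key schedule accepts a 128-byte (1024-bit) key. The zero-key, zero-block check is the first published RC5-32/12/16 test vector; all function names and the sample key, IV and data are this example's own.

```python
"""RC5 (32-bit words, 64-bit blocks, r rounds) in CBC mode.
Added example, not product code; parameters follow the RC5-12/RC5-18
entries above."""
MASK32 = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9   # RC5 key-schedule constants for w = 32


def _rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def _rotr(x, n):
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK32


def rc5_expand_key(key, rounds):
    """Rivest's key schedule: returns t = 2*(rounds+1) subkey words."""
    if not 0 < len(key) <= 255:
        raise ValueError("RC5 key must be 1..255 bytes")
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in reversed(range(len(key))):            # little-endian word load
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK32
    t = 2 * (rounds + 1)
    S = [0] * t
    S[0] = P32
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK32
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):                 # mix key bytes into S
        A = S[i] = _rotl((S[i] + A + B) & MASK32, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK32, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc5_encrypt_block(S, block, rounds):
    A = (int.from_bytes(block[:4], "little") + S[0]) & MASK32
    B = (int.from_bytes(block[4:], "little") + S[1]) & MASK32
    for i in range(1, rounds + 1):
        A = (_rotl(A ^ B, B) + S[2 * i]) & MASK32
        B = (_rotl(B ^ A, A) + S[2 * i + 1]) & MASK32
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def rc5_decrypt_block(S, block, rounds):
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:], "little")
    for i in range(rounds, 0, -1):
        B = _rotr((B - S[2 * i + 1]) & MASK32, A) ^ A
        A = _rotr((A - S[2 * i]) & MASK32, B) ^ B
    A = (A - S[0]) & MASK32
    B = (B - S[1]) & MASK32
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def rc5_cbc_encrypt(key, iv, data, rounds):
    """CBC over 8-byte blocks; data must already be a multiple of 8 bytes."""
    if len(iv) != 8 or len(data) % 8:
        raise ValueError("IV must be 8 bytes and data a multiple of 8 bytes")
    S = rc5_expand_key(key, rounds)
    out, prev = bytearray(), iv
    for off in range(0, len(data), 8):
        prev = rc5_encrypt_block(S, bytes(x ^ y for x, y in zip(data[off:off + 8], prev)), rounds)
        out += prev
    return bytes(out)


def rc5_cbc_decrypt(key, iv, data, rounds):
    if len(iv) != 8 or len(data) % 8:
        raise ValueError("IV must be 8 bytes and data a multiple of 8 bytes")
    S = rc5_expand_key(key, rounds)
    out, prev = bytearray(), iv
    for off in range(0, len(data), 8):
        ct = data[off:off + 8]
        out += bytes(x ^ y for x, y in zip(rc5_decrypt_block(S, ct, rounds), prev))
        prev = ct
    return bytes(out)


def known_answer_test():
    """RC5-32/12/16 with an all-zero key and block: published ciphertext
    words EEDBA521 6D8F4B15, i.e. bytes 21 A5 DB EE 15 4B 8F 6D."""
    S = rc5_expand_key(bytes(16), 12)
    return rc5_encrypt_block(S, bytes(8), 12) == bytes.fromhex("21a5dbee154b8f6d")


if __name__ == "__main__":
    key, iv = bytes(range(128)), bytes(8)           # constructed 1024-bit key and IV
    ct = rc5_cbc_encrypt(key, iv, b"sector data " * 4, 18)
    print(known_answer_test(), ct.hex())
```

Running the known-answer check first is the habit worth keeping with any hand-written cipher: a round-trip test passes even when both directions share the same bug, whereas matching a published vector does not.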

Smart Card Readers


The following smart card readers are supported.

PCMCIA Smart Card Readers


• SCR243 / SCR201 PCMCIA smart card reader and compatibles (such as HP DC350B,
ActivIdentity and others). See http://www.scmmicro.com/security/SCR243.html for
more information.

• SCR201 and compatibles such as PCSR and Cisco PCMCIA readers

Generic USB CCID Smart Card Reader and compatibles


This module provides support for the following devices:

• Universal CCID USB smart card reader support (supports all industry standard
CCID readers)

• Dell D620 Integrated Smart Card Reader

• Gemplus GemPC430 USB Smart Card Reader

• Omnikey 3121 USB Smart Card Reader

• ACR38 USB Smart Card Reader

USB Smart Card Reader non CCID


Mako DT3500 Desktop smart card reader with USB Interface.

PCI Smart Card Readers


• HP 6400 Integrated Smart Card Reader

• Dell D610/810 Integrated Smart Card Reader

Tokens
Please see the Using Tokens with Endpoint Encryption for PC chapter for further
information.

For the latest list of authentication methods using smart cards, tokens, fingerprint
readers please consult your McAfee representative.

Language Support
Client
Pre-Boot Languages (auto detect)

Arabic                       Italian
Czech                        Japanese
Chinese (Simplified)         Korean
Chinese (Traditional)        Polish
Dutch                        Portuguese
English (United Kingdom)     Russian
English (United States)      Slovak Republic
Estonian                     Swedish
German                       Spanish
Hungarian                    Turkish

Pre-Boot Keyboards (auto detect)

Arabic 101                   Greek 319
Arabic 102                   Greek 220 Latin
Arabic AZERTY                Greek 319 Latin
Belgian Comma                Hebrew
Belgian Period               Hungarian
Canadian Multilingual        Italian
Canadian French              Icelandic
Canadian French Legacy       Irish
Chinese Bopomofo             Japanese
Chinese ChaiJei              Kazakh
Croatian                     Korean
Czech (Czech Republic)       Latin American
Czech (QWERTY)               Norwegian
Czech (Programmers)          Norwegian with Sami
Danish                       Polish 214
Dutch                        Polish Programmers
English (United States)      Portuguese Brazil
English (United Kingdom)     Portuguese Portugal
English (US International)   Romanian
English (UK Extended)        Russian
Estonian                     Russian Typewriter
French (Belgium)             Slovak
French (France)              Slovak QWERTY
French (Canada)              Slovenian
French (Swiss)               Spanish (Spain)
Finnish                      Spanish (International)
Gaelic                       Spanish Variant
German (Standard)            Swedish
German (IBM)                 Swiss German
Greek                        Thai Kedmanee
Greek Latin                  Turkish F
Greek 220                    Turkish Q
US Dvorak

Most of the keyboard layouts also support On-Screen representations.

Please note: other languages are available on request. We are continuously updating
our language translations and encourage feedback from our users.

Windows Languages (auto detect)

English (United Kingdom)
English (United States)

System Requirements
Implementation documentation discussing appropriate hardware for typical
installations of Endpoint Encryption is available from your representative.

Client
• Windows 2000, XP, 2003 Server, Vista 32bit (all versions), Vista 64bit (all
versions)

• 128MB RAM, or OS Minimum specification

• 5-35MB free hard disk space (depending on localization and number of desired
users)

• Pentium compatible processor, multi-processor (up to 32 way), dual-core and
hyper threading processors, Pentium-compatible processors such as AMD
processors.

• For remote administration, a TCP/IP network connection is required.


Appendix
Legal Notices:
McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766,
www.mcafee.com

McAfee, SafeBoot and/or other noted McAfee related products contained herein are
registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US
and/or other countries. McAfee Red in connection with security is distinctive of McAfee
brand products. Any other non-McAfee related products, registered and/or
unregistered trademarks contained herein is only by reference and are the sole
property of their respective owners. © 2007 McAfee, Inc. All rights reserved.

Your rights to install, run, copy, reproduce, distribute or make any other use of the
accompanying software is subject to your license agreement with McAfee, Inc. If you
have any questions, please review your software license or contact your McAfee
representative.

McAfee SafeBoot products make use of the following third party open source
technologies:

• ZLIB, a general compression library

• OpenSSL/OpenSSLeay - a general SSL/PKI communications library

• OpenLDAP - a general LDAP library

Open Source Components License Details

Communications Layer - ZLIB
==================

License
/* zlib.h -- interface of the 'zlib' general purpose compression library
version 1.2.2, October 3rd, 2004

Copyright (C) 1995-2004 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.

Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not
claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu

*/

Communications Layer and LDAP Connector - OpenSSL/OpenSSLEAY
=========================================

LICENSE ISSUES
==============

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
the OpenSSL License and the original SSLeay license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-style
Open Source licenses. In case of any license issues related to OpenSSL
please contact openssl-core@openssl.org.

OpenSSL License
---------------

/* ====================================================================
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/

Original SSLeay License
-----------------------

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/

Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.

This software is not subject to any license of the American Telephone
and Telegraph Company or of the Regents of the University of California.

Permission is granted to anyone to use this software for any purpose on
any computer system, and to alter it and redistribute it, subject
to the following restrictions:

1. The author is not responsible for the consequences of use of this
software, no matter how awful, even if they arise from flaws in it.

2. The origin of this software must not be misrepresented, either by
explicit claim or by omission. Since few users ever read sources,
credits must appear in the documentation.

3. Altered versions must be plainly marked as such, and must not be
misrepresented as being the original software. Since few users
ever read sources, credits must appear in the documentation.

4. This notice may not be removed or altered.

LDAP Connector - OpenLDAP
=================

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
/*-
* Copyright (c) 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)COPYRIGHT 8.1 (Berkeley) 3/16/94
*/

LDAP Connector - The OpenLDAP Public License
=============================

Version 2.0.1, 21 December 1999
Copyright 1999, The OpenLDAP Foundation, Redwood City, California, USA.
All Rights Reserved.

Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided
that the following conditions are met:

1. Redistributions of source code must retain copyright
statements and notices. Redistributions must also contain a
copy of this document.

2. Redistributions in binary form must reproduce the
above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other
materials provided with the distribution.

3. The name "OpenLDAP" must not be used to endorse or promote
products derived from this Software without prior written
permission of the OpenLDAP Foundation. For written permission,
please contact foundation@openldap.org.

4. Products derived from this Software may not be called "OpenLDAP"
nor may "OpenLDAP" appear in their names without prior written
permission of the OpenLDAP Foundation. OpenLDAP is a trademark
of the OpenLDAP Foundation.

5. Due credit should be given to the OpenLDAP Project
(http://www.openldap.org/).

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

Making Endpoint Encryption for PC FIPS Compliant

The following procedures must be followed to operate the McAfee Endpoint Encryption for
PC cryptographic module in a FIPS Approved mode:

1. The module software must be operating in "FIPS" mode. This is done by
setting the FIPS registry key value from 0 (disabled) to 1 (enabled). The first
step is to create a FIPS registry script (see Appendix A for details). Once the
file is created, right-click on the newly created .reg file and select Merge from
the drop-down menu.

2. To verify that the registry has been updated properly, the user must install a
registry editor, navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier
and verify that the value of FipsMode equals 1.

3. All application databases and external media on the device where McAfee
Endpoint Encryption for PCs has been installed MUST be fully encrypted. This is
performed by setting the module’s internal memory encryption parameter to
Encrypt Entire Device.

4. The PC used to run the McAfee Endpoint Encryption for PC Client must be built
using production grade components and configured in a single operator
mode. To do this, the following operating system services must be
disabled:

• Fast user switching

• Terminal services

• Remote registry service

• Secondary logon service

• Telnet service

• Remote desktop and Remote assistance services

Creating the FIPS enable script

The following needs to be saved to a text file with the extension ".reg" and then
merged into the registry as a requirement for installing the module in a FIPS-compliant
mode of operation:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier]
"FipsMode"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\1]
"Path"="c:\\windows\\system32\\drivers\\SafeBoot.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsvLock\Verifier\2]
"Path"="c:\\windows\\system32\\drivers\\SbAlg.sys"

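Merging the script and eyeballing one value in a registry editor shows that the FipsMode flag was written, but not that the rest of the FIPS-mode procedure above (the verifier's driver entries, and the single operator mode of step 4) actually holds on a given client. The following read-only check is an added example written for this guide, not a McAfee tool or part of the product. It assumes Windows PowerShell is installed on the client and run from an elevated prompt, that the Verifier key has the layout of the .reg script above, and that the service names in the services table (TermService, RemoteRegistry, seclogon, TlntSvr), the AllowMultipleTSSessions value under Winlogon and the fAllowToGetHelp value under Terminal Server are the correct mapping of the items in step 4 for your Windows version; those mappings are assumptions, so adjust them to the edition you deploy.

```powershell
# Added example (not McAfee's own tooling): read-only check that a client
# matches the FIPS-mode configuration described in this appendix.
# Assumptions: Windows PowerShell is present, the script runs elevated, and
# the Verifier key layout matches the .reg script above.

$verifierKey = 'HKLM:\System\CurrentControlSet\Services\RsvLock\Verifier'
# Driver file names taken from the .reg script above.
$expectedDrivers = @('SafeBoot.sys', 'SbAlg.sys')
# Assumed mapping of the step 4 display names to Windows service names.
# Fast user switching and Remote Assistance are policy settings, not
# services, and are checked separately below.
$services = @{
    'TermService'    = 'Terminal Services / Remote Desktop'
    'RemoteRegistry' = 'Remote Registry'
    'seclogon'       = 'Secondary Logon'
    'TlntSvr'        = 'Telnet'
}

$failures = @()

# Step 2: FipsMode must equal 1 under the Verifier key.
if (-not (Test-Path -Path $verifierKey)) {
    $failures += "Verifier key not found: $verifierKey (was the .reg file merged?)"
} else {
    $fips = (Get-ItemProperty -Path $verifierKey).FipsMode
    if ($fips -ne 1) {
        $failures += "FipsMode is '$fips', expected 1"
    }

    # Each numbered subkey (1, 2, ...) names a driver image. The file must
    # exist on disk, and the entries must cover both drivers the script registers.
    $found = @()
    foreach ($sub in Get-ChildItem -Path $verifierKey) {
        $path = (Get-ItemProperty -Path $sub.PSPath).Path
        if (-not $path) {
            $failures += "Verifier\$($sub.PSChildName) has no Path value"
            continue
        }
        if (-not (Test-Path -LiteralPath $path)) {
            $failures += "Driver referenced by Verifier\$($sub.PSChildName) is missing: $path"
        }
        $found += [System.IO.Path]::GetFileName($path)
    }
    foreach ($drv in $expectedDrivers) {
        if ($found -notcontains $drv) {
            $failures += "No Verifier entry references $drv"
        }
    }
}

# Step 4: single operator mode. Each listed service must be stopped and disabled.
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }   # not installed on this edition: nothing to disable
    if ($svc.Status -eq 'Running') {
        $failures += "$($services[$name]) ($name) is running"
    }
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
    if ($mode -ne 'Disabled') {
        $failures += "$($services[$name]) ($name) start mode is '$mode', expected Disabled"
    }
}

# Fast user switching is a Winlogon setting (assumption: AllowMultipleTSSessions = 1
# means enabled on the Windows versions listed in the system requirements).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$fus = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).AllowMultipleTSSessions
if ($fus -eq 1) {
    $failures += 'Fast user switching is enabled (AllowMultipleTSSessions = 1)'
}

# Remote Assistance is a Terminal Server policy value (assumption:
# fAllowToGetHelp = 0 means disabled).
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$help = (Get-ItemProperty -Path $ts -ErrorAction SilentlyContinue).fAllowToGetHelp
if ($help -eq 1) {
    $failures += 'Remote Assistance is enabled (fAllowToGetHelp = 1)'
}

if ($failures.Count -eq 0) {
    Write-Output 'PASS: client matches the documented FIPS-mode configuration'
    exit 0
}
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

The script exits 0 only when every check passes and 1 otherwise, so a deployment tool can run it after the .reg merge and record which clients are not yet in the FIPS-mode state. It changes nothing; remediation (merging the script, stopping and disabling the services) stays with the procedure above.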
Index

A
Active Directory, 10
ActivIdentity, 20, 141
algorithm, 5, 8, 12, 83, 99, 100, 140
Attributes
  explained, 6
Auditing, 66
authentication, 5, 7, 9
Authentication
  with a smart card, 5
AutoBoot User, 33, 34
Auto-boot users
  autoboot user, 14, 37

B
BIOS
  Error codes, 138
boot once, 73
boot process, 60
boot protection status, 31

C
cache, 66
CE Server, 8
challenge / response, 71
Client
  creating an install set, 51
  installing, 56
  overview of, 8
  synchronising, 60
  using, 59
Connector Manager
  overview of, 10
cryptography, 2
Cryptography
  decryption, 60
  encryption, 5, 9, 35, 100

D
Data Recovery, 5
decrypt, 31
Default Password, 13, 14, 37, 74
deploy, 10, 11, 44, 45, 52, 61
disable, 40, 57, 58
disabling users. See Users
DNS, 29, 95
DSA, 7

E
enabling users. See Users
encryption, 35
Encryption
  algorithms, 140
  windows swap file, 5
Encryption Algorithm, 5, 8, 12, 99, 100, 140
Encryption Algorithms
  RC5, 140
Endpoint Encryption. See Client
Endpoint Encryption CE Server, 8
Endpoint Encryption Components
  Endpoint Encryption File Encryptor, 4
  VDisk, 4
Endpoint Encryption File Encryptor, 4
Endpoint Encryption Server
  overview of, 7
Entities
  explained, 6
error codes, 93, 118, 138
error messages, 118

F
File Encryption
  overview of, 9
file group management, 44
Files
  deleting and exporting, 45
  importing new, 45
  ini files, 85
  program and driver files, 99
  properties, 46
FIPS Approved, 152
force sync, 15, 50, 77
Force Sync, 29, 40, 50, See Machines

G
groups, 13, 28, 30, 31, 37, 41, 44, 49, 51, 68, 80

I
Importing Machines
Importing a transfer database. See Offline Installs
IP Address, 6, 7, 8, 29, 144

L
LDAP, 8, 10

M
Machines
  adding users to, 37
  configuring, 31
  creating, 28
  Forcing Synchronization, 29
  rebooting, 30
  recovering, 71
  synchronisation of, 39
Microsoft, 5, 55, 61, 99

N
NT Domain, 10

O
object directory, 6, 7, 8, 9, 10, 11, 12, 15, 28, 33, 35, 39, 40, 46, 49, 52, 54, 59, 60, 63, 65, 66, 73, 95
Objects
  explained, 6
Offline Installs, 52

P
Password
  Default, 13, 14, 37, 74
  Reset, 73
passwords, 5, 7, 9, 32, 61, 63
Pentium, 144
performance, 8, 140
Placeholder, 28, 52, 53
Pocket Windows
  2002, 8
privileges, 7

Q
quickstart guide, 3

R
RC5, 140
Reboot Machine. See Machines
recovery, 5, 8, 9, 36, 38, 71, 72, 73, 74, 99
Recovery
  offline, 71
  online, 77
registry, 11, 47, 49, 99, 101
Registry File, 49
relogon, 65
removing Endpoint Encryption, 56
reset password, 73
RSA, 8, 9

S
SafeTech, 99
SBAdmCL, 66
screen saver, 61
service, 39
smart card. See Authentication
smartport, 141
Smarty, 140
synchronising machines, 39

T
TCP/IP, 6, 7, 8, 144
Tokens
  changing during recovery, 74
transport database, 53
troubleshooting, 117

U
US legislation 508, 61
user status, 6
Users
  device access, 15
  enabling and disabling, 14
  recovering, 71

V
virus protection, 33

W
warning text, 38
Windows 2000, 47
Windows CE, 8
windows logon, 32, 61, 63
Windows Logon
  how it works, 64

X
X500, 8, 10