Epe 50 05 Clients de Ce 1mb


  • 8/12/2019 Epe 50 05 Clients de Ce 1mb

    1/22

    2007 McAfee, Inc. 2008 McAfee, Inc.

    McAfee SafeBoot Security

    SafeBoot Clients Device Encryption / Content Encryption

    McAfee World-wide Learning and Development

  • 8/12/2019 Epe 50 05 Clients de Ce 1mb

    2/22


    Copyright 2008 McAfee, Inc. All Rights Reserved.


    The training information provided herein is the property of McAfee, Inc., and is intended for the sole use of the individual or organization purchasing the training. Distribution of the training material outside of the purchasing organization is strictly prohibited.

    All information contained herein is subject to change without notice. McAfee is not responsible for errors or damages of any kind resulting from use of the information contained herein. Every effort has been made to ensure the accuracy of information presented as factual; however, errors may exist. Users are directed to countercheck facts when considering their use in other applications. McAfee is not responsible for the content or functionality of any technology resource not owned by the company.

    The statements, comments, or opinions expressed by users through use of McAfee's technology resources are those of their respective authors, who are solely responsible for them, and do not necessarily represent the views of McAfee, Inc. and/or its affiliates.


    2/21/2008


    Objectives

    At the end of this section, the student will be able to:

    - Force synchronization between the client and the Object Directory using the DE SysTray icon functions
    - List the policy changes needed to enforce full disk encryption
    - Use the Status window to determine current client disk encryption status, view installed modules, and observe synchronization events
    - Explain how to initiate the recovery process for Content Encryption
    - List policy changes needed to allow Windows context menu options for Content Encryption
    - Encrypt and decrypt files on the client using Content Encryption



    1. SafeBoot Device Encryption Client



    Review: How SafeBoot Works: Full Disk Encryption (SafeBoot DE)

    - SafeBoot takes control of the hard disk from the O/S
    - SafeBoot driver encrypts all data written to disk
    - SafeBoot driver also decrypts all data read from disk
    - Hard disk contents are completely encrypted and unreadable without the appropriate authorization
    - SafeBoot installs a mini-O/S on the hard disk (SafeBoot File System)
    - Once authenticated, the SafeBoot encryption driver is loaded and the original O/S is booted.

    SafeBoot protects the user's PC by simply taking control of the hard disk from the operating system. The SafeBoot driver encrypts every piece of data written to the disk; it also decrypts every piece of information read off the disk.

    If an unauthorized application broke through the SafeBoot barrier and read the disk directly, it would find only encrypted data, even in the Windows swap file and temporary file areas.

    SafeBoot installs a mini-operating system on the user's hard drive; this is what the user sees when they boot the PC. SafeBoot looks and feels like Microsoft Windows, with mouse and keyboard support, moveable windows, etc. This SafeBoot OS is completely self-contained and does not need to access any other files or programs on the hard disk. It is responsible for allowing the user to authenticate, with a password, for example, or with a token such as a smart card.

    Once the user has entered the correct authentication information, the SafeBoot operating system starts the crypt driver in memory and boots the protected machine's original operating system. From this point on the machine will look and behave as if SafeBoot was not installed. The security is invisible to the user: the only readable data on the hard disk will be the SafeBoot operating system; the encryption key for the hard drive is itself protected with the user's authentication key. The only possible way to defeat SafeBoot is to either guess the hard disk encryption key or to guess the user's password.


    The SafeBoot Device Encryption Client

    - Connects to Object Directory, or configuration store, at boot
    - Uploads latest audit and password changes, downloads any central configuration changes
    - End-user only sees the SafeBoot Monitor icon in the SysTray
    - Double-click to lock workstation
    - Right-click to:
      - Lock Workstation
      - Show Status
      - Synchronize

    The SafeBoot Client connects to its Object Directory, or configuration store, which may be on the same machine, on a network drive, or reached via a SafeBoot Server. It does this every time the machine boots.

    Once connected to the directory, the SafeBoot client uploads the latest audit and password changes to the directory, and if necessary downloads any configuration changes specified centrally.

    The only user-visible part of SafeBoot is the SafeBoot Monitor icon in the user's System Tray. By double-clicking the icon users can lock the workstation. By right-clicking it they can select one of three actions.

    Lock Workstation

    Locks the client workstation.

    Show Status

    The configuration process within SafeBoot 5.1 is largely transparent to the user. The only evidence of SafeBoot working can be found from the status menu available from SafeBoot's tool tray icon. The Status window displays any on-going configuration tasks (such as encryption processes) and status messages from the last directory connection.

    Synchronize

    SafeBoot tries to establish a connection with its directory during the boot process. In a situation where the directory is unavailable, for example a notebook user who is connecting via dial-up networking, the user can establish a connection at any time and select the Synchronize option to connect to a remote directory and collect / upload changes.


    Client Status Window

    - Displays synchronization status messages
    - Displays current disk encryption level
    - Click Modules to view loaded modules

    Selecting Show Status from the SafeBoot DE SysTray icon will launch the SafeBoot Client Status window.

    Use the Client Status Window to:

    - View synchronization messages from past and current synch events
    - View the current disk encryption level for this client. Note that in this example, the disk has not been encrypted.

    The Clear Log button will clear all messages from the synch status window.

    You can also click the Modules button to view a list of loaded SafeBoot modules.


    SafeBoot Modules

    Clicking the Modules button displays the Loaded Modules window.

    Click the Save button on this window to save the modules information to a text file. You can also use the Copy to Clipboard button to copy the information to the Windows clipboard and paste it into another document.


    Enabling Full Disk Encryption

    - Select Full encryption in the machine properties, then synch
    - Client status window will display encryption progress

    To enable full disk encryption, edit the client properties and, under the Encryption category, select the Full button to indicate full disk encryption for this client machine.

    Once the client has synchronized, the SafeBoot Client Status window will display the current progress of the disk encryption task.

    Note the estimated time to encrypt: in this example, the disk to encrypt was 8Gb total with approx. 3Gb of existing data. Encryption time was approx. 15 minutes.


    Disk Encryption Status

    - Once encryption is complete, the status window displays the new disk encryption status (Full)

    Once the disk encryption task is complete, the SafeBoot Client Status window will display the new disk encryption status.


    2. SafeBoot Content Encryption Client


    Review: SafeBoot Content Encryption Client

    - Encrypts files/folders according to policy
    - Acts like a filter between application and media
    - Automatically encrypts based on policy assigned
    - Decrypts on-the-fly into memory when accessed
    - Source always remains encrypted on media
    - Encryption/Decryption transparent to user

    The SafeBoot Content Encryption client automatically encrypts folders and files according to policies set by SafeBoot Administrators and delivered by the SafeBoot Server. The SafeBoot Content Encryption client acts like a filter between the application creating or editing the files and the storage media, e.g. the hard disk.

    Whenever a file is written to supported storage media, the SafeBoot Content Encryption filter executes the assigned encryption policies and encrypts the file if applicable. When an application later reads the file, the encryption filter automatically decrypts the file as it is read into memory. The source file always remains encrypted on disk.

    The encryption/decryption process happens automatically and is fully transparent to the user. The user does not notice any difference between working with encrypted and plaintext files; the user's working procedures are not, and must not be, disturbed.


    SafeBoot Content Encryption Client

    - SafeBoot CE icon added to SysTray
    - Menu depends on policy
    - Could include:
      - About SafeBoot Content Encryption
      - Close All Keys
      - SafeBoot Logon
      - SafeBoot Recovery
      - Send Support Information
      - Key Management

    With SafeBoot Content Encryption installed, there is an additional icon in the system tray menu, or one added to the SafeBoot Monitor single-tray icon.

    The content of the menu shown when right-clicking the tool tray icon is defined by a policy for each user logging on.

    The option About Content Encryption displays important configuration data for the SBCE client in a separate window.

    The option Close All Keys enables users to close all the keys that have been opened to access data, thus securing (locking) the system.

    SafeBoot Logon opens a communication with the SafeBoot Server in order to retrieve the latest policy from the Object Directory. The SafeBoot Recovery option allows users to recover lost SBCE passwords.

    Key Management provides options for managing local keys, if enabled by policy. This includes creating, importing, and deleting local keys.


    About SafeBoot Content Encryption

    - Displays info about SafeBoot CE config
    - 7 tabs:
      - General
      - Components
      - Managers
      - Plugins
      - Keys
      - Policies
      - Progress

    About Content Encryption

    This option opens up a dialog with important configuration information about this installation of SafeBoot Content Encryption.

    Contains 7 tabs:

    General - Version and copyright information.

    Components - This dialog shows the installed components constituting the SafeBoot Content Encryption client. The version number for each component is also presented along with a brief description.

    Managers - This dialog contains information about the Managers that control SafeBoot Content Encryption. The Managers are the components that manage interaction between different parts of the Content Encryption client, e.g. with providers and the kernel driver. The type of Manager is listed (Sys=System Manager, Usr=User Manager) as well as the Manager version number and the classID.

    Key Manager - Displays the encryption keys available to CE on this client machine.

    Log Manager - This Manager is responsible for the interaction with various logging systems through the Log Providers. Currently, this functionality is not fully implemented as there are no complete Log Providers available.

    Notification Manager - This Manager is responsible for catching and interpreting all the internal notification events in the system that affect Content Encryption, e.g. a user logging on or a USB memory stick being inserted.

    Policy Enforcement Manager - This Manager is responsible for all the enforcers that are at work in the Content Encryption client. Examples of enforcers are the removable media policy enforcer and the folder encryption enforcer. This Manager tells all enforcers when to start and what to do.

    Policy Processing Manager - This Manager is responsible for the interpretation and processing of the policies that are assigned to the system.

    Policy Update Manager - This Manager receives policy updates through the interaction with the policy providers.

    Tray Manager - This Manager is responsible for the providers constituting the system tray menu.


    Plugins - The Plugins are the components that are managed by the Managers presented above. These components are both providers (e.g. Key Provider and Policy Provider) and various plugin modules. The starting condition for each plugin is listed:

    Sys=Started by the sbceCoreService.exe in System context

    Usr=Started by sbceCore.exe in User context

    Ins=Started at the time of the installation of the system

    The version of each plugin is also listed, as well as its classID.

    Keys - This dialog presents information about what encryption keys are available to the system. It shows the name of the key and the current status (Open/Closed). If the key is Closed, then the user needs to authenticate when trying to access the key. Information about what algorithm is associated with each key is also presented, as well as the key length.

    The key inactivity timeout for each key is also listed. This parameter is controlled from SafeBoot Management Centre. When the key inactivity timeout has elapsed, the key will close. There is also a column stating which providers provide the key, and the classID for each encryption key.

    Policies - This tab contains information about the currently loaded policies. The type of policy is listed in the left-hand column. You will notice the exemptions made for certain CD/DVD burning applications, meaning that these applications will be able to write encrypted data onto CDs and DVDs. In essence, this list is a reflection of the policy as created in the SafeBoot Management Centre, with all parameters.

    Remember that changes to a Machine policy require a restart of the client computer before they take effect. Changes to User policies only require a SafeBoot Content Encryption Logon to take effect, e.g. an authentication to an encryption key will update any User policy change, provided the computer can reach the SafeBoot Server.


    Content Encryption Recovery

    In order to recover a password for Content Encryption, select the SafeBoot Recovery option from the CE Tray icon.

    You will be prompted to supply the name of the user. Once you have entered the user name and clicked Next, you will be provided with the Client Code.

    The remainder of the recovery process is identical to the Device Encryption recovery process, which is detailed in the next module, User and Machine Recovery/webHelpDesk.


    Explicit Encrypt/Decrypt Windows Shell

    - File context menus determined by policy
    - In this example, no explicit encrypt/decrypt is allowed

    The SafeBoot Content Encryption policy determines which context menu options are available for CE. In the example shown, explicit encrypt and decrypt of files is disabled.


    Manually Encrypt/Decrypt Files

    To manually encrypt a file, right-click the file and select Encrypt.

    You will be prompted to select the encryption key to use. You may be prompted for a password as well.

    The encrypting screen will briefly appear (not shown in this example).

    The encrypted file will display the keyhole icon, if enabled by policy.


    Manually Encrypt/Decrypt Files

    - Right-click, choose Decrypt
    - Keyhole icon disappears, indicating the file is no longer encrypted

    To manually decrypt a file, right-click the file and select Decrypt. The file will be decrypted, and the Keyhole icon (if enabled by policy) will disappear.


    End Module: SafeBoot Clients Device Encryption / Content Encryption

    McAfee SafeBoot Security