McAfee SafeBoot Security
SafeBoot Clients: Device Encryption / Content Encryption
McAfee World-wide Learning and Development
2/21/2008

Copyright 2008 McAfee, Inc. All Rights Reserved.

The training information provided herein is the property of McAfee, Inc., and is intended for the sole use of the individual or organization purchasing the training. Distribution of the training material outside of the purchasing organization is strictly prohibited. All information contained herein is subject to change without notice. McAfee is not responsible for errors or damages of any kind resulting from use of the information contained herein. Every effort has been made to ensure the accuracy of information presented as factual; however, errors may exist. Users are directed to countercheck facts when considering their use in other applications. McAfee is not responsible for the content or functionality of any technology resource not owned by the company. The statements, comments, or opinions expressed by users through use of McAfee's technology resources are those of their respective authors, who are solely responsible for them, and do not necessarily represent the views of McAfee, Inc. and/or its affiliates.
Objectives

At the end of this section, the student will be able to:
- Force synchronization between the client and the Object Directory using the DE SysTray icon functions
- List the policy changes needed to enforce full disk encryption
- Use the Status window to determine current client disk encryption status, view installed modules, and observe synchronization events
- Explain how to initiate the recovery process for Content Encryption
- List the policy changes needed to allow Windows context menu options for Content Encryption
- Encrypt and decrypt files on the client using Content Encryption

1. SafeBoot Device Encryption Client

Review: How SafeBoot Works

Full Disk Encryption (SafeBoot DE)
- SafeBoot takes control of the hard disk from the O/S
- The SafeBoot driver encrypts all data written to disk
- The SafeBoot driver also decrypts all data read from disk
- Hard disk contents are completely encrypted and unreadable without the appropriate authorization
- SafeBoot installs a mini-O/S on the hard disk (SafeBoot File System)
- Once authenticated, the SafeBoot encryption driver is loaded and the original O/S is booted

SafeBoot protects the user's PC by simply taking control of the hard disk from the operating system. The SafeBoot driver encrypts every piece of data written to the disk; it also decrypts every piece of information read off the disk.
If an unauthorized application broke through the SafeBoot barrier and read the disk directly, it would find only encrypted data, even in the Windows swap file and temporary file areas. SafeBoot installs a mini-operating system on the user's hard drive; this is what the user sees when they boot the PC. SafeBoot looks and feels like Microsoft Windows, with mouse and keyboard support, moveable windows, etc. This SafeBoot OS is completely self-contained and does not need to access any other files or programs on the hard disk. It is responsible for allowing the user to authenticate with a password, for example, or with a token such as a smart card. Once the user has entered the correct authentication information, the SafeBoot operating system starts the crypt driver in memory and boots the protected machine's original operating system. From this point on the machine will look and behave as if SafeBoot was not installed. The security is invisible to the user: the only readable data on the hard disk will be the SafeBoot operating system; the encryption key for the hard drive is itself protected with the user's authentication key. The only possible way to defeat SafeBoot is to either guess the hard disk encryption key, or to guess the user's password.

The SafeBoot Device Encryption Client
- Connects to the Object Directory, or configuration store, at boot
- Uploads the latest audit and password changes, downloads any central configuration changes
- The end-user only sees the SafeBoot Monitor icon in the SysTray
- Double-click to lock the workstation
- Right-click to: Lock Workstation, Show Status, Synchronize

The SafeBoot Client connects to its Object Directory, or configuration store, which may be on the same machine, on a network drive, or reached via a SafeBoot Server. It does this every time the machine boots. Once connected to the directory, the SafeBoot client uploads the latest audit and password changes to the directory, and if necessary downloads any configuration changes specified centrally.
The only user-visible part of SafeBoot is the SafeBoot Monitor icon in the user's System Tray. By double-clicking the icon users can lock the workstation. By right-clicking it they can select one of three actions:

Lock Workstation - Locks the client workstation.

Show Status - The configuration process within SafeBoot 5.1 is largely transparent to the user. The only evidence of SafeBoot working can be found from the status menu available from SafeBoot's tool tray icon. The Status window displays any on-going configuration tasks (such as encryption processes) and status messages from the last directory connection.

Synchronize - SafeBoot tries to establish a connection with its directory during the boot process. In a situation where the directory is unavailable, for example a notebook user who is connecting via dial-up networking, the user can establish a connection at any time and select the Synchronize option to connect to a remote directory and collect / upload changes.

Client Status Window
- Displays synchronization status messages
- Displays the current disk encryption level
- Click Modules to view loaded modules

Selecting Show Status from the SafeBoot DE SysTray icon will launch the SafeBoot Client Status window. Use the Client Status window to:
- View synchronization messages from past and current synch events
- View the current disk encryption level for this client

Note that in this example, the disk has not been encrypted. The Clear Log button will clear all messages from the synch status window. You can also click the Modules button to view a list of loaded SafeBoot modules.

SafeBoot Modules

Clicking the Modules button displays the Loaded Modules window. Click the Save button on this window to save the modules information to a text file. You can also use the Copy to Clipboard button to copy the information to the Windows clipboard and paste it into another document.
Enabling Full Disk Encryption
- Select Full encryption in the machine properties
- Synch
- The Client Status window will display encryption progress

To enable full disk encryption, edit the client properties and, under the Encryption category, select the Full button to indicate full disk encryption for this client machine. Once the client has synchronized, the SafeBoot Client Status window will display the current progress of the disk encryption task. Note the estimated time to encrypt: in this example the disk to encrypt was 8Gb total with approx. 3Gb of existing data. Encryption time was approx. 15 minutes.

Disk Encryption Status
- Once encryption is complete, the status window displays the new disk encryption status (Full)

Once the disk encryption task is complete, the SafeBoot Client Status window will display the new disk encryption status.

2. SafeBoot Content Encryption Client

Review: SafeBoot Content Encryption Client
- Encrypts files/folders according to policy
- Acts like a filter between application and media
- Automatically encrypts based on the assigned policy
- Decrypts on-the-fly into memory when accessed
- The source always remains encrypted on media
- Encryption/decryption is transparent to the user

The SafeBoot Content Encryption client automatically encrypts folders and files according to policies set by SafeBoot Administrators and delivered by the SafeBoot Server. The SafeBoot Content Encryption client acts like a filter between the application creating or editing the files and the storage media, e.g. the hard disk. Whenever a file is written to supported storage media, the SafeBoot Content Encryption filter executes the assigned encryption policies and encrypts the file if applicable. When an application later reads the file, the encryption filter automatically decrypts the file as it is read into memory. The source file always remains encrypted on disk.
The encryption/decryption process happens automatically and is fully transparent to the user. The user does not notice any difference between working with encrypted and plaintext files; the user's working procedures are not, and must not be, disturbed.

SafeBoot Content Encryption Client
- A SafeBoot CE icon is added to the SysTray
- The menu depends on policy; it could include: About SafeBoot Content Encryption, Close All Keys, SafeBoot Logon, SafeBoot Recovery, Send Support Information, Key Management

With SafeBoot Content Encryption installed, there is an additional icon in the system tray, or additional entries added to the SafeBoot Monitor single-tray icon. The content of the menu shown when right-clicking the tool tray icon is defined by a policy for each user logging on. The option About Content Encryption displays important configuration data for the SBCE client in a separate window. The option Close All Keys enables users to close all the keys that have been opened to access data, thus securing (locking) the system. SafeBoot Logon opens a communication with the SafeBoot Server in order to retrieve the latest policy from the Object Directory, and the SafeBoot Recovery option allows the user to recover lost SBCE passwords. Key Management provides options for managing local keys, if enabled by policy. This includes creating, importing, and deleting local keys.

About SafeBoot Content Encryption
- Displays info about the SafeBoot CE config
- 7 tabs: General, Components, Managers, Plugins, Keys, Policies, Progress

This option opens a dialog with important configuration information about this installation of SafeBoot Content Encryption. It contains 7 tabs:

General - Version and copyright information.

Components - This dialog shows the installed components constituting the SafeBoot Content Encryption client. The version number for each component is also presented, along with a brief description.
Managers - This dialog contains information about the Managers that control SafeBoot Content Encryption. The Managers are the components that manage interaction between different parts of the Content Encryption client, e.g. with providers and the kernel driver. The type of Manager is listed (Sys = System Manager, Usr = User Manager), as well as the Manager version number and the classID.
- Key Manager - Displays the encryption keys available to CE on this client machine.
- Log Manager - This Manager is responsible for the interaction with various logging systems through the Log Providers. Currently, this functionality is not fully implemented as there are no complete Log Providers available.
- Notification Manager - This Manager is responsible for catching and interpreting all the internal notification events in the system that affect Content Encryption, e.g. a user logging on or a USB memory stick being inserted.
- Policy Enforcement Manager - This Manager is responsible for all the enforcers that are at work in the Content Encryption client. Examples of enforcers are the removable media policy enforcer and the folder encryption enforcer. This Manager tells all enforcers when to start and what to do.
- Policy Processing Manager - This Manager is responsible for the interpretation and processing of the policies that are assigned to the system.
- Policy Update Manager - This Manager receives policy updates through interaction with the policy providers.
- Tray Manager - This Manager is responsible for the providers constituting the system tray menu.

Plugins - The Plugins are the components that are managed by the Managers presented above. These components are both providers (e.g. Key Provider and Policy Provider) and various plugin modules.
The starting condition for each plugin is listed:
- Sys = Started by sbceCoreService.exe in System context
- Usr = Started by sbceCore.exe in User context
- Ins = Started at the time of the installation of the system
The version of each plugin is also listed, as well as its classID.

Keys - This dialog presents information about what encryption keys are available to the system. It shows the name of the key and the current status (Open/Closed). If the key is Closed, then the user needs to authenticate when trying to access the key. Information about what algorithm is associated with each key is also presented, as well as the key length. The key inactivity timeout for each key is also listed. This parameter is controlled from SafeBoot Management Centre. When the key inactivity timeout has elapsed, the key will close. There is also a column stating which providers provide the key, and the classID for each encryption key.

Policies - This tab contains information about the currently loaded policies. The type of policy is listed in the left-hand column. You will notice the exemptions made for certain CD/DVD burning applications, meaning that these applications will be able to write encrypted data onto CDs and DVDs. In essence, this list is a reflection of the policy as created in the SafeBoot Management Centre, with all parameters. Remember that changes to a Machine policy require a restart of the client computer before they take effect. Changes to User policies only require a SafeBoot Content Encryption Logon to take effect, e.g. an authentication to an encryption key will update any User policy change, provided the computer can reach the SafeBoot Server.

Progress - This dialog shows any ongoing activities in the Content Encryption client services.
For example, it is possible to monitor when the client starts encrypting a network share folder, and an estimate of when it will be completed. This monitoring is useful for support purposes. If there is a sudden increase in CPU and/or RAM usage on the client PC, it is now possible to monitor whether Content Encryption is involved, what client activity caused the increase, and approximately how long it will last. All the SafeBoot Content Encryption Enforcers run at regular intervals, checking for policy compliance. There are different enforcers for different purposes. A value of "Idle until" shows the time until each Enforcer will start a new round of compliance checking.

Content Encryption Recovery

In order to recover a password for Content Encryption, select the SafeBoot Recovery option from the CE tray icon. You will be prompted to supply the name of the user. Once you have entered the user name and clicked Next, you will be provided with the Client Code. The remainder of the recovery process is identical to the Device Encryption recovery process, which is detailed in the next module, User and Machine Recovery/webHelpDesk.

Explicit Encrypt/Decrypt
- Windows Shell file context menus are determined by policy
- In this example, no explicit encrypt/decrypt is allowed

The SafeBoot Content Encryption policy determines which context menu options are available for CE. In the example shown, explicit encrypt and decrypt of files is disabled.

Enabling Explicit Encrypt/Decrypt
- Modify the Encryption Policy to Allow explicit encrypt and Allow explicit decrypt
- Apply and synchronize

To enable the Encrypt / Decrypt options on file context menus, modify the Encryption Policy to Allow explicit encrypt and Allow explicit decrypt. Apply the changes and synchronize the client(s). The new selections will appear on file context menus, as shown in this example.
Manually Encrypt/Decrypt Files

To manually encrypt a file, right-click the file and select Encrypt. You will be prompted to select the encryption key to use. You may be prompted for a password as well. The encrypting screen will briefly appear (not shown in this example). The encrypted file will display the keyhole icon, if enabled by policy.

- Right-click, choose Decrypt
- The keyhole icon disappears, indicating the file is no longer encrypted

To manually decrypt a file, right-click the file and select Decrypt. The file will be decrypted, and the keyhole icon (if enabled by policy) will disappear.

End of Module: SafeBoot Clients - Device Encryption / Content Encryption
McAfee SafeBoot Security