McAfee Encrypted USB Manager Admin


McAfee Encrypted USB Manager 3.1 Deployment and Administration Guide

COPYRIGHT
Copyright 2008 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
SAFEBOOT is a registered trademark or trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions
Refer to the product Release Notes.

CONTACT INFORMATION
Download Site: http://www.mcafee.com/us/downloads/
Technical Support: http://www.mcafee.com/us/support/
KnowledgeBase Search (includes access to product documentation): http://knowledge.mcafee.com/
McAfee Technical Support ServicePortal (Logon credentials required): https://mysupport.mcafee.com/eservice_enu/start.swe
Customer Service
Phone — US, Canada, and Latin America toll-free: 1-888-847-8766, Monday – Friday, 8 a.m. – 8 p.m., Central Time
Contact information for other countries can be accessed online by selecting a link under Worldwide Offices.

Contents

Introducing McAfee Encrypted USB Manager  5
  What’s new  5
  Benefits  6
  Capabilities  7
  Supported devices  7
  Supported software  8
  Product overview  8
    Management console  8
    End-user software  9
  Licensing  10

Installing and upgrading Manager  11
  Setting up a Manager device database  11
    Database authentication options  12
  Configuring ADAM for Manager  12
  Setting up Manager to use certificates  13
    Configuring the Certificate template  14
    Registering for an Enrollment Agent Certificate  14
    Setting up a key recovery system  14
  Setting up Manager to use RSA SecurID tokens  16
    Controlling access to the McAfee Encrypted USB Manager RSA Web Service  17
  Installing Manager  19
    Contents of Installation CD  19
  Configuring Manager  19
  Creating a custom installation  21
  Installing the client  21
  Upgrading Manager  22

Deploying McAfee Encrypted USB Devices  23
  The deployment cycle  23
    Initialization  23
    Issuance  24
    Personalization  25
    Usage  25
  The role of the administrator  26
    Initialization Officer  26
    Issuance Officer  26
    Help Desk Operator  26
    Security Officer  27
  Help Desk support  27

Initializing devices  28
  Creating initialization profiles  28
  Editing and deleting initialization profiles  30
  Applying initialization profiles to devices  30
  Erasing devices  31

Issuing devices to users  33
  Creating usage profiles  33
    Password policies  35
  Managing usage profiles  36
  Applying new usage profiles to devices  36
  Adding users to devices  37
  Removing users from devices  37
  Revoking users and devices  38
    Revoking a user  38
    Revoking a device  38

Issuing and managing credentials  39
  Creating credential profiles  39
    Certificate profiles  39
    RSA SecurID profiles  40
  Copying, editing and deleting profiles  40
  Issuing credentials to users  41
  Removing credentials  42
  Performing a key recovery operation  42

Managing devices  44
  Viewing device database statistics  44
  Upgrading device firmware  44
  Recovering data  45
  Rescuing devices  45
  Viewing device information  46
  Generating reports  46

Managing portable content  48
  Creating a portable content file  48
  Adding and deleting content  49
  Copying, renaming, and moving items in the navigation pane  50
  Exporting portable content  50
  Updating portable content on devices  50
  Creating a portable software package  51
  Distributing the portable software package  51
  Installing the portable software package  51
  Configuring Web Login Config  51
    Creating applications  52
    Adding credentials  52
    Adding forms  53
  Configuring the Connector menu  54
    General  55
    System Tray Menu  56
  Configuring the client  57

Glossary  58
Index  60

Introducing McAfee Encrypted USB Manager

McAfee Encrypted USB Manager (formerly SafeBoot for USB Enterprise) is a scalable software solution for managing large deployments of Portable Security Devices from McAfee. With McAfee Encrypted USB Manager (referred to as Manager throughout the rest of the document), you can control devices through their complete life cycle, from initialization through to delivery to end users and eventual recycling.

This guide provides a general overview of Manager and the deployment process. It also describes the administrative steps involved in deploying and managing devices.

This chapter contains information about the following:
- What’s new
- Benefits and capabilities of Manager
- Supported devices
- Supported software
- Manager product overview
- Licensing
- Professional services

What’s new

Manager 3.1
This version provides support for McAfee Standard Driverless Encrypted USB devices. McAfee Standard Driverless Encrypted USB is a single-user device that allows only password authentication. The default read-only image is built-in and cannot be upgraded or modified. You can use McAfee Standard Driverless Encrypted USB only on computers running Microsoft Windows. The following operations are not available with McAfee Standard Driverless Encrypted USB devices: partition sizing, upgrading firmware (the device does not use a management code), rescuing devices, and issuing credentials.

Manager 3.0 includes the following new features:
- Portable content file enhancements—The Portable Content Manager (PCM) application provides a graphical interface to create and manage the portable content file for the read-only partition of devices. Administrators can also use PCM to configure McAfee applications, such as Web Login Config, Connector, and McAfee Encrypted USB—Managed. For more information, see “Managing portable content” on page 48.
- Support for credential management—Administrators can now issue certificates and RSA SecurID tokens to users with Manager. End users can manage certificates and RSA SecurID tokens with McAfee Encrypted USB—Managed. For more information, see “Issuing and managing credentials” on page 39.

- Built-in reporting capability—You can now generate pre-configured reports using Manager. Reports provide auditing data and information about devices, users, and deployment status. For more information, see “Generating reports” on page 46.
- Enhanced data recovery options—When you create a usage profile you can set data recovery options. When users cannot authenticate to their device, Help Desk operators can re-establish device access (default setting), or you can permanently erase the device so that it is inaccessible to both the user and the administrator. For more information, see “Creating usage profiles” on page 33.

Features added in Manager 2.4:
- Enhanced password configuration—Allows you to add complex password rules to a usage profile, such as retry limits, minimum password length, minimum number of characters (special, numeric, alphabetical), a password reuse threshold, and a minimum and maximum lifetime for the password. For more information, see “Password policies” on page 35.
- Two-factor authentication—You can now require users to authenticate using two-factor (biometric and password) authentication. For more information, see “Usage profile settings” on page 33.
- Profile status—You can change the status of a usage or initialization profile to indicate whether it is active or inactive. For more information, see “Editing and deleting initialization profiles” on page 30 and “Managing usage profiles” on page 36.
- Support for Mac OS X with McAfee Encrypted USB—Managed.

Benefits

Manager provides the following main benefits.

Control
A managed deployment of McAfee Encrypted USB Devices allows you to:
- Control device configurations and security policies that determine how devices can be used.
- Provide help desk support when necessary for end users who have problems authenticating.
- Perform data recovery operations on a device (for audit and compliance reasons) without the user being present.

Efficient administration
Administrative tasks use concise workflows that allow you to process devices efficiently with minimum effort. Administrators can create profiles that contain parameters for device configuration and user settings. Profiles allow administrators to initialize and issue devices to users in batches: they plug in a device, apply the appropriate profile, and move on to the next device.

Immediate end-user productivity
During initialization, devices are pre-configured with everything end users need. No software installation on end user workstations is necessary. Client wizards guide end users through common tasks so that user training is not required and end users can start using devices as soon as they receive them.

Simplified and scalable
Minimal effort is required to deploy Manager. Other than hosting the device database, no other servers are needed. Simplified management operations ensure maximum efficiency when initializing, issuing, and updating devices.

Capabilities

Manager provides the following capabilities that facilitate administrative operations.

Table 1-1: Important Manager capabilities

Policies for device configuration and use
  You can create multiple device profiles to define device configurations and security policies for different user groups or departments. Profiles ensure the efficiency of the initialization and issuance processes. For more information about these processes, see “Initializing devices” on page 28 and “Issuing devices to users” on page 33.

Credential management
  Credential profiles let you define certificate or RSA SecurID token settings so that you can issue credentials to users.

Device rescue
  Help desk operators can securely reset the authentication mechanism of a device over the phone to assist users who can no longer authenticate to their device.

Data recovery
  Encrypted data may need to be recovered for security audits or due to the termination of employment. Security Officers can recover data from a user’s device without the user being present.

Portable software updates
  You can create portable software packages for end users to upgrade the read-only partitions of their devices. This lets you manage and provide additional applications to end users as your portable application needs change.

Self-enrollment
  To increase scalability and minimize administrator workload, end users can enroll their own fingers on a device for biometric authentication. For more information, see “Personalization” on page 25.

Separation of administrative roles
  The management software component of Manager contains four main functional modules that correspond to four administrative roles. Modules can be installed together or separately to allow your company to separate management roles. For more information about administrative roles, see “The role of the administrator” on page 26.

Audit trails
  All administrative operations performed using Manager are logged.

Corporate directory integration
  Manager integrates directly with the existing corporate directory to bind users to devices during the issuance process, so you do not have to maintain a separate repository for user data.

Supported devices

Manager supports the following McAfee Encrypted USB Devices:
- McAfee Zero Footprint Biometric Encrypted USB (formerly SafeBoot for USB Phantom Bio)
- McAfee Zero Footprint Non-Biometric Encrypted USB (formerly SafeBoot for USB Phantom Non-Bio)
- McAfee Standard Driverless Encrypted USB
- McAfee Encrypted USB Hard Disk (formerly SafeBoot for USB Hard Disk)

- McAfee Standard Encrypted USB (formerly SafeBoot for USB Standard)

Supported software

The following software is supported with Manager.

Table 1-2: Software

Web browser (required for user interface with Microsoft Windows only)
  Microsoft Internet Explorer 7.0
  Internet Explorer 6.0

Databases
  IBM Informix Dynamic Server 9.4
  Microsoft SQL Server 2005 SP1
  Microsoft SQL Server 2000 SP4
  Microsoft SQL Express
  Note: Professional Services can help configure other databases.

User directory
  Windows 2003 Active Directory
  Active Directory Application Mode (ADAM)
  Note: Professional Services can help configure other directories.

Certificate authorities
  Microsoft

McAfee Encrypted USB—Managed (client)
  Microsoft Windows 2000 SP4 (Client Help Desk is unavailable after a user authenticates)
  Windows XP SP2
  Windows Vista (Business and Enterprise editions)
  Mac OS X

Manager
  Initialization, Issuance, and Data Recovery processes: Windows XP SP2; Windows Vista (Business and Enterprise editions)
  Help Desk processes: Windows 2000 SP4; Windows XP SP2

Product overview

McAfee Encrypted USB Manager includes a management console and end user software.

Management console
Manager is an installed suite of utilities that administrators use to control devices and perform the following operations:
- Device initialization
- Device issuance
- Device rescue and help desk support
- Data recovery
- Credential management (certificates and RSA SecurID tokens)

- Generating reports
- License management

The initialization and issuance operations are designed as efficient workflows so that you can deploy many devices in a short period of time. You can have multiple Manager computers that connect to one device database to allow distribution and delegation of administrative responsibilities.

The following illustration demonstrates the architecture of Manager.

Figure 1-1: Manager

End-user software
McAfee Encrypted USB—Managed (referred to as “client” in the rest of the document) is portable software that is pre-installed on the read-only partition of devices during the initialization process. End users are guided through wizards and workflows to perform the following operations:
- Personalize a new device by enrolling fingers for biometric authentication, setting a password, or both
- Manage existing authentication settings by updating finger enrollments or changing passwords
- Manage digital identities
- View device status information
- Rescue a device with assistance from the Help Desk

Other portable software programs can be installed on the device with the client to provide necessary applications to your end users. The following illustration demonstrates a typical device configuration for an issued device.

Figure 1-2: Issued device with the client

Licensing

Licenses are distributed using license files that allow you to manage a set number of devices per device database. To obtain a license file, contact your sales representative at McAfee. Manager will notify you when the device database is approaching the device limit and will indicate the number of devices still available to be issued. The corporate license is checked each time a device is added to ensure that the number of devices in the database does not exceed the site license.

When you purchase a new license file from McAfee or upgrade an existing license file, you must import the file to the device database using Manager.

To view current license information
From the main menu of Manager, click License Management. The Current License Information section contains details such as license status and maximum number of devices allowed.

To import a license file
1 From the main menu of Manager, click License Management.
2 In the Tasks section, click Import License File.
3 Select the license file, type the activation code, and then click Import.

Installing and upgrading Manager

McAfee Encrypted USB Manager contains four modules that you can install together or divide among multiple workstations according to the administrative role that will use the module. By default, Manager installs all four modules. For more information about administrative roles, see “The role of the administrator” on page 26.

Before you install Manager, you should create a Manager device database on your server and run the McAfee Encrypted USB Manager SQL script (located on the installation CD) to configure the database. You can also configure ADAM.

Manager supports credential issuance. You can set up authentication credentials, such as certificates or RSA SecurID tokens, so that you can issue them to end users. For more information about issuing credentials using Manager, see “Issuing credentials to users” on page 41.

As part of the installation process, you must configure Manager to correspond to your company’s network environment. You can complete the configuration using one of the following methods:
- Modify Manager on each workstation after you install it.
- Modify Manager on the first workstation and use the modified version to create a custom installation. You can distribute the custom installation of Manager for each subsequent install.

If you want to deploy McAfee Standard Encrypted USB devices, you must install the client. You can also upgrade from a previous version of Manager.

This chapter contains information about:
- Setting up a Manager device database
- Configuring ADAM for Manager
- Setting up Manager to use certificates
- Setting up Manager to use RSA SecurID tokens
- Installing Manager
- Configuring Manager
- Creating a custom installation
- Installing the client
- Upgrading Manager

Setting up a Manager device database

On the device database server, create a new database to contain the Manager device information. After you create the database, run the McAfee Encrypted USB Manager SQL script. You should create the database and run the script against the database server before you install and configure Manager. Use the database script that corresponds to the server you are using. The script file is located in the following directory path on the installation CD (where D is the CD drive):

IBM Informix Dynamic Server 9.4
D:\Database Configuration Scripts\Informix\9.4\McAfee Encrypted USB Manager.sql

Microsoft SQL Server 2005
D:\Database Configuration Scripts\Microsoft SQL Server\2005\McAfee Encrypted USB Manager.sql

Microsoft SQL Server 2000
D:\Database Configuration Scripts\Microsoft SQL Server\2000\McAfee Encrypted USB Manager.sql

The script creates database tables, indexes and data on the Manager database. If you are upgrading from a previous version of Manager, the scripts are located in the Upgrade folder for the appropriate database server. For more information, see “Upgrading Manager” on page 22.

Note: When setting up the database, if you are not using Windows pass-through authentication, you should create database account(s) to be used during the connection to the database.

Database authentication options
It is strongly recommended that you set controls on the device database that restrict access to only authorized persons.

Options for controlling access:
- Windows pass-through authentication—reuses Windows Domain Login credentials.
- Database login accounts—involves setting up database user names, passwords and permissions on the device database server if not using Windows pass-through authentication. You can configure the database login to prompt the operator when using Manager, or to automatically log on to the database. When you include login credentials in the Presenter.ini file, the system assumes that automatic login has been configured.

Configuring ADAM for Manager

If you are using Active Directory Application Mode (ADAM) as the LDAP directory, you must configure ADAM to work correctly with Manager. Configuration involves the following steps (in order):
- Selecting appropriate settings when you create the ADAM instance
- Editing your registry settings
- Allowing anonymous LDAP binding to an ADAM instance
- Setting properties for the LDAP Manager

Note: LDAP Manager is an advanced Windows-based LDAP editor and browser. You can download it from the Web. You can also use other LDAP editors to manage ADAM.

To select settings when creating an ADAM instance
1 Add service permission to the Windows account you specified in previous steps.
2 Select the user who is currently logged on.
3 Import the selected LDIF files for this instance of ADAM.
4 Add all available LDF files.

Tip: For more information about creating an ADAM instance, see documentation from Microsoft regarding ADAM.

To edit registry settings
1 On the taskbar, click Start, and then click Run.
2 Type Regedit and click OK.
3 In the Registry Editor, navigate to the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
4 In the details pane, right-click forceguest, and then click Modify.
5 In Value data, type 0, and then click OK.

To allow anonymous LDAP binding to an ADAM instance
1 On the taskbar, click Start, point to All Programs, point to ADAM, and then click ADAM ADSI Edit.
2 Connect and bind to the configuration directory partition of the ADAM instance on which you want to allow anonymous Lightweight Directory Access Protocol (LDAP) binding.
3 In the console tree, double-click the following:
  - configuration directory partition (CN=Configuration,CN={GUID})
  - services container (CN=Services)
  - Windows NT container (CN=Windows NT)
4 Right-click the directory service container (CN=Directory Service), and then click Properties.
5 In the Attributes area, click dsHeuristics, and then click Edit.
6 In the Value area, modify the value of the seventh character in the attribute (counting from the left) to 2, as follows:
  0000002001001

To set properties in LDAP Manager
Include the following property settings in the LDAP Manager application:
- Connection Name: for example, Manager
- LDAP Server name: localhost
- Username: admin username for the user who is currently logged on to the computer
- Password: your password
- Select NTLM for authentication, and then click Connect.
- Click Directory, and complete any necessary steps, for example, create users.

Tip: You must manually refresh the LDAP Manager application or the LDAP Editor by pressing F5 to show your changes.

Setting up Manager to use certificates

If you want to use Manager to issue certificates to end users, you must configure the certificate template and register for an enrollment agent certificate. You can also set up a key recovery system.
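The dsHeuristics edit in “To allow anonymous LDAP binding to an ADAM instance” above is easy to get wrong by hand, and because anonymous binding lets unauthenticated clients read the ADAM directory it is also a setting worth re-checking later; the following Python helper is an added example (not part of the McAfee guide or product) that computes the new attribute value from the current one and audits an existing value. It assumes the directory’s own validation rule that every tenth character of dsHeuristics equals its decade number (position 10 is 1, position 20 is 2), which the guide’s example value 0000002001001 reflects.

```python
from typing import Optional

# Added example: helper for the dsHeuristics change described in the guide.
# Not McAfee code; the attribute layout used here is the directory's rule,
# not something the McAfee product defines.

ANON_LDAP_POS = 7          # 1-based position the guide says to edit
ANON_LDAP_ENABLED = "2"    # value that allows anonymous LDAP operations


def _fix_decade_markers(value: str) -> str:
    """Apply the dsHeuristics validation rule: every tenth character must
    equal its decade number (position 10 is '1', position 20 is '2', ...).
    A value that breaks this rule is rejected when written back."""
    chars = list(value)
    for pos in range(10, len(chars) + 1, 10):
        chars[pos - 1] = str(pos // 10)
    return "".join(chars)


def enable_anonymous_ldap(current: Optional[str]) -> str:
    """Return the dsHeuristics string after setting the seventh character
    to '2'. An absent or short value is zero-padded to seven characters,
    so a fresh instance with no dsHeuristics value becomes '0000002'."""
    value = (current or "").ljust(ANON_LDAP_POS, "0")
    chars = list(value)
    chars[ANON_LDAP_POS - 1] = ANON_LDAP_ENABLED
    return _fix_decade_markers("".join(chars))


def anonymous_ldap_enabled(current: Optional[str]) -> bool:
    """Audit check: True when the seventh character is '2', i.e. the
    instance accepts anonymous LDAP operations (the relaxed setting).
    Run this against instances that should NOT be relaxed to find drift."""
    value = current or ""
    return (len(value) >= ANON_LDAP_POS
            and value[ANON_LDAP_POS - 1] == ANON_LDAP_ENABLED)


if __name__ == "__main__":
    # Constructed sample: the guide's value as it would look before the edit.
    before = "0000000001001"
    after = enable_anonymous_ldap(before)
    print(before, "->", after)                          # 0000002001001
    print("anonymous LDAP enabled:", anonymous_ldap_enabled(after))
```

Paste the returned string into the dsHeuristics Value area in ADSI Edit; the audit function is the one to keep in a scheduled check of each ADAM instance.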

Configuring the Certificate template
You must configure the certificate templates on the Certificate Se
