Unofficial Quick Start Guide for McAfee® EEPC v6 Patch 1 Windows 7 Deployment


Page 1: Unofficial Quick Start Guide for McAfee® EEPC v6 …€¦ · Web viewUnofficial Quick Start Guide for McAfee EEPC v6 Patch 1 – Windows 7 Deployment.docx VERSION 1.0 (100831) LAST


GENERAL DOCUMENT INFORMATION

AUTHOR: Dan Larson, Sr. Sales System Engineer

FILE NAME: C:\Users\dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\KV8K8HW0\Unofficial Quick Start Guide for McAfee EEPC v6 Patch 1 – Windows 7 Deployment.docx

VERSION: 1.0 (230524)

LAST UPDATE: 24/5/2023 at 13:35:17

IMPORTANT NOTES

Disclaimer 1: This process should only be done in a test environment. McAfee does not recommend testing full disk encryption software in a production environment.

Disclaimer 2: This is not an official McAfee document and McAfee is not responsible for its content. It was written by an experienced Endpoint Encryption Systems Engineer in an effort to help the user community.


Data Protection BU – McAfee EEPC

Many early adopters of EEPC have asked for step-by-step instructions for new installations. We had such a document for previous versions called the "Quick Start Guide". So in that spirit, here are the steps necessary to get EEPC v6 up and running.

 High level process

o Install EEPC extensions in to ePO 4.5
o Check EEPC packages in to ePO 4.5
o Register your Active Directory server
o Create ePO server task for Active Directory Sync
o Modify policies
o Create two client tasks to deploy the EEPC components
o Test for successful deployment and encryption on an endpoint

 

Before you begin

o Download the EEPC v6 Patch 1 product
o Ensure your ePO server version is at least 4.5 (upgrade to ePO 4.5 patch 1 if possible to address known issues listed in EEPC v6 readme)
o Ensure your ePO agent version is at least 4.5
o Note the hostname or IP address of an Active Directory Domain Controller / AD Server
o Ensure that your AD Server and ePO server use the same DNS server (this requirement goes away in ePO 4.5 patch 1)
o Read the readme for known issues and other important information
o Consider engaging McAfee professional services to assist in your production installation

 McAfee, Inc. (México) Página 1


RFP Gold Template

Step By Step Procedure

Install the Endpoint Encryption extensions, in this order:

1. EEADMIN.ZIP
2. EEPC.ZIP
3. help_eepc_600.zip

This is the procedure for checking in an extension to ePO 4.5

o Log on to the ePolicy Orchestrator server as an administrator.
o Click Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.
o Click Browse and select the extension file (3 zip files listed above), then click OK. The Install Extension page appears with the extension name and version details.

 


 Check in the Endpoint Encryption packages, in this order:

1. MfeEEAgent.zip
2. MfeEEPC.zip

This is the procedure for checking in packages to the ePO 4.5 master repository

o Log on to the ePolicy Orchestrator server as an administrator.
o Click Menu | Software | Master Repository, then click Actions | Check In Package. The Check In Package wizard opens.
o Select Product or Update (.ZIP) from the Package type list, then browse to and select the package file (2 zip files listed above).
o Click Next. The Package Options page appears.
o Click Save to begin checking in the package. Wait while the package is checked in.


o The new package appears in the Packages in Master Repository list on the Master Repository page.

 

 


Registering Windows Active Directory (this section is taken directly from the product readme)

Use this option to register a Windows Active Directory. You must have a registered AD to use Policy Assignment Rules, to enable dynamically assigned permission sets, and to enable automatic user account creation.


 

This is the procedure for registering a Windows Active Directory

o Log on to the ePolicy Orchestrator server as an administrator.
o Click Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder wizard opens.

o From the Server type drop-down list on the Description page, select LDAP Server, specify a unique name (a user friendly name) and any details, then click Next. The Details page appears.

o Type the Server name. NOTE: The Server name is the name or IP address of the system where the Windows Active Directory is present

o Type the User name. NOTE: User name should be of the format: domain\Username for Active Directory accounts.

o Type the Password and confirm it. NOTE: Default settings for the User name attribute, Group name attribute, and Unique ID attribute are provided automatically.

o Click Test Connection to ensure that the connection to the server works, then click Save. NOTE: Fields with * mark are mandatory.


 

Configuring automation task for LDAP synchronization (this section is taken directly from the product readme)


You can create many tasks that run at scheduled intervals to manage the ePO server and Endpoint software.

This is the procedure for creating the server task

o Log on to the ePolicy Orchestrator server as an administrator.
o Click Menu | Automation | Server Tasks. The Server Tasks page opens.
o Click Actions | New Task. The Server Task Builder wizard opens.
o On the Description page, name the task, type some notes about the task, and choose whether it is enabled, then click Next. The Actions page appears.
o From the Actions drop-down list, select EE LDAP Server User/Group Synchronization, but use “samaccountname” value for name and display name fields.
o Click Next. The Schedule page appears.
o Schedule the task, then click Next. The Summary page appears.
o Review the task details, then click Save.

 


Configure EEPC Product Settings Policy

This policy controls the behavior of the EEPC agent. It contains things like the policy for enabling encryption, enabling automatic booting, and controlling the theme for the pre-boot environment. In ePO 4.5 go to Menu | Policy | Policy Catalog. Then choose Endpoint Encryption 1.0.0 from the Product drop-down list. Then choose Product Settings from the Category drop-down list. Locate the My Default policy and click Edit Settings.

Recommended Product Settings

o General Tab - Enable the policy (check the box)
o Encryption Tab
    Encrypt: All Disks
    Encryption Provider Priority: PC Software
o LogOn Tab
    Enable Automatic Booting: disabled (leave unchecked). Note: if you enable this feature, you will not see the pre-boot authentication. We refer to this as autoboot mode.
    Log on Message: Put your organization's legal disclaimer here. Tip: for a pilot phase, put your admin or helpdesk phone number here.
    Do not display previous user name at log on: enable


    Always display on screen keyboard: disable
    Add local domain users: enable - this is the option that automatically provisions the Windows users (currently logged in and all cached profiles) as valid pre-boot accounts.
    Enable SSO: enable
    Must match user name: enable
    Using smart card PIN: disable
    Synchronize Endpoint Encryption Password with Windows: enable
    Require Endpoint Encryption logon: only enable for Vista or Windows 7. Under this scenario, you must enable.
    Lock workstation when inactive: disable
o Recovery Tab
    Enabled: enable
    Key size: low
    Message: put your helpdesk phone number here, or instruct the user to use the self recovery option
o Boot Options Tab
    Enable Boot Manager: disable
    Always enable pre-boot USB support: disable
    Always enable pre-boot PCMCIA support: disable
    Graphics mode: automatic
o Theme Tab: keep the default
o Encryption Providers Tab
    User compatible MBR: enable
    Fix OS boot record sides: enable
    Use Windows system drive as boot drive: enable


Configure EEPC User Based Policy (UBP) Settings

This policy controls the parameters for EEPC user accounts. It contains things like the policy for selecting a token type (password, smartcard, biometric, etc.), and password content rules. In ePO 4.5 go to Menu | Policy | Policy Catalog. Then choose Endpoint Encryption 1.0.0 from the Product drop-down list. Then choose User Based Policies from the Category drop-down list. Locate the My Default policy and click Edit Settings.

 Recommended User Based Policy Settings

o Authentication Tab
    Token type: password only
    Certificate rule: N/A
    Logon hours: disable
o Password Tab
    Change Default Password: disable - this leaves the default password as 12345 for all new users
    Password Change - disable all of these since we are using SSO and don't want to cause conflict with Windows password requirements
        Enable Password history: disable
        Prevent change: disable
        Require change every: disable
    Incorrect Passwords
        Timeout password entry after X attempts: disable
        Invalidate password after 10 attempts: enable
o Password Content Rules Tab
    Password length: use default
    Enforce password content: use default
    Password content restrictions: use default
o Self Recovery
    Enable self recovery: enable
    Invalidate self recovery after No. of invalid attempts: enable, set to 10
    Questions to be answered: 3
    Logons before forcing user to set answers: 0
    Questions: use default

 


Add Group Users

Group Users are EEPC user accounts that will be provisioned to every encrypted machine. These are meant as admin accounts that can be used for troubleshooting or support. In this example, they are essentially back door accounts that can log in to any system that you encrypt. For production, we would not recommend having back door accounts but it tends to make things easier during an evaluation or proof of concept.

 This is the procedure for adding Group Users

o Go to Menu | Data Protection | Endpoint Encryption Users
o Click on the Group Users tab, the list will be blank
o Click on Actions | Endpoint Encryption | Add Users
o You can now add individual users, groups of users, or all the users in an OU. Typically, you only want to select one or two accounts for this role.
o Select the gray button in the first row; this will allow you to add individual users.
o You are now browsing the Active Directory structure that we added by registering the AD server earlier
o Browse AD for your account and check the box next to it. Do this again for any other accounts that you want to have pre-boot access to all of your encrypted systems. Then click OK.
o Click OK again to proceed.
o Your Group Users list should now show the accounts you selected.

 


    

Note: If you choose to add a group or an OU, you will not see the individual user names. Instead, you will see the DN of the group or OU.

Note: All EEPC user accounts, even Group User accounts, get assigned the default password upon creation. You will have to use 12345 the first time you log in with these accounts.


 

Configure Client Tasks to Deploy the Endpoint Encryption Agent for Windows 1.x and Endpoint Encryption for PC 6.x in a single deployment task

It is best to create a new group in ePO for this, with a name like EEPC Test Machines. Select this group in the system tree, and go to the client tasks tab. This task must be created prior to creating a task that deploys the Endpoint Encryption for PC and Endpoint Encryption for PC 6.x components.

 Procedure for creating the EE Agent deployment task

o Select New Task from the drop-down menu. The Client Task Builder wizard opens with the Description page.

o Type a Name, Notes for the task and select the Type as Product Deployment from the drop-down list and select whether the task should be sent to all computers or to tagged computers.

o Click Next. The Configuration page appears.
o Select the Target platform as Windows.
o Select Endpoint Encryption Agent for Windows 1.0.1.7 from the Products and components drop-down list to specify the version of the agent to deploy and, if needed, additional command-line parameters.
o Select the Action as Install.
o Add another item and select Endpoint Encryption for PC 6.0.0.22 from the Products and components drop-down list to specify the version of the agent to deploy and, if needed, additional command-line parameters.
o Select the Action as Install.
o If you are working in a Windows environment, select whether to run the task at each policy enforcement interval.
o Click Next to open the Schedule page.
o Change the Schedule Type to Run Immediately then click Next. The Summary page appears.
o Verify the task’s details, then click Save. The new deployment task is sent to the client computers at the next agent-server communication. Thereafter, every time the task executes, it checks to determine whether it should install the specified product.

o Send an Agent wake-up call.


End User Experience

The deployment task will push both the Endpoint Encryption Agent and the EEPC v6 component to the selected systems. The install is silent, but the user will be prompted to reboot when the install is complete.

Installation sequence

1. End user sees message to reboot

2. System reboots (you will not yet see pre-boot authentication because the EEPC software is not yet active)

3. The McAfee system tray icon will have a new option called Quick Settings and a sub-option Show Endpoint Encryption Status.

4. The status will show Inactive until the agent syncs with the ePO server. This is referred to as an ASCI event. It can be manually triggered on the endpoint by opening the McAfee Agent Status Monitoring and clicking Collect and Send Props. It can also be triggered from the server by doing an agent wake up call. Finally, you can simply wait for the scheduled ASCI event (the default is 60 minutes).

5. After an ASCI, the status will switch to Active and encryption will start. Encryption will not start until this sync is complete. This ensures the keys are backed up in ePO so they can be used for recovery.


6. The user can continue working during encryption. They will notice a performance impact similar to that of a scheduled, on-demand virus scan. Once the entire disk is encrypted, the technology w

7. It will be completely transparent to the end user.

8. It is safe to reboot during encryption.

9. When the user reboots, they will see the pre-boot authentication screen.

10. They should log in with their Windows username and the default password of 12345. In this example, we are using the McAfee default password of 12345, but it can be changed by policy.

11. The user will then be prompted to change their password and also register their self-recovery answers.


12. The system then boots to Windows. This first boot also establishes SSO. On future reboots, the user will only have to log in to the pre-boot environment, then the McAfee software will auto-login to Windows for the user (this is SSO).

  


Use ePO to Report Encryption Status

ePO provides all the management and reporting tools for EEPC.

 Procedure 1 - Check the status of a disk on a single system. This is useful for incident response situations, where you simply have to prove that a "missing" laptop was fully encrypted.

o In ePO, go to System Tree
o Click on name of system
o Read properties, verify that Endpoint Encryption for PC is listed under installed products
o Scroll down to see the summary information for Endpoint Encryption. This screen lists the state of the software (active/inactive), the encryption provider, and the algorithm.

o Click the more button to get further details, this reveals two more tabs: Properties and Disks

o The Properties tab shows the same information as the summary info seen on the previous screen.

o The Disks tab shows the encryption state for all disks found in the system. If the state says anything other than "Encrypted", then the disk is not fully encrypted.


Procedure 2 - Track the progress of your deployment or determine the number of encrypted systems

o In ePO, go to Menu | Reporting | Queries
o Expand the Shared Groups list
o Select Endpoint Encryption
o Run the first query in the list: EE Disk Status

This reports the crypt state for all disks on systems that have the EE Agent installed

If you want to find systems that don't have the EE Agent installed, simply run the EE Encryption Provider query
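The rule from Procedure 1 (any state other than "Encrypted" means the disk is not fully encrypted) applied to the output of the EE Disk Status query, as an added example that is not part of the original guide or of ePO. It assumes the query result has been exported to CSV; the column names, the system names and every state string other than "Encrypted" are constructed for illustration.

```python
import csv
import io

# Constructed sample of an exported "EE Disk Status" result. The column names
# and every state string other than "Encrypted" are assumptions for this
# example; match them to the columns your own export contains.
SAMPLE_EXPORT = """\
System Name,Disk,State
LAPTOP-001,Disk0,Encrypted
LAPTOP-002,Disk0,Encrypted
LAPTOP-002,Disk1,Decrypted
LAPTOP-003,Disk0,Encrypting
laptop-004,Disk0, encrypted
"""

# Constructed list of systems that are expected to be encrypted, for example
# the members of the "EEPC Test Machines" group.
EXPECTED_SYSTEMS = ["LAPTOP-001", "LAPTOP-002", "LAPTOP-003",
                    "LAPTOP-004", "LAPTOP-005"]


def load_disk_states(csv_text, system_col="System Name",
                     disk_col="Disk", state_col="State"):
    """Return {SYSTEM: {disk: state}} parsed from the exported CSV text."""
    states = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        system = (row.get(system_col) or "").strip().upper()
        if not system:
            continue  # skip blank or malformed rows
        disk = (row.get(disk_col) or "").strip() or "<unnamed>"
        state = (row.get(state_col) or "").strip()
        states.setdefault(system, {})[disk] = state
    return states


def is_encrypted(state):
    """Only "Encrypted" counts (ignoring case and surrounding whitespace)."""
    return state.strip().casefold() == "encrypted"


def classify(disk_states, expected_systems):
    """Sort expected systems into fully encrypted, not fully encrypted,
    and not present in the report at all."""
    report = {"fully_encrypted": [], "not_fully_encrypted": {},
              "not_reported": []}
    for name in sorted(s.strip().upper() for s in expected_systems):
        disks = disk_states.get(name)
        if not disks:
            # No rows for this system: the EE Agent may not be installed.
            # Absence from the report is not evidence of encryption.
            report["not_reported"].append(name)
            continue
        bad = sorted((d, s) for d, s in disks.items() if not is_encrypted(s))
        if bad:
            report["not_fully_encrypted"][name] = bad
        else:
            report["fully_encrypted"].append(name)
    return report


def evidence_for(system, disk_states):
    """Incident-response check for one system: True only if the report
    lists at least one disk and every listed disk is "Encrypted"."""
    disks = disk_states.get(system.strip().upper(), {})
    proven = bool(disks) and all(is_encrypted(s) for s in disks.values())
    return proven, dict(disks)


if __name__ == "__main__":
    states = load_disk_states(SAMPLE_EXPORT)
    result = classify(states, EXPECTED_SYSTEMS)
    for key, value in result.items():
        print(key, value)
    print("LAPTOP-002 provably encrypted:", evidence_for("LAPTOP-002", states)[0])
```

Systems that land in `not_reported` are the ones to look up with the EE Encryption Provider query mentioned above.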

 Thank you for reading this unofficial Quick Start Guide for McAfee EEPC v6. Please use the comments for questions and feedback.


Annexes


Recommended VirusScan Enterprise (antivirus) exclusions for Endpoint Encryption for PC 6.x

Corporate KnowledgeBase ID: KB68415
Last Modified: March 09, 2010

Environment

For details of all supported operating systems, see KB51109

Summary

To avoid problems after installing Endpoint Encryption for PC 6.x on the client computer, McAfee recommends you create the following exceptions for every Endpoint Encryption for PC 6.0 Client:

What to Exclude | Comments
Endpoint Encryption File System | Under certain conditions, an anti-virus scanner can lock the Endpoint Encryption File System. This can cause data corruption as Endpoint Encryption attempts to write data to the file system.
Endpoint Encryption for PC v6 | Endpoint Encryption for PC 6.0 Product system files
Endpoint Encryption Agent | Endpoint Encryption 6.0 Agent system files

Solution McAfee recommends the following VirusScan Enterprise 8.x On-Access exclusions for supported client computers.

Example of an ePO VirusScan Enterprise exclusions policy:

What not to scan

Item | Exclude Folders | Read/Write
c:\Program Files\McAfee\Endpoint Encryption for PC v6 | Yes | read / write
c:\Program Files\McAfee\Endpoint Encryption Agent | Yes | read / write
\Device\SafeBootFSVolumes\Disk0\ | Yes | read / write

Related Information

o KB66909 - VirusScan Enterprise exclusions (Master Article)
o KB61000 - Managing VirusScan Enterprise exclusions with hardware paths
o KB55898 - Understanding VirusScan Enterprise Exclusions
o KB59742 - Verifying VirusScan Enterprise folder exclusions using the EICAR test file
o KB61143 - When to create exclusions by drive letter or device name
o KB58692 - How to create low-risk and high-risk process exclusions in VirusScan Enterprise
o KB54812 - How to use wildcards with exclusions in McAfee VirusScan Enterprise 8.x
o KB65718 - Default exclusions for Port Blocking in VirusScan 8.x


New Endpoint Encryption for PC 6.x theme does not display after applying the ePO policy

Corporate KnowledgeBase ID: KB68757
Last Modified: April 21, 2010

 

Environment

For details of all supported operating systems, see KB51109

Problem

Client fails to display the new theme after creating the Endpoint Encryption for PC (EEPC) 6.x theme according to the steps provided in the EEPC 6.0 product guide. For further details, see the section "Creating a new theme" in PD22395.

The file created which ePO applies is a 1280x1024 .PNG file.

Cause

The image dimensions 1280x1024, which are used to create the theme, are incorrect. The correct size is 1024x768. The current product guide does not specify the required image dimensions or the required file type.

Solution

Create the theme using the image dimensions 1024x768 and ensure the file format is .PNG.
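A pre-upload check for the theme image described in this KB entry, as an added example that is not part of the KB article or of any McAfee tool. It reads the PNG signature and IHDR chunk and checks for 1024x768; the 24-bit check follows the description in KB69532 later on this page, and `check_theme` and `make_png` are names chosen here, with `make_png` producing constructed test images.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
REQUIRED_SIZE = (1024, 768)   # dimensions given in KB68757
# KB69532 on this page describes the supported image as 24-bit. In PNG terms
# that is 8 bits per sample with colour type 2 (truecolour RGB).
REQUIRED_DEPTH = (8, 2)


def read_ihdr(data):
    """Parse the PNG signature and IHDR chunk; raise ValueError otherwise."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file (bad signature)")
    if len(data) < 33:
        raise ValueError("truncated PNG (no complete IHDR chunk)")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) != crc:
        raise ValueError("IHDR CRC mismatch (corrupt file)")
    width, height, bit_depth, color_type = struct.unpack(">IIBB", body[:10])
    return {"width": width, "height": height,
            "bit_depth": bit_depth, "color_type": color_type}


def check_theme(data):
    """Return a list of problems; an empty list means the image matches."""
    try:
        ihdr = read_ihdr(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    size = (ihdr["width"], ihdr["height"])
    if size != REQUIRED_SIZE:
        problems.append(f"dimensions are {size[0]}x{size[1]}, expected 1024x768")
    if (ihdr["bit_depth"], ihdr["color_type"]) != REQUIRED_DEPTH:
        problems.append(
            f"not 24-bit RGB (bit depth {ihdr['bit_depth']}, "
            f"colour type {ihdr['color_type']})")
    return problems


def make_png(width, height, color_type=2):
    """Build a constructed all-black 8-bit PNG in memory (RGB or RGBA)."""
    channels = {2: 3, 6: 4}[color_type]

    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body)
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, color_type, 0, 0, 0)
    # Each scanline is one filter byte (0 = none) followed by the pixel bytes.
    rows = (b"\x00" + b"\x00" * (width * channels)) * height
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))


if __name__ == "__main__":
    print("1024x768 RGB :", check_theme(make_png(1024, 768)) or "OK")
    print("1280x1024 RGB:", check_theme(make_png(1280, 1024)))
```

To check a real file, pass its bytes to `check_theme`, for example `check_theme(open("Background.png", "rb").read())`.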


Customized theme is not applied to new deployments of Endpoint Encryption for PC 6.0.1

Corporate KnowledgeBase ID: KB69532
Last Modified: July 27, 2010

Environment

McAfee Endpoint Encryption for PC 6.0 with Patch 1 (6.0.1)

For details of all supported operating systems, see KB51109

Problem

New activations are not downloading the custom theme.

New clients receiving the Endpoint Encryption for PC (EEPC) 6.0.1 agent and package do not receive the new custom theme set to be the default.

The theme is created using a supported size 1024x768 x 24-bit (Background.png). Any existing installations of EEPC 6.0.1 do receive and show the new wallpaper without issue. The new clients receive the new theme only after setting the machine that was just installed/activated to use the Default theme.

Solution

This issue is resolved in the McAfee Endpoint Encryption for PC 6.1 release, which is not currently available. This article will be updated when this release is posted to the McAfee download site.


Best practices manually decrypting an encrypted hard disk

Corporate KnowledgeBase ID: KB66433
Last Modified: June 10, 2010

Environment

For details of all supported operating systems, see KB51109

Summary

This article describes best practices for manually decrypting an encrypted hard disk.

After a successful full encryption, or during the initial encryption process, one or more bad sectors can cause Endpoint Encryption to report an error. For details about the errors that can occur in reading the disk sector, see KB65764.

NOTE: McAfee recommends that you defragment and run Chkdsk -r before enabling Endpoint Encryption full disk encryption. This is a best practice before encrypting a hard disk that can help avoid subsequent errors and potential loss of data.

Solution

IMPORTANT: For critical data, clone the hard disk before undertaking a manual decryption of the disk.

1. Clone the hard disk to an identical piece of hardware, sector by sector, with no compression, to retain an exact replica of the disk.

NOTE: This operation requires the use of cloning or imaging software such as Symantec Ghost. For more information, see http://service1.symantec.com/SUPPORT/on-technology.nsf/docid/2001111413481325.

2. Create a WinTech CD or SafeTech Floppy/USB bootable stick. For instructions, refer to the articles and documents below:

o KB60875 - How to manually create a bootable SafeTech floppy disk or USB stick
o KB53257 - How to create a SafeTech boot disk for Endpoint Encryption using the Manager
o For instructions on how to create a WinTech CD, refer to the Endpoint Encryption WinTech and SafeTech Administration Guide.

For a full list of product documents, go to the McAfee ServicePortal (http://mysupport.mcafee.com/Eservice/Default.aspx), and click Read Product Documentation.

3. Ensure that you can decrypt the data in the Workspace by loading the encrypted sectors. After you have verified that you can decrypt the disk, force decrypt the data by providing the start sector number and the range. Use one of the following two methods to achieve this:

o KB61117 - How to use the WinTech CD to remove the encryption and boot sector from the hard disk
o KB61119 - How to use the SafeTech Disk to remove the encryption and boot sector from the hard disk

After the process is complete, the data on the hard disk should be visible.
