

2007 McAfee, Inc.


2008 McAfee, Inc.
McAfee SafeBoot Security
Introduction to SafeBoot
McAfee World-wide Learning and Development
Copyright 2008 McAfee, Inc. All Rights Reserved.
The training information provided herein is the property of McAfee, Inc., and is
intended for the sole use of the individual or organization purchasing the
training. Distribution of the training material outside of the purchasing
organization is strictly prohibited.
All information contained herein is subject to change without notice. McAfee is
not responsible for errors or damages of any kind resulting from use of the
information contained herein. Every effort has been made to ensure the
accuracy of information presented as factual; however errors may exist.
Users are directed to countercheck facts when considering their use in other
applications. McAfee is not responsible for the content or functionality of any
technology resource not owned by the company.
The statements, comments, or opinions expressed by users through use of
McAfee's technology resources are those of their respective authors, who are
solely responsible for them, and do not necessarily represent the views of
McAfee, Inc. and/or its affiliates.
2/21/2008
Objectives
At the end of this section, the student will be able to;
Define Encryption
Describe common encryption methods
Explain what data obfuscationmeans
Explain what a hash is
List the products in the SafeBoot v5 Device Security
Family
List supported operating systems for SafeBoot v5
Provide a basic description of how SafeBoot works
At the end of this section, the student will be able to:
Define Encryption
Describe common encryption methods
Explain what data obfuscation means
Explain what a hash is
List the products in the SafeBoot v5 Device Security Family
List supported operating systems for SafeBoot v5
Provide a basic description of how SafeBoot works
1. Encryption
Common Encryption Methods
Symmetric Encryption (secret, shared-key)
Requires a secret key be shared by multiple users
Requires many keys for many user pairs
Diffie-Hellman Key Exchange (for secret, shared symmetric keys)
A method where users secretly add part of the shared encryption key in order to increase the
security of the secret shared key
Asymmetric Encryption, also called Public Key Encryption
Shared-public key used to encrypt data
Separate, private keys used for decryption
No shared-keys required
Symmetric Encryption (used in SafeBoot for user, machine, hard disk keys, etc.)
Before 1975, all encryption schemes forced the sender and the receiver to have the same secret key.
If Bob sends Alice an encrypted message, Alice must first know Bob's key in order to read it. Before
1975, all encryption schemes linked encryption and decryption: if you gave away your encryption key,
you gave away your decryption key, because they were the same thing. Further, if you encrypted
something, you could later decrypt it. So secret-key systems are contradictory: they need secret keys,
but need to share them. This system also requires many keys to be created and stored. If a thousand
users have to share secrets with each other using a secret-key system, they could need half a million
shared keys, since every pair using the system might have to have their own shared secret key.
Diffie-Hellman key exchange (for secret, shared symmetric keys) (used to negotiate
communication keys) [INSTRUCTOR NOTE: You may want to draw this on the whiteboard]
First, let us assume that everybody has a three-liter bucket containing one liter of yellow paint that
represents a shared encryption key. If Alice and Bob want to agree on a secret key, each of them adds
one liter of their own secret color to their own bucket. Alice might add a shade of purple, while Bob
might add red. Each sends their own mixed bucket to the other. Finally, Alice takes Bob's mixture
and adds one liter of her own secret color, and Bob takes Alice's mixture and adds one liter of his
own secret color. Both buckets should now be the same color, because they both contain one liter of
yellow, one liter of purple and one liter of red. It is the exact color of the doubly contaminated
shared key buckets that is used as the secret key. Alice has no idea what color was added by Bob,
and Bob has no idea what color was added by Alice, but they have both achieved the same end: an
identical encryption/decryption key.
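The paint-mixing exchange above, written out with modular arithmetic as an added example (not part of the McAfee training material). The modulus P, base G, the Party class and the exchange() helper are assumptions made for illustration; P is a demonstration-sized prime, far too small for real use.

```python
import hashlib
import secrets

# Constructed demonstration parameters (assumptions, not from the slides).
# P is the Mersenne prime 2**127 - 1: large enough to show the arithmetic,
# far too small to protect real traffic.
P = 2**127 - 1   # public modulus, known to everybody
G = 3            # public base: the liter of yellow paint in every bucket


class Party:
    """One side of the exchange (Alice or Bob)."""

    def __init__(self, name):
        self.name = name
        # The secret color: chosen at random and never sent anywhere.
        self._secret = secrets.randbelow(P - 3) + 2      # 2 .. P-2
        # Yellow plus the secret color: the bucket sent to the peer.
        self.public = pow(G, self._secret, P)

    def shared_key(self, peer_public):
        """Add our secret color to the peer's bucket and derive a key."""
        # A peer value of 0, 1 or P-1 would force a predictable result,
        # so it is rejected before any secret is mixed in.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value out of range")
        mixed = pow(peer_public, self._secret, P)        # the final color
        # Hash the shared value into a fixed-length symmetric key.
        return hashlib.sha256(mixed.to_bytes(16, "big")).digest()


def exchange():
    """Run one exchange; return both derived keys and what crossed the wire."""
    alice, bob = Party("Alice"), Party("Bob")
    # Only the two mixed buckets travel; the secret colors never do.
    wire = {"Alice->Bob": alice.public, "Bob->Alice": bob.public}
    key_a = alice.shared_key(bob.public)
    key_b = bob.shared_key(alice.public)
    return key_a, key_b, wire


if __name__ == "__main__":
    key_a, key_b, wire = exchange()
    for direction, value in wire.items():
        print(f"{direction}: {value:#x}")
    print("keys match:", key_a == key_b)
```

The exchange by itself does not tell either side who sent the bucket, which is why the deck pairs it with public-key validation of the server.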
Asymmetric Encryption, also called Public Key Encryption, does away with the issue of
exchanging secret keys (used to validate servers to the client, and in RSA recovery)
Public-key cryptography, also known as asymmetric cryptography, is a form of cryptography in
which a user has a pair of cryptographic keys: a public key and a private key. The private key is
kept secret, while the public key may be widely distributed. The keys are related mathematically, but
the private key cannot be practically derived from the public key. A message encrypted with the
public key can be decrypted only with the corresponding private key.
Such a seemingly innocuous system has consequences. First, Bob and Alice no longer need either a
secure channel or a shared secret key. Second, we now need only as many keys as there are people,
rather than a key for each pair of people. A thousand of us would need only a thousand keys, rather
than half a million. Third, even Alice can't decrypt her own encrypted message to Bob; once she
encrypts a message with the public key intended for Bob, not even she can open it. Fourth, Bob and
Alice don't even have to know or trust each other for the system to work.
What is Encryption?
Transforming information with algorithms to make it unreadable to anyone without special knowledge
In computer data encryption, the special knowledge usually means a decryption key
Value of data bits are changed via algorithmic computation
A key, or special algorithm, is required to reverse the computation and return the data to original form
Encryption is the process of transforming information (referred to as plaintext) using an algorithm
(called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually
referred to as a key. The result of the process is encrypted information (in cryptography, referred to
as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process,
decryption (e.g. software for encryption can typically also perform decryption), to make the
encrypted information readable again (i.e. to make it unencrypted).
The data encryption process generally consists of applying a complex algorithmic computation to
the value of data bits that represent stored information. A key, or special computational algorithm,
is required to return the data bits to their original value.
Obfuscation and Hashes
Obfuscation: to conceal meaning by making interpretation difficult
Used to help prevent brute force attacks
Hash: one-way function that takes input and produces a hash value output, similar to a checksum
Salting the hash by adding known but random data before hashing, in order to obfuscate the information
Prevents simple hash-reversal decoding of information
Obfuscation is the concealment of meaning in communication, making it confusing and harder to
interpret.
In cryptography, obfuscation refers to encoding the input data before it is sent to a hash function or
other encryption scheme. This technique helps to make brute force attacks unfeasible, as it is difficult
to determine the correct original data (cleartext).
Hashes (used in the application control module)
A cryptographic hash algorithm like SHA-1 or MD5 is a sophisticated one-way function that takes
some input and produces a hash value as output, like a checksum, but more resistant to collisions.
This means that it's incredibly unlikely that you'd find two messages that hash to the same value. In
any case, because a hash is a one-way function, it cannot be reversed directly. The risk is that someone
will calculate the hash for all possible inputs; they can then simply look up a hash and know what the
input was that created it. To get around this we use salt. Salt is a way to season the passwords
before hashing them, making the attacker's precomputed dictionary useless. We add some random
(but known) data to the input before hashing it, so that any dictionary made before the salt was
chosen is redundant. For example, if we are checking a password and the user inputs pass1, we can
prefix it with 12345 and store the hash, 12312345324534. For the next user we would prefix 54321;
if they use the same password their stored hash will be different, so we have defeated a hash table
attack.
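The lookup-table risk and the salt described above, as an added example that is not part of the McAfee training material. SHA-1 with a prefixed salt mirrors the scheme in the text; the function names, the word list and the PBKDF2 variant are assumptions added for illustration, and the example goes beyond the text by also showing that deliberately slow salted form from Python's standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample word list standing in for "all possible inputs".
WORDLIST = ["123456", "password", "pass1", "letmein", "qwerty"]


def unsalted_hash(password):
    """Plain SHA-1 of the password: identical for every user who picks it."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> input once; it then works against any unsalted store."""
    return {unsalted_hash(w): w for w in words}


def salted_record(password):
    """The scheme from the text: random (but known) salt prefixed before hashing."""
    salt = secrets.token_hex(8)
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return salt, digest            # both values are stored with the account


def verify_salted(salt, stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.sha1((salt + candidate).encode()).hexdigest()
    return hmac.compare_digest(digest, stored)


def kdf_record(password, iterations=200_000):
    """Salt plus a slow hash (PBKDF2-HMAC-SHA256): every guess against one
    account costs `iterations` hash computations instead of one."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_kdf(record, candidate):
    salt, iterations, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Unsalted: one dictionary lookup reveals the input.
    print("unsalted lookup:", table.get(unsalted_hash("pass1")))
    # Salted: two users with the same password get different stored hashes,
    # and neither appears in the table built beforehand.
    salt1, h1 = salted_record("pass1")
    salt2, h2 = salted_record("pass1")
    print("same password, different records:", h1 != h2)
    print("salted hash found in table:", h1 in table)
    print("verification still works:", verify_salted(salt1, h1, "pass1"))
```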
2. SafeBoot v5 Device Security Family
SafeBoot v5 Device Security Family
SafeBoot Device Encryption for PC / Laptop
SafeBoot Device Encryption for PDAs
SafeBoot Device Encryption for Tablet PC
SafeBoot Content Encryption for PC
McAfee SafeBoot Device Security Family
SafeBoot Device Encryption for PC / Laptop: provides full disk, on-the-fly encryption
SafeBoot Device Encryption for PDAs: provides device access security and encryption of onboard data
SafeBoot Device Encryption for Tablet PC: provides full disk, on-the-fly encryption
SafeBoot Content Encryption for PC: provides file/folder encryption at the client
SafeBoot Device Encryption for PC/Laptop/Tablet
Does not change the way the PC is used
After logon, SafeBoot DE is transparent to end-user
Provides policy-based, full-disk encryption / decryption on-the-fly
Supports multiple logon token types, including password-only
Provides ability to manage specific file versions on SafeBoot protected machines
Windows Single Sign-on feature handles Windows logon
Unlike other security systems, SafeBoot Device Encryption does not prevent access to specific files,
or in any way alter the way the PCs and PDAs are used.
SafeBoot Device Encryption enhances the security of devices by providing policy-based data
encryption and a token-based logon procedure using, for example, a Smart Card via a USB,
PCMCIA, serial or parallel reader.
For end users, SafeBoot allows users to work as usual, including the security and network services.
Apart from the initial logon, SafeBoot offers completely transparent security.
SafeBoot supports many different types of logon token, for example passwords, smart cards, Aladdin
eToken, and others. Before a user can use a non-password token, you must ensure any machine they
are going to use has been suitably prepared.
SafeBoot 5 Device Encryption uses central collections of files, called Deploy Sets, to manage what
versions of files are used on remote SafeBoot clients. When an administrator updates a file in the
central directory, all machines attached to that Deploy Set automatically collect the new version of
the file from the directory the next time they synchronize. This mechanism can be used to update
SafeBoot clients to future versions, or to manage any file on a SafeBoot protected machine, for
instance updating a virus database or a new version of an application.
SafeBoot can ease the logon process for users by doing the Windows logon for them, as well as
taking responsibility for screen saver logons and re-logon requests.
Benefits of SafeBoot Device Encryption
Enhances mobile device security by providing full-disk encryption and token-based logon procedures.
Normal password protection does not help against data theft
Use HDD in another system to get the data
Start with bootable media to reset Windows account
Optional File and Media encryption included; Content Encryption
SafeBoot supports all current Microsoft O/S and common PDA platforms
SafeBoot's product range enhances the security of devices by providing data encryption and a
token-based logon procedure using, for example, a Smart Card via a USB, PCMCIA, serial or parallel
reader.
Password protection does not protect against data theft: you can place a hard disk into another
system to retrieve the data, or start the computer with bootable media to reset the Windows account.
Full-disk encryption protects the data even in these circumstances.
SafeBoot also has optional File and Media encryption programs (SafeBoot Content Encryption,
SafeBoot).
SafeBoot supports all current Microsoft Operating Systems, and also common PDA platforms:
Microsoft Windows 2000 through SP4
Microsoft Windows XP through SP2
Microsoft Windows 2003
Microsoft Vista 32bit and 64bit (all versions)
Microsoft Pocket Windows 2002 and 2003
Microsoft Windows Mobile 5.0/6.0
Palm OS 3.5 through 5.4
Symbian UIQ
SafeBoot Content Encryption
Persistent encryption of files and folders on multiple media
USB memory sticks
File servers
Removable media
Managed through SafeBoot Management Centre
Covers four security needs in one product
Local file and folder encryption
File and folder encryption on file servers
File and folder encryption on removable media
Encryption of e-mail attachments
High user transparency
The user must not be disturbed by encryption
Minimum of user interaction
The file remains encrypted regardless of where it is moved. Thus, the file will remain encrypted even
if stored on a USB memory stick, a floppy disk or on a network share - persistent encryption. This
means that even if a file is misplaced in another folder, or placed on a floppy disk, the file remains
encrypted and always secure.
With central management using the SafeBoot Administration System, and distribution of encryption
keys using the secure SafeBoot Server, it is easy to allow sharing of encrypted files within an
organization. By assigning groups of users to encryption keys, the users in the group can exchange
and read encrypted files like any other file, without noticing any difference. Users not assigned to the
key will not be able to read files encrypted with that key.
SafeBoot Content Encryption
Supported platforms:
Windows NT4
Windows 2000
Windows XP
Windows Server 2003
Novell File Server (storage only)
True on-the-fly data encryption and decryption when writing to/reading from disk
Source file always encrypted on disk
Wide token support
Smart cards, passwords, digital certificates
Own GINA in development for integration with WinLogon
SafeBoot Content Encryption can encrypt files and folders on all FAT formatted drives, all NTFS
formatted drives and network drives attached through the MS LANMAN or Novell redirectors. Also,
SafeBoot Content Encryption supports encryption of files and folders within a Microsoft Terminal
Server environment.
SafeBoot Content Encryption encrypts folders and files transparently and on-the-fly, at the original
location of the file or folder. Thus the user interaction is very low and the user perceives the working
environment as normal.
Whenever a file is written to supported storage media the SafeBoot Content Encryption filter
executes assigned encryption policies and encrypts the file if applicable. When an application later
reads the file, the encryption filter automatically decrypts the file when it is read into memory.
The source file always remains encrypted on disk.
SafeBoot Content Encryption
Source file always encrypted on disk; only parts in RAM decrypted
No decrypted traces in RAM
Encrypted files and folders always visible and no special formats created
Automatic policy enforcement beyond user control
Sharing of encrypted data
Persistent encryption
Automatic encryption of the system pagefile
When the application closes the file, the memory is wiped and the original file is still encrypted on
disk. No decrypted traces of the file remain in RAM.
Encrypted folders and files are always visible to the user. Thus, the user can search for, and will
recognize files and folders as before encryption. A small key hole icon can be optionally attached to
the file or folder icon, marking it as encrypted.
You can create a policy from the SafeBoot Management Centre, and then create an install set from it.
When the SafeBoot Content Encryption client is then installed, the user who logs on will be forced to
retrieve the proper policy assigned to him/her in the central database.
SafeBoot Content Encryption encrypts the Windows pagefile. This feature is automatic and cannot
be configured or disabled. The pagefile is encrypted with a temporary encryption key created at each
boot. Thus, the pagefile encryption key is discarded once the computer shuts down, while
the pagefile is still encrypted.
SafeBoot Content Encryption
Policy controlled encryption for any removable media, e.g.
USB memory sticks
SD cards and other storage cards
Extensive set of encryption policies in SafeBoot Admin
Support for burning encrypted data onto CD and DVD
Fully integrated with the Windows Explorer
Encryption and Decryption of files and folders easily managed using familiar right-clicks
SafeBoot Device Encryption for PDAs
SafeBoot Device Encryption for PDAs provides:
Access control by PIN or password
Device-lock and optional data bomb feature
Encryption of internal databases (contacts, e-mails, etc)
FIPS-140 certified AES-256 algorithm
No software required on host PCs (other than PDA synch software)
Central administration, deployment and recovery from the standard SafeBoot database
Overview: SafeBoot Pocket VDisk for PDAs
Pocket VDisk provides strong encrypted virtual folders for transparently securing information
Encryption of data stored on external media cards (CF, SD)
Single Sign-On to SafeBoot for PocketPC
Exchange volumes with VDisk on Desktop PCs
FIPS-140 Certified AES-256 encryption and RC5 1024
FIPS-140: Federal Information Processing Standard, publication 140-2
AES: Advanced Encryption Standard, a block cipher standard adopted by the US Govt in May 2002.
RC5: a fast block cipher designed to be suitable for both software and hardware implementation.
3. How SafeBoot DE Works - Overview
How SafeBoot Works: Full Disk Encryption (SafeBoot DE)
SafeBoot takes control of the Hard Disk from the O/S
SafeBoot driver encrypts all data written to disk
SafeBoot driver also decrypts all data read from disk
Hard disk contents are completely encrypted and unreadable without the appropriate authorization
SafeBoot installs a mini-O/S on the hard disk (SafeBoot File System)
Once authenticated, SafeBoot encryption driver is loaded and original O/S is booted.
SafeBoot protects the user's PC by simply taking control of the hard disk from the operating system.
The SafeBoot driver encrypts every piece of data written to the disk; it also decrypts every piece of
information read off the disk.
If an unauthorized application broke through the SafeBoot barrier and read the disk directly, it would
find only encrypted data, even in the Windows swap file and temporary file areas.
SafeBoot installs a mini-operating system on the user's hard drive; this is what the user sees when
they boot the PC. SafeBoot looks and feels like Microsoft Windows, with mouse and keyboard
support, moveable windows etc. This SafeBoot OS is completely contained and does not need to
access any other files or programs on the hard disk, and is responsible for allowing the user to
authenticate with a password, for example, or a token such as a smart card.
Once the user has entered the correct authentication information, the SafeBoot operating system
starts the crypt driver in memory and boots the protected machine's original operating system. From
this point on the machine will look and behave as if SafeBoot was not installed. The security is
invisible to the user: the only readable data on the hard disk will be the SafeBoot operating system;
the encryption key for the hard drive is itself protected with the user's authentication key. The only
possible way to defeat SafeBoot is to either guess the hard disk encryption key, or to guess the user's
password.
On PDAs such as Pocket Windows and PalmOS, SafeBoot installs applications and drivers to
provide authentication and encryption services. SafeBoot can protect memory cards, internal
databases (such as e-mail and contact lists), and provides secure, manageable authentication services.
[Figure: SafeBoot DE Installation. Labels: BIOS, MBR, HDD, APPL; Sector 1: SBR; Sectors 2 - 62: SBFS (MBR); PreBoot Authentication to Access SafeBoot File System & Boot Windows]
SafeBoot DE Disk Changes
The Master Boot Record (MBR) is the first sector on the system.
With the SafeBoot installation, the SBR (SafeBoot Boot Record) overwrites the original MBR.
The SafeBoot File System (SBFS) is created between sectors 2-62 and includes the original MBR.
With the authentication password or token, SafeBoot can access the SBFS to load the original MBR.
SafeBoot DE Disk Changes
SafeBoot replaces the MBR with its own
NO repartitioning of the hard disk is required, unlike competitors using a Linux preboot OS
Original MBR saved in the SafeBoot File System (SBFS)
SBR contains info about the start of the bootcode and the SBFS sector chains
The SBR also has the master SB version number
Loads the SB bootcode by following the sector chain (no access to files)
After logon, loads the original MBR and runs it (now updates the original MBR with the current partition table)
Boot Manager option that allows a choice of which primary partition to boot instead of just running
the original MBR
4. The SafeBoot File System
SafeBoot File System
The SafeBoot File System (SBFS) stores all data and modules needed in preboot
Stored in a host file on the normal file system (SAFEBOOT.FS) - usually root of C: but can be root
of any partition on the boot disk
Sectors that make up the file are detected by the disk driver
Host file must not be moved - we make it read only/system/hidden and lock it using driver
(RSVLOCK.SYS)
The main driver (SAFEBOOT.SYS) prevents write access to SBFS sectors - if file moved, it may
result in some sectors being marked as bad but SB will still boot
Bootcode in its own file (SAFEBOOT.COD) in same place as SBFS host file
Bootcode file loaded by MBR following sector chain with start sector in MBR
SafeBoot File System
SBFS is standard FAT16 (faster, more reliable, multi-process)
Default size is 10MB but cannot grow dynamically - can be set (prior to install) in defscm.ini if we
need to make it bigger (max 32MB, min 8MB)
Should be big enough for hundreds or thousands of users (much less slow down with large numbers
of users)
In Windows, it is mounted like a VDisk - OS actually provides the access just like any other disk
Normally the SBFS is not visible to users, but system can access it by specifying a path starting with
\\SafeBoot\SBFS
Client can use normal Windows file APIs to access SBFS
Modular structure: not all functions are loaded directly
SBFS is standard FAT16 (faster, more reliable, multi-process)
Default size is 10MB but can no longer grow dynamically - can be set (prior to install) in INI file /
defscm.ini if we need to make it bigger (max 32MB, min 8MB)
Should be big enough for hundreds or thousands of users (much less slow down with large numbers
of users)
In Windows, it is mounted like a VDisk - OS actually provides the access just like any other disk
Normally the SBFS is not visible to users, but system can access it by specifying a path starting with
\\.\SafeBootfs\<directory>
Client can use normal Windows file APIs to access SBFS
Modular structure: not all functions are loaded directly
SafeBoot File System
\DataStore - directory used to store the client object database
\Disk - directory that stores disk related client data
\Disk\OrigMbr.dat - the original MBR
\Locale - directory used to store language related things (such as keyboard maps and language strings)
\Locale\Locale.ini - defines the available languages and keyboards
\Locale\Osk - directory containing the data for the on-screen keyboards
\Graphics - directory used to store graphical definitions used by the boot code (e.g. the bitmaps and
fonts used to create "themes" for the boot code)
\Graphics\Graphics.ini - defines the graphical layout of the various windows used by the boot code
\Boot - directory containing information for the boot process
\Boot\BootCode.ini - options used by the boot code environment
\SbAlgs - directory containing the algorithm modules
\SbTokens - directory containing the token modules
\SbTokens\Data - directory containing additional data for tokens
5. The SafeBoot Device Encryption Client Manager
The SafeBoot Device Encryption Client Manager
Connects to Object Directory, or configuration store at boot
Uploads latest audit and password changes, downloads any central
configuration changes
End-user only sees SafeBoot Monitor icon in SysTray.
Double-click to lock workstation
Right-click to:
Lock Workstation
Show Status
Synchronize
The SafeBoot Client connects to its Object Directory, or configuration store, which may be on the
same machine, a network drive, or via a SafeBoot Server. It does this every time the machine boots.
Once connected to the directory, the SafeBoot client uploads the latest audit and password changes to
the directory, and if necessary downloads any configuration changes specified centrally.
The only user-visible part of SafeBoot is the SafeBoot Monitor icon in the user's System Tray. By
double-clicking the icon users can lock the workstation. By right-clicking it they can select one of
three actions.
Lock Workstation
Locks the client workstation
Show Status
The configuration process within SafeBoot 5.1 is largely transparent to the user. The only evidence
of SafeBoot working can be found from the status menu available from SafeBoot's tool tray icon. The
Status window displays any on-going configuration tasks (such as encryption processes) and status
messages from the last directory connection.
Synchronize
SafeBoot tries to establish a connection with its directory during the boot process. In a situation where
the directory is unavailable, for example a notebook user who is connecting via dial-up networking,
the user can establish a connection at any time, and select the Synchronize option to connect to a
remote directory and collect / upload changes.
SafeBoot Client Manager - Synchronization Events
SafeBoot Client Manager is a Windows service, and can be thought of as an Agent
Always started with Windows start up
Provides synchronization between client and SafeBoot Server Database to update the client with new
policies and files
The SafeBoot client manager log, SBClientLog.txt, is stored on the client under
c:\[program files]\safeboot\SBClientLog.txt
SafeBoot Client Manager
Client log is written in Unicode
Log written to SbClientLog.txt
Log max size and purge size controlled by settings in SCM.INI
[Log]\MaxSize: max size in KB (min 50KB, 0=unlimited)
[Log]\PurgeSize: amount to purge (in KB) when max reached (min 10%)
Tracing controlled by setting in SCM.INI
[Debug]\Trace: 0 is disabled, 1 is enabled
Trace written to SbCm.Log
Delete log can be disabled
SafeBoot Client Boot and Logon Process
Boot screen allows user to select login method
User provides credentials
SafeBoot File System launches HD decrypt process
SafeBoot Client Manager starts and performs login (SSO enabled)
Connect to Object Directory
Events are uploaded, config updates downloaded/applied
SafeBoot Tool Tray icon loaded
The Device Encryption boot screen allows the user to select a login method (one of the available
tokens), and then provide authentication credentials such as a user id and password. If the user can
provide the correct details, the SafeBoot boot code starts the transparent hard drive decryption
process, loads the original MBR and executes it.
When the operating system starts, the SafeBoot Configuration Manager (SCM) runs and performs a
logon to the operating system (if SSO is enabled). It then attempts to contact the Object Directory
using the Directory Manager (this can be local or remote via a SafeBoot Server) and re-validates the
user against any changes that have been made since the last validation. Following this, SCM
downloads and applies any configuration updates. This could include new user accounts.
If the Object Directory validation is successful (i.e. no administrator has deleted or disabled the user's
account) the Windows startup completes, and the SafeBoot icon is loaded into the tool tray to allow
the user to run the screen saver, validate with the server, display status etc.
After a period of inactivity or a power event, SCM activates the screen saver, locking the user.
SafeBoot Client Auditing (user events)
User events are collected locally and transferred to the Object Directory as part of
synchronization. Until that time the audit is cached internally in the encrypted
SafeBoot file system. The last 3000 entries are cached locally; when the limit is
reached the oldest 300 entries are culled. The local audit will retain approximately 2
years of normal operation before culling begins.
SafeBoot Device Encryption audits user, machine, and server activity. By right-clicking
on an object in the SafeBoot Object Directory, you can select the view audit function
to see information on user events.
Audit trails can be exported to a CDF file by using the Audit menu option, or by
right-clicking the trail and selecting Export.
End Module
Introduction to SafeBoot