McAfee SafeBoot Security
Introduction to SafeBoot
McAfee World-wide Learning and Development

Copyright 2008 McAfee, Inc. All Rights Reserved.
The training information provided herein is the property of McAfee, Inc., and is intended for the sole use of the individual or organization purchasing the training. Distribution of the training material outside of the purchasing organization is strictly prohibited. All information contained herein is subject to change without notice. McAfee is not responsible for errors or damages of any kind resulting from use of the information contained herein. Every effort has been made to ensure the accuracy of information presented as factual; however, errors may exist. Users are directed to countercheck facts when considering their use in other applications. McAfee is not responsible for the content or functionality of any technology resource not owned by the company. The statements, comments, or opinions expressed by users through use of McAfee's technology resources are those of their respective authors, who are solely responsible for them, and do not necessarily represent the views of McAfee, Inc. and/or its affiliates.

Objectives
At the end of this section, the student will be able to:
- Define encryption
- Describe common encryption methods
- Explain what data obfuscation means
- Explain what a hash is
- List the products in the SafeBoot v5 Device Security Family
- List supported operating systems for SafeBoot v5
- Provide a basic description of how SafeBoot works

1. Encryption
Common Encryption Methods
- Symmetric Encryption (secret, shared key)
  - Requires a secret key to be shared by multiple users
  - Requires many keys for many user pairs
- Diffie-Hellman Key Exchange (for secret, shared symmetric keys)
  - A method where users secretly add part of the shared encryption key in order to increase the security of the secret shared key
- Asymmetric Encryption, also called Public Key Encryption
  - Shared public key used to encrypt data
  - Separate private keys used for decryption
  - No shared keys required

Symmetric Encryption (used in SafeBoot for user, machine, hard disk keys, etc.)
Before 1975, all encryption schemes forced the sender and the receiver to have the same secret key. If Bob sends Alice an encrypted message, to read it Alice must first know Bob's key. Before 1975, all encryption schemes also linked the encryption and the decryption: if you gave away your encryption key, you gave away your decryption key, because they were the same thing. Further, if you encrypted something, you could later decrypt it. So secret-key systems are contradictory: they need secret keys, but they also need to share them. Such a system also requires many keys to be created and stored. If a thousand users have to share secrets with each other using a secret-key system, they could need half a million shared keys, since every pair using the system might have to have their own shared secret key.

Diffie-Hellman Key Exchange (for secret, shared symmetric keys; used to negotiate communication keys)
[INSTRUCTOR NOTE: You may want to draw this on the whiteboard]
First, let us assume that everybody has a three-liter bucket containing one liter of yellow paint that represents a shared encryption key. If Alice and Bob want to agree on a secret key, each of them adds one liter of their own secret color to their own bucket. Alice might add a shade of purple, while Bob might add red. Each sends their own mixed bucket to the other.
Finally, Alice takes Bob's mixture and adds one liter of her own secret color, and Bob takes Alice's mixture and adds one liter of his own secret color. Both buckets should now be the same color, because they both contain one liter of yellow, one liter of purple and one liter of red. It is the exact color of the doubly contaminated shared-key buckets that is used as the secret key. Alice has no idea what color was added by Bob, and Bob has no idea what color was added by Alice, but they have both achieved the same end: an identical encryption/decryption key.

Asymmetric Encryption
Also called Public Key Encryption, it does away with the issue of exchanging secret keys (used to validate servers to the client, and in RSA recovery).
Public-key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key. Such a seemingly innocuous system has consequences. First, Bob and Alice no longer need either a secure channel or a shared secret key. Second, we now need only as many keys as there are people, rather than a key for each pair of people: a thousand of us would need only a thousand keys, rather than half a million. Third, even Alice can't decrypt her own encrypted message to Bob; once she encrypts a message with the public key intended for Bob, not even she can open it. Fourth, Bob and Alice don't even have to know or trust each other for the system to work.
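As an added teaching example (not part of the original course notes or SafeBoot code), the paint-bucket exchange above in its arithmetic form: each party's "mixed bucket" is g^x mod p, and the shared key is the value both sides compute; the module's key-count comparison for a thousand users is included. The modulus P, generator G and function names are constructed for illustration and are not secure parameters.

```python
"""Diffie-Hellman 'paint mixing' in arithmetic form, plus the key-count comparison.

Added teaching example; not SafeBoot code. The modulus is a constructed toy
value so the numbers can be checked by hand. Real deployments use groups of
2048 bits or more.
"""

# Public "yellow paint" everyone starts with: a prime modulus and a generator.
P = 23  # toy prime, constructed for illustration
G = 5   # generator of the multiplicative group mod P


def mix_public(private: int, p: int = P, g: int = G) -> int:
    """Add a private colour to the shared bucket: this value is sent to the peer."""
    return pow(g, private, p)


def mix_shared(private: int, peer_public: int, p: int = P) -> int:
    """Add the same private colour to the peer's bucket: the agreed key."""
    return pow(peer_public, private, p)


def exchange(alice_private: int, bob_private: int) -> tuple[int, int]:
    """Run the full exchange and return what Alice and Bob each compute.

    Only the mix_public() outputs travel between the parties; the private
    exponents never do. Both results must be identical.
    """
    alice_public = mix_public(alice_private)            # yellow + purple
    bob_public = mix_public(bob_private)                # yellow + red
    alice_key = mix_shared(alice_private, bob_public)   # yellow + red + purple
    bob_key = mix_shared(bob_private, alice_public)     # yellow + purple + red
    return alice_key, bob_key


def recover_private(public: int, p: int = P, g: int = G) -> int:
    """Discrete-log search an eavesdropper would have to run on a public value.

    Trivial for a 23-element group, infeasible for real group sizes: the
    parameter size, not secrecy of the algorithm, carries the security.
    """
    for candidate in range(1, p):
        if pow(g, candidate, p) == public:
            return candidate
    raise ValueError("no exponent found")


def symmetric_pair_keys(users: int) -> int:
    """Shared-secret keys needed if every pair of users has its own key."""
    return users * (users - 1) // 2


def asymmetric_keys(users: int) -> int:
    """Key pairs needed with public-key encryption: one per user."""
    return users


if __name__ == "__main__":
    alice_key, bob_key = exchange(6, 15)
    print(f"Alice computes {alice_key}, Bob computes {bob_key}")
    print(f"1000 users: {symmetric_pair_keys(1000)} pair keys vs "
          f"{asymmetric_keys(1000)} key pairs")
```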
What is Encryption?
- Transforming information with algorithms to make it unreadable to anyone without special knowledge
- In computer data encryption, the special knowledge usually means a decryption key
- Values of data bits are changed via algorithmic computation
- A key, or special algorithm, is required to reverse the computation and return the data to its original form

Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. software for encryption can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted). The data encryption process generally consists of applying a complex algorithmic computation to the values of the data bits that represent stored information. A key, or special computational algorithm, is required to return the data bits to their original values.

Obfuscation and Hashes
- Obfuscation: to conceal meaning by making interpretation difficult
  - Used to help prevent brute-force attacks
- Hash: a one-way function that takes input and produces a hash value as output, similar to a checksum
- Salting the hash: adding known but random data before hashing, in order to obfuscate the information
  - Prevents simple hash-reversal decoding of information

Obfuscation is the concealment of meaning in communication, making it confusing and harder to interpret. In cryptography, obfuscation refers to encoding the input data before it is sent to a hash function or other encryption scheme. This technique helps to make brute-force attacks unfeasible, as it is difficult to determine the correct original data (cleartext).
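The salting recipe from the slide above, as an added teaching example (not SafeBoot code): the same password hashed with two different salts produces two different stored values, and a table precomputed over unsalted hashes finds the unsalted value but neither salted one. The notes name SHA-1 and MD5; SHA-256 is used here instead (an assumption, since SHA-1 and MD5 are no longer recommended), the wordlist is constructed, and the iterated PBKDF2 variant is a defender's addition not on the slide.

```python
"""Salting before hashing, as on the Obfuscation and Hashes slide.

Added teaching example, not SafeBoot code. The notes name SHA-1 and MD5;
SHA-256 is used here instead (an assumption, since SHA-1 and MD5 are no
longer recommended). The candidate wordlist is constructed.
"""
import hashlib
import secrets


def unsalted_hash(text: str) -> str:
    """Plain hash of the input: reversible by anyone holding a precomputed table."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """The slide's recipe: prefix the input with known-but-random data, then hash."""
    return unsalted_hash(salt + password)


def slow_salted_hash(password: str, salt: str, iterations: int = 100_000) -> str:
    """Same idea with an iterated construction (PBKDF2-HMAC-SHA256).

    The salt defeats precomputed tables; the iteration count additionally makes
    each individual guess expensive. Not on the slide; added as a caveat.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()


def new_salt(nbytes: int = 8) -> str:
    """Fresh random salt per user. It is stored next to the hash and is not secret."""
    return secrets.token_hex(nbytes)


def verify(password: str, salt: str, stored: str) -> bool:
    """Recompute with the stored salt and compare without short-circuiting."""
    return secrets.compare_digest(salted_hash(password, salt), stored)


def precomputed_table(candidates) -> dict:
    """hash -> input for every candidate: the 'hash all possible inputs' risk from the notes."""
    return {unsalted_hash(c): c for c in candidates}


def lookup(table: dict, digest: str):
    return table.get(digest)


CANDIDATES = ["pass1", "password", "letmein"]  # constructed wordlist


def demo() -> dict:
    """Walk through the slide's pass1 / 12345 / 54321 example."""
    table = precomputed_table(CANDIDATES)
    first = salted_hash("pass1", "12345")   # user 1
    second = salted_hash("pass1", "54321")  # user 2, same password
    return {
        "unsalted_found": lookup(table, unsalted_hash("pass1")),  # 'pass1'
        "salted_found": lookup(table, first),                     # None
        "same_password_same_hash": first == second,               # False
        "verify_ok": verify("pass1", "12345", first),             # True
        "verify_wrong": verify("pass2", "12345", first),          # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```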
Hashes (used in the application control module)
A cryptographic hash algorithm like SHA-1 or MD5 is a sophisticated one-way function that takes some input and produces a hash value as output, like a checksum, but more resistant to collisions. This means that it's incredibly unlikely that you'd find two messages that hash to the same value. Because a hash is a one-way function, it cannot be reversed. The risk is that someone will calculate the hash for all possible inputs; then they can simply look up a hash and know what the input was that created it. To get around this we use salt. Salt is a way to season the passwords before hashing them, making the attacker's precomputed dictionary useless. We add some random (but known) data to the input before hashing it; that way any dictionary which was made before the salt is redundant. For example, if we are checking a password and the user inputs pass1, we can prefix it with 12345 and store the hash, 12312345324534. For the next user we would prefix 54321; if they use the same password their stored hash will be different, so we have defeated a hash table attack.

2. SafeBoot v5 Device Security Family

SafeBoot v5 Device Security Family
- SafeBoot Device Encryption for PC / Laptop: provides full-disk, on-the-fly encryption
- SafeBoot Device Encryption for PDAs: provides device access security and encryption of onboard data
- SafeBoot Device Encryption for Tablet PC: provides full-disk, on-the-fly encryption
- SafeBoot Content Encryption for PC: provides file/folder encryption at the client
SafeBoot Device Encryption for PC/Laptop/Tablet
- Does not change the way the PC is used
- After logon, SafeBoot DE is transparent to the end user
- Provides policy-based, full-disk encryption/decryption on the fly
- Supports multiple logon token types, including password-only
- Provides the ability to manage specific file versions on SafeBoot-protected machines
- Windows Single Sign-on feature handles Windows logon

Unlike other security systems, SafeBoot Device Encryption does not prevent access to specific files, or in any way alter the way the PCs and PDAs are used. SafeBoot Device Encryption enhances the security of devices by providing policy-based data encryption and a token-based logon procedure using, for example, a smart card via a USB, PCMCIA, serial or parallel reader. For end users, SafeBoot allows them to work as usual, including the security and network services. Apart from the initial logon, SafeBoot offers completely transparent security.

SafeBoot supports many different types of logon token, for example passwords, smart cards, Aladdin eToken, and others. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared.

SafeBoot 5 Device Encryption uses central collections of files, called Deploy Sets, to manage what versions of files are used on remote SafeBoot clients. When an administrator updates a file in the central directory, all machines attached to that Deploy Set automatically collect the new version of the file from the directory the next time they synchronize. This mechanism can be used to update SafeBoot clients to future versions, or to manage any file on a SafeBoot-protected machine, for instance updating a virus database or deploying a new version of an application.

SafeBoot can ease the logon process for users by doing the Windows logon for them, as well as taking responsibility for screen saver logons and re-logon requests.
Benefits of SafeBoot Device Encryption
- Enhances mobile device security by providing full-disk encryption and token-based logon procedures
- Normal password protection does not help against data theft:
  - Use the HDD in another system to get the data
  - Start with bootable media to reset the Windows account
- Optional file and media encryption included: Content Encryption
- SafeBoot supports all current Microsoft O/S and common PDA platforms

SafeBoot's product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a smart card via a USB, PCMCIA, serial or parallel reader. Password protection does not protect against data theft: you can place a hard disk into another system to retrieve the data, or start the computer with bootable media to reset the Windows account. Full-disk encryption protects the data even in these circumstances. SafeBoot also has optional file and media encryption programs (SafeBoot Content Encryption, SafeBoot). SafeBoot supports all current Microsoft operating systems, and also common PDA platforms:
- Microsoft Windows 2000 through SP4
- Microsoft Windows XP through SP2
- Microsoft Windows 2003
- Microsoft Vista 32-bit and 64-bit (all versions)
- Microsoft Pocket Windows 2002 and 2003
- Microsoft Windows Mobile 5.0/6.0
- Palm OS 3.5 through 5.4
- Symbian UIQ

SafeBoot Content Encryption
- Persistent encryption of files and folders on multiple media
  - USB memory sticks
  - File servers
  - Removable media
- Managed through SafeBoot Management Centre
- Covers four security needs in one product
  - Local file and folder encryption
  - File and folder encryption on file servers
  - File and folder encryption on removable media
  - Encryption of e-mail attachments
- High user transparency
  - The user must not be disturbed by encryption
  - Minimum of user interaction

The file remains encrypted regardless of where it is moved.
Thus, the file will remain encrypted even if stored on a USB memory stick, a floppy disk or on a network share: persistent encryption. This means that even if a file is misplaced in another folder, or placed on a floppy disk, the file remains encrypted and always secure. With central management using the SafeBoot Administration System, and distribution of encryption keys using the secure SafeBoot Server, it is easy to allow sharing of encrypted files within an organization. By assigning groups of users to encryption keys, the users in the group can exchange and read encrypted files like any other file, without noticing any difference. Users not assigned to the key will not be able to read files encrypted with that key.

SafeBoot Content Encryption
- Supported platforms:
  - Windows NT4
  - Windows 2000
  - Windows XP
  - Windows Server 2003
  - Novell File Server (storage only)
- True on-the-fly data encryption and decryption when writing to/reading from disk
- Source file always encrypted on disk
- Wide token support: smart cards, passwords, digital certificates
- Own GINA in development for integration with WinLogon

SafeBoot Content Encryption can encrypt files and folders on all FAT-formatted drives, all NTFS-formatted drives and network drives attached through the MS LANMAN or Novell redirectors. SafeBoot Content Encryption also supports encryption of files and folders within a Microsoft Terminal Server environment. SafeBoot Content Encryption encrypts folders and files transparently and on the fly, at the original location of the file or folder. Thus the user interaction is very low and the user perceives the working environment as normal.
Whenever a file is written to supported storage media, the SafeBoot Content Encryption filter executes the assigned encryption policies and encrypts the file if applicable. When an application later reads the file, the encryption filter automatically decrypts the file as it is read into memory. The source file always remains encrypted on disk.

SafeBoot Content Encryption
- Source file always encrypted on disk; only the parts in RAM are decrypted
- No decrypted traces in RAM
- Encrypted files and folders always visible, and no special formats created
- Automatic policy enforcement beyond user control
- Sharing of encrypted data
- Persistent encryption
- Automatic encryption of the system pagefile

When the application closes the file, the memory is wiped and the original file is still encrypted on disk. No decrypted traces of the file remain in RAM. Encrypted folders and files are always visible to the user. Thus, the user can search for, and will recognize, files and folders as before encryption. A small keyhole icon can optionally be attached to the file or folder icon, marking it as encrypted. You can create a policy from the SafeBoot Management Centre, and then create an install set from it. When the SafeBoot Content Encryption client is then installed, the user that logs on will be forced to retrieve the proper policy assigned to him/her in the central database.
With central management using the SafeBoot Administration System, and distribution of encryption keys using the secure SafeBoot Server, it is easy to allow sharing of encrypted files within an organization. By assigning groups of users to encryption keys, the users in the group can exchange and read encrypted files like any other file, without noticing any difference. Users not assigned to the key will not be able to read files encrypted with that key.

SafeBoot Content Encryption encrypts the Windows pagefile. This feature is automatic and cannot be configured or disabled. The pagefile is encrypted with a temporary encryption key created at each boot. Thus, the pagefile encryption key is discarded once the computer shuts down, while the pagefile is still encrypted.

SafeBoot Content Encryption
- Policy-controlled encryption for any removable media, e.g.:
  - USB memory sticks
  - SD cards and other storage cards
- Extensive set of encryption policies in SafeBoot Admin
- Support for burning encrypted data onto CD and DVD
- Fully integrated with Windows Explorer
  - Encryption and decryption of files and folders easily managed using familiar right-clicks
SafeBoot Device Encryption for PDAs
SafeBoot Device Encryption for PDAs provides:
- Access control by PIN or password
- Device lock and optional data bomb feature
- Encryption of internal databases (contacts, e-mails, etc.)
- FIPS-140 certified AES-256 algorithm
- No software required on host PCs (other than PDA synch software)
- Central administration, deployment and recovery from the standard SafeBoot database

Overview: SafeBoot Pocket VDisk for PDAs
- Pocket VDisk provides strong encrypted virtual folders for transparently securing information
- Encryption of data stored on external media cards (CF, SD)
- Single Sign-On to SafeBoot for PocketPC
- Exchange volumes with VDisk on desktop PCs
- FIPS-140 certified AES-256 encryption and RC5 1024

FIPS-140: Federal Information Processing Standard, publication 140-2. AES: Advanced Encryption Standard, a block cipher standard adopted by the US Government in May 2002. RC5 is a fast block cipher designed to be suitable for both software and hardware implementation.

3. How SafeBoot DE Works - Overview

How SafeBoot Works: Full Disk Encryption (SafeBoot DE)
- SafeBoot takes control of the hard disk from the O/S
- The SafeBoot driver encrypts all data written to disk
- The SafeBoot driver also decrypts all data read from disk
- Hard disk contents are completely encrypted and unreadable without the appropriate authorization
- SafeBoot installs a mini-O/S on the hard disk (SafeBoot File System)
- Once authenticated, the SafeBoot encryption driver is loaded and the original O/S is booted

SafeBoot protects the user's PC by simply taking control of the hard disk from the operating system. The SafeBoot driver encrypts every piece of data written to the disk; it also decrypts every piece of information read off the disk. If an unauthorized application broke through the SafeBoot barrier and read the disk directly, it would find only encrypted data, even in the Windows swap file and temporary file areas. SafeBoot installs a mini operating system on the user's hard drive; this is what the user sees when they boot the PC.
SafeBoot looks and feels like Microsoft Windows, with mouse and keyboard support, moveable windows, etc. This SafeBoot OS is completely self-contained and does not need to access any other files or programs on the hard disk, and it is responsible for allowing the user to authenticate with a password, for example, or a token such as a smart card. Once the user has entered the correct authentication information, the SafeBoot operating system starts the crypt driver in memory and boots the protected machine's original operating system. From this point on the machine will look and behave as if SafeBoot was not installed. The security is invisible to the user: the only readable data on the hard disk will be the SafeBoot operating system; the encryption key for the hard drive is itself protected with the user's authentication key. The only possible way to defeat SafeBoot is to either guess the hard disk encryption key, or to guess the user's password.

On PDAs such as Pocket Windows and PalmOS, SafeBoot installs applications and drivers to provide authentication and encryption services. SafeBoot can protect memory cards, internal databases (such as e-mail and contact lists), and provides secure, manageable authentication services.

SafeBoot DE Installation
[Diagram: BIOS -> HDD. Sector 1 holds the MBR (replaced by the SBR after installation); sectors 2-62 hold the SBFS, which contains the original MBR. Pre-boot authentication gives access to the SafeBoot File System and boots Windows.]

SafeBoot DE Disk Changes
- The Master Boot Record (MBR) is the first sector on the system
- With the SafeBoot installation, the SBR (SafeBoot Boot Record) overwrites the original MBR
- The SafeBoot File System (SBFS) is created in sectors 2-62, and includes the original MBR
- With the authentication password or token, SafeBoot can access the SBFS to load the original MBR
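As an added example (not SafeBoot code), a parser for the standard 512-byte boot-sector layout that the SBR replaces and the SBFS keeps a copy of: it reads the partition table, compares the active boot sector's table with the saved original, and checks that no partition overlaps the sectors the slide reserves for the SBFS. The sample sectors are constructed, and mapping the slide's 1-based "sectors 2-62" onto LBA 1-61 is an assumption.

```python
"""Boot-sector parsing for the MBR/SBR layout described on the installation slide.

Added example, not SafeBoot code. The layout (partition table at byte 446,
four 16-byte entries, 0x55AA signature) is the standard PC MBR format. The
sample sectors are constructed, not captured from a SafeBoot disk, and the
LBA mapping of the slide's 1-based sector numbers is an assumption.
"""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"
BOOT_SIGNATURE = b"\x55\xaa"
# Slide: sector 1 = MBR/SBR, sectors 2-62 = SBFS. Counting from 1, that is LBA 1..61.
SBFS_LAST_LBA = 61


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_partition_table(sector: bytes) -> list[dict]:
    """Return the populated partition entries of a boot sector."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    entries = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + index * 16
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, offset)
        if ptype == 0:  # empty slot
            continue
        entries.append({"index": index, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def tables_match(active_sector: bytes, saved_original: bytes) -> bool:
    """Compare only the partition tables: the SBR and the saved original MBR carry
    different boot code, but the saved copy should reflect the current partitions."""
    return parse_partition_table(active_sector) == parse_partition_table(saved_original)


def sbfs_region_free(entries: list[dict]) -> bool:
    """True if no partition starts inside the sectors reserved for the SBFS."""
    return all(e["lba_start"] > SBFS_LAST_LBA for e in entries)


def build_sector(code_marker: bytes, partitions) -> bytes:
    """Construct a sample sector: marker-filled code area, partition table, signature."""
    code = code_marker.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed samples. One bootable NTFS-type (0x07) partition at LBA 63, the
# classic layout that leaves LBA 1-62 in front of it for the SBFS.
CURRENT_PARTS = [(0x80, 0x07, 63, 20_000_000)]
SBR_SECTOR = build_sector(b"SBR boot code (constructed)", CURRENT_PARTS)
ORIG_MBR = build_sector(b"original MBR (constructed)", CURRENT_PARTS)
STALE_MBR = build_sector(b"original MBR (constructed)", [(0x80, 0x07, 63, 10_000_000)])
OVERLAPPING = build_sector(b"", [(0x80, 0x07, 32, 1_000)])

if __name__ == "__main__":
    print(parse_partition_table(SBR_SECTOR))
    print("tables match:", tables_match(SBR_SECTOR, ORIG_MBR))
    print("stale saved copy:", tables_match(SBR_SECTOR, STALE_MBR))
    print("SBFS region free:", sbfs_region_free(parse_partition_table(OVERLAPPING)))
```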
SafeBoot DE Disk Changes
- SafeBoot replaces the MBR with its own
- NO repartitioning of the hard disk required, unlike competitors using a Linux pre-boot OS
- Original Master Boot Record saved in the SafeBoot File System (SBFS)
- The SBR contains info about the start of the bootcode and the SBFS sector chains
- The SBR also has the master SafeBoot version number
- Loads the SafeBoot bootcode by following the sector chain (no access to files)
- After logon, loads the original MBR and runs it (and updates the original MBR with the current partition table)
- Boot Manager option that allows a choice of which primary partition to boot, instead of just running the original MBR

4. The SafeBoot File System
SafeBoot File System
- The SafeBoot File System (SBFS) stores all data and modules needed in pre-boot
- Stored in a host file on the normal file system (SAFEBOOT.FS), usually in the root of C: but can be in the root of any partition on the boot disk
- The sectors that make up the file are detected by the disk driver
- The host file must not be moved: it is made read-only/system/hidden and locked using a driver (RSVLOCK.SYS)
- The main driver (SAFEBOOT.SYS) prevents write access to SBFS sectors; if the file is moved, some sectors may be marked as bad, but SafeBoot will still boot
- Bootcode is in its own file (SAFEBOOT.COD) in the same place as the SBFS host file
- The bootcode file is loaded by the MBR following the sector chain, with the start sector in the MBR
SafeBoot File System
- SBFS is standard FAT16 (faster, more reliable, multi-process)
- Default size is 10MB but it cannot grow dynamically; it can be set (prior to install) in the INI file / defscm.ini if we need to make it bigger (max 32MB, min 8MB)
- Should be big enough for hundreds or thousands of users (much less slowdown with large numbers of users)
- In Windows, it is mounted like a VDisk; the OS actually provides the access just like any other disk
- Normally the SBFS is not visible to users, but the system can access it by specifying a path starting with \\SafeBoot\SBFS (the notes give \\.\SafeBootfs\<directory>)
- The client can use normal Windows file APIs to access the SBFS
- Modular structure: not all functions are loaded directly

SafeBoot File System
- \DataStore - directory used to store the client object database
- \Disk - directory that stores disk-related client data
- \Disk\OrigMbr.dat - the original MBR
- \Locale - directory used to store language-related things (such as keyboard maps and language strings)
- \Locale\Locale.ini - defines the available languages and keyboards
- \Locale\Osk - directory containing the data for the on-screen keyboards
- \Graphics - directory used to store graphical definitions used by the boot code (e.g. the bitmaps and fonts used to create "themes" for the boot code)
- \Graphics\Graphics.ini - defines the graphical layout of the various windows used by the boot code
- \Boot - directory containing information for the boot process
- \Boot\BootCode.ini - options used by the boot code environment
- \SbAlgs - directory containing the algorithm modules
- \SbTokens - directory containing the token modules
- \SbTokens\Data - directory containing additional data for tokens

5. The SafeBoot Device Encryption Client Manager

The SafeBoot Device Encryption Client Manager
- Connects to the Object Directory, or configuration store, at boot
- Uploads the latest audit and password changes, downloads any central configuration changes
- The end user only sees the SafeBoot Monitor icon in the SysTray
- Double-click to lock the workstation
- Right-click to:
  - Lock Workstation
  - Show Status
  - Synchronize

The SafeBoot Client connects to its Object Directory, or configuration store, which may be on the same machine, on a network drive, or reached via a SafeBoot Server. It does this every time the machine boots. Once connected to the directory, the SafeBoot client uploads the latest audit and password changes to the directory, and if necessary downloads any configuration changes specified centrally. The only user-visible part of SafeBoot is the SafeBoot Monitor icon in the user's System Tray. By double-clicking the icon users can lock the workstation. By right-clicking it they can select one of three actions:
- Lock Workstation: locks the client workstation.
- Show Status: the configuration process within SafeBoot 5.1 is largely transparent to the user. The only evidence of SafeBoot working can be found from the status menu available from SafeBoot's tool tray icon. The Status window displays any ongoing configuration tasks (such as encryption processes) and status messages from the last directory connection.
- Synchronize: SafeBoot tries to establish a connection with its directory during the boot process. In a situation where the directory is unavailable, for example a notebook user who is connecting via dial-up networking, the user can establish a connection at any time and select the Synchronize option to connect to a remote directory and collect/upload changes.

SafeBoot Client Manager - Synchronization Events
- SafeBoot Client Manager is a Windows service, and can be thought of as an agent
- Always started with Windows start-up
- Provides synchronization between the client and the SafeBoot Server database to update the client with new policies and files
- The SafeBoot Client Manager log, SBClientLog.txt, is stored on the client under c:\[program files]\safeboot\SBClientLog.txt
SafeBoot Client Manager
- The client log is written in Unicode
- Log written to SbClientLog.txt
- Log max size and purge size are controlled by settings in SCM.INI:
  - [Log]\MaxSize = max size in KB (min 50KB, 0 = unlimited)
  - [Log]\PurgeSize = amount to purge (in KB) when the max is reached (min 10%)
- Tracing is controlled by a setting in SCM.INI:
  - [Debug]\Trace = 0 is disabled, 1 is enabled
  - Trace written to SbCm.Log
- Delete log can be disabled

SafeBoot Client Boot and Logon Process
- Boot screen allows the user to select a login method
- User provides credentials
- SafeBoot File System launches the HD decrypt process
- SafeBoot Client Manager starts and performs login (SSO enabled)
- Connects to the Object Directory
- Events are uploaded, config updates downloaded/applied
- SafeBoot Tool Tray icon loaded

The Device Encryption boot screen allows the user to select a login method (one of the available tokens), and then provide authentication credentials such as a user ID and password. If the user can provide the correct details, the SafeBoot boot code starts the transparent hard drive decryption process, loads the original MBR and executes it. When the operating system starts, the SafeBoot Configuration Manager (SCM) runs and performs a logon to the operating system (if SSO is enabled). It then attempts to contact the Object Directory using the Directory Manager (this can be local or remote via a SafeBoot Server) and re-validates the user against any changes that have been made since the last validation. Following this, SCM downloads and applies any configuration updates. This could include new user accounts.
If the Object Directory validation is successful (i.e. no administrator has deleted or disabled the user's account), the Windows start-up completes, and the SafeBoot icon is loaded into the tool tray to allow the user to run the screen saver, validate with the server, display status, etc. After a period of inactivity or a power event, SCM activates the screen saver, locking the user out.

SafeBoot Client Auditing (user events)
- User events are collected locally and transferred to the Object Directory as part of synchronization
- SafeBoot Device Encryption audits user, machine, and server activity
- Right-click on an object in the SafeBoot Object Directory and select the View Audit function

User events are collected locally and transferred to the Object Directory as part of synchronization. Until that time the audit is cached internally in the encrypted SafeBoot file system. The last 3000 entries are cached locally; when the limit is reached the oldest 300 entries are culled. The local audit will retain approximately 2 years of normal operation before culling begins. SafeBoot Device Encryption audits user, machine, and server activity. By right-clicking on an object in the SafeBoot Object Directory, you can select the View Audit function to see information on user events. Audit trails can be exported to a CDF file by using the Audit menu option, or by right-clicking the trail and selecting Export.

End Module: Introduction to SafeBoot
McAfee SafeBoot Security