COPYRIGHT
Copyright © 2008 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
SAFEBOOT is a registered trademark or trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Microsoft® and Windows® are registered trademarks of Microsoft Corporation. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Attributions
Refer to the product Release Notes.
CONTACT INFORMATION
Download Site: http://www.mcafee.com/us/downloads/
Technical Support: http://www.mcafee.com/us/support/
KnowledgeBase Search (includes access to product documentation): http://knowledge.mcafee.com/
McAfee Technical Support ServicePortal (Logon credentials required): https://mysupport.mcafee.com/eservice_enu/start.swe
Customer Service
Web: http://www.mcafee.com/us/support/index.html http://www.mcafee.com/us/about/contact/index.html
Phone — US, Canada, and Latin America toll-free: +1-888-847-8766, Monday – Friday, 8 a.m. – 8 p.m., Central Time
Contact information for other countries can be accessed online by selecting a link under Worldwide Offices at:
Contents
Introducing McAfee Encrypted USB Manager ... 5
What’s new ... 5
Benefits ... 6
Capabilities ... 7
Supported devices ... 7
Supported software ... 8
Product overview ... 8
Management console ... 8
End-user software ... 9
Licensing ... 10
Installing and upgrading Manager ... 11
Setting up a Manager device database ... 11
Database authentication options ... 12
Configuring ADAM for Manager ... 12
Setting up Manager to use certificates ... 13
Configuring the Certificate template ... 14
Registering for an Enrollment Agent Certificate ... 14
Setting up a key recovery system ... 14
Setting up Manager to use RSA SecurID tokens ... 16
Controlling access to the McAfee Encrypted USB Manager RSA Web Service ... 17
Installing Manager ... 19
Contents of Installation CD ... 19
Configuring Manager ... 19
Creating a custom installation ... 21
Installing the client ... 21
Upgrading Manager ... 22
Deploying McAfee Encrypted USB Devices ... 23
The deployment cycle ... 23
Initialization ... 23
Issuance ... 24
Personalization ... 25
Usage ... 25
The role of the administrator ... 26
Initialization Officer ... 26
Issuance Officer ... 26
Help Desk Operator ... 26
Security Officer ... 27
Help Desk support ... 27
Initializing devices ... 28
Creating initialization profiles ... 28
Editing and deleting initialization profiles ... 30
Applying initialization profiles to devices ... 30
Erasing devices ... 31
Contents McAfee Encrypted USB Manager 3.1 Deployment
and Administration Guide
Creating usage profiles ... 33
Password policies ... 35
Managing usage profiles ... 36
Applying new usage profiles to devices ... 36
Adding users to devices ... 37
Removing users from devices ... 37
Revoking users and devices ... 38
Revoking a user ... 38
Revoking a device ... 38
Issuing and managing credentials ... 39
Creating credential profiles ... 39
Certificate profiles ... 39
RSA SecurID profiles ... 40
Copying, editing and deleting profiles ... 40
Issuing credentials to users ... 41
Removing credentials ... 42
Performing a key recovery operation ... 42
Managing devices ... 44
Viewing device database statistics ... 44
Upgrading device firmware ... 44
Recovering data ... 45
Rescuing devices ... 45
Viewing device information ... 46
Generating reports ... 46
Managing portable content ... 48
Creating a portable content file ... 48
Adding and deleting content ... 49
Copying, renaming, and moving items in the navigation pane ... 50
Exporting portable content ... 50
Updating portable content on devices ... 50
Creating a portable software package ... 51
Distributing the portable software package ... 51
Installing the portable software package ... 51
Configuring Web Login Config ... 51
Creating applications ... 52
Adding credentials ... 52
Adding forms ... 53
Configuring the Connector menu ... 54
General ... 55
System Tray Menu ... 56
Configuring the client ... 57
Glossary ... 58
Introducing McAfee Encrypted USB Manager
McAfee Encrypted USB Manager (formerly SafeBoot® for USB Enterprise) is a scalable software solution for managing large deployments of Portable Security Devices from McAfee. With McAfee Encrypted USB Manager (referred to as Manager throughout the rest of the document), you can control devices through their complete life cycle, from initialization through to delivery to end users and eventual recycling.
This guide provides a general overview of Manager and the deployment process. It also describes the administrative steps involved in deploying and managing devices. This chapter contains information about the following:
What’s new
Benefits and capabilities of Manager
Supported devices
Supported software
Manager product overview
Licensing
Professional services
What’s new
Manager 3.1
This version provides support for McAfee Standard Driverless Encrypted USB devices. McAfee Standard Driverless Encrypted USB is a single-user device that allows only password authentication. The default read-only image is built-in and cannot be upgraded or modified. You can use McAfee Standard Driverless Encrypted USB only on computers running Microsoft Windows. The following operations are not available with McAfee Standard Driverless Encrypted USB devices: partition sizing, upgrading firmware (does not use a management code), rescuing devices, and issuing credentials.
Manager 3.0 includes the following new features:
Portable content file enhancements—The Portable Content Manager (PCM) application provides a graphical interface to create and manage the portable content file for the read-only partition of devices. Administrators can also use PCM to configure McAfee applications, such as Web Login Config, Connector, and McAfee Encrypted USB—Managed. For more information, see “Managing portable content” on page 48.
Support for credential management—Administrators can now issue certificates
Built-in reporting capability—You can now generate pre-configured reports using Manager. Reports provide auditing data and information about devices, users, and deployment status. For more information, see “Generating reports” on page 46.
Enhanced data recovery options—When you create a usage profile you can set data recovery options. When users cannot authenticate to their device, Help Desk operators can re-establish device access (default setting) or you can permanently erase all device data so that it is inaccessible to both the user and the administrator. For more information, see “Creating usage profiles” on page 33.
Features added in Manager 2.4:
Enhanced password configuration—Allows you to add complex password rules to a usage profile, such as retry limits, minimum password length, minimum number of characters (special, numeric, alphabetical), a password reuse threshold, and a minimum and maximum lifetime for the password. For more information, see “Password policies” on page 35.
Two-factor authentication—You can now require users to authenticate using two-factor (biometric and password) authentication. For more information, see “Usage profile settings” on page 33.
Profile status—You can change the status of a usage or initialization profile to indicate whether it is active or inactive. For more information, see “Editing and deleting initialization profiles” on page 30 and “Managing usage profiles” on page 36.
Support for Mac OS X with McAfee Encrypted USB—Managed.
Benefits
Manager provides the following main benefits.
Control
A managed deployment of McAfee Encrypted USB Devices allows you to:
Control device configurations and security policies that determine how devices can be used.
Provide help desk support when necessary for end users who have problems authenticating.
Perform data recovery operations on a device (for audit and compliance reasons) without the user being present.
Efficient administration
Administrative tasks use concise workflows that allow you to process devices efficiently with minimum effort. Administrators can create profiles that contain parameters for device configuration and user settings. Profiles allow administrators to initialize and issue devices to users in batches whereby they plug in a device, apply the appropriate profile, and move on to the next device.
Immediate end-user productivity
Simplified and scalable
Minimal effort is required to deploy Manager. Other than hosting the device database, no other servers are needed. Simplified management operations ensure maximum efficiency when initializing, issuing, and updating devices.
Capabilities
Manager provides the following capabilities that facilitate administrative operations.
Supported devices
Manager supports the following McAfee Encrypted USB Devices:
McAfee Zero Footprint Biometric Encrypted USB (formerly SafeBoot for USB Phantom Bio)
McAfee Zero Footprint Non-Biometric Encrypted USB (formerly SafeBoot for USB Phantom Non-Bio)
McAfee Standard Driverless Encrypted USB
McAfee Encrypted USB Hard Disk (formerly SafeBoot for USB Hard Disk)
Table 1-1: Important Manager capabilities
Capability: Description
Policies for device configuration and use: You can create multiple device profiles to define device configurations and security policies for different user groups or departments. Profiles ensure the efficiency of the initialization and issuance processes. For more information about these processes, see “Initializing devices” on page 28 and “Issuing devices to users” on page 33.
Credential management: Credential profiles let you define certificate or RSA SecurID token settings so that you can issue credentials to users.
Device rescue: Help desk operators can securely reset the authentication mechanism of a device over the phone to assist users who can no longer authenticate to their device.
Data recovery: Encrypted data may need to be recovered for security audits or due to the termination of employment. Security Officers can recover data from a user’s device without the user being present.
Portable software updates: You can create portable software packages for end users to upgrade the read-only partitions of their devices. This lets you manage and provide additional applications to end users as your portable application needs change.
Self-enrollment: To increase scalability and minimize administrator workload, end users can enroll their own fingers on a device for biometric authentication. For more information, see “Personalization” on page 25.
Separation of administrative roles: The management software component of Manager contains four main functional modules that correspond to four administrative roles. Modules can be installed together or separately to allow your company to separate management roles. For more information about administrative roles, see “The role of the administrator” on page 26.
Audit trails: All administrative operations performed using Manager are logged.
Corporate directory
McAfee Standard Encrypted USB (formerly SafeBoot for USB Standard)
Supported software
The following software is supported with Manager.
Product overview
McAfee Encrypted USB Manager includes a management console and end user software.
Management console
Manager is an installed suite of utilities that administrators use to control devices and perform the following operations:
Device initialization
Device issuance
Device rescue and help desk support
Data recovery
Credential (certificates and RSA SecurID tokens)
Table 1-2: Software
Component: Supported software
Web browser (required for user interface with Microsoft Windows only): Microsoft Internet Explorer 7.0; Internet Explorer 6.0
Databases: IBM Informix Dynamic Server 9.4; Microsoft SQL Server 2005 SP1; Microsoft SQL Server 2000 SP4; Microsoft SQL Express. Note: Professional Services can help configure other databases.
User directory: Windows 2003 Active Directory; Active Directory Application Mode (ADAM). Note: Professional Services can help configure other directories.
Certificate authorities: Microsoft
McAfee Encrypted USB—Managed: Microsoft Windows 2000 SP4 (Client Help Desk is unavailable after a user authenticates); Windows XP SP2; Windows Vista (Business and Enterprise editions); Mac OS X
Manager: Initialization, Issuance, and Data Recovery processes: Windows XP SP2; Windows Vista (Business and Enterprise editions)
Help Desk processes:
Generating reports
License management
The initialization and issuance operations are designed as efficient workflows so that you can deploy many devices in a short period of time. You can have multiple Manager computers that connect to one device database to allow distribution and delegation of administrative responsibilities.
The following illustration demonstrates the architecture of Manager.
Figure 1-1: Manager
End-user software
McAfee Encrypted USB—Managed (referred to as “client” in the rest of the document) is portable software that is pre-installed on the read-only partition of devices during the initialization process. End users are guided through wizards and workflows to perform the following operations:
Personalize a new device by enrolling fingers for biometric authentication, setting a password, or both
Manage existing authentication settings by updating finger enrollments or changing passwords
Manage digital identities
View device status information
Rescue a device with assistance from the Help Desk
Other portable software programs can be installed on the device with the client to provide necessary applications to your end users. The following illustration demonstrates a typical device configuration for an issued device.
Licensing
Licenses are distributed using license files that allow you to manage a set number of devices per device database. To obtain a license file, contact your sales representative at McAfee. Manager will notify you when the device database is approaching the device limit and will indicate the number of devices still available to be issued. The corporate license is checked each time a device is added to ensure that the number of devices in the database does not exceed the site license.
When you purchase a new license file from McAfee or upgrade an existing license file, you must import the file to the device database using Manager.
To view current license information
From the main menu of Manager, click License Management.
The Current License Information section contains details such as license status and the maximum number of devices allowed.
To import a license file
1 From the main menu of Manager, click License Management.
2 In the Tasks section, click Import License File.
Installing and upgrading Manager
McAfee Encrypted USB Manager contains four modules that you can install together or divide among multiple workstations according to the administrative role that will use the module. By default, Manager installs all four modules. For more information about administrative roles, see “The role of the administrator” on page 26.
Before you install Manager, you should create a Manager device database on your server and run the McAfee Encrypted USB Manager SQL script (located on the installation CD) to configure the database. You can also configure ADAM.
Manager supports credential issuance. You can set up authentication credentials, such as certificates or RSA SecurID tokens, so that you can issue them to end users. For more information about issuing credentials using Manager, see “Issuing credentials to users” on page 41.
As part of the installation process, you must configure Manager to correspond to your company’s network environment. You can complete the configuration using one of the following methods:
Modify Manager on each workstation after you install it.
Modify Manager on the first workstation and use the modified version to create a custom installation. You can distribute the custom installation of Manager for each subsequent install.
If you want to deploy McAfee Standard Encrypted USB devices, you must install the client. You can also upgrade from a previous version of Manager.
This chapter contains information about:
Setting up a Manager device database
Configuring ADAM for Manager
Setting up Manager to use certificates
Setting up Manager to use RSA SecurID tokens
Installing Manager
Configuring Manager
Creating a custom installation
Installing the client
Upgrading Manager
Setting up a Manager device database
On the device database server, create a new database to contain the Manager device information. After you create the database, run the McAfee Encrypted USB Manager SQL script. You should create the database and run the script against the database server before you install and configure Manager. Use the database script that corresponds to the server you are using. The script file is located in the following directory path on the installation CD (where D is the CD drive):
IBM Informix Dynamic Server 9.4
Microsoft SQL Server 2005
D:\Database Configuration Scripts\Microsoft SQL Server\2005\McAfee Encrypted USB Manager.sql
Microsoft SQL Server 2000
D:\Database Configuration Scripts\Microsoft SQL Server\2000\McAfee Encrypted USB Manager.sql
The script creates database tables, indexes and data on the Manager database. If you are upgrading from a previous version of Manager, the scripts are located in the Upgrade folder for the appropriate database server. For more information, see “Upgrading Manager” on page 22.
Note: When setting up the database, if you are not using Windows pass-through authentication, you should create database account(s) to be used during the connection to the database.
Database authentication options
It is strongly recommended that you set controls on the device database that restrict access to only authorized persons.
Options for controlling access
1 Windows pass-through authentication—reuses Windows Domain Login credentials
2 Database login accounts—involves setting up database user names, passwords and permissions on the device database server if not using Windows pass-through authentication.
You can configure the database login to prompt the operator when using Manager, or to automatically log on to the database. When you include login credentials in the Presenter.ini file, the system assumes that automatic login has been configured.
Configuring ADAM for Manager
If you are using Active Directory Application Mode (ADAM) as the LDAP directory, you must configure ADAM to work correctly with Manager. Configuration involves the following steps (in order):
Selecting appropriate settings when you create the ADAM instance
Editing your registry settings
Allowing anonymous LDAP binding to an ADAM instance
Setting properties for the LDAP Manager
Note: LDAP Manager is an advanced Windows-based LDAP editor and browser. You can download it from the Web. You can also use other LDAP editors to manage ADAM.
To select settings when creating an ADAM instance
1 Add service permission to the Windows account you specified in previous steps.
2 Select the user who is currently logged on.
3 Import the selected LDIF files for this instance of ADAM.
Tip: For more information about creating an ADAM instance, see documentation from Microsoft regarding ADAM.
To edit registry settings
1 On the taskbar, click Start, and then click Run.
2 Type Regedit and click OK.
3 In the Registry Editor, navigate to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
4 In the details pane, right-click forceguest, and then click Modify.
5 In Value data, type 0, and then click OK.
To allow anonymous LDAP binding to an ADAM instance
1 On the taskbar, click Start, point to All Programs, point to ADAM, and then click ADAM ADSI Edit.
2 Connect and bind to the configuration directory partition of the ADAM instance on which you want to allow anonymous Lightweight Directory Access Protocol (LDAP) binding.
3 In the console tree, double-click the following:
configuration directory partition (CN=Configuration,CN={GUID})
services container (CN=Services)
Windows NT container (CN=Windows NT)
4 Right-click the directory service container (CN=Directory Service), and then click Properties.
5 In the Attributes area, click dsHeuristics, and then click Edit.
6 In the Value area, modify the value of the seventh character in the attribute (counting from the left) to 2, as follows: 0000002001001
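The value set in step 6 can be reviewed from an export of the dsHeuristics attribute. The following is an added example, not part of the McAfee guide: it decodes a dsHeuristics string and goes beyond the seventh character to also flag position 13 (password operations over a non-secure connection, per Microsoft's dSHeuristics definition for ADAM) and the fixed marker characters at positions 10 and 20. The instance names in the sample inventory are constructed.

```python
# Added example: decode the security-relevant characters of an ADAM
# dsHeuristics value. Positions are 1-based and counted from the left,
# as in step 6 of the procedure.

ANON_OPS_POS = 7        # '2' here allows anonymous LDAP operations (the guide's change)
PWD_NONSECURE_POS = 13  # '1' here allows password operations over a non-secure connection
LENGTH_MARKERS = {10: "1", 20: "2"}  # fixed marker characters the directory expects

GUIDE_VALUE = "0000002001001"  # value shown in the guide

# Constructed sample inventory: instance name -> exported dsHeuristics value.
SAMPLE_INSTANCES = {
    "adam-manager": GUIDE_VALUE,   # configured as the guide describes
    "adam-default": "",            # attribute not set: all defaults
    "adam-pwd-only": "0000000001001",
    "adam-broken": "00000020000",  # 10th character is not the '1' marker
}


def char_at(value, pos):
    """Return the character at 1-based position pos; absent positions default to '0'."""
    return value[pos - 1] if len(value) >= pos else "0"


def audit_ds_heuristics(value):
    """Return sorted (position, code) findings for one dsHeuristics string.

    An unset or empty attribute yields no findings because every
    position is then at its default.
    """
    value = (value or "").strip()
    findings = []
    if char_at(value, ANON_OPS_POS) == "2":
        findings.append((ANON_OPS_POS, "anonymous-ldap-operations-allowed"))
    if char_at(value, PWD_NONSECURE_POS) == "1":
        findings.append(
            (PWD_NONSECURE_POS, "password-operations-over-non-secure-connection")
        )
    for pos, marker in LENGTH_MARKERS.items():
        if len(value) >= pos and value[pos - 1] != marker:
            findings.append((pos, "length-marker-invalid"))
    return sorted(findings)


def with_anonymous_ops_blocked(value):
    """Return value with position 7 reset to '0'; other characters are untouched."""
    value = (value or "").strip()
    if len(value) < ANON_OPS_POS:
        return value  # position 7 absent: anonymous operations already blocked
    return value[:ANON_OPS_POS - 1] + "0" + value[ANON_OPS_POS:]


def report(instances):
    """Return {instance: findings} for every instance with at least one finding."""
    result = {}
    for name, value in instances.items():
        findings = audit_ds_heuristics(value)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for name, findings in report(SAMPLE_INSTANCES).items():
        for pos, code in findings:
            print(f"{name}: position {pos}: {code}")
```

Instances that must keep anonymous binding for Manager will always show the position 7 finding; the point of the review is to confirm that only those instances show it and that no other position was changed unintentionally.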
To set properties in LDAP Manager
Include the following property settings in the LDAP Manager application:
Connection Name: for example Manager
LDAP Server name: localhost
Username: admin username for user who is currently logged on to the computer
Password: your password
Select NTLM for authentication and Connect
Click Directory, and complete any necessary steps, for example, create users.
Tip: You must manually refresh the LDAP Manager application or the LDAP Editor by pressing F5 to show your changes.
Setting up Manager to use certificates
Configuring the Certificate template
You must configure the certificate templates on the Certificate Server before you can issue certificates to users in Manager. The certificate templates must allow an Enrollment Agent to issue the certificate to a user on their behalf.
To configure the certificate template
1 Right-click the certificate template and click Properties.
2 Click the Issuance Requirements tab, and then select the This number of authorized signatures check box. Use the default settings for the other options.
3 Click Apply.
Registering for an Enrollment Agent Certificate
The Enrollment Agent administrator must have an Enrollment Agent certificate so that the administrator can issue certificates using Manager. You must complete the registration process before you install or start Manager. The following procedure describes one way to register. However, you should use the method that is appropriate to your business practices.
To register for an Enrollment Agent certificate
1 Log on as the domain administrator to the computer where Manager is installed.
2 In a Web browser, type the following URL:
http://<servername>/certsrv
3 Click Request a certificate, and then click Advanced certificate request.
4 Click Create and submit a request to this CA.
5 From the Certificate Template list, click Enrollment Agent.
Use the default settings for the other options.
6 Click Submit. If a Warning dialog box appears, click Yes to continue.
7 Click Install this certificate.
Setting up a key recovery system
If you want to provide a method for key recovery, you must do the following:
Create a Key Recovery Certificate
Enable key recovery on the Certificate Authority
Create a Key Recovery Certificate
The key recovery certificate is used by the Certificate Authority to protect the private decryption keys of users. You must complete the following three steps to create the key recovery certificate:
Create and submit a request for a key recovery certificate
Approve the certificate request in the Microsoft Management Console (MMC)
Install the key recovery certificate
To create and submit a request for a key recovery certificate
1 Log on to the Certificate Server as the user who will perform the key recovery
2 In a Web browser, type the following URL:
http://<servername>/certsrv
If asked for credentials, use the domain credentials for the user who will perform the certificate recovery operation.
If a message appears that indicates “Content is blocked for security reasons”, add the Web page to the “trusted” zone.
3 Click Request a certificate, and then click Advanced certificate request.
4 Click Create and submit a request to this CA.
5 From the Certificate Template list, click Key Recovery Agent.
6 Click Submit. If a Warning dialog box appears, click Yes to continue.
A page will display to indicate that the request has been received.
To approve the certificate request
1 In the MMC, expand the Certification Authority node by clicking the Plus (+) sign.
2 Click the Certificate Authority and then double-click the Pending Requests folder to view the request you submitted in the procedure “To create and submit a request for a key recovery certificate” on page 14.
3 Right-click the request, click All Tasks, and then click Issue.
To install the key recovery certificate
1 In a Web browser, return to the following URL by typing,
http://<servername>/certsrv
2 Click View the status of a pending certificate request.
3 Click the certificate that you approved in the procedure “To approve the certificate request” on page 15.
4 Click Install this certificate. If a Warning dialog box appears, click Yes to continue.
Note: It is recommended that you create a backup of the certificate and private key by exporting them to a file. Save the file in a secure location. Creating a backup ensures that you can still perform a key recovery operation if the existing key recovery certificate and key pair become lost or damaged.
Enable key recovery on the Certificate Authority
Once you install the key recovery certificate, you must set up the certificate server for key recovery. For information about performing a key recovery operation, see “Performing a key recovery operation” on page 42.
To enable key recovery
1 In the MMC, expand the Certification Authority node by clicking the Plus (+) sign.
2 Right-click the name of your Certificate Authority and click Properties.
3 Click the Recovery Agents tab, and then click Archive the Key.
4 Click Add.
5 Select your key recovery certificate and click Apply.
Note: You can verify that the certificate status has changed to “valid” by closing the
Properties window and reopening it to the Recovery Agents tab to view the
Setting up Manager to use RSA SecurID tokens
The McAfee Encrypted USB Manager RSA Web Service is an optional component of Manager. You must install the Web Service if you want to issue RSA SecurID tokens to end users. RSA SecurID tokens are used for strong authentication when a user logs on to access network or corporate resources remotely.
You must install the McAfee Encrypted USB Manager RSA Web Service on the server where RSA Authentication Manager is installed. RSA Authentication Manager must be installed with an Internet Information Services (IIS) Web server on a Windows Server 2003 operating system. You must also ensure that the IIS server is configured to allow ASP.net extensions.
After you install the McAfee Encrypted USB Manager RSA Web Service, you must configure the TokenIssuance file to define Host Agents used with RSA Authentication Manager. Host Agents are the IP addresses of Agents that are installed with an application to control security for that application. The end user can authenticate to the Agent using the RSA SecurID token and gain access to the application, for example Citrix. The TokenIssuance file contains other variables that you can configure if necessary.
You can also control access to the McAfee Encrypted USB Manager RSA Web Service.
To install the McAfee Encrypted USB Manager RSA Web Service
1 On the Manager Installation CD, in the RSAWebServiceSetup folder, double-click the Setup.exe file to start the installation and follow the instructions in the Install wizard.
2 If you have multiple Sites, select the Site where you want to install the Web service application.
3 You must also provide a name for the Virtual Directory of the Web service Web application.
4 When the wizard prompts you for a User ID and password, type the same User ID and password that was used to log on to Windows when RSA Authentication Manager was installed (if necessary, use the Administrator account ID and password).
5 Complete the remaining steps in the installation wizard.
After you finish the installation, your McAfee Encrypted USB Manager RSA Web Service address is:
http://[Site]/[Virtual Directory]/RSAManagerService.asmx
Site is the Web address or DNS name of the Web site that you selected during the installation. Virtual Directory was created in Step 3.
To enable ASP.net extensions on the IIS Server
1 Click Start, click Control Panel, and then double-click Administrative Tools.
2 Double-click Internet Information Services (IIS) Manager, and then double-click the computer running IIS.
3 Double-click the Web Service Extensions folder.
4 Ensure that the status of the ASP.net server extensions is set to Allowed.
If the status is Prohibited, click the server extension, and then click Allow.
To configure Host Agents
1 In a text editor, open the TokenIssuance.ini file that is located in the following
directory:
2 In the Agents area, after the Equal (=) sign, type the IP addresses for each Agent that is used with RSA Authentication Manager. You can add agents if you require more than the default number that is listed.
To configure other variables in the TokenIssuance file
1 In a text editor, open the TokenIssuance.ini file that is located in the following directory:
C:\Program Files\McAfee\RSA Webservice Setup\Config (where C is the drive on which you installed the RSA WebService)
2 Locate the variable you want to configure and after the Equal (=) sign, type the action that you want to occur. The following table provides a list of variables, possible actions that you can set, and the default action that is currently set.
Table 1-1: Variables in TokenIssuance.ini file
UserAlreadyPresent (User exists in RSA Server). Possible actions: ERROR, REUSE. Default action: REUSE
UserNotPresent (User does not exist in RSA Server). Possible actions: ERROR, CREATE. Default action: CREATE
SoftTokenPresent (Action to take if the user already has a token). Possible actions: ADD, REPLACE, RESCIND, REVOKE, ERROR. Default action: RESCIND
ReplaceToken (Action to take for the PIN when the token is replaced). Possible actions: KEEPIN, NEWPIN. Default action: NEWPIN
MinTimeToDeath (Minimum time (in days) for which the token is valid). Possible actions: Any non-negative number. Default action: 30 days
Controlling access to the McAfee Encrypted USB Manager RSA Web Service
You can secure the McAfee Encrypted USB Manager RSA Web Service by granting access to designated:
Users—by enabling Windows Integrated Authentication
Workstations, workstation groups, or workstations in a particular domain—by setting IP address and domain name restrictions
Granting access to designated users
You can permit only designated users to access the McAfee Encrypted USB Manager RSA Web Service using Windows Integrated Authentication. Windows Integrated Authentication allows transparent, user-based authentication between the client workstation and Web server. You must perform the following steps to enable Windows Integrated Authentication.
Set the authentication mode in the configuration file for the McAfee Encrypted USB Manager RSA Web Service
Set the authentication mode for the McAfee Encrypted USB Manager RSA Web Service virtual directory
Configure the list of users who can access the McAfee Encrypted USB Manager RSA Web Service
To set the authentication mode in the configuration file
1 Click Start, click Control Panel, and then double-click Administrative Tools.
2 Double-click Internet Information Services (IIS) Manager, and then
double-click the computer running IIS.
3 Double-click the Web Sites folder and click McAfee Encrypted USB Manager
RSA Web Service.
4 Right-click the Web Config folder and click Properties.
5 Click the ASP.NET tab and click Edit Configuration.
6 Click the Authentication tab and then in the Authentications Settings area,
select Windows from the Authentication Mode list.
To set the authentication mode for the McAfee Encrypted USB Manager RSA Web Service virtual directory
1 Right-click the McAfee Encrypted USB Manager RSA Web Service virtual directory and click Properties.
2 Click the Directory Security tab.
3 In the Authentication and access control area, click Edit.
4 Click to clear the Enable anonymous access check box.
5 In the Authentication access area, click the Integrated Windows authentication check box.
To configure the list of users
1 Right-click the McAfee Encrypted USB Manager RSA Web Service virtual directory and click Permissions.
2 Do one of the following:
To add users, select the user/group and click Add.
To remove users, select the user/group and click Remove.
Granting access to designated workstations, groups, or workstations in a specific domain
To set IP address or domain-based access
1 Right-click the McAfee Encrypted USB Manager RSA Web Service virtual directory and click Properties. See step one of the “To set the authentication mode for the McAfee Encrypted USB Manager RSA Web Service virtual directory” on page 18.
2 Click the Directory Security tab.
3 In the IP address and domain name access area, click Edit.
4 Click the Denied access option to deny Web Service access to computers that are
not included in the list.
5 If you want to add other exceptions to the list, click Add and select the appropriate
settings.
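A check an administrator can run after editing TokenIssuance.ini, so that a mistyped action or agent address is caught before the Web Service reads the file. This is an added example, not McAfee code; the variable names, permitted actions and defaults are those listed in Table 1-1, and the sample file is constructed. It assumes the file is plain INI text with the agent addresses in a section named [Agents], one IP address per key, and comment lines starting with ; or #.

```python
"""Lint TokenIssuance.ini settings against Table 1-1 (added example)."""
import ipaddress
import math

# Permitted actions and defaults, copied from Table 1-1 of this guide.
ALLOWED = {
    "UserAlreadyPresent": {"ERROR", "REUSE"},
    "UserNotPresent": {"ERROR", "CREATE"},
    "SoftTokenPresent": {"ADD", "REPLACE", "RESCIND", "REVOKE", "ERROR"},
    "ReplaceToken": {"KEEPIN", "NEWPIN"},
}
DEFAULTS = {
    "UserAlreadyPresent": "REUSE",
    "UserNotPresent": "CREATE",
    "SoftTokenPresent": "RESCIND",
    "ReplaceToken": "NEWPIN",
    "MinTimeToDeath": "30",
}
KNOWN = {name.lower(): name for name in DEFAULTS}
AGENTS_SECTION = "agents"  # assumption: the "Agents area" is an [Agents] section


def parse_ini(text):
    """Return (line_no, section, key, value) for each setting line.

    value is None when the line has no '=' sign.
    """
    section, entries = "", []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment (assumed syntax)
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        entries.append((line_no, section, key.strip(), value.strip() if sep else None))
    return entries


def valid_days(value):
    """MinTimeToDeath accepts any non-negative number of days."""
    try:
        days = float(value)
    except ValueError:
        return False
    return math.isfinite(days) and days >= 0


def lint(text):
    """Return a list of (level, line_no, message) findings for the file text."""
    findings, seen = [], {}
    for line_no, section, key, value in parse_ini(text):
        if value is None:
            findings.append(("ERROR", line_no, f"'{key}' has no '=' sign"))
            continue
        if section.lower() == AGENTS_SECTION:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append(("ERROR", line_no, f"agent '{key}': '{value}' is not an IP address"))
            continue
        name = KNOWN.get(key.lower())
        if name is None:
            continue                            # not a Table 1-1 variable
        if name in seen:
            findings.append(("ERROR", line_no, f"{name} set twice (first on line {seen[name]})"))
        seen.setdefault(name, line_no)
        if name == "MinTimeToDeath":
            ok = valid_days(value)
            is_default = ok and float(value) == float(DEFAULTS[name])
        else:
            ok = value.upper() in ALLOWED[name]
            is_default = value.upper() == DEFAULTS[name]
        if not ok:
            findings.append(("ERROR", line_no, f"{name}='{value}' is not a permitted value"))
        elif not is_default:
            findings.append(("NOTE", line_no, f"{name}='{value}' differs from default {DEFAULTS[name]}"))
    for name in DEFAULTS:
        if name not in seen:
            findings.append(("NOTE", 0, f"{name} is not set in the file"))
    return findings


# Constructed sample file with deliberate mistakes; addresses are documentation ranges.
SAMPLE = """\
; constructed sample, not a real deployment
[Agents]
Agent1=192.0.2.10
Agent2=192.0.2.300
[Settings]
UserAlreadyPresent=REUSE
UserNotPresent=CREAT
SoftTokenPresent=ADD
ReplaceToken=NEWPIN
MinTimeToDeath=-5
"""

if __name__ == "__main__":
    for level, line_no, message in lint(SAMPLE):
        print(f"{level:5} line {line_no:>2}: {message}")
```

NOTE findings are not errors; they list settings that differ from the defaults in Table 1-1 so that each change can be reviewed against what was intended.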
Installing Manager
You can install Manager using the setup wizard on the Installation CD. The installation allows you to select which modules—Device Initialization, Device Issuance, Data Recovery, and Help Desk—to install.
Contents of Installation CD
The following software, documentation, and utilities are included on the Manager Installation CD.
Installation executable file
Database configuration scripts to create the device database
Documentation
ManagerSetup for Manager
RSAWebServiceSetup to install the McAfee Encrypted USB Manager RSA Web Service for RSA SecurID token issuance
To install Manager
On the Manager Installation CD, in the ManagerSetup folder, double-click the Setup.exe file to start the installation and follow the instructions in the Install wizard.
Note: After you install Manager, you must set parameters such as e-mail and LDAP settings, and the database connection string. For more information, see “Configuring Manager” on page 19.
Configuring Manager
After you install Manager, you must configure Manager by completing the following steps:
1 Creating an ODBC Data Source Name (DSN) on each workstation where Manager is
installed (if one does not already exist). The Encrypted USB Manager Configuration Assistant references the database connection string for the ODBC DSN.
2 Setting the following parameters using the Encrypted USB Manager Configuration
Assistant:
E-mail settings—used when issuing devices; settings include the e-mail server,
user name, password, and e-mail address.
Database connection
3 Customizing the e-mail message (if required) that users receive when the device is
ready for use.
Note 1: You must also configure the Help Desk contact number that appears in the client. End users will dial this number for assistance if they cannot authenticate to their device. For more information, see “Configuring the client” on page 57.
Note 2: For information about installing the configured version of Manager on other computers, see “Creating a custom installation” on page 21.
To create the ODBC DSN
Follow the instructions in the Microsoft Windows ODBC Data Source Administrator
wizard and select the following settings where appropriate:
Use SQL Server as the driver for which you want to set up a data source.
The data source name should match the ODBC DSN string to be used in the
Encrypted USB Manager Configuration Assistant where the default name is Manager.
Change the default database to the Manager database that you created on the
SQL Server.
To set parameters in the Encrypted USB Manager Configuration Assistant
1 On the Start menu, click Programs, McAfee, and then click Encrypted USB
Manager Configuration Assistant.
2 Follow the instructions in the configuration wizard.
For the Database Connection String, you can leave username and password data blank if the workstations used are part of the Active Directory Domain and the Windows SQL Server has been set up with pass-through authentication enabled. You can also leave these parameters blank if the user is to be asked for credentials.
For LDAP settings, you can leave username and password boxes blank if the
workstations used are part of the Active Directory Domain.
Note: If you are using Active Directory Application Mode (ADAM), you must configure it correctly before running the Encrypted USB Manager Configuration Assistant. For more information, see “Configuring ADAM for Manager” on page 12.
To customize the e-mail message
1 If you want to change the text in the subject line of the generated e-mail message,
open the Presenter.ini file in a text editor from the following location:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1\Config (where C is the drive on which you installed Manager)
2 In the EMAIL section, replace the text “New McAfee Device” for the IssuedSubject= setting with your customized subject text.
3 If you want to customize the text of the e-mail message, open the IssuedMessage.txt file in a text editor and edit the text. The file is located in the following directory path:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1\Config (where C is the drive on which you installed Manager)
Creating a custom installation
When you install Manager on multiple computers, you can manually configure each installation or you can modify the first installation and install the modified version on subsequent computers.
Creating a custom installation involves copying the original contents of the Manager installation CD to your workstation. After you install and configure the first instance of Manager, you replace the original files with the configured version, and then create a new installation CD.
To create a custom Manager installation
1 Copy the CD image from the installation CD to your workstation.
2 Complete all of the steps in the section “Configuring Manager” on page 19.
3 Copy the Presenter.ini and IssuedMessage.txt files from the following location:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1\Config (where C is the drive on which you installed Manager)
4 Replace the original Presenter.ini and IssuedMessage.txt files in the CD image
folder on your workstation by pasting the configured files (copied in step three). The copied CD image folder is located in the following directory path:
C:\Manager\ManagerSetup\Config (where C:\Manager is the directory to which you copied the CD image).
5 If you customized the Help Desk contact number in the McAfee Encrypted USB—Managed, you can include the change in the custom installation. Copy the PortableContentFiles folder from the following location:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 3.1 (where C is the drive on which you installed Manager).
Replace the original PortableContentFiles folder in the CD image folder on your workstation, located in the following directory path:
C:\Manager\ManagerSetup (where C:\ is the directory to which you copied the CD image).
6 The installation setup has now been configured to your company’s environment.
You can create a new installation CD based on the custom install configuration.
Note: You must create the ODBC DSN on each workstation where you want to install a custom version of Manager.
Installing the client
For most devices, the client requires no installation as it is loaded on the read-only partition of the device during the initialization process. However, McAfee Standard Encrypted USB does not have a read-only partition on which to load the client. Therefore, for this device, you must install the client on the client workstation.
To install the client
1 On the client Installation CD, in the ClientSetup folder, double-click the Setup.exe
file to start the installation.
If the CD AutoRun feature is enabled on your computer, the installation starts automatically.
2 Follow the instructions in the Install wizard.
Upgrading Manager
Manager
You can upgrade to McAfee Encrypted USB Manager 3.1 from a previous version using the setup wizard on the Installation CD.
To upgrade Manager
1 Uninstall the previous version of Manager. You must back up the issuedmessage.txt file. You should also copy the database, LDAP, and e-mail settings in the presenter.ini file (for future reference). The issuedmessage.txt and presenter.ini files are located in the following folder:
C:\Program Files\McAfee\McAfee Encrypted USB Manager 2.x\Config (where C is the drive on which you installed Manager)
2 On the Manager Installation CD, in the ManagerSetup folder, double-click the
Setup.exe file to start the upgrade process and follow the instructions in the Install
wizard.
Note 1: After you upgrade Manager, you must reconfigure all previously set parameters, such as e-mail and LDAP settings, and the database connection string. For more information, see “Configuring Manager” on page 19.
Note 2: If you backed up the old Presenter.ini file, do not use it to replace the new file that was installed during the upgrade process. Otherwise, required settings in the new file will be overwritten.
Note 3: You can access the upgrade scripts for the server in the Upgrade folder, for example, D:\Database Configuration Scripts\Microsoft SQL Server\2005\Upgrade\McAfee Encrypted USB Manager.sql (where D is the CD drive).
The client
When you upgrade Manager, a new default portable content file that contains the client is automatically installed. You can configure this file and then create a new software package to distribute and install on devices. For more information, see “Updating portable content on devices” on page 50.
Deploying McAfee Encrypted USB Devices
Understanding the administrative tasks involved in each phase of the deployment cycle can help you plan and administer your device deployment. You can assign tasks to administrators based on four defined roles.
This chapter contains the following information:
A description of a typical deployment cycle
An outline of the different administrative roles
The role of the Help Desk
The deployment cycle
Before you deploy McAfee Encrypted USB Devices, it is important to understand the stages involved in a deployment cycle. One administrator can perform all tasks or you can separate the tasks among multiple administrators. For more information, see “The role of the administrator” on page 26.
The following illustration provides a visual overview of a managed deployment cycle.
Figure 1-1: Deployment cycle
Initialization
Create initialization profiles
Before you can initialize a device, you must create an initialization profile. Initialization profiles contain the policies that determine how a device is configured, for example, the size of a partition and the software to put on the device. Initialization Officers set the following parameters when creating a profile:
Public and read-only partition size
Read-only drive type
Read-only partition contents (including the client and other portable software)
Management code
Initialize devices
Once you create the initialization profiles, you can then initialize many devices efficiently using a selected profile. McAfee Encrypted USB Manager configures the device with the parameters you set in the profile. Each time you initialize a device, Manager checks the corporate license to verify that the total number of initialized devices does not exceed the site license.
The initialization process binds a device to your company and configures the read-only partition with the portable software you want to deploy. The read-only partition software must include the client (does not apply to McAfee Standard Encrypted USB).
Other initialization tasks
Erasing a device
Creating software update packages
Updating an existing device with a different device profile
Upgrading firmware for existing devices
Importing an existing device that is not currently managed by Manager
Note: For more information about how to perform the tasks during this phase of deployment, see “Initializing devices” on page 28.
Issuance
Issuance is the next phase of deployment following initialization where device users are defined along with security policies. During this phase, an issuance officer configures the device with security policies and other settings that prepare the device for usage. Security policies and other settings are created and maintained in usage profiles. The issuance officer also binds devices to corporate users prior to delivery to the end user. The issuance process involves the following operations.
Create a usage profile
When you create a usage profile, you can set the following policies:
Method used to deploy devices to users (provisioning mode)
Number of device users
Ability to share private partitions
Password parameters
Number of finger enrollments allowed
Security level for biometric authentication
Retry limit for biometric authentication
Data Recovery options
Authentication mode—one-factor or two-factor
Credential issuance settings for certificates
Issue devices to users
You issue devices by adding users to the device. When you add a user, you can specify the private partition size (if applicable). The usage profile is applied to the device when you create the first user. The usage profile determines whether or not the end user must be present during the issuance process to personalize the device with a fingerprint, password, or both. You can also allow users to personalize their own devices—called user self-personalization. For more information, see “Personalization” on page 25.
When you issue devices to users, you can also issue credentials. For more information, see “Issuing and managing credentials” on page 39.
Deliver devices to recipients
A generated e-mail notifies end users of their device delivery (and its initial password if applicable). However, you must still ensure that the correct device is delivered to the target end user. Since devices contain no physical markings to identify the user to whom it has been issued, it is recommended that you tag each issued device. Tags can be a paper printout or sticker that identifies the intended recipient. If you want assistance in setting up this process, contact McAfee Professional Services.
Other issuance tasks:
Remove users from devices
Manage usage profiles including applying a new profile, editing, deleting, or deactivating a profile
Revoke users or devices
Personalization
The personalization phase prepares a device for daily use by end users once they receive an issued device. Personalization tasks can include enrolling fingers for biometric authentication, changing the initial password, or both. The following two types of deployment are available to complete the personalization process:
Face-to-face—the end user must be physically present with the Issuance Officer to personalize the device. Face-to-face deployment provides strong identity proofing because Issuance Officers can verify that the correct user is authorized for the device.
User self-personalization—users personalize their devices independently using a self-serve wizard in the client. Users who must authenticate with only one factor will automatically receive a notification e-mail with a temporary password once a device has been issued. The temporary password is required to complete the self-serve wizard. Users who require two-factor authentication must call the Help Desk to receive an authorization code to complete the self-personalization process. The user will provide the Help Desk Operator with a confirmation code when the self-personalization process is complete. The phone call allows the Help Desk Operator to confirm the identity of the user and ensure that they are added to the Manager system.
Usage
Revoking a device—flags the device in the device database to alert administrators
and Help Desk operators. Administrators must physically remove the device to stop a user from using it.
Revoking a user—flags the user in the device database to alert administrators and Help Desk operators that the user should not be using a device. This will also prevent the same user from being issued other devices. Administrators must physically remove the device to stop a user from using it.
Removing a user—removes a user from the device. This does not affect other users
if there are multiple users on the device.
Recovering data—the process by which a security officer can get data off of a
device without the user being present
Rescuing devices—the process by which a Help Desk operator assists an end user
who cannot authenticate to the device.
Updating software on the read-only partition
The role of the administrator
You can separate administrative tasks into roles so that each role is responsible for a different set of tasks. Separating roles is useful when you want to control access to specific tasks. It also ensures that one person does not have control over the entire deployment process.
For auditing purposes, Manager creates a log of all administrative operations. When you install Manager, you can separate it into four modules according to the following roles:
Initialization Officer
Issuance Officer
Help Desk Operator
Security Officer
Initialization Officer
Initialization officers can erase devices and perform tasks involved in the Initialization phase of deployment. For more information, see “Initialization” on page 23.
Issuance Officer
Issuance Officers can perform tasks involved in the Issuance phase of deployment, including setting user profiles, creating users and corporate administrators and security policies. They can also remove users or revoke users or devices. For more information, see “Issuance” on page 24 and “Personalization” on page 25.
Help Desk Operator
Help Desk Operators provide authorization codes to users to complete the
Security Officer
Security Officers perform data recovery operations. Data recovery is different from device rescue operations. Data recovery is done for auditing purposes where user information needs to be examined. The device user is not required to be present. In contrast, during a device rescue the Help Desk Operator cannot access or examine private user data. For more information about data recovery, see “Recovering data” on page 45.
Help Desk support
When a user calls the Help Desk, it is important that the Help Desk Operator confirms the identity of the user using acceptable corporate criteria. Manager can help the Operator confirm that the user has the correct device by matching the serial number to the user.
To ensure the security of this process, a Help Desk Operator must do the following before providing the authorization code to end users to rescue the device:
Have users identify themselves and the serial number of their device.
Confirm that this information is consistent with the data in the device database.
Apply other corporate identification criteria as specified by your company.
Initializing devices
Device initialization is the first phase in a deployment of McAfee Encrypted USB Devices. McAfee Encrypted USB Manager configures each device with the parameters set in the initialization profile that you apply to the device. The initialization officer is responsible for creating initialization profiles and applying them to devices.
This chapter contains information about:
Creating initialization profiles
Editing and deleting initialization profiles
Applying initialization profiles to devices
Erasing devices
Note: While initialization profiles control the device configuration, usage profiles control how users and private partitions are configured on a device. In an initial deployment, Issuance Officers apply usage profiles to devices during the second phase of deployment where devices are issued to users. For more information, see “Issuing devices to users” on page 33.
Creating initialization profiles
You must create an initialization profile before you can initialize a device. Initialization profiles contain the policies that determine how a device is configured. As a general guideline, create one company profile and apply this to most devices.
Initialization profiles are created by entering the parameter information in a new profile or by copying an existing profile and saving it under a new name. You can set the following parameters in an initialization profile.
Table 1-1: Initialization profile settings
Profile setting | Description
Profile name | Provide a descriptive name for the profile.
Device Type | Indicates the type of device, such as McAfee Zero Footprint Biometric Encrypted USB, to which you want to add the profile.
Allow Public Partition | Lets you set up a public partition. The default setting is “NO”.
Public Partition Size (MB) | If you set up a public partition, type the size in the text box.
Read-Only Drive Type | Specifies whether the device is recognized as a removable or fixed
Read-Only Partition Size | When sizing the read-only partition, include adequate space to accommodate the addition of future programs. Resizing later can be difficult if there is no available space on the device since resizing a partition requires you to reformat the drive. The recommended space allocation for the read-only partition is 80MB to 100MB.
Read-Only Volume Name | Specifies the name that is assigned to the read-only drive when you open a file manager, such as Microsoft Windows Explorer.
Image Type | Specifies if the content to add to the read-only partition is saved to a directory or a portable content file. A default portable content file is included with Manager to use as a template. The file includes McAfee applications that you can configure using the Portable Content Manager. You can also add other applications. For more information, see “Creating a portable content file” on page 49.
Portable Software Image | Browse to the location of the portable software image that you want to load on the read-only partition of the device.
Device Management Code | If you want to change the default management code, “RECYCLE”, type a new code in the text box. The management code is required to perform device management processes such as, erasing the device, upgrading firmware, or updating device software.
Profile Status | Indicates whether the profile is active or inactive. Inactive profiles cannot be applied to devices.
Note 1: To update a device with a new portable content file after the device has been issued to users, you must create a portable software package and install it on the device. For more information, see “Creating a portable software package” on page 51.
Note 2: McAfee Standard Encrypted USB does not have a read-only partition. You must install the client on the client workstation for this device. For more information, see “Installing the client” on page 21.
Note 3: McAfee Standard Driverless Encrypted USB does not support partition sizing. The read-only image is built-in and you cannot upgrade or modify it. Also, this device does not use a management code.
To create a new initialization profile
1 From the main menu of Manager, click Device Initialization.
2 In the Other Tasks area, click Manage Initialization Profiles.
3 Click Add and follow the instructions on the Device Initialization Profiles page.
To copy an initialization profile
1 Follow steps one and two from the “To create a new initialization profile” on page 29.
2 From the Existing Profiles list, click the profile you want to copy, and then click Copy.
3 Follow the instructions on the Device Initialization Profiles page to complete the procedure.
Editing and deleting initialization profiles
For auditing reasons, you cannot edit or delete an initialization profile that has been applied to a device; you can only view it in read-only mode. To modify an existing initialization profile, you can copy it to a new profile and edit the new copy. For more information, see “To copy an initialization profile” on page 29.
You can change the status of a profile from active to inactive. Only active profiles can be added to devices. By default, when you create an initialization profile the profile status is active. Deactivating a profile removes it from the list of active profiles but does not delete it from Manager.
To edit an initialization profile
1 From the main menu of Manager, click Device Initialization.
2 In the Other Tasks area, click Manage Initialization Profiles.
3 From the Existing Profiles list, click the profile you want to edit, and then click
Edit.
4 Follow the instructions on the Device Initialization Profiles page to complete the
procedure.
To delete an initialization profile
1 From the main menu of Manager, click Device Initialization.
2 In the Other Tasks area, click Manage Initialization Profiles.
3 From the Existing Profiles list, click the profile you want to delete, and then click
Delete.
If the initialization profile has been applied to a device, you cannot delete it.
To deactivate an initialization profile
1 From the main menu of Manager, click Device Initialization.
2 In the Other Tasks area, click Manage Initialization Profiles.
3 From the Existing Profiles list, click the profile you want to deactivate, and then
click Edit.
4 In the Profile Status area, click to clear the Active check box.
Note 1: If you want to reactivate a profile, repeat the first 3 steps in the procedure “To deactivate an initialization profile”. In Step 4, click the Active check box.
Note 2: To view a list of active or inactive profiles, on the Manage Initialization Profiles page, click the appropriate option button.
Applying initialization profiles to devices
You initialize a new device by applying an initialization profile to the device. New devices are not registered in the Manager system and have no device users.
You can update registered devices—those that are part of the Manager system and may have device users—by applying a different initialization profile. Non-registered
Important: If you import a non-registered device, you cannot rescue the device or recover data from existing users. You can erase a device when you import it. For information about removing all users and device data, see “Erasing devices” on page 31.
Note: For information about creating initialization profiles, see “Creating initialization profiles” on page 28.
To apply an initialization profile to a new device
1 Plug the device into the USB port of the initialization computer.
2 In Manager, click Device Initialization and then click Manage Devices.
3 Follow the instructions on the New Device Initialization page.
To update a registered device with a different profile
1 Plug the device into the USB port of the initialization computer.
2 In Manager, click Device Initialization, and then click Manage Devices.
3 Follow the instructions on the Update Device page.
To import a non-registered device and apply an initialization profile
1 Plug the device into the USB port of the initialization computer.
2 In Manager, click Device Initialization, and then click Manage Devices.
3 Follow the instructions on the Import Device page.
Note 1: If the device requires a firmware upgrade, Manager displays the Firmware
Upgrade page. You must upgrade the firmware before you can proceed. For more
information, see “Upgrading device firmware” on page 44. McAfee Standard Driverless Encrypted USB does not allow you to upgrade its firmware.
Note 2: For non-registered devices that are locked, you will be required to unlock the device by authenticating to it as an administrator.
Erasing devices
Erasing a device deletes all current device users, keys, and authentication mechanisms from the device and resets it to a default state. All data on the device will be unrecoverable. You can erase users on a registered or non-registered device that you want to import or re-initialize.
Once you erase a device, you can initialize it as a new device. For registered devices, if you do not initialize the device after erasing it, the device remains in the Manager system and is marked as “erased”. However, for licensing purposes, the erased device still uses a device license. You can initialize the device at a later time. For information about initializing a new device, see “To apply an initialization profile to a new device” on page 31.
To erase a device
1 Plug the device into the USB port of the initialization computer.
2 In Manager, click Device Initialization, and then click Manage Devices.
One of the following pages will be displayed depending on the state of the device:
Import Device—if the device is not registered in the Manager system
Update Device—if the device is registered in the Manager system