Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

File and Removable Media Protection 4.3.0 Best Practices

advertisement 
Best Practices Guide
McAfee File and Removable Media
Protection 4.3.0
For use with ePolicy Orchestrator 4.6.6, 4.6.7, 5.0.1, 5.1 Software
COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy
Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource,
VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other
names and brands may be claimed as the property of others.
Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
2
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
Contents
1
Introduction
5
How File and Removable Media Protection works . . . . . . . . . . . . . . . . . . . . . . 5
Purpose of this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2
General recommendations
7
Deployment and activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Database sizing considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Policy assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8
Moving machines with FRP installed from one McAfee ePO server to another . . . . . . . . . .
9
Compatibility with other encryption products . . . . . . . . . . . . . . . . . . . . . . . 9
Delegated administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Encryption options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Blocking processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Key request exclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3
File and Removable Media Protection use cases
13
Secure sharing with USB devices . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enforce Encryption (onsite access only) . . . . . . . . . . . . . . . . . . . . . .
Allow Encryption (with offsite access) or Enforce Encryption (with offsite access) . . . . .
Device exemptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Secure sharing with CD/DVD/ISOs . . . . . . . . . . . . . . . . . . . . . . . . . .
Protecting sensitive folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
General encryption guidelines . . . . . . . . . . . . . . . . . . . . . . . . . .
Removing a folder encryption policy . . . . . . . . . . . . . . . . . . . . . . .
Encrypted parent folder — decrypted subfolder . . . . . . . . . . . . . . . . . . .
Protecting sensitive files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enable search encrypted option . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Protecting network share folders . . . . . . . . . . . . . . . . . . . . . . . . . . .
Securing email attachments . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4
Encryption keys
13
14
14
15
16
16
16
17
17
17
18
18
19
21
Regular and user personal keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
User local keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Index
McAfee File and Removable Media Protection 4.3.0
23
Best Practices Guide
3
Contents
4
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
1
Introduction
®
McAfee File and Removable Media Protection (FRP) delivers policy-enforced, automatic and
transparent encryption of files and folders on PCs, file servers, emails, and removable media such as
USB devices and CD/DVDs.
FRP is managed by McAfee® ePolicy Orchestrator (McAfee ePO), creating a central point of
management that ensures your data is safe wherever it goes.
Typical FRP use cases include encrypting files such as spreadsheet and sensitive documents, and
enabling secure access to a specific folder on a network file share, enabling users to securely copy
information on removable media and send self-extracting files in email attachments to partners or
clients.
Contents
How File and Removable Media Protection works
Purpose of this guide
How File and Removable Media Protection works
FRP encrypts files and folders on local drives, network shares, and removable media devices according
to the policies enforced by the McAfee ePO server.
FRP supports both user and system-based policies, and provides a single point of control to protect
data in your environment through integration with McAfee ePO. FRP relies on Microsoft Windows
credentials, so both registered domain users and local system users can be assigned product policies
and encryption keys.
When the FRP client is installed on the system, the system synchronizes with the McAfee ePO server
and fetches product policies and encryption keys. The FRP client acts like a filter between the
application creating or editing the files and the storage media. When a file is saved, the FRP filter
executes the assigned policies and encrypts the data if applicable. The product is transparent to the
end user, ensuring a seamless experience.
File and Removable Media Protection is available as part of the following suites:
•
McAfee Complete Endpoint Protection - Business (CEB)
•
McAfee Complete Data Protection - Advanced (CDA)
•
McAfee Complete Data Protection (CDB)
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
5
1
Introduction
Purpose of this guide
Purpose of this guide
This guide suggests best practices for deployment and management. It also discusses optimization
and maintenance before and after deployment.
This document encapsulates the professional opinions of FRP certified engineers, and is not an exact
science. You must understand both the product and the environment where it will be used before
deciding on an implementation strategy. Calculations and figures in this guide are based on field
evidence and not theoretical system testing; they are our best advice at the time of writing. Review
the best practices and use the guidelines that best fit your environment.
This is not intended to serve as a product guide.
6
•
For details on how to deploy and use FRP, see the McAfee File and Removable Media Product Guide
and the McAfee File and Removable Media Migration Guide.
•
For customized recommendations and optimizations for your environment, contact McAfee
Professional Services.
•
To discuss product use cases and recommendations on feature usage and to obtain the latest
information, visit the McAfee Community Forum: https://community.mcafee.com/community/
business/data/epoenc
•
For issues related to the product, contact McAfee Support.
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
2
General recommendations
Contents
Deployment and activation
Database sizing considerations
Policy assignments
Moving machines with FRP installed from one McAfee ePO server to another
Compatibility with other encryption products
Delegated administration
Encryption options
Deployment and activation
This section provides general recommendations for the deployment of FRP.
Client operating systems
•
Verify operating system support — Make sure that the client operating system, including
service pack levels, is officially supported. For details, see KB81149.
•
Prevent deployment to non-supported client operating systems — Use McAfee ePO to
prevent deployments to unsupported operation systems such as Windows XP 64 bit and Windows
Vista 64 bit. McAfee ePO together with McAfee® Agentwill ensure that the FRP client is run only on
endpoints with supported operating systems.
VDI environments
For the latest information on support for VDI environments, including installation details and
applicable constraints, see KB81478.
Deployment using third-party tools
You can manually install FRP 4.3.x locally or in conjunction with a third-party deployment tool using
the command line interface.
To upgrade from McAfee® Endpoint Encryption for Files and Folders, you must first uninstall the
existing version. You must install a supported version of McAfee Agent before using the command line
method.
The specific command depends on the operating system:
•
32-bit operating system: msiexec.exe /q /i eeff32.msi
•
64-bit operating system: msiexec.exe /q /i eeff64.msi
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
7
2
General recommendations
Database sizing considerations
After executing the command line instruction, you must restart the client to complete the installation
procedure. For details on installing FRP from the command line, see KB81433.
Deployment through McAfee ePO is the recommended approach.
Encryption key deployment
Initial key delivery following deployment to a large number of client systems can subject the Tomcat
process on the McAfee ePO server to high load, as it has to process secure data channel messages to
and from the client. To reduce the risk of overloading the Tomcat process, adopt a phased deployment
strategy so that the key delivery can be evenly distributed. Although the number of systems that can
be supported consecutively depends on a number of factors (server performance, number of keys
granted to each client, whether database is local to McAfee ePO server, and so on), we recommend
starting at 100 systems per hour and monitoring the load. Alternatively, consult McAfee Professional
Services to determine the optimal rate for your environment.
Database sizing considerations
This section provides recommendations regarding database sizing.
The main database sizing considerations for FRP relate to:
•
Encryption keys that are generated on McAfee ePO — regular and user personal keys
•
Removable Media Events (USB and CD/DVD) that are generated on FRP clients and sent to McAfee
ePO for the purpose of auditing or reporting
Encryption keys
FRP creates three tables to maintain encryption key information. For an environment with 10,000
users where a user personal key is assigned to every user (10,000 keys) and 1000 regular keys, a
combined total of ~20 MB of index space and ~6 MB of data space are required.
Events
Removable Media events are lightweight. This generic formula can be used to calculate the space
requirements:
Data Space = Number of events/per node/per day * Number of Nodes * Number of Days * 0.3 KB
Index Space = Number of events/per node/per day * Number of Nodes * Number of Days * 0.002 KB
For example, for an environment with 10,000 nodes with an average of 10 events per node per day,
for a period of 30 days:
•
Data Space required = ~900 MB
•
Index Space required = ~6 MB
Policy assignments
This section provides recommendations regarding the effective implementation of policy assignments.
Pragmatic policy assignment rules
We recommend that you simplify policy assignments by defining a baseline or default policy for your
organization, and implementing it as a system-based policy. Then, for any exceptions to the policy,
create a user-based policy assignment rule. This rule will always supersede system-based policies
8
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
General recommendations
Moving machines with FRP installed from one McAfee ePO server to another
2
(both those assigned via the System Tree and those assigned by system-based policy assignment rules),
making this the easiest way to implement complex policies. This also minimizes the amount of
processing on the McAfee ePO server.
For further information on policy assignments, see KB81441 and KB72775.
Moving machines with FRP installed from one McAfee ePO
server to another
Encryption keys and policy information must be exported and imported to the new McAfee ePOserver.
For user personal keys to continue to function seamlessly, ensure that the user domain and user name
details do not change.
If you are using Role-Based Key Management, ensure that you create equivalent roles on the new
McAfee ePO server before importing the keys. If matching roles are not found, the key import process
will fail.
Compatibility with other encryption products
FRP is not compatible with other file-level encryption products such as Microsoft Encrypted File System
(EFS).
Both FRP and products such as EFS are file encryption products that work at the same file system
level, therefore a driver conflict would occur.
Delegated administration
Role-based key management provides the ability to logically separate and compartmentalize key
management across multiple administrators. This functionality is critical for separation of duties across
business functions and subsidiaries, and also helps protect the activities of different groups from one
another.
This functionality is enabled in three steps (performed by the Global Key Administrator):
•
Creation of a role (for example, Finance)
•
Creation of a permission set (with the necessary privileges) and its assignment to a role
•
Creation of a McAfee ePO user to serve as the Key Admin (for example, Finance Key Admin) and
associating the user with the appropriate permission set
The permission set binds the role (Finance) with the McAfee ePO user (Finance Key Admin).
Any McAfee ePO Global Administrator can play the role of Global Key Administrator. The Global Key
Administrator is assigned the "Default" role and does not have access to keys associated with other
roles. If, for example, the HR Finance Key Admin leaves the organization, Global Key Administrator can
create a new McAfee ePO user and assign the user the necessary role and permission set required for
managing the HR Group.
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
9
2
General recommendations
Encryption options
An audit trail is created to enable the monitoring of key management and policy assignment functions
performed by administrators to ensure compliance and prevent abuse by administrators.
Encryption options
Blocking processes
FRP acts as a persistent encryption engine. When a file is encrypted, it remains encrypted even if the
file is moved out of an encrypted directory.
Nonetheless, in certain scenarios encrypted data might be unintentionally exposed in plaintext. For
example, when uploading files to an FTP server, encrypted files are uploaded in plain text format. This
is because socket communication is used for the file operation instead of Windows I/O file operation.
To allow encrypted data to be uploaded with persistent encryption, you can configure the FTP process
as a blocked process. Blocked processes (applications) always receive files in cipher text from the FRP
filter driver, meaning that the files are not decrypted for the blocked processes.
The main purpose of process blocking is to prevent encrypted data from being unintentionally exposed
in plaintext; this is done by circumventing the FRP encryption engine. Consider the process exemption
feature as a prevention feature, a part of the concept of digital rights management, rather than a way
for users to share encrypted data over Internet or web-mail.
10
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
General recommendations
Encryption options
2
Processes that can be safely blocked
•
FTP processes
•
File sharing processes
•
File backup processes
Processes that are risky to block
•
Internet browser processes
•
Email client processes
The data remains encrypted, but the applications might alter the file and render the data unreadable
when sent to a network resource or email recipient. The source file remains intact at all times.
Processes that must never be blocked
•
Data compression applications like WinZip
•
FRP client processes
•
Windows Explorer
•
Virus scanning processes
•
Windows processes
•
Processes for other McAfee products
Key request exclusions
You can define key request exclusions so that specific processes are not stopped when they trigger an
authentication prompt and an encryption key is not available.
For example, if there are encrypted files for which the key is unavailable (or there are files encrypted
using user local keys), applications like virus scanners might get "stuck" on encrypted files because it
cannot access the files, and the scanning process stops. To avoid such situations, make sure that you
define key request exclusions for any process that automatically gets an Access Denied message if keys
are unavailable.
Key request exclusions should never be defined for Windows Explorer and FRP client processes.
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
11
2
General recommendations
Encryption options
12
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
3
File and Removable Media Protection use
cases
Contents
Secure sharing with USB devices
Secure sharing with CD/DVD/ISOs
Protecting sensitive folders
Protecting sensitive files
Enable search encrypted option
Protecting network share folders
Securing email attachments
Secure sharing with USB devices
FRP offers a number of protection options for USB devices. Select the protection level based on the
requirements of your environment.
•
To restrict access to the encrypted USB devices to within the company's environment only, select
the Enforce Encryption (onsite access only) option.
•
To enable users to access encrypted USB devices on systems without having to install any McAfee
encryption software, select either Allow Encryption (with offsite access) or Enforce Encryption (with offsite access)
options.
•
The Enforce Encryption (with offsite access) option allows a file to be copied to the USB device only when it
is encrypted, otherwise the device is rendered read-only. If the User Managed option is selected,
files can be copied only to the encrypted portion of the device.
•
To define the use of USB sticks as read-only, select the Block Write Operations option.
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
13
3
File and Removable Media Protection use cases
Secure sharing with USB devices
Enforce Encryption (onsite access only)
These encryption options are relevant for the Enforce Encryption (onsite access only) setting.
•
No automatic decryption of existing files — If a removable media device is already subject to
an Enforce Encryption (onsite access only) policy, the data on the USB device remains encrypted even if
you disable it by setting the policy to Allow Unprotected Access. To decrypt the data on the device, set
the Key Field option to Decrypt. Changing the policy to Allow Unprotected Access affects new devices only
(devices not previously subject to the Enforce Encryption (onsite access only) policy).
•
New files keep getting encrypted — Disabling the Enforce Encryption (onsite access only) option does
not mean that new files created on a removable media that have been subject to the removable
media encryption policy will be in plaintext. New files are still encrypted when written to the media
(the encryption policy is still applied to the USB device itself). To remove an applied encryption
policy on removable media, set the Key Field option to Decrypt.
•
Ignore existing content on media — When the Ignore existing content on media option is disabled, all
existing files on the attached removable media become encrypted (not ignored). Therefore, they
can no longer be read from systems without FRP. Beware of leaving this option disabled. When this
setting is enabled, only new files are encrypted when placed on a USB device where this policy is
applied.
Allow Encryption (with offsite access) or Enforce Encryption
(with offsite access)
It is possible to initialize the entire device or part of it based on the selected Protected Area setting.
With the full device policy in place, if the end user chooses to back up the existing data, the data on
the device is first copied to the system drive on the local computer. An encrypted container is then
created on the removable device, and finally the data is copied back from the local computer to the
encrypted container (removable device). In this process, there might be limitations in terms of free
space on the local machine and the time required for the copy operations (back and forth) might be
substantial.
We recommend that the Administrator select the User Managed option. This allows the end user to
determine the size of the encrypted container. The maximum size of the encrypted container that the
user can create is equal to the free space on the USB device.
Using the user personal key as the recovery key
We recommend that the recovery key be configured as a recovery method, and that the user personal
key be used for this purpose.
Using a regular key as the recovery key allows all users with access to that recovery key to perform
recovery on other users’ devices where the same recovery key is in use. Assigning the user personal
key as the recovery key for removable media encryption ensures that the USB media can be recovered
only by the user who encrypted it.
Support for large files in the encrypted container
Enable the Allow large file support (> 4 GB) option to allow files of size larger than 4 GB to be copied to the
encrypted container.
When a device that is initialized with EEFF 4.2 or below is inserted on to a FRP 4.3 client with the Allow
large file support (> 4 GB) option enabled, the container format is automatically updated to support larger
files (wherever applicable). There is no need to reinitialize the device.
14
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
File and Removable Media Protection use cases
Secure sharing with USB devices
3
Clients running on EEFF 4.2 or below cannot recognize the new FRP 4.3 container format. Start by
upgrading clients to FRP 4.3 with the Allow large file support (> 4 GB) option turned off. Once a critical mass
of clients is on FRP 4.3, apply the new container format by enabling the policy.
Machines running an earlier version FRP (EEFF) do not have the intelligence to detect the new container
format. Files on the encrypted device can be read on these machines using the offsite application but
this is not advisable.
Mac OS X offsite browser for USB media
Offsite support on Mac OS X clients has been introduced in FRP 4.3. Any encrypted device using the
offsite access options (formerly known as EERM) can now be accessed on Mac OS X clients.
In addition to being able to read files on the device, it is possible to do in-place edits and copy files to
and from the encrypted USB device.
Previously encrypted devices are automatically provisioned with the Mac offsite browser when the USB
devices are inserted on to a FRP 4.3 client. There is no need to reinitialize existing encrypted devices.
Auditing and reporting
FRP provides rich auditing and reporting capabilities where end-user activity related to the use of USB
media is captured and transmitted back to McAfee ePO.
The product provides a rich reporting framework that allows administrators to run custom queries on
the audit event database.
Device exemptions
Device exemptions are based on the Device Instance Path ID. Devices are exempted based on a substring
match.
For example, if the Device Instance Path ID was identified as USBSTOR
\DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00\001CC0EC321DFBC0B717268 6&0,
then these strings can be configured to exempt devices:
•
KINGSTON — Exempts all KINGSTON devices
•
DATATRAVELER — Exempts all DATATRAVELER models regardless of whether the MAKE is
KINGSTON
•
G3 — Exempts any device with G3
•
DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00, and so on
The example above demonstrates the use of a single entry in the exclusion list to indicate string-based
matching. For more details, see KB81519.
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
15
3
File and Removable Media Protection use cases
Secure sharing with CD/DVD/ISOs
Secure sharing with CD/DVD/ISOs
The protection level options offered for CD/DVDs are similar to the ones provided for USB devices.
Select the protection level based on the requirements of your environment.
Enforce Encryption (onsite access only)
•
Burning applications — Make sure that the burning software is on the list of supported CD/DVD
burning applications in the FRP documentation. Using a non-supported burner can render CD/DVDs
as plaintext, even though the policy stipulates encryption. For more details, see KB81450.
•
CD/DVD format limitations — Make sure that the CD/DVD media is on the list of supported
CD/DVD formats. For more details, see KB76478.
Protecting sensitive folders
FRP enables you to encrypt the contents of entire folders thus protecting any sensitive data they
contain.
Encryption can be either policy-driven or user-driven. When encryption is policy-driven, the
Administrator can enforce encryption of a folder by specifying the location and selecting the encryption
key that is to be used for that folder. The Administrator can specify several folders (and select the
corresponding encryption keys) in the same folder encryption policy. Alternatively, the Administrator
can allow users to selectively encrypt or decrypt folders by enabling the Explicit Encrypt and Explicit Decrypt
options.
A folder encrypted by an Administrator-enforced policy cannot be decrypted by the end user using the
Explicit Decrypt option.
Folder encryption policy is single slot in nature. You can specify only one folder encryption policy
referencing a particular system or a particular user. However, both of these can co-exist. For example,
if user X logs in to system Y, the folder encryption policy applicable to system Y and user X is enforced
provided that they do not conflict. If they do conflict, the user-based policy overrides the
system-based policy.
General encryption guidelines
•
Local volumes — Do not encrypt entire local volumes and in particular the system volume; doing
so can cause deadlocks on the client systems.
•
Do not encrypt entire local drives — FRP is file and folder encryption software, not full disk
encryption software. Thus, except for removable media, we do not recommend its use to encrypt
entire drives.
®
For full disk encryption with McAfee ePO management, review the capabilities of either McAfee
Drive Encryption or McAfee Management of Native Encryption (MNE).
®
16
•
Program Files directory — Do not encrypt the Program Files; doing so can cause deadlocks on
the client systems.
•
Microsoft Outlook data directories — Do not encrypt the Microsoft Outlook data directories
containing the OST and PST files. Instead, we recommend the use of Windows EFS for this
purpose.
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
File and Removable Media Protection use cases
Protecting sensitive files
3
•
User profile folder — Do not encrypt the entire “User” profile. Although the User profile is a folder
per se, it is not recommended to encrypt that entire folder with a folder encryption policy as it
might cause deadlocks. Instead, try to isolate the folders that actually might contain sensitive data.
If this is a real concern, consider deploying McAfee HostDLP to assess the content of each file and
have sensitive files encrypted via the FRP-HDLP integration.
•
Desktop folder — Be careful if you plan to encrypt the Desktop folder. Only do this if you’re sure
you don’t have static links to other drives on the desktop. LNK-linked shortcuts are fine, but static
hard links to other drives will render these targets being encrypted if the shortcuts are on the
Desktop. It is a best practice to specify specific directories in the FRP folder policy screen. This is
done by selecting [Desktop] and then adding the specific paths like [Desktop]\FolderA and
[Desktop]\FolderB. Choose [Desktop] only if you’re sure that there are no static links to other
drives on the desktop.
•
Whenever possible, select only folders containing sensitive files — Always try to pinpoint
the folders containing sensitive data rather than generalizing on a high directory level. If this is a
real concern, use file extension encryption or consider deploying McAfee HostDLP to assess the
content of each file and have sensitive files encrypted via the FRP-HDLP integration.
Removing a folder encryption policy
Removing a folder encryption policy does not automatically decrypt the content of that folder.
To decrypt an encrypted folder, you must specify a policy pointing to the folder location and select
Decrypt in the Encryption key field.
Encrypted parent folder — decrypted subfolder
By default, all sub-folders in a folder that is assigned an "encrypt" policy are also encrypted. However,
it is possible to set a subfolder as decrypted even if (any) parent folder is set to be encrypted. For
example, it is possible to encrypt the My Documents folder through a folder encryption policy and have
it contain the My Video subfolder in plain text format using the Decrypt option.
Protecting sensitive files
FRP enables you to encrypt the contents of files based on the file extension.
As with folder encryption, file encryption can be either policy-driven or user-driven.
It is possible to add as many processes and extensions as you like within a single file encryption
policy. It is also possible to mix encryption keys for different processes, as long as it is done in a
rational manner.
File encryption policy is single slot in nature similar to Folder encryption policy.
Example of policy-driven file encryption
This example assumes that you want to encrypt files created by Microsoft Excel.
Enter both the process name and the [exe] extension, for example, “excel.exe”. Process names can
easily be identified by starting the corresponding application and then locating the process name in
the Windows Task Manager. Only the extension should be entered ("xls"); wildcards or dots (*.xls", or
".xls") should be omitted.
Specify the encryption key with which files created by the Excel application should be encrypted.
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
17
3
File and Removable Media Protection use cases
Enable search encrypted option
Avoid using the wildcard (“*”) as extension
The wildcard (“*”) extension in file extension encryption is very powerful — every file created by the
stated application will be encrypted, including templates, index files, and so on. Despite its appeal, we
strongly recommend that you carefully define the file types might be created and contain sensitive
data worth encrypting. Make a serious attempt to list the file types created in your organization that
might contain sensitive data. For example, a template file (e.g., <text>*.dot) does not normally
contain any sensitive data. If this is a real concern, consider deploying McAfee HostDLP to assess the
content of each file and have sensitive files encrypted via the FRP-HDLP integration.
Enable search encrypted option
FRP policy includes the Enable search encrypted option, which makes it is possible to list files encrypted by
FRP.
The Search encrypted option is available as a context menu option on the FRP client. In the search dialog,
if <any key = encrypted> is selected, all encrypted files/folders in the selected location are listed.
Protecting network share folders
FRP enables you to protect your network share folders by applying encryption policies to these shares.
There are a number of steps that can be taken to optimize network and system performance in the
process.
Explicitly encrypt large shares in advance
For large network folders that require encryption, apply a folder encryption policy that points to the
network share location on a single dedicated machine where FRP is already deployed.
Initiating encryption from this single machine prevents multiple systems from attempting to
enumerate, fetch, encrypt and upload files simultaneously over the network, thus minimizing the risk
of network bandwidth failure and file server payload overflow.
Depending on the size of the share folder, this initial encryption task may be set to run overnight, at
the weekend, or whenever typical network usage will be minimal.
Tune network parameters
When encrypting large folders on a network share through a policy, we strongly recommend adjusting
the following policy options for optimal performance. These values are recommended:
18
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
3
File and Removable Media Protection use cases
Securing email attachments
•
I/O utilization: 20% (set in Encryption Options policy). This option controls the amount of I/O
bandwidth used by each system during encryption, and while not specific to network shares, the
bandwidth will be higher when large encrypted folders are processed.
•
Bandwidth limit: 100 KB/sec (set in Network policy. This option controls the network bandwidth used
by each system during encryption. Introducing a limit helps distribute the encryption load of a
network share between the client systems, while also preventing network overload).
•
Network latency: 600 ms (set in Network policy). This option prevents encryption attempts when the
network performance is already degraded.
Enable file size limitation
The Enable limiting of file size... option enables you to exclude (very) large files from encryption through
policy enforcement. This is particularly important for network shares where the encryption of large
files can cause heavy network traffic.
This option applies only to files contained in folders encrypted according to a Folder Encryption policy.
Explicitly encrypted files are not subject to this limitation, nor are files encrypted by a file extension
encryption policy. Files drag-dropped to encrypted folders and files saved to encrypted folders are also
not affected.
Restrict maximum number of clients
You might want to tune the network folder encryption based on the capacity of the client machines
and the overall network traffic. For example, you might set the parameter Maximum number of clients allowed
to encrypt folder to 10 to increase the encryption intensity if there is generous network capacity.
Securing email attachments
FRP enables you to secure email attachment using self-extractors.
•
Use Allow creation of Self-extractors or Enable sending of encrypted email attachments to help end users secure
email-attachments.
The Enable sending of encrypted email attachments restricts the encrypted attachments to be accessed within
the company's environment. Self-extractors can be used to share information with an external party.
•
Maximum data input size — The maximum data input size for a self-extractor is 10 MB. Although larger
data input can be used, the recommended maximum input is 10 MB because the self-extractor
code is optimized for this maximum data input.
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
19
3
File and Removable Media Protection use cases
Securing email attachments
20
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
4
Encryption keys
This chapter provides best practice recommendations related to the use of encryption keys.
Contents
Regular and user personal keys
User local keys
Regular and user personal keys
FRP enables the use of regular and user personal keys.
Deactivate encryption keys instead of deleting them
In McAfee ePO, we strongly advise against deleting keys. Instead, it is sufficient to just deactivate
keys. This is to safeguard against any eventuality where a document is encrypted with a key that is no
longer in the system. A deleted encryption key cannot be restored.
User personal keys
User personal keys give the Administrator the ability to create unique keys for users. These keys are
created on the McAfee ePO server when the user logs on to the client system for the first time after
the policy is enforced. User personal keys can be referenced in the Grant Key policy generically (as a
single key), but create unique keys for each of the assigned users.
Use personal keys and multiple McAfee ePO databases
Avoid using user personal keys in a multi-database McAfee ePO environment. This is only safe to do if
a user only registers with one McAfee ePO database and always gets policies and keys from the same
single McAfee ePO instance.
User local keys
A local key is limited to the user and client system where it was created.
Permission to create local keys must be assigned to the users by the Administrator as part of a policy.
User local keys vs. user personal keys
Note the differences between user local key and user personal key features. Users manually create
their own user local keys on their local machines and share them via export and import processes.
These user local keys are not uploaded to the McAfee ePO database and therefore do not transfer with
the user to other computers via default FRP functionality.
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
21
4
Encryption keys
User local keys
The availability of the user local key functions is subject to policy control. User personal keys are
individual keys for each user automatically created in McAfee ePO and also managed centrally in
McAfee ePO. The user is never engaged in creating and managing user personal keys – user personal
keys are managed in McAfee ePO.
Delete user local keys with caution
Exercise caution when allowing users to delete local user encryption keys. Once deleted, there is no
way to restore that key or any data encrypted with that key.
22
McAfee File and Removable Media Protection 4.3.0
Best Practices Guide
Index
A
format limitations 16
Allow Encryption
onsite access only 14
with offsite access 14
auditing 15
B
G
global key administrator 9
I
blocking processes 10
I/O utilization 18
ISOs 16
C
K
CDs 16
compatibility, other encryption products 9
key request exclusions 11, 21
keys
encryption 7, 21
recovery 14
user local keys 21
user personal 14
user personal keys 21
D
data input size, self-extractors 19
decryption, automatic 14
delegated administration 9
deployment 7
Desktop folder 16
device exemptions 15
drives, encryption 7
DVDs 16
L
large file support 14
latency 18
local volumes 16
E
M
email attachments 19
encryption
general guidelines 16
encryption keys
deactivating vs. deleting 21
key request exclusions 11
encryption keys, deployment 7
Enforce Encryption 14
enforce encryption, CD/DVD/ISOs 16
exemptions, device 15
Mac X OS offsite browser 15
Microsoft Outlook data directories 16
migration, between ePO servers 9
F
file extension encryption 17
file size limitation, network share folders 18
folder encryption 16
guidelines 16
parent and child folders 17
removing from policy 17
McAfee File and Removable Media Protection 4.3.0
N
network parameters
tuning 18
network share encryption, intensity 18
network share folders
bandwidth limit 18
explicit encryption, large folders 18
file size limitation 18
maximum number of clients 18
protection 18
O
operating systems 7
Best Practices Guide
23
Index
P
U
policy assignment rules 8
process blocking 10
Program Files directory 16
purpose 6
USB devices 13
Allow Encryption (with offsite access) 14
auditing 15
Enforce Encryption (onsite access only) 14
Enforce Encryption (with offsite access) 14
exemptions 15
ignore existing content 14
large file support 14
Mac X OS offsite browser 15
user local keys
deleting 21
user personal keys 14, 21
multi-database environment 21
R
recovery keys 14
removable media 13
reporting 15
role-based key management 9
S
search encrypted option 18
secure sharing 13, 16
self-extractors 19
System Tree
policy assignment rules 8
24
McAfee File and Removable Media Protection 4.3.0
W
wildcards, file extensions 17
Best Practices Guide
00
Related documents
Laptop Encryption Project Update
Laptop Encryption Project Update
Abstract - Chennaisunday.com
Abstract - Chennaisunday.com
Comparison Crypto Email and its analogues
Comparison Crypto Email and its analogues
June 23, 2014
June 23, 2014
Download
advertisement