McAfee ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE Specifications

1McAfee®EndpointEncryptionEnterpriseBestPracticesGuideNovember2009

10AnObjectDirectorywith5000usersand5000systemscouldbeexpectedtogrowasfollows:TypicalGrowthof5000user/machineObjectDirectory

11GlobalDeploymentsThesingleserverapproachworkswellaslongastheendpointscanmakeandsustainaTCP/IPconnectiontotheserver.Depend

12OptimisationActionsOverviewMcAfeegenerallyrecommendsthefollowingactions(mostofwhicharedescribedinmoredetaillater):•Optimizeh

13NameIndexing(DBCFG.INI)Nameindexingshouldbeenabledonalldatabasesespeciallythosewithover1000endpointsorusers.Itwillbenoticeab

14LifeTime=86400Thetime(inseconds)forwhichtheindexwillbeusedbeforeitisautomaticallyre‐createdifsomebodylogsontothedatabase.T

15TCP/IPKeepAliveTimeReductionReducethissettingonallEEPCserversfromtwohours(thedefault)tofiveminutes.Theserverwillrequireares

161. OpenRegedit.2. GotoHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem.3. Intherightpane,lookfortheDwordnamedNtfsMf

17 WindowsPerformanceBydefaulttheWindowsperformancesettingsaresetto‘Applications’.However,testingshoulddefinethebestsetting.

18ObjectDirectoryPhysicalLocationConsiderationshouldbemadetothelocationoftheObjectDirectory.ThedefaultfinalfolderfortheEndpoi

19ObjectDirectoryMaintenanceMaintenanceIntroductionTokeepthedatabasecleanandhealthy,maintenanceisrequiredonaregularbasis.Thisma

2Copyright©2009McAfee,Inc.AllRightsReserved.Nopartofthispublicationmaybereproduced,transmitted,transcribed,storedinaretrieval

20ToexportandthenclearALLuserauditsusethiscommand:SBADMCL–Command:DumpUserAudit–Adminuser:Admin–Adminpwd:mypassword–File:c:\dump\Dum

21OrphanedObjectsTobeginacleanup,thedatabasestartswithwhatareknownas“Orphaned”objects.TheseareobjectsthatexistintheObjectDi

22DumpMachineDescriptionIfobjectsseemtohangtheManagerwhenopened,thenattempttodumpthemachinedescriptiontofindwhichobjectsarea

23UserObjects‐GeneralPerformanceTipsEEPCcansupportthousandsofuserspergroupandpermachine.Thatsaid,forperformanceandsecurityre

24GeneralAdviceDefaultProductsettings(formaximumcompatibility).InstallingtheEndpointEncryptionManager(EEM)usingthedefaultsettings

25oftheothergroupsshouldnotbeusedunlessthereisaspecificreason.Theseusuallyinclude“EEPC52OPTION:”orsimilaratthestartofthena

26• Whenusingsmartcardreadersandtokens,avoidassigningmanyoralloftheReaderorTokenfilegroupstogether.Whilsttheycanbeusedto

3ContentsINTRODUCTION 5PURPOSEOFTHISGUIDE 5RELEVANTPRODUCTS 5SOLUTIONARCHITECTURE 6DESIGNPHILOSOPHY 6SERVERCONFIGURATION 7BASIC

4OBJECTDIRECTORYMAINTENANCE 19MAINTENANCEINTRODUCTION 19ENVIRONMENT 19AUDITMAINTENANCE 19EXTRACTINGANDCLEARINGAUDITFROMTHEDATABASE

5IntroductionPurposeofthisGuideWhenplanningalargerolloutofEndpointEncryptionv5,itisimportanttounderstandtheprocessofscalingt

6SolutionArchitectureDesignPhilosophyMcAfeeEndpointEncryptionisaclient/serverapplicationdesignedtobeimplementedwithasimple,single

7ServerConfigurationBasicServerRequirementsTheEndpointEncryptionCommunicationsServerprocessrunsunderMicrosoftWindows2000/2003.Cur

8ServerRedundancyItisriskytohaveasinglephysicalserverforyourenterprise,evenifyoutakeregularbackups.Werecommendyoutotakeste

9ServerandObjectDirectoryOptimisationEndpointtoServerCommunication‐NetworkLoadEstimationEndpointEncryptionnetworktrafficistheea