
SafeBoot Student Lab Guide

McAfee SafeBoot Security




02.20.2008

McAfee Internal Only and Confidential page 2


The Lab Guide
How to follow the labs:
Here are some tips for successfully following the labs.
1. Do not work ahead. Doing so will desynchronize the course and you
may miss important steps. Only start the next lab when the previous
lab has been successfully completed.
2. When you are finished, do not change any settings. Some settings
may affect future labs.
3. Read and follow every step. Some steps may seem trivial; however,
the entire student lab guide has been designed such that future steps
may depend on previous steps.
Machine Specifications:
4. The labs in this document should be run on the standard hardware listed
below. It should have Windows XP SP2 installed with all the latest
patches and updates. The latest version of VMware should be
installed to run the VM images provided.
a. 3 GHz P4
b. 4 GB RAM
c. 80 GB HDD
VM Setup:
For these labs we have pre-developed three different VMs on VMware
Workstation 5.5.1 build-19175. Each is set up on a custom NAT virtual
network.

Local Administrator User Name: Administrator
Local Administrator Password: mcafee

Active Directory VM:
VM Name: Active Directory
OS: Windows 2003 Server SP1
IP: 192.168.208.129
Subnet: 255.255.255.0
DNS: 192.168.208.129
Gateway: 192.168.208.2
Domain Name Server
Domain Controller
Domain: InternalServer.Domain.com
Active Directory
Two Organizational Units: IT, HR
2/26/2008 Product Training Requirements Document page 3
Four created users: Student (Users); Liz.Shaw (IT); Rose.Tyler (HR); and
Admin.Daily (IT)
A copy of the Installation folder of SafeBoot 5.1.2.0 is provided on the
desktop

Client 1 VM:
VM Name: Client-1
OS: Windows XP SP2
Windows Firewall turned off
Domain: InternalServer.Domain.com
IP: 192.168.208.101
Subnet: 255.255.255.0
DNS: 192.168.208.129
A standard folder called Encrypted with a simple text file is on the desktop.

Client 2 VM:
VM Name: Client-2
OS: Windows XP SP2
Windows Firewall turned off
Domain: InternalServer.Domain.com
IP: 192.168.208.102
Subnet: 255.255.255.0
DNS: 192.168.208.129

Lab 1 - Installation

Installation:

1. Double click the VM folder on your desktop.

2. You should see three folders: Client 1, Client 2 and Active Directory.

3. In each of these folders, locate the VMware Configuration file and double click
it.

4. Again, for each of these VMs, click the link Start This Virtual Machine.

5. Select the Active Directory VM.

6. Log in to the Windows machine by holding Ctrl + Alt and pressing Insert:

a. User Name: Administrator
b. Password: mcafee
c. Domain: INTERNALTRAININ

7. For the Client Machines, use the local Computer Domain, Client-1 or Client-2.

8. On the desktop of the Active Directory VM there is a folder called
SafeBoot51. Double click this folder.

9. Inside the SafeBoot51 folder you should see the installation file Setup.exe.
Double click this file and the installation should begin.

10. At the Welcome to SafeBoot Installation screen, click Next.

11. In the product code text box, type in the following:

a. D631-65C7-8E1C-94

12. Click the Next button.

13. At the License Agreement screen, read the license and when you are finished
click Yes.

14. In the Choose Destination Location screen you are able to change the
directory in which you wish to install the SafeBoot Administration System. Leave
the default destination folder and click Next.

15. The Algorithm screen should appear. Left click the Algorithm drop-down box
and view the available options.

a. RC5-12 (1024 bit, 12 rounds)
b. RC5-18 (1024 bit, 18 rounds)
c. AES (256 bit)
d. AES (FIPS, 256 bit)

The algorithm selected here is the encryption algorithm that SafeBoot will
use to secure your data. Once SafeBoot is installed you will be unable to change
this option without first removing SafeBoot from all computers.

16. Choose AES (FIPS, 256 bit) and click Next.

17. In the Optional components window, scroll down to view the list of available
options you may add to or remove from your SafeBoot installation. Pay particular
attention to Administration features and Tokens. Leave the default
components checked and click Next.

18. At the Start Copying Files screen, review your selection and click Next.

19. When the Installation has completed click Finish.

20. Close the SafeBoot51 folder.

Creating an Object Directory:

1. Navigate to Start > All Programs > SafeBoot Administration Tools >
SafeBoot Administration and left click it. The Create SafeBoot Database
window should appear.

Here you can set a description for the database, the database driver to
use and the installation directory of the database itself.

2. Again, we will leave the defaults and click Next.

3. You can add groups either during installation or afterwards using the
SafeBoot Management Center. We will create one group here. Select SafeBoot
User Groups and click the Add group button.

4. In the Edit Default Group window, type SafeBoot IT in the Group name text box.

5. When you are finished click OK.

6. Notice the SafeBoot IT group has been created. Click Next to continue.

7. In the Root User window, we will now create the root user of the database.
Please use the following information:

a. User Name: SbAdmin
b. Token: Password Only Token
c. Password: mcafee
d. Confirm Password: mcafee

8. When you have finished filling in the form, click the Next button.

9. In the next screen you will be able to add, edit or remove File Groups to be
imported into the database. Locate and select the group DE51 Option:
WACOM Active Tablet Pen Driver.

10. Since we do not use WACOM tablets, we have no need for this file group in our
database. Be sure the correct Group Name is selected and click Remove.

11. Click the Next button.

12. We are now ready to create the new database. Click the Finish button and the
current actions will begin to populate in the Creation status list box.

13. When the database creation is complete you will receive an informational pop-up
box. Click OK.

14. Immediately a logon screen will appear. Please use the following credentials:

a. User Name: SbAdmin
b. Password: mcafee

15. When you are finished click OK.

The SafeBoot Administrator application should appear.

Adding a SafeBoot Server:

We will now configure the SafeBoot Server to manage communication from the
SafeBoot clients to the Object Directory database. This is a required action. You
should have SafeBoot Administrator window opened and selected. If you do,
proceed to step 2. If you do not, follow step 1 and continue normally.

1. Navigate to Start > All Programs > SafeBoot Administration Tools >
SafeBoot Administration and left click it. The Create SafeBoot Administrator
window should appear.

2. Verify that you are on the System tab located at the bottom left of the screen. If
you are not, left click the System tab.

3. Towards the upper left area of the screen, click on the + symbol next to
SafeBoot Server Groups to expand the tree.

4. Double left click on SafeBoot Servers (0). You will now see an empty window
appear to the right. This window is empty because we have not yet defined any
Servers for our SafeBoot Environment.

5. To define the server, click the Add Object button in the menu bar. This button
looks like a green + symbol. The New Server window should appear.

6. In this screen you may define the Server name, IP Address, Port number and key
size. At the bottom of the screen you may wish to add this server to the available
database connection now, or later. For training purposes, let us add this server
to the database connection manually. Uncheck the checkbox, Add to available
database connections.

7. Leave the rest of the options at their defaults and click OK.

At this point SafeBoot will generate unique server keys related to this server. This
may take several minutes. Do not interrupt this process.

8. A server entry named SERVER should now appear in your SafeBoot Servers
window.

Connecting the SafeBoot Server to the Object Directory:

Since we have opted not to connect our server to the database communication
during the declaration of our SafeBoot server, no client can yet access our Object
Directory Database.

1. Right click on the SERVER entry in the SafeBoot Servers Window.

2. Click the Add to Databases listing in the menu options.

3. If successful, you should see an informational pop-up box which says, The
server details have successfully been added to the available database
connections.

4. Click OK.




Starting the SafeBoot Server:

Now that we have configured a SafeBoot Server in a server group, we will now start
the server using the SafeBoot Database Server application.

1. Navigate to Start > All Programs > SafeBoot Administration Tools >
SafeBoot Database Server and left click it. The Create SafeBoot Login window
should appear. Please use the following credentials.

a. User Name: SbAdmin
b. Password: mcafee

2. Once you have entered the proper credentials click OK.

3. The SafeBoot server window will appear asking you to configure the proper
Group and Name of the server you wish to start. Since we only have a single
server created only one server is listed. Leave the defaults and click OK.

4. Notice the server information that is available on this screen. By selecting an
item in the left-hand tree you can see information regarding the Database and
Connection information.

5. Click File and notice, but do not click, the Start Service option. You may use
this option to start the server as a service rather than as an application, as it
is running now.

With the server started as an application or a service our clients will now be able to
communicate to the Object Directory. It is always a good idea to test our server to
make sure that the connections are working properly. To do this, follow the steps
below.

1. Go to the SafeBoot Administrator application.

2. You should be located in the System tab with an open window called SafeBoot
Server Groups SafeBoot servers. Right click on the listing titled SERVER.

3. Click the Get Status option in the menu.

4. At the bottom of the screen a Log information box should appear. This should
have information on the server such as the current connections.


Creating Users and User Groups:

SafeBoot users can be created in several different ways. Two ways we will use
during this course are to manually add a user, and to synchronize both our users
and user groups with Active Directory users and Organizational Units. We will look
at Active Directory later in the course. For now, let us manually create a user.

1. We must start off in the SafeBoot Administrator application.

2. At the bottom left of the screen click the Users tab. This will show our current
User Groups.

3. You may need to expand the SafeBoot User Groups tree. To do this click the +
sign next to SafeBoot User Groups.

4. Notice we have 3 groups, SafeBoot Administrators, SafeBoot IT and SafeBoot
Users. Double click on SafeBoot Administrators. You should see the
sbAdmin user listed in a new open window to the right.

We now wish to create a new custom user of SafeBoot. To do this, follow these
steps:

1. Select SafeBoot Users to the left and Double Click it.

2. Notice that the new window that appeared is empty. With SafeBoot Users still
highlighted, click the Add Object button in the menu bar. This is a green + sign.

3. We will call this user CustomUser by typing it in the User name text box.

4. In the User Information fields, double click on the first empty line. The User
Information field dialog should appear.

5. In the Label text box type Message.

6. In the Content text box type This user was manually created.

7. Click OK.

8. Uncheck Force password change at next logon.

9. Leave the rest of the options at their default and click OK.

10. To view the properties of this new User we have created, right click on
CustomUser and click properties in the menu.

11. Notice the different sections of the user properties on the left-hand side of the
Properties window. If we wish to disable this user, for example when they leave
the company, we can do that here.

12. Verify the General icon is selected on the left and the check box Enabled is
checked.

13. Click the Apply button and then click Close.

We have now created a custom user called CustomUser. To prepare for future labs
and to learn the process of creating a user group let us create a user group called
SafeBoot HR.

1. In the left hand tree, double click SafeBoot User Groups.

2. Click on the Add Groups button in the menu bar. It looks like two overlapping +
symbols. The New Group window should appear.

3. In the Group name, type SafeBoot HR.

4. At the bottom of this window, uncheck the box All members of the group
should have the same configuration.

5. Click OK.

6. You should now see the SafeBoot HR group in your User Group tree structure.

Creating a new Machine:

Within the SafeBoot Administrator, we may also add additional machines and
machine groups for organization and management. Again, we can manually create
these machine names or use the Connector Manager to populate machines via
services like Active Directory. The following instructions will result in the creation of
a single custom made machine in our devices tree.

1. You should be currently located in the SafeBoot Administrator application.

2. At the bottom left of the screen choose the Devices tab.

3. Expand the SafeBoot Machine Groups if it is not already done. Notice that we
do not yet have any SafeBoot Machines declared.

4. Double click on the SafeBoot Machines branch in the tree.

5. Again, notice we do not have any machines listed in the opened window.

6. In the menu bar, select the Add Object button. It looks like a green + sign.

7. Let us call this machine Client-1. Type Client-1 in the Machine Name text box.

8. Click OK.

9. Repeat steps 5-8 to create the Client-2 machine, replacing references to Client-1
with Client-2.

10. Notice Client-1 populated in the SafeBoot machines window. Double click on
Client-1.

This is the Properties window for the client machine. Here is where you can manage
the security of the Client-1 device. Keep in mind that we have not yet synchronized
our Client-1 entry in SafeBoot with our Client-1 VM. Let us do that now.

Synchronizing a new Machine:

1. In the General section, verify that the Boot protection drop-down box is currently
set to Enabled.

2. Select the Require SafeBoot Logon option.

3. Go to the Users section.

4. Click the Add button at the bottom of the Users window.

5. Notice we may select our SafeBoot groups. Select SafeBoot Administrators,
SafeBoot Users and SafeBoot IT.

6. If you have more than one group you wish to add, use the Ctrl key or hold Shift.
Click OK.

7. Now click on the Warning Text section.

8. Change the Security Warning Text to This machine is for Internal Training
only!

9. Click the Synch icon.

10. Check the box Automatically resynchronize every 60 minutes.

11. Check the box Allow remote controlled resynchronization.

12. In the address box type 192.168.208.101.

13. Click the Apply button.

14. Close the Machine Properties Window.

15. Double click on the Client-2 entry. Follow steps 1-14 replacing the IP address
with 192.168.208.102 and adding an additional user group SafeBoot HR.

Although we have set synchronization at the server, we must now provide a method
for the client machine or group to communicate to the server. Until then, the options
we have just changed will never take effect.

Creating the Device Encryption Client installation Set:

1. In the Devices tab in the SafeBoot Administrator right click on SafeBoot
Machines.

2. In the menu options click on Create Installation set.

3. Choose the bulleted option Online.

4. Click Next.

5. In the Address list box, check all the available boxes. If we had more than one
database, the SafeBoot client would try each database in top-down order until a
connection was established.

6. Click Next.

7. Check the Automatically restart the machine option.

8. Click Finish.

9. Click OK.

10. Navigate to C:\Program Files\SBAdmin and locate SAFEBOOT51.EXE.

11. Be sure you are logged into the Client-1 VM with the user name Administrator
password mcafee on the local machine (not the domain). If not, log in now.

12. Drag the SAFEBOOT51.EXE file from the Active Directory VM to the desktop
on the Client-1 VM.

13. Double click this executable on the Client-1 desktop.

14. When the Installation has finished Client-1 should restart itself, if not, restart the
client.

15. Log into the Windows machine using the following credentials:

a. User Name: Liz.Shaw
b. Password: McAfee123
c. Domain: INTERNALTRAININ

Now that we have installed the Device Encryption application, we should
synchronize it with the server. There are two ways to do this. For this lab, let us
manually synchronize the two.

16. In the Client-1 VM, right click on the SafeBoot icon in the system task bar.

17. Click Synchronize and then restart the computer.

18. Before the Windows logon screen you will receive two SafeBoot logon screens.
This is because of our device settings. Use these credentials:

a. User Name: CustomUser
b. Password: 12345

19. Repeat steps 10-18 for the Client-2 VM.

Notice that the SafeBoot user name and password for Client-1 is
CustomUser:12345 while the Active Directory credentials are
Liz.Shaw:McAfee123. This is because we have not yet synchronized the active
directory users to our SafeBoot system and are using separate credentials. All
newly created users in SafeBoot will have the default password of 12345.

LAB 2 SafeBoot Connector Manager

Adding a SafeBoot Connector:

In most environments, administrators would like to synchronize their users and
machines to their existing list of resources. Services such as Active Directory
could already exist in your network setup and be used by SafeBoot to avoid
redundant and time consuming management of users.

1. Navigate to Start > All Programs > SafeBoot Administration Tools >
SafeBoot Connector Manager and left click it. The Create SafeBoot Login
window should appear. Please use the following credentials.

a. User Name: sbAdmin
b. Password: mcafee

2. Click the Add Connectors icon in the menu bar. The Add New Connector
icon should appear.

3. In the Connector Type drop-down box, select SafeBoot AD Connector.

4. The display name should read SafeBoot AD Connector.

5. The Binding Name should read SbAdCon0.

6. Click OK.

7. Expand the tree and click the General branch.

8. In the Host text box type 192.168.208.129.

9. Uncheck the Anonymous Logon.

10. For the User DN type Administrator@InternalTraining.Domain.com

11. Click the Change button.

12. Type in mcafee as the password and click OK.

13. Click the Search Settings tab.

14. Type the following in the BaseDN field: dc=InternalTraining, dc=Domain,
dc=com.

Group Mapping:

1. Click the Group Mappings branch to the left.

2. Double click on the first empty record in the Groups table.

3. Select SafeBoot IT in the SafeBoot Group drop-down box.

4. In the Attribute Value field, type OU=IT.

5. Click OK.

6. Double click on the next empty record in Groups table.

7. Select SafeBoot HR in the SafeBoot Group drop-down box.

8. In the Attribute Value field, type OU=HR.

9. Click OK.

10. At the bottom of the page, in the If NO mapping exists section, select
SafeBoot Users.

11. Click the User Information in the tree.

12. Click the User mapping tab.

13. In the drop down box to the right, select Ignored.

14. Click the Save button in the menu bar.

15. Select SafeBoot AD Connector in the tree. Notice the scheduling feature
located on the Schedule tab. Also, notice the Log feature where you can turn
on simple logging.

16. Click the Run Now tab.

17. Click the Run button at the bottom of the screen. This button looks like a blue
triangle or play button. Note the AD synchronization messages that display.

18. Go to the SafeBoot Administrator application. Be sure you are on the
Users tab. Also, you may wish to refresh this screen to see current data by
clicking the Refresh button in the menu bar.

19. Expand the SafeBoot User Groups and double click SafeBoot IT.

20. You should see two new Active Directory Users, Daily.Admin and Liz.Shaw.
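To make the mapping rules above concrete, here is an added Python simulation (not SafeBoot code) of how the connector settings entered in this lab decide a user's SafeBoot group: the BaseDN limits which objects are considered, an OU attribute value of OU=IT or OU=HR selects the mapped group, and anything else falls back to SafeBoot Users. The sample DNs are constructed from the users listed in the VM setup, and the exact DN matching rules (innermost matching OU, case-insensitive comparison) are assumptions.

```python
"""Simulation of the SafeBoot AD Connector group mapping configured in Lab 2.

Constructed example for the lab guide; it is not SafeBoot code and the DN
matching rules below are assumptions about how the connector behaves.
"""
from typing import Dict, List, Optional, Tuple

# Connector settings exactly as entered in the lab.
BASE_DN = "dc=InternalTraining,dc=Domain,dc=com"
SAFEBOOT_DOMAIN = "InternalTraining.Domain.com"   # suffix SafeBoot appends
GROUP_MAPPINGS: Dict[str, str] = {
    "OU=IT": "SafeBoot IT",
    "OU=HR": "SafeBoot HR",
}
DEFAULT_GROUP = "SafeBoot Users"                  # "If NO mapping exists"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (ATTRIBUTE, value) RDN pairs, innermost first.

    Backslash-escaped commas inside a value are kept; multi-valued RDNs are
    not needed for this lab and are not handled.
    """
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def in_search_base(dn: str, base_dn: str = BASE_DN) -> bool:
    """True when the DN sits at or below the connector's BaseDN."""
    parts = [(a, v.lower()) for a, v in split_dn(dn)]
    base = [(a, v.lower()) for a, v in split_dn(base_dn)]
    return len(parts) >= len(base) and parts[-len(base):] == base


def map_group(dn: str) -> Optional[str]:
    """Return the SafeBoot group for an AD user DN, or None if out of scope."""
    if not in_search_base(dn):
        return None
    # The lab maps on the attribute value "OU=IT" / "OU=HR". We take the
    # innermost matching OU, so a user nested in a sub-OU of IT still lands
    # in SafeBoot IT (assumption about the connector's matching).
    for attr, value in split_dn(dn):
        if attr == "OU" and f"OU={value.upper()}" in GROUP_MAPPINGS:
            return GROUP_MAPPINGS[f"OU={value.upper()}"]
    return DEFAULT_GROUP


def synchronize(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Build the SafeBoot user -> group list one connector run would produce.

    `entries` are (sAMAccountName, distinguishedName) pairs as read from AD.
    """
    result: Dict[str, str] = {}
    for sam, dn in entries:
        group = map_group(dn)
        if group is None:
            continue  # outside the BaseDN: the connector never sees it
        result[f"{sam}@{SAFEBOOT_DOMAIN}"] = group
    return result


# Constructed sample directory, based on the users described in the VM setup.
SAMPLE_USERS = [
    ("Liz.Shaw", "CN=Liz Shaw,OU=IT,DC=InternalTraining,DC=Domain,DC=com"),
    ("Admin.Daily", "CN=Admin Daily,OU=IT,DC=InternalTraining,DC=Domain,DC=com"),
    ("Rose.Tyler", "CN=Rose Tyler,OU=HR,DC=InternalTraining,DC=Domain,DC=com"),
    ("Student", "CN=Student,CN=Users,DC=InternalTraining,DC=Domain,DC=com"),
    ("Outsider", "CN=Outsider,OU=IT,DC=Other,DC=com"),   # outside BaseDN
]

if __name__ == "__main__":
    for user, group in synchronize(SAMPLE_USERS).items():
        print(f"{user:45} -> {group}")
```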

Creating Encryption keys:

To provide encryption for the content on any individual machine we must create a
policy and an encryption key which that policy uses to encrypt/decrypt content.
The first step in this process is to create an encryption key so that when we
create the policy, we can assign the key to it.

1. In the SafeBoot Administrator application, select the Policies tab.

2. Expand the branch Encryption Keys Groups.

3. Double click on the branch Encryption Keys.

4. Click the Add object button in the menu bar.

5. Name the key Client Key and leave the rest at the default settings.

6. Click OK.

Adding Content Encryption Policies:

Now that we have successfully configured a SafeBoot encryption key for our
client machine, let us now focus on the content itself by creating an encryption
policy. To do this we will need to create a Content Encryption Policy on either an
individual machine or group.

1. In the SafeBoot Administrator application, select the Policies tab.

2. Expand the branch Content Encryption Policy Groups.

3. Double click the Content Encryption Policies branch.

4. Click the Add Object in the menu bar.

5. Let us name this policy Client Policy. Type Client Policy in the text box.

6. Click OK.

7. Double click on the Client Policy icon.

8. Click on the Folders icon on the left.

9. Click the Add button.

10. In the Folder text box, type [DESKTOPDIRECTORY]\Encrypted.

11. Click the Select button next to the Key field.

12. Select Encryption Keys on the left.

13. Select Client Key on the right.

14. Click OK.

15. Check Encrypt/decrypt existing content.

16. Click OK.

17. Click Apply.

18. Click Close.

Adding the Content Encryption Policy to a User Group:

1. Now we will add this policy to a User Group. First, click on the User tab.

2. Right click on SafeBoot IT in the tree.

3. Click Properties in the drop down menu.

4. Scroll down and select the Policies icon on the left of the Properties window.

5. Click the Add button.

6. Expand the Content Encryption Policies tree until you find Client Policy.

7. Select Client Policy and click OK.

8. Click Apply.

9. Click Close.

Creating the Content Encryption Client installation Set:

To enable our new policies we must install the Content Encryption Client on the
machines or groups we wish to manage.

2. You should be in the SafeBoot Administrator application and located in the
Policies tab.

3. Verify that the Content Encryption Policies page is open and displays your
Client Policy.

4. Right click on the Client Policy entry.

5. Select Create install set.

6. Check the CE25: Content Encryption Client Files option.

7. Click Next.

8. In the Database connections section, select all available databases and
choose Next.

9. Check the box Automatically restart the computer.

10. Click Finish.

11. Click OK.

12. We must now distribute the CE installation file to our machine. To manually
do this, navigate to C:\Program Files\SBAdmin and locate sbCE.EXE.

13. Make sure you are logged into your Client-1 VM as the local Administrator,
password mcafee. If you are not, log in now. You may first need to log into
SafeBoot using CustomUser, password 12345.

14. Drag this file over to the desktop of your Client-1 VM.

15. Double click the sbCE.EXE file on your desktop.

16. Click Next.

17. If you are asked to reboot click Yes.

18. When the two SafeBoot login screens appear, use the following credentials:

a. User Name: CustomUser
b. Password: 12345

19. Log into the local machine using Administrator, password mcafee. Due to
our new encryption policy, you will have to log into SafeBoot an additional
time.

a. User Name: CustomUser
b. Password: 12345

20. Notice we have just installed the Content Encryption application but the
Device Encryption application has not yet synchronized with the SafeBoot
server. Let us do this now so that we can take advantage of the Active
Directory synchronization we configured earlier.

21. Right click the Device Encryption icon in your task bar and click
Synchronize.

22. Restart the client virtual machine.

23. This time let us log into the SafeBoot logins with:

a. User Name: Liz.Shaw@InternalTraining.Domain.com
b. Password: 12345

Notice that the password is not necessarily synchronized with Windows or Active
Directory.

24. Repeat steps 11-23 for the Client-2 VM.

Verify the Content Encryption Client installation:

1. Log on to Windows with your Active Directory user name and password:

a. User Name: Liz.Shaw
b. Password: McAfee123
c. Domain: INTERNALTRAININ

2. You should now see a SafeBoot login request. Use the SafeBoot login
credentials.

a. User Name: Liz.Shaw@InternalTraining.Domain.com
b. Password: 12345

3. Notice the lock symbol on the Encrypted folder on your desktop. Double
click this folder. If you do not see this icon, verify that your policy was created
successfully and the folders were named correctly, and then re-synchronize. All
content in this folder should be encrypted with 256 bit encryption.

4. Open the text file Encrypted.txt.

You have now verified the content inside the folder was encrypted and you have
accessed it using your SafeBoot user name.

Lab 3 Creating Policy

Creating a Policy Based on Human Resources Requirements

We will now create a SafeBoot policy strictly for Human Resources. Previously
in the labs we created a SafeBoot HR group and mapped it to our HR
organizational unit in Active Directory. Before we get started, let us determine our
requirements for this group.

I. We are only concerned with unauthorized users booting a computer and
therefore only one SafeBoot login before the Windows authentication is
necessary.

II. Only HR, Administrators and IT users should be allowed to log onto HR
machines.

III. When logging into SafeBoot, the user should be warned that the machine
is authorized for Human Resources only.

IV. All Human Resources employees must keep confidential data in their My
Documents\Confidential folder and it must be encrypted with 256 bit
encryption.

1. We will need to be in the Active Directory VM.

2. Go to the SafeBoot Administrator application on your start bar.

3. We will address requirement I first by removing unnecessary SafeBoot
logins. In the SafeBoot Administrator application, go to the Devices tab.

4. Double click on SafeBoot Machines.

5. Locate Client-2 and delete it. We will recreate this machine from scratch.

6. Click OK.

7. Click on SafeBoot Machine Groups.

8. Click the Create Group button in the menu bar.

9. Name the group HR Group and click OK.

10. Double click on HR Group.

11. Click the Add Object button in the menu bar.

12. Name this object HR Client.

13. Right click on the HR Client and click Properties.

14. Click the General icon.

15. Make sure Require SafeBoot Logon under the Windows Logon section is
unchecked and Boot Protection is turned on.

16. Click the Synch icon.

17. Fill in the address field with 192.168.208.102.

We will now address requirement II, only IT, Administrators and HR are
authorized to log onto the HR computers.

1. Click the Users icon.

2. Click the Add button.

3. Hold Ctrl and click, in the right-hand box, SafeBoot Administrators,
SafeBoot IT and SafeBoot HR.

4. Click OK.

To address requirement III we will display a warning text on the SafeBoot
logon screen. To do this, follow these steps.

1. Click the Warning Text icon.

2. In the Security Text screen type Only Human Resource employees are
authorized to use this computer!

3. Click Apply and then Close.

In order to ensure that the My Documents\Confidential folder is encrypted and
using 256 bit encryption we will have to use the Client key previously created, as
it uses this level of encryption. If we wish to, we can create a new key and use
up to 1024 bit encryption.

1. Go to the Policies tab.

2. Double click on Content Encryption Policies.

3. Click Add Object.

4. Name this Policy HR Policy.

5. Click OK.

6. Double click on HR Policy.

7. Scroll down to the Folders icon and select it.

8. Click the Add button.

9. In the Folder drop-down box, select [MYDOCUMENTS] and append
\Confidential.

10. Click the Select button.

11. Select Encryption Keys then Client Key.

12. Click OK.

13. Check Encrypt/decrypt existing content.

14. Click OK.

15. Click on the Users tab.

16. Double click on SafeBoot HR.

17. Right click on Rose.Tyler and click Properties.

18. Click on the Policies icon.

19. Click the Add button.

20. Expand Content Encryption Policies to the last branch.

21. Select HR Policy and click OK.

22. Click Apply and then Close.
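As an added illustration (not SafeBoot code) of how the Client Policy from Lab 2 and the HR Policy just created resolve on a client, the Python below expands the [DESKTOPDIRECTORY] and [MYDOCUMENTS] placeholders for a user's profile and reports which policy and key cover a given file path: Liz.Shaw receives Client Policy through the SafeBoot IT group, Rose.Tyler receives HR Policy directly. The Windows XP profile layout and the path matching rules are assumptions.

```python
"""Simulation of how the Content Encryption folder policies built in Labs 2
and 3 resolve for a given user and file path.

Constructed example for the lab guide, not SafeBoot code. The placeholder
expansion assumes the default Windows XP profile layout.
"""
import ntpath
from typing import Dict, List, NamedTuple, Optional


class FolderRule(NamedTuple):
    policy: str             # Content Encryption Policy name
    folder: str             # folder as typed in the policy, with placeholder
    key: str                # encryption key selected for the folder
    encrypt_existing: bool  # "Encrypt/decrypt existing content" checkbox


# Policies exactly as created in the labs (both use the 256 bit Client Key).
CLIENT_POLICY = FolderRule("Client Policy", r"[DESKTOPDIRECTORY]\Encrypted", "Client Key", True)
HR_POLICY = FolderRule("HR Policy", r"[MYDOCUMENTS]\Confidential", "Client Key", True)

# Assignments made in the labs: Client Policy on the SafeBoot IT group,
# HR Policy on the user Rose.Tyler. Group membership comes from the AD sync.
GROUP_POLICIES: Dict[str, List[FolderRule]] = {"SafeBoot IT": [CLIENT_POLICY]}
USER_POLICIES: Dict[str, List[FolderRule]] = {"Rose.Tyler": [HR_POLICY]}
USER_GROUPS: Dict[str, List[str]] = {
    "Liz.Shaw": ["SafeBoot IT"],
    "Rose.Tyler": ["SafeBoot HR"],
}


def expand_placeholders(folder: str, profile: str) -> str:
    """Replace SafeBoot folder placeholders with concrete profile paths.

    Assumes the Windows XP defaults: <profile>\Desktop and
    <profile>\My Documents.
    """
    subst = {
        "[DESKTOPDIRECTORY]": ntpath.join(profile, "Desktop"),
        "[MYDOCUMENTS]": ntpath.join(profile, "My Documents"),
    }
    for token, real in subst.items():
        folder = folder.replace(token, real)
    return ntpath.normpath(folder)


def effective_rules(user: str) -> List[FolderRule]:
    """Rules assigned to the user directly plus those of the user's groups."""
    rules = list(USER_POLICIES.get(user, []))
    for group in USER_GROUPS.get(user, []):
        rules.extend(GROUP_POLICIES.get(group, []))
    return rules


def rule_for_path(user: str, profile: str, path: str) -> Optional[FolderRule]:
    """Return the folder rule covering `path`, or None if it stays clear-text."""
    # Normalise ".." components and case, as Windows would, before matching.
    target = ntpath.normcase(ntpath.normpath(path))
    for rule in effective_rules(user):
        root = ntpath.normcase(expand_placeholders(rule.folder, profile))
        # Match the folder itself or anything beneath it. The trailing
        # separator stops a sibling such as "...\Encrypted2" from matching.
        if target == root or target.startswith(root + ntpath.sep):
            return rule
    return None


if __name__ == "__main__":
    liz = r"C:\Documents and Settings\Liz.Shaw"
    rose = r"C:\Documents and Settings\Rose.Tyler"
    print(rule_for_path("Liz.Shaw", liz, liz + r"\Desktop\Encrypted\Encrypted.txt"))
    print(rule_for_path("Rose.Tyler", rose, rose + r"\My Documents\Confidential\pay.xls"))
```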

We have now finished creating the Policies for our Human Resources machine.
We can test our setup by synchronizing the Client-2 machine to test the settings.

1. Go to your Client-2 VM.

2. If needed, login using Liz.Shaw@InternalTraining.Domain.com as the
SafeBoot login and Liz.Shaw as the active directory login.

3. Right click on the Device Encryption icon in the task bar.

4. Click the Synchronize button in the drop down menu and then restart the
computer.

5. When the SafeBoot login returns you should see our new Security text.

6. Log in as the HR user:

a. User Name: Rose.Tyler@InternalTraining.Domain.com
b. Password: 12345

7. When the Windows logon appears, log on with the following credentials:

a. User Name: Rose.Tyler
b. Password: McAfee123

8. Again, when you log into Windows the Content Encryption client will need
authentication as well. If this is desynchronized you will need to use the
following credentials.

a. User Name: Rose.Tyler@InternalTraining.Domain.com
b. Password: 12345

9. If prompted change the password to McAfee123.

10. Go to Start and click on your My Documents page.

11. Notice the Keyhole icon on the Confidential folder.

12. In some cases you may need to right click on the SafeBoot Content
Encryption icon on your task bar and log in. If you do not see the Keyhole
icon on the Confidential folder in My Documents, log in, and then right click
on the Device Encryption icon and click Synchronize.

Verify Content Encryption Policy and Keys

You can also verify the Content Encryption policy and keys that you have on the
local machine by using the Content Encryption client installed on the desktop.

1. Double click on the Content Encryption icon in your task bar.

2. Notice the tabs that are available to you. Click on the Keys tab.

3. This tab should show the current keys that are available for this user.

4. Click on the Policies tab.

5. Scroll down until you see User Encrypt/Folders. Notice the value of this
entry should indicate that the Confidential folder in My Documents should
be encrypted.

Lab 4 SafeBoot Clients

Single Sign-on
You can configure the SafeBoot Device Encryption client to attempt an
automatic Windows logon when you log on to SafeBoot.
1. Open the SafeBoot Administrator application, provide the administrator
login if required.
2. Click the Devices tab in the lower-left corner.
3. Expand the tree and double-click the SafeBoot Machines group.
4. Double-click the entry for Client-1 to view the properties for this machine.
5. Under the General category, in the options window, select Attempt
automatic Windows logon.
6. Click Apply.
7. Click Close.
Set SSO Details
If you know the network login credentials for a user, you can provide that
data to SafeBoot. This would be common in the case of new users.
1. In the SafeBoot Administrator application, click the Users tab in the
lower-left.
2. Expand the tree in the navigation pane and double-click the SafeBoot IT
users group.
3. Right-click the entry for Liz.Shaw@InternalTraining.Domain.com.
4. Select, Set SSO details from the context menu.
5. Enter the username, domain, and password used to authenticate with
Windows:
a. Liz.Shaw
b. InternalTraining.Domain.com
c. McAfee123
6. Click OK.
7. Switch to the Client-1 VM.
8. Right-click the SafeBoot DE SysTray icon and select Synchronize.
9. Restart the virtual machine.
10. Enter the SafeBoot login credentials.
a. Liz.Shaw@InternalTraining.Domain.com
b. 12345
11. If you are prompted for Windows credentials, login to Windows and then
restart the virtual machine and try again. SafeBoot may need to cache the
Windows credentials before SSO will take effect.
12. Restart the virtual machine again. Notice that the startup screen has
changed to the SafeBoot Device Encryption theme. Login using the
SafeBoot credentials for Liz Shaw (as listed above).
Full Disk Encryption with SafeBoot Device Encryption
1. On the Client-1 VM, right-click the SafeBoot (DE) System Tray
icon and select Show Status.
2. The SafeBoot Client Status window will appear. Note the disk
encryption status on the lower-right indicates no encryption has been
implemented.
3. Switch to the Active Directory VM and login to the SafeBoot
Administrator application.
4. Go to the Devices tab. Expand the tree and locate the SafeBoot
Machines group. Double-click to open.
5. Double-click the entry for Client-1 to view its properties.
6. Go to the Encryption category.
7. The current disk encryption settings are displayed. Notice that there
is no disk encryption enabled.
8. Click the Full button to enable Full Disk Encryption for Drive C.
9. Click Apply. Click Close.
10. Switch back to the Client-1 VM. Make sure the SafeBoot Client
Status window is still displayed. If not, right-click the SafeBoot icon and
select Show Status.
11. Right-click the SafeBoot icon and select Synchronize.
12. Note the synchronization messages in the status window.
13. Once synch is complete, the disk encryption status will change to In
Progress, and a bar displaying the disk encryption progress will appear.
Note the estimated time field. (Note: An 8Gb drive should take approx.
15-30 minutes to encrypt, in most cases.)
14. While the disk encryption is being performed, continue to the next
lab exercise. We will check back later to verify the encryption was
completed.
Using Explicit Encrypt / Decrypt with SafeBoot Content Encryption
Earlier we saw that SafeBoot Content Encryption can automatically encrypt files
based on the policies you defined. Content Encryption can also be configured to
allow end users to manually encrypt and decrypt files.

1. In the SafeBoot Administrator application, go to the Policies tab.

2. Double click on Content Encryption Policies.

3. Double-click the HR Policy to view its properties.

4. In the General category, under Explorer Integration, place check marks in
front of Allow explicit encrypt and Allow explicit decrypt.

5. Click Apply. Click Close.

6. Switch to the Client-2 VM.
7. Log in as the HR user:

a. SafeBoot User Name: Rose.Tyler@InternalTraining.Domain.com
b. Password: McAfee123
c. Windows User Name: Rose.Tyler
d. Password: McAfee123
8. Synchronize Client-2 using the SafeBoot System Tray icon command.
9. Once Synch is complete, restart the machine.
10. Login to Client-2 with the credentials listed above.
11. Right-click any file and notice the new options available under SafeBoot
Content Encryption: Encrypt and Decrypt.
12. Select Encrypt.
13. Select the HR Key.
14. An encryption status window will display briefly. Note the Keyhole icon that
has appeared on the file icon.
15. Open the file. Notice that the decryption of the file into memory is transparent
to the end-user. Close the file.
16. Right-click the file and select SafeBoot Content Encryption and then
Decrypt.
17. The Keyhole icon should disappear from the file icon, indicating that the file is
no longer encrypted.
Full Disk Encryption Follow-up
Check the Full Disk Encryption status of the Client-1 VM. If completed, note the new
encryption status displayed: Full. If the encryption has not completed, check back in
a few minutes.

Lab 5 User Recovery / webHelpDesk

Installing an SSL certificate

To successfully use the webHelpDesk we must first install an SSL certificate so
that we can communicate with the SafeBoot server via HTTPS. These can be
purchased from SafeBoot or other certificate vendors. To install an evaluation
SSL certificate, do the following:

1. Go to the Active Directory VM.

2. Click Start, then Run.

3. In the Run box type MMC.exe and press Enter.

4. Go to File and then Add/Remove Snap-in.

5. Click the Add button.

6. Locate and select Certificates in the list.

7. Click Add.

8. Select Service account and click Next.

9. Leave Local computer selected and click Next.

10. Select SafeBoot HTTP Server in the list.

11. Click Finish.

12. Click Close.

13. Click OK.

You should now see the new certificate snap-in in the MMC console. We will
now import the certificate located on your desktop into the
SafeBootHttpServer\Personal store.

1. Left click and select SafeBootHttpServer\Personal which is located under
the Certificates- Service branch.

2. Click on Action in the menu bar and click All Tasks.

3. Click on the import option in the drop down menu.

4. Click Next.

5. Click Browse.

6. Locate the HTTP Certificates folder on your desktop and double click it.

7. Change the Files of Type selection to include PFX files and then choose
127.0.0.1.pfx.

8. Click Open.

9. Click Next.

10. For the Password use 12345 and click Next.

11. Leave the default certificate store and click Next.

12. Click Finish.

13. Click OK.

14. Go to Start, Administrative Tools then select Services.

15. Locate the SafeBoot HTTP Server and click the Start link to the left.

Starting the webpage

1. Open Internet Explorer and type in the address bar https://127.0.0.1

2. When prompted about viewing a secure website, click OK.

3. At the Security Alert prompt click Yes.

4. You should now see the SafeBoot webHelpDesk.

You can use the SafeBoot webHelpDesk to let users reset their own password if
they have lost it, or an administrator can reset it for them. For a user to use
this feature they must first log onto the SafeBoot webHelpDesk using their
existing password and define a series of security questions to verify their
identity. To register, use the following steps.

1. Logon to Client-1 with your SafeBoot user name and password. (Note: Single
Sign-on should be enabled.)

a. User Name: Liz.Shaw@InternalTraining.Domain.com
b. Password: 12345
2. Launch Internet Explorer. Enter the address https://192.168.208.102. If you
receive a security certificate warning, choose Continue to this web site. Turn
off automatic Phishing filters if prompted.
3. On the SafeBoot webHelpDesk page click the User Web Recovery button.
4. For a new user click the Register button.

5. We will register security questions for
Liz.Shaw@InternalTraining.Domain.com. Currently the password is 12345.
Use these credentials to register and click logon.
6. Use the following questions and answers:

a. What is your Favorite Color? - Red
b. What is your favorite place? - Italy
c. What is your pet's name? - Waldo
7. Click Next.
8. The user has now registered for the SafeBoot Web Recovery tool.
9. In a normal environment, the user must connect to this webpage and supply
the Recovery Client Code. To retrieve this code open your Client-1 VM. If you
are not at a SafeBoot login, logout and re-log into the computer.
10. When you reach a SafeBoot Login dialog, cancel the login screen.
11. Click the Recover button.
12. Select the User Recovery option and type in the user name
Liz.Shaw@InternalTraining.Domain.com.
13. Click Next.
14. Notice the Recovery Client Code. This code is unique to this boot instance.
If the system is restarted the recovery code will change. Write down the
Recovery Client Code on a piece of paper.
15. Switch to the Client-2 VM.
16. Log in as the HR user:

a. User Name: Rose.Tyler@InternalTraining.Domain.com
b. Password: McAfee123
17. When the Windows logon appears, log on with the following credentials:

a. User Name: Rose.Tyler
b. Password: McAfee123
18. Launch Internet Explorer. Enter the address https://192.168.208.102. If
you receive a security certificate warning, choose Continue to this web site.
Turn off automatic Phishing filters if prompted.
19. From the SafeBoot Web Helpdesk home page, click the User
webRecovery button.
20. Click the Reset Password button.
21. Enter the Recovery Client Code from the Client-1 VM.
22. Click Next.
23. Provide the pre-registered responses as shown:
a. What is your Favorite Color? - Red
b. What is your favorite place? - Italy
c. What is your pet's name? - Waldo
24. Click Next.
25. Copy the Recovery Response code, line by line, onto a piece of paper.
26. Go to the Client-1 VM and click Next.
27. Enter the Recovery Response code, 1 line at a time. Click the Enter button
after each line entry. (Note, the response code is verified as each line is entered.)
28. Once you have entered all lines, click Finish.
29. Enter and confirm a new password. Use the password mcafee for this user.
30. Click OK. The password recovery operation success dialog appears. Click
OK.
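As an added illustration (constructed for this guide; it is not SafeBoot's own code or algorithm, whose internals are not documented here), the following Python model shows the shape of the recovery exchange just walked through: a Recovery Client Code generated fresh at each boot, a helpdesk that releases a response only after the registered answers match, and a response bound to that client code and split into lines that the client can check one at a time. The recovery secret, the four-line layout and the per-line check character are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a per-user recovery secret shared by client and
# helpdesk, and the security answers registered in the lab.
RECOVERY_KEY = b"constructed-per-user-recovery-secret"
REGISTERED_ANSWERS = {"What is your Favorite Color?": "Red",
                      "What is your favorite place?": "Italy",
                      "What is your pet's name?": "Waldo"}
LINES = 4  # assumed layout: the response is typed in four lines

def new_client_code():
    # Client side: fresh random challenge at every boot, so a response obtained
    # for one boot instance is useless after a restart.
    return secrets.token_hex(8).upper()

def _normalize(answer):
    return answer.strip().lower()

def answers_match(given):
    # Helpdesk side: compare each registered answer in constant time.
    return all(hmac.compare_digest(_normalize(given.get(q, "")), _normalize(a))
               for q, a in REGISTERED_ANSWERS.items())

def _line_check(line_no, body):
    # One check character per line lets the client reject a mistyped line at once.
    return hashlib.sha256(f"{line_no}:{body}".encode()).hexdigest()[0].upper()

def _expected_mac(client_code):
    return hmac.new(RECOVERY_KEY, client_code.encode(), hashlib.sha256).hexdigest().upper()

def helpdesk_response(client_code, given_answers):
    # Release a response only after the answers match, bound to this client code.
    if not answers_match(given_answers):
        return None
    mac, size = _expected_mac(client_code), 64 // LINES
    bodies = [mac[i * size:(i + 1) * size] for i in range(LINES)]
    return [body + _line_check(i, body) for i, body in enumerate(bodies)]

def client_verify_line(line_no, line):
    # Client side: check a single typed line before accepting the next one.
    return len(line) > 1 and line[-1] == _line_check(line_no, line[:-1])

def client_accept(client_code, lines):
    # Client side: every line must verify and the joined body must match this boot's challenge.
    if len(lines) != LINES or not all(client_verify_line(i, l) for i, l in enumerate(lines)):
        return False
    return hmac.compare_digest("".join(l[:-1] for l in lines), _expected_mac(client_code))
```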

Administrators can also be granted the ability to change user passwords.
Administrators and HelpDesk personnel can recover users by using the SafeBoot
Web Recovery (webHelpDesk) tool. SafeBoot Admins can also use the
SafeBoot Administrator application to perform these tasks.

1. Click on the Home link on the SafeBoot Web Recovery page in your Active
Directory VM.

2. Locate the Reset users Password button at the bottom of the page.
3. Log in using:
a. sbAdmin
b. mcafee
4. Use the User Name: Liz.Shaw@InternalTraining.Domain.com. Enter and
confirm the new password 12345.
5. Click Confirm.
6. You should receive the message "The password was successfully changed".
7. Login to the Client-1 VM SafeBoot logon screen with the new password
(12345) to ensure the recovery was successful.
