McAfee ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE User manual

McAfee® Endpoint Encryption
Enterprise Best Practices Guide
November 2009

Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Contents
INTRODUCTION  5
PURPOSE OF THIS GUIDE  5
RELEVANT PRODUCTS  5
SOLUTION ARCHITECTURE  6
DESIGN PHILOSOPHY  6
SERVER CONFIGURATION  7
BASIC SERVER REQUIREMENTS  7
RECOMMENDED SERVER HARDWARE  7
SERVER REDUNDANCY  8
HOT BACKUP DATABASES  8
CLUSTERING  8
LOAD BALANCING  8
SERVER AND OBJECT DIRECTORY OPTIMISATION  9
ENDPOINT TO SERVER COMMUNICATION - NETWORK LOAD ESTIMATION  9
ESTIMATING THE SIZE OF THE OBJECT DIRECTORY  9
TYPICAL GROWTH OF 5000 USER/MACHINE OBJECT DIRECTORY  10
VIRTUAL SERVERS  10
GLOBAL DEPLOYMENTS  11
OPTIMISATION ACTIONS  11
OPTIMISATION ACTIONS OVERVIEW  12
NAME INDEXING (DBCFG.INI)  13
WARNINGS  13
DBCFG.INI  13
GROUP SIZES  14
TCP/IP KEEPALIVETIME REDUCTION  15
LAST ACCESS TIME STAMP (NTFSDISABLELASTACCESSUPDATE)  15
WINDOWS SERVER AS A FILE SERVER  15
OBJECT DIRECTORY BACKUP TOOL SETUP  16
ANTIVIRUS SCANNER  16
WINDOWS PERFORMANCE  17
MANAGING AUDITS  17
FILE CACHE ON RAID HARD DRIVE CONTROLLER  17
CONNECTION SPEED  17
OBJECT DIRECTORY PHYSICAL LOCATION  18
OBJECT DIRECTORY ACCESS  18
SEARCHING FOR OBJECTS  18
CLEARING DELETED OBJECTS  18
SBSERVER.INI  18
OBJECT DIRECTORY MAINTENANCE  19
MAINTENANCE INTRODUCTION  19
ENVIRONMENT  19
AUDIT MAINTENANCE  19
EXTRACTING AND CLEARING AUDIT FROM THE DATABASE  19
CLEARING THE AUDIT  19
DELETED ITEMS CLEANUP  20
CHECKING FOR DATABASE CORRUPTION  20
WHY DOES THE DATABASE GET CORRUPTED?  20
ORPHANED OBJECTS  21
RESTORE COMMANDS  21
CLEANUP COMMANDS  21
DUMP MACHINE DESCRIPTION  22
USER OBJECTS - GENERAL PERFORMANCE TIPS  23
GENERAL ADVICE  24
DEFAULT PRODUCT SETTINGS (FOR MAXIMUM COMPATIBILITY)  24
THINGS TO AVOID  25
Introduction
Purpose of this Guide
When planning a large rollout of Endpoint Encryption v5, it is important to understand the process of scaling the back end Object Directory and the associated Endpoint Encryption Communications Server processes to meet requirements. This guide outlines the considerations around an Endpoint Encryption 5 implementation and suggests possible solutions.
The guide also discusses considerations on optimization and maintenance before and after implementation.
It assumes the reader has some knowledge of enterprise systems (configuration and management) and some knowledge of the Endpoint Encryption components (Endpoint Encryption Manager v5.x, Endpoint Encryption for PC v5.x and other McAfee Endpoint Encryption components) that will benefit from good practice and Object Directory optimization (see below).
This guide is a collation of the professional opinions of Endpoint Encryption certified engineers, and not an exact science. Because every implementation is unique, it is critical to understand both the product and the environment in which it is being used before arriving at any decision on implementation strategy.
Calculations and figures in this guide are based on field evidence, not theoretical system testing, and are our "best advice" at the time of writing.
We recommend you discuss your requirements with your McAfee representative. McAfee has wide experience in deploying real world implementations.
Thanks to all the authors who have contributed towards this guide.
Relevant Products
This guide discusses configuration and maintenance of the back end server components, Endpoint Encryption Manager v5.x together with its Object Directory, which manage and govern the following version 5 client components of Endpoint Encryption:
- Endpoint Encryption for PC (EEPC)
- Endpoint Encryption for Files and Folders (EEFF)
- Endpoint Encryption for Mobile (EEMO)
- Endpoint Encryption for Removable Media (EERM)
Other components that may benefit indirectly:
- Endpoint Encryption Scripting Tool
- Endpoint Encryption Reporting Tool
- Endpoint Encryption Object Directory Backup
However, the vast majority of the guide is concerned with Endpoint Encryption for PC, as optimizations of the Manager and Object Directory will make the most impact on this component.
Solution Architecture
Design Philosophy
McAfee Endpoint Encryption is a client/server application designed to be implemented with a simple, single server architecture. This single server hosts an encrypted database known as the Object Directory, and runs services to allow connections to the database from both the encrypted endpoints and the Management Center applications. Communication with the database occurs in a secure way (detailed descriptions are provided in the Management Center Administration Guide). This single server can host all components of the Management Center, even in enterprise environments.
While it is most common to implement the product with a single server, there are also other options. The components are modular and can be installed in a distributed way. For example, the Web Helpdesk component can be installed on a dedicated web server while the rest of the components are on a separate Endpoint Encryption Server. However, the majority of our implementations are done with a single server because this is usually the best approach.
NOTE: All recommendations in this guide assume a single server approach.
When reading the following sections, note that even though our recommendation may be to use a single server with Direct Attached Storage (DAS), a virtual server with NAS based storage is usable and will have some advantages in your environment for small numbers of endpoints, or with limited sync events and limited users per client. However, we advise against using such implementations and recommend you discuss your requirements with McAfee before implementation.
If the performance of the McAfee solution is below acceptable limits, migrating towards our recommendations is sure to bring improvement.
Server Configuration
Basic Server Requirements
The Endpoint Encryption Communications Server process runs under Microsoft Windows 2000/2003. Currently some customers report that it works well under Windows 2008; however, McAfee has not officially certified this. Please see the McAfee Knowledge Base article KB53698 for current information on supported environments.
The performance required depends primarily upon the number of concurrent connections an enterprise can experience and the number of concurrent object creation events. Real world implementations suggest the following minimum and recommended configurations.
Note that the term "Object Directory" used throughout this guide refers to the database or store for users, endpoints and other settings, and the files for Endpoint Encryption management.
Recommended Server Hardware
20 - 2,000 users/systems: minimum single server configuration
  - Dedicated server
  - 2 GHz dual core processor
  - 2 GB RAM
  - 4 GB free hard disk, RAID 1
  - 100 Mb network
  - A virtual or shared server can be used for low numbers. Please see the Virtual Servers section in this guide. Virtual hardware has to be of higher specification if resources are shared. See page 11.
2,000 - 5,000 users/systems: recommended single server configuration
  - Dedicated server
  - 2.4 GHz, 2 dual core or 1 quad core processor
  - 4 GB RAM
  - 4 GB free hard disk, RAID 5
  - 100 Mb network
5,000 - 50,000 users/systems: recommended single server configuration
  - Dedicated server
  - 3 GHz, 2 dual core / 1 quad core processor
  - 4 GB RAM
  - RAID 5, 10K RPM direct attached storage, 100 GB
  - Gigabit or 3 x 100 Mb network
50,000 - 150,000 users/systems: recommended single server configuration
  - Dedicated server
  - 3.0 GHz or higher, 2 quad core / 4 dual core (8 cores)
  - 6 GB RAM
  - RAID 5 direct attached storage, 15K RPM, 250 GB
  - Gigabit or 4 x 100 Mb network
The RAID mentioned refers to hardware RAID, not software. Enable caching on the RAID controller if possible, but ensure suitable UPS power is available.
Migrating an environment between hardware platforms is simple, so it is possible to start with a minimal configuration and later extend it to a higher configuration in accordance with performance monitoring and capacity planning.
NOTE: These may vary depending on other configuration settings.
Server Redundancy
It is risky to have a single physical server for your enterprise, even if you take regular backups. We recommend you take steps to expedite recovery from an outage in accordance with an established Business Continuity and Disaster Recovery (BCDR) plan.
Hot Backup Databases
Increase the redundancy of the system by replicating the Endpoint Encryption Object Directory to a second physical server. A dedicated replication tool, "Object Directory Backup", which is optimized to follow the change log of an Endpoint Encryption v5 Object Directory, is supplied with the product suite.
In this case set up a resilient system using two physical boxes, both hosting Endpoint Encryption Servers, one hosting the master ODB and the other holding a hot backup. In case the master server fails, the Endpoint Encryption Server on the second (backup) box can be restarted in "master" mode. Then rebuild or replace the affected machine and create a new master.
The ODB Backup utility can also be used to make regular backups of the ODB, giving further recovery options in case of a disaster. This method, however, requires manual interaction to start the failover.
A Hot Backup document discussing this scenario is available.
Clustering
Fully automated failovers for applications usually employ a cluster server environment. Although the McAfee Endpoint Encryption Object Directory and Manager can run on a cluster, we recommend against using 'shared' resources where possible. As per McAfee KB53698, the Windows Cluster environment has not been fully tested by engineering at this time.
Load Balancing
Given that the best configuration is usually a single high performance server with DAS, the least optimal way to perform clustering is to put the Object Directory on a network share (NAS) and then install the Management Center on two servers which access the share simultaneously.
NOTE: The latter will function, but it will be significantly detrimental to server performance.
You should note that if you use special load balancing switches to split network load, you should set them to allow each client's active connection to stay with the same switch throughout the sync event (and not split/distribute each packet during a single sync).
Making remote connections to the database is slower than local connections, so this design is often too slow to work effectively.
If DAS is not used and there are issues such as performance or object corruption (especially as object numbers in the McAfee Endpoint Encryption Object Directory increase), McAfee support will recommend moving to DAS and a high performance dedicated server.
If a SAN is the only option available, please note that SAN arrays can prioritize the connections to the physical box in what is known as Tier levels. Tier 1 is the highest priority, Tier 3 is the lowest. McAfee Endpoint Encryption needs optimal disk access, so would need Tier 1 priority with dedicated LUNs to provide the highest speed connection. This is necessary for full and prompt service synchronization requests and administration, and avoids corrupted databases, objects and clients and slow administration performance. Running on SAN is not recommended, but if it must be done, then the connection must be Tier 1.
Server and Object Directory Optimisation
Endpoint to Server Communication - Network Load Estimation
Endpoint Encryption network traffic is easiest to consider in terms of "synchronization events". Each time a system starts it tries to connect to a designated EEPC database communication server and update its profile. It may also (depending upon configuration) try to connect periodically. In large deployments, the first step in estimating the network load caused by Endpoint Encryption is to estimate the peak number of concurrent synchronization events. This is related to the users' working practices. For example, if 2000 users switch their systems on at 9 A.M., the "9 A.M." effect can be diluted by setting the optional boot sync delay and offset times to spread the load across, for example, one hour.
Once peak flow is estimated, double it to give some safety, then work on an estimate of 7 KB per user per sync (this is a very high approximation based on a total update of the user every two sync events). A typical Windows server, in our experience, can accept 100 connections per second per server, with a default maximum wait time of 30 seconds for pending connections.
The maximum capability of a single Communications Server, taking the capacity of the network to be 100 Mbps (1 million bits per second), is 20 synchronizations of data a second. A Windows server OS can establish connections about every 10 ms, and can handle unlimited connections (although eventually it will run out of clock cycles and memory).
Once established, a connection can take an unlimited amount of time to finish, though the default timeout on establishing a connection is 30 seconds. If there are more than 100 attempted connections per second, the queue cannot be longer than 3,000 connections.
The default settings of the Communications Server limit the queue to 200 entries (a balance between taking connections and processing connections). After that point, the connections are refused. This is a reasonable "real world" setting. As long as the profile of the system is set to retry the connection after, for example, four hours, there is no loss of function. Setting the queue length to more than 1500 can result in poor performance from the server as it tries to service so many connections.
In real terms we can say that, as a general maximum case, the Endpoint Encryption Server is limited to 100 connections per second with a sustained load. Saturation in our experience is reached when there are more than 1400 synchronization events per minute (1200 accepted and processed, 200 queued). Achieving this load in the real world requires a massive, badly planned and configured population of systems. Current customers with 40,000+ installations rarely exceed the 200 concurrent connection points, most of which are administrators performing configuration changes.
The operating system or disk controller caches most of Endpoint Encryption's database, so eventually the common files will be supplied from RAM rather than across the connection to the database host, or from disk.
Using the compressed version of the database can improve performance by a small amount; however, it is mainly useful when corporate backup software has difficulty archiving the database.
This rough calculation tells us that we need one Endpoint Encryption Server per 1400 events a minute as a minimum; however, experiencing the system in action will give true feedback. It is often the case that modern hardware outperforms paper estimations.
Estimating the Size of the Object Directory
The base size of an Endpoint Encryption 5.x Object Directory is around 150 MB. As you add new users and systems, the ODB grows accordingly. It also grows in size as systems synchronize and upload audit information.
An Object Directory with 5000 users and 5000 systems could be expected to grow as follows:
Typical Growth of a 5000 user/machine Object Directory
Day    Data Size    Approx. Disk Space Used
1      83 MB        143 MB
5      89 MB        143 MB
20     204 MB       403 MB
50     396 MB       745 MB
100    747 MB       1050 MB
365    2455 MB      3900 MB
Users and systems are the most prevalent object types in a large database. Typically, on creation, these types of objects take 4000 bytes. A day's audit adds around an additional 700 bytes of data per object. Although these figures are very small, because of wasted space on the Object Directory Server's hard disk, the actual disk size occupied by the Object Directory can be 4x larger or more.
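As an added worked example (not code from the guide), the sizing rules of the two sections above are collected into a small Python capacity-planning module: the 100 connections per second and 1400 events per minute limits, the 200-entry default queue and 30 second pending wait, the 7 KB per sync estimate with the 2x safety factor, and the 4000 bytes per object plus 700 bytes per object per day of audit. The constants are the guide's figures; the function names, the 1024 x 1024 byte megabyte and the decision to derive bandwidth from the 7 KB figure rather than from the "20 synchronizations a second" statement are assumptions of this example.

```python
"""Capacity-planning helpers built from the guide's rules of thumb (added
example; the constants are the figures quoted in the text, everything else is
an assumption of this example)."""
import math

BYTES_PER_SYNC = 7 * 1024             # 7 KB per user per sync (high estimate)
SAFETY_FACTOR = 2                     # "double it to give some safety"
MAX_CONN_PER_SEC = 100                # sustained limit of one Communications Server
PENDING_WAIT_SEC = 30                 # default wait for pending connections
SATURATION_EVENTS_PER_MIN = 1400      # 1200 processed + 200 queued per minute
QUEUE_DEFAULT = 200                   # SBServer.ini [Connections] Max=200
BYTES_PER_OBJECT = 4000               # user/system object size on creation
AUDIT_BYTES_PER_OBJECT_DAY = 700      # audit growth per object per day
MB = 1024 * 1024


def peak_sync_rate(boot_users, spread_minutes):
    """Sync events per minute when `boot_users` machines start within
    `spread_minutes` (boot sync delay/offset spreading a 9 A.M. surge),
    with the guide's 2x safety margin applied."""
    if boot_users < 0 or spread_minutes <= 0:
        raise ValueError("boot_users must be >= 0 and spread_minutes > 0")
    return boot_users * SAFETY_FACTOR / spread_minutes


def servers_needed(events_per_minute):
    """Communications Servers required at one per 1400 events a minute."""
    return max(1, math.ceil(events_per_minute / SATURATION_EVENTS_PER_MIN))


def sync_bandwidth_mbps(events_per_minute):
    """Network load in Mbit/s at 7 KB per sync (decimal megabits)."""
    return events_per_minute * BYTES_PER_SYNC * 8 / 60 / 1_000_000


def queue_overflow(events_per_minute, queue_max=QUEUE_DEFAULT):
    """Return (excess connections per second, overflow flag).  Connections
    above 100/s wait in the queue; if more arrive during the 30 s pending
    window than `queue_max`, the surplus is refused and must retry later."""
    excess = max(0.0, events_per_minute / 60 - MAX_CONN_PER_SEC)
    return excess, excess * PENDING_WAIT_SEC > queue_max


def odb_growth_mb(objects, days):
    """Data added by `objects` users/systems after `days` of audit, on top of
    the ~150 MB base directory: 4000 B each plus 700 B per object per day."""
    if objects < 0 or days < 0:
        raise ValueError("objects and days must be >= 0")
    return objects * (BYTES_PER_OBJECT + AUDIT_BYTES_PER_OBJECT_DAY * days) / MB


def odb_disk_mb(objects, days, overhead=4.0):
    """Disk footprint allowing for small-file waste.  The guide says the real
    footprint can be 4x or more; its sample table shows about 1.4x to 1.7x,
    so the factor is a parameter."""
    return odb_growth_mb(objects, days) * overhead


def sizing_report(users, systems, boot_users, spread_minutes, days=365):
    """Summarise the estimates for one deployment as a dict."""
    rate = peak_sync_rate(boot_users, spread_minutes)
    excess, overflow = queue_overflow(rate)
    return {
        "peak_events_per_min": round(rate, 1),
        "servers_needed": servers_needed(rate),
        "peak_mbps": round(sync_bandwidth_mbps(rate), 3),
        "queue_overflow": overflow,
        "odb_growth_mb_1y": round(odb_growth_mb(users + systems, days), 1),
        "odb_disk_mb_1y": round(odb_disk_mb(users + systems, days), 1),
    }


if __name__ == "__main__":
    # Constructed scenario: 5000 users and 5000 systems, 2000 of which boot
    # at 9 A.M. with the boot sync spread over one hour.
    for key, value in sizing_report(5000, 5000, 2000, 60).items():
        print(f"{key:>22}: {value}")
```

Run with a realistic boot population and spread to see how far the estimate sits below the 1400 events a minute saturation point; the queue check reproduces the text's "more than 100 attempted connections per second" case, where the surplus over 30 seconds exceeds the 200-entry queue and connections are refused until the client retries.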
Virtual Servers
McAfee Endpoint Encryption Manager can be run from a virtual server for lower numbers of endpoints. McAfee recommends physically dedicated hardware for high numbers of endpoints.
Performance of virtual systems is dependent on many factors that can significantly affect the overall product performance when compared to physically dedicated hardware. High speed access to the data within the Object Directory is required and must be carefully considered and evaluated in a virtual server environment.
Current testing of virtual servers running EEPC operates within a set number of database objects. McAfee's experience shows that performance issues arising from the use of virtual servers are a result of:
- Lack of resources dedicated to the virtual server.
- Dynamically assigned resources to the virtual server, which starve it of the necessary performance during peak periods.
- Slow or reduced disk access, resulting in slower access to the Object Directory.
McAfee supports the use of virtual servers running the administrative functionality of EEPC provided the appropriate resources are fully dedicated to the virtual server at all times. If performance problems are experienced, the resources available to the virtual server need to be increased. Please refer to the recommended server specifications as the minimum resources fully assigned to the virtual server at all times. These resources apply to the specific image, and not to the overall resources of the host.
Customers need to follow the recommendations of McAfee Support and raise a support ticket for issues related to a virtual server. These recommendations can vary from tweaking server and machine settings as specified in this guide all the way to moving the EEPC management environment to physical hardware as a last resort, if necessary.
By engaging McAfee professional services, they will assist you in adequately scoping your deployment hardware needs and can recommend a best practices approach.
As the technology is evolving and better VM farms are coming online, virtual hardware support for greater numbers should be possible. Please see McAfee KB65747 for more information.
This will be reviewed for the next major release (version 6.0, ePO integrated).
Global Deployments
The single server approach works well as long as the endpoints can make and sustain a TCP/IP connection to the server. Depending on the quality of the WAN link, some global deployments will require multiple servers. Each of these is essentially its own environment, with its own Object Directory. Many customers have one server in each region: one for North America, one for Europe and Africa, and one for Asia. To determine whether this multi-server strategy is necessary, it is better to include endpoints from all regions in the pilot phase.
Optimisation Actions
NOTE: These are generic recommendations based on experience but may not always be suitable for your entire specific environment. For database maintenance and performance, it is always recommended you engage McAfee professional services prior to implementing these suggestions.
The Object Directory is small in size, but contains a high number of files. For example, a typical 10,000 node deployment has 1.7 million files in its Object Directory. For optimal performance, we must configure the operating system and the hardware to provide fast access to lots of small files.
Optimisation Actions Overview
McAfee generally recommends the following actions (most of which are described in more detail later):
- Optimize hard disks for I/O performance. As above, 15K RPM disks are the best. The disks should be in a RAID 5 array with a controller, with the maximum amount of cache available. UPS backup is recommended. See chapters above.
- Use DAS rather than a network location (SAN/NAS). See chapters above.
- Enable indexing of the Object Directory with dbcfg.ini.
- Keep the number of objects per group to a minimum within the Object Directory and minimize the number of users assigned to clients. Also, a less aggressive sync policy for clients can ease server load.
- Reduce the TCP/IP KeepAliveTime to five minutes.
- Disable the NTFS Last Access Update with a registry change.
- Increase the size of the NTFS Master File Table (MFT) with a registry change.
- Optimize backups.
- Exclude the Object Directory and the associated services from virus scans.
- Set the Windows server performance settings to background services and system cache.
- Manage audits.
- Use hard drive controller caching.
- Use good network connections to Object Directory servers.
- Store the Object Directory (usually stored in the SBDATA folder) on a separate drive or partition to the OS.
- Don't allow the database to be shared.
- Check that every administrator goes through the EEPC Database server, not directly through a local connection.
- Limit the use of the 'Find' function in 20K+ databases during normal working hours as it can slow access.
- Clear objects from Deleted Items regularly when not needed.
- Increase max connections in SBServer.ini (in some cases).
Name Indexing (DBCFG.INI)
Name indexing should be enabled on all databases, especially those with over 1000 endpoints or users. It will be noticeably faster and improve performance.
To do this, create a basic text file called DBCFG.INI, copy it to the SBDATA folder (assuming the default location for the Object Directory) and edit it as below.
Warnings
- Do not use Single File mode as shown in the options below. It can be used for small databases but is not recommended as it can be much slower.
- The Find function does not use the name cache and therefore searches the complete database sequentially.
DBCFG.INI
Sections are added, defined by [], with the options in each section added as below.

[NameIndex]
Enabled=Yes
This must be set to "Yes" for the name index/caching to be used by programs running against this directory.

LockTimeout=3000
This option controls how long the process will retry access to the index file if it is locked. You can decrease this value if the administrator experiences long waiting times during installation, for example to 1000; however, do this only in databases smaller than 5000 systems. Otherwise you find the number by multiplying the number of users or systems in the database by 0.6.
Example: If the number of users in the database is 10,000, the LockTimeout should be 6000.
The default value is 3000.
The value is in 100ths of a second.
In case of multiple servers, the timeout can be exceeded due to many simultaneous connections. In that case the value needs to be increased to 30000.

LockSleep=10
This option controls how long the process will sleep (wait) before retrying to open a locked file. The value is in 1000ths of a second. In case of multiple servers, the lock sleep might need to be increased due to many lock timeouts. In that case the value needs to be increased to 100 or even 1000.

HashCount=16
This option controls how many "buckets" the hash of the name is split into. It should be between 1 and 256 (default 16). Generally, a good value can be calculated by taking the square root of the number of users. However, for optimal performance this value should be tuned by testing.

MinEntrySize=16
This is the minimum space to allocate per object name in the index file. The default of 16 is a good value if the names do not exceed 16 characters. You do not need to specify the value if the names do not exceed 16 characters.

LifeTime=86400
The time (in seconds) for which the index will be used before it is automatically recreated when somebody logs on to the database. The default is 30 minutes but is never recommended. A value of zero means that it never expires automatically, and the value of 86400 means one day.
A value of zero gives you full control, but this setting needs a separate process to recreate the index. This could be a simple batch file that runs overnight, removes the index files and forces a recreate. This can sometimes produce the best result and performance.
Recreation of the index files will cost performance. It will cause the logon to be delayed for quite some time depending on database size and performance, and can cause issues if the creation of systems occurs during this rebuild time. Therefore, depending on the size of the database, it is recommended this process is set to run very early in the morning. For example, remove the name* files in the SBDATA 00000001 and 00000002 folders through a script early in the morning, at 2 A.M. Following that, run an admin logon using the command line tool (SBADMCL) and perform a command such as getcounts through a script to rebuild the cache early, before the systems synchronize.
You can use a batch file for this; one example is called RecreateCache.bat. Examples of scripts are in the optional EEPC Tools download, or available from your McAfee representative.

[Attribs]
SingleFile=No
If this is set to Yes, the attributes for objects will be placed into a single file instead of each one having its own file. Not generally used: although it simplifies and speeds up backup, this will make the database twice as slow!

AutoConvert=No
If this is set to Yes and SingleFile is also set to Yes, then attributes are automatically converted to a single file when the object is opened for writing. Otherwise, only new objects will have their attributes in a single file.
NOTE: Attributes are not converted until they are opened for writing. Again, this can produce fewer files per object to aid backups but is slightly less resilient to failure.

[Tracking]
ObjectChanges=No
Object change tracking for the backup tool might decrease the performance of the database by about 100%, thus it is not recommended to use this in big environments.
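The tuning rules above (LockTimeout from 0.6 x the user or system count once a database exceeds 5000 objects, or 30000 with multiple servers; HashCount from the square root of the user count, clamped to 1..256; MinEntrySize raised only when names exceed 16 characters; SingleFile, AutoConvert and ObjectChanges left at No) can be turned into a generator for DBCFG.INI. The following is an added example, not a McAfee tool: the keys and values are those documented above, while the function names, the `multiple_servers`, `small_db_fast` and `longest_name` parameters, and the choice to apply the 0.6 rule to the larger of the user and system counts are assumptions of this example.

```python
"""Generate DBCFG.INI for the SBDATA folder from the guide's tuning rules
(added example, not McAfee tooling)."""
import configparser
import io
import math
import os


def lock_timeout(users, systems, multiple_servers=False, small_db_fast=False):
    """LockTimeout in 1/100 s.  Default 3000; 1000 may be used for databases
    under 5000 systems when admins see long waits at install time; above
    5000, 0.6 x the larger of the user and system counts (10,000 -> 6000);
    30000 when several servers hit the index at once."""
    if multiple_servers:
        return 30000
    largest = max(users, systems)
    if largest > 5000:
        return int(round(largest * 0.6))
    return 1000 if small_db_fast else 3000


def lock_sleep(multiple_servers=False):
    """LockSleep in ms: 10 by default, raised (100 or even 1000) for multi-server."""
    return 100 if multiple_servers else 10


def hash_count(users):
    """HashCount starting point: sqrt(users), clamped to the 1..256 range
    (the guide says to tune it by testing afterwards)."""
    return max(1, min(256, int(round(math.sqrt(max(users, 1))))))


def min_entry_size(longest_name):
    """Keep the default 16 unless object names exceed 16 characters."""
    return max(16, longest_name)


def build_dbcfg(users, systems, longest_name=16, multiple_servers=False,
                lifetime=86400, small_db_fast=False):
    """Return the INI text.  SingleFile/AutoConvert stay No (single-file mode
    halves speed) and ObjectChanges stays No (tracking costs about 100%)."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str          # preserve key case, e.g. LockTimeout
    cfg["NameIndex"] = {
        "Enabled": "Yes",
        "LockTimeout": str(lock_timeout(users, systems, multiple_servers, small_db_fast)),
        "LockSleep": str(lock_sleep(multiple_servers)),
        "HashCount": str(hash_count(users)),
        "MinEntrySize": str(min_entry_size(longest_name)),
        "LifeTime": str(lifetime),  # 86400 = one day; 0 = manual rebuild only
    }
    cfg["Attribs"] = {"SingleFile": "No", "AutoConvert": "No"}
    cfg["Tracking"] = {"ObjectChanges": "No"}
    out = io.StringIO()
    cfg.write(out, space_around_delimiters=False)
    return out.getvalue()


def write_dbcfg(sbdata_dir, **kwargs):
    """Write DBCFG.INI into the Object Directory folder (default SBDATA),
    with Windows line endings."""
    path = os.path.join(sbdata_dir, "DBCFG.INI")
    with open(path, "w", encoding="ascii", newline="\r\n") as fh:
        fh.write(build_dbcfg(**kwargs))
    return path


if __name__ == "__main__":
    # The guide's worked example: 10,000 users gives LockTimeout=6000.
    print(build_dbcfg(users=10000, systems=10000))
```

Generate the file once per environment, copy it into SBDATA, and then adjust HashCount by measurement; the generator only gives the documented starting point.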
Group sizes
The size of a user group or systems group should not be too big. A user group of 5000 can take 20 seconds or more to open even on a fast server. We recommend keeping the size under 2000. Optimally, 1000 or less will work well in many cases for faster access to groups on any server.
Also, assigning a large group of users directly to a client can have performance implications (network/server performance, slow client boot up and sync times and installation processes), so smaller groups are better. Users can be assigned individually too. The fewer users assigned the better, from a security perspective. See the User Objects General Performance Tips section later.
TCP/IP KeepAliveTime Reduction
Reduce this setting on all EEPC servers from two hours (the default) to five minutes. The server will require a restart. Once this is done, if an endpoint client loses the connection with the server, the server will release the lock after approximately 5 minutes. This will also prevent broken remote sbadmcl connections from locking the scripting user account for 2 hours.
Procedure
1. Open Regedit.
2. Go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
3. Open or create the DWORD KeepAliveTime.
4. Change the value to 300000 in decimal (time in milliseconds).
Extra info
The KeepAliveTime setting controls how often keepalive packets are sent, in milliseconds (300,000 is recommended). It controls how often TCP sends a keepalive packet to verify that an idle connection is still intact. If the remote computer is still reachable, it acknowledges the keepalive packet.
MS KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;324270#EQACAAA
Key: Tcpip\Parameters
Value Type: REG_DWORD (time in milliseconds)
Valid Range: 1 - 0xFFFFFFFF
Default: 7,200,000 (two hours)
NOTE: A similar setting, KeepAliveInterval, has a default of 1000 (= 1 second); this setting is correct, so do not change it.
Last Access Time Stamp (NtfsDisableLastAccessUpdate)
With large databases, it is possible that some groups may become overpopulated. When a large group is opened (for example one with over 5000 users), it can take some time to open. To reduce hard disk read and write time, a registry setting can be set to prevent the Last Access timestamp from being updated on every file access. The performance boost will be about 50%! A restart is needed after the change.
Procedure
1. Open regedit.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem.
3. Create a new DWORD value, or modify the existing value, named "NtfsDisableLastAccessUpdate" and set it to "1".
Microsoft article: http://technet2.microsoft.com/WindowsServer/en/library/80dc5066-7f13-4ac3-8da8-48ebd60b44471033.mspx?mfr=true
Windows Server as a File Server
Tune the Microsoft Windows 2003 server to be a file server. See the Microsoft article http://support.microsoft.com/kb/174619 about this.
Theory
Increase the NTFS MFT (Master File Table, the successor of the FAT) to 50% of the disk space. The result is that small files are stored in the MFT and not as separate files in the NTFS. This helps a lot because we have thousands of small files.
Procedure
1. Open Regedit.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem.
3. In the right pane, look for the DWORD named NtfsMftZoneReservation.
4. If it exists, change the DWORD to 4.
5. If it does not exist, create a new DWORD NtfsMftZoneReservation in the registry and set its value to 4.
Extra info
The default value for this key is 1. This is good for a drive that will contain relatively few large files. Other options include:
2 - Medium file allocation
3 - Larger file allocation
4 - Maximum file allocation
Unfortunately, Microsoft doesn't give any clear guidelines as to what distinguishes Medium from Larger and Maximum levels of files. Suffice it to say, if you plan to store lots of files on your workstation, you may want to consider a value of 3 or 4 instead of the default value of 1.
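The three registry changes above (KeepAliveTime, NtfsDisableLastAccessUpdate and NtfsMftZoneReservation) can be applied and verified in one step with a .reg file. The following is an added example, not part of the guide: it builds that file from the key paths and values quoted in the three procedures, validates each value against the documented range, and parses a `reg export` of the same keys back so a server's current values can be compared with the recommendation. The function names and the drift-report format are my own; a restart is still required after importing, as the text states.

```python
"""Build a .reg file for the three tuning values and compare an exported
.reg against them (added example, not from the guide)."""

TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
FILESYSTEM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"

# (key, value name) -> recommended DWORD, as quoted in the guide
RECOMMENDED = {
    (TCPIP_PARAMS, "KeepAliveTime"): 300000,            # 5 min in ms; default 7,200,000
    (FILESYSTEM, "NtfsDisableLastAccessUpdate"): 1,     # stop last-access updates
    (FILESYSTEM, "NtfsMftZoneReservation"): 4,          # maximum MFT zone
}

# Valid ranges from the text: KeepAliveTime 1..0xFFFFFFFF, MFT zone 1..4
RANGES = {
    "KeepAliveTime": range(1, 0xFFFFFFFF + 1),
    "NtfsDisableLastAccessUpdate": range(0, 2),
    "NtfsMftZoneReservation": range(1, 5),
}


def validate(name, value):
    """Reject values outside the documented range for that value name."""
    if name in RANGES and value not in RANGES[name]:
        raise ValueError(f"{name}={value} is outside the valid range")
    return value


def build_reg(settings=RECOMMENDED):
    """Render settings as Regedit 5.00 text; DWORDs are written as 8 hex digits."""
    by_key = {}
    for (key, name), value in settings.items():
        by_key.setdefault(key, []).append((name, validate(name, value)))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=dword:{value:08x}' for name, value in values)
        lines.append("")
    return "\r\n".join(lines)


def parse_reg(text):
    """Parse the [key] / "name"=dword:hex subset that `reg export` writes
    into {(key, name): int}; other value types and comments are skipped."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=dword:" in line:
            name, hexval = line.split("=dword:", 1)
            result[(current, name.strip().strip('"'))] = int(hexval, 16)
    return result


def drift(exported_text, expected=RECOMMENDED):
    """Values missing or different from the recommendation, as
    {(key, name): (expected, actual or None)}; an empty dict means compliant."""
    actual = parse_reg(exported_text)
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}


def save_reg(path, settings=RECOMMENDED):
    """Write the file as UTF-16, which Regedit 5.00 expects; apply it with
    `reg import <path>` and then restart the server."""
    with open(path, "w", encoding="utf-16") as fh:
        fh.write(build_reg(settings))
    return path


if __name__ == "__main__":
    print(build_reg())
```

To check a server before and after the change, export both keys with `reg export` (the output is UTF-16, so open it with `encoding="utf-16"`), pass the text to `drift()`, and treat any non-empty result as a setting still to apply.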
Object Directory Backup Tool Setup
If you set up your Object Directory backup tool, make sure it is not running too many times a day, because the time in between runs will be too short. This will cause the tool to run constantly, causing overload. Do not use the object change tracker in a big database. It will decrease the database speed by about 100%!
Anti Virus Scanner
It is not necessary to use a virus scanner on the database (SBDATA). Most of the data is encrypted, so there is nothing to be scanned, and scanning will reduce performance considerably. Switch off any scanning of SBDATA on the EEPC Database server. Also, exclude the SbDbServer executable from scanning.
Also, if your Anti Virus program has high risk/low risk process detection, marking all the EEM/EEPC main executables on the server as low risk and disabling scanning on reads/writes may help further (see screen shots).
Example setup using McAfee VSE 8.5:
[Screen shots of the McAfee VSE 8.5 exclusion setup are not reproduced here.]

Windows Performance
By default the Windows performance settings are set to 'Applications'. However, testing should define the best setting. The recommended settings under Control Panel, System, Advanced, Performance are:
  Let Windows choose what's best for my computer
  Under Advanced:
    Background services
    System cache
Opening a test group with more than the recommended number of objects (for example 5000) can be a good test, using the EEPC server connection (not a local connection). Another test is to create and delete 100 users and systems using the command line tool SBADMCL through a test batch file.
Managing Audits
The audit of the users and systems can slow down the database. It is recommended you schedule the EEPC command line tool SBADMCL to clean up the machine audit and the user audit. See the Endpoint Encryption Object Directory Maintenance section below.
File Cache on RAID Hard Drive Controller
Let the Object Directory host server have the largest possible file cache on the RAID hard drive controller. This hardware device will increase the file access speed dramatically.
NOTE: If cache is enabled on RAID controllers, use UPS backup for power failure protection, because a power failure can lead to data loss as writes may still be held in cache.
Connection Speed
The speed between the remote servers and the file servers is crucial. Make those connections dedicated high speed connections, e.g. Gigabit Ethernet or Fibre. It is usually recommended you have a single server located on the same dedicated server, rather than multiple EEPC Database servers connecting in from remote server systems.
Object Directory Physical Location
Consideration should be given to the location of the Object Directory.
The default final folder for the Endpoint Encryption Object Directory is a folder called SBDATA. If possible, use a separate fixed drive or partition to the OS, for example OS and application on C:, database on D:. This is usually decided at the time of initial installation and can be modified at another time.
Object Directory Access
Check that every administrator that needs to log on to the Object Directory goes through the Endpoint Encryption Database server, not directly through a local connection. Where possible, do not allow the database to be shared.
Searching for Objects
Limit the use of the Find function in 20K+ databases during normal working hours as it can slow access for other systems and user objects. An alternative is to work on a recent copy of the Object Directory to perform searches, and once the location is found, navigate to it directly in the live Object Directory.
Clearing Deleted Objects
Clear objects from Deleted Items regularly when not needed. Deleted Items are folders containing old deleted users, systems, and other objects and are found through the System tab in the Endpoint Encryption Manager. These objects can slow searches down. If these objects are needed for auditing, they will need to be retained by first backing up the whole database (SBDATA folder) and then storing it, dated, carefully for that purpose. Then empty the Deleted Items from the current live database to help speed of access. See the more detailed Object Directory Maintenance section below.
SBSERVER.INI
This file is found in the main installation folder for your Endpoint Encryption Manager. It can be used to adjust the maximum number of connections the Endpoint Encryption server will accept and the behavior when the maximum is reached.
SBServer.ini contents:
[Connections]
Max=200
AcceptAtMax=No
The default settings are usually fine for most implementations, but Max=200 can be set to a higher value depending on the number of incoming connections. This should only be changed if the server has a high specification and it is recommended by a McAfee Endpoint Encryption consultant. In addition, this would need to be tested to determine whether it improves sync events and server load. (Please see the Endpoint Encryption Manager Administration Guide supplied with Endpoint Encryption Manager for further details on SBServer.ini.)
Object Directory Maintenance
Maintenance Introduction
To keep the database clean and healthy, maintenance is required on a regular basis. This maintenance can be done manually using the Endpoint Encryption Manager, or with the EEPC command line tool (SBADMCL), which is the preferred way for larger Object Directories.
This guide describes the processes needed for maintenance. It is written for Endpoint Encryption administrators.
NOTE: These are generic recommendations based on experience but may not always be suitable for your specific environment. For database maintenance and performance, it is always recommended to engage McAfee Professional Services prior to implementing any of these suggestions. It is possible on already installed environments to have a McAfee professional perform consultancy and provide a "health check" on the setup and performance settings of the Object Directory.
Environment
This guide applies to McAfee Endpoint Encryption V5 and up; however, many steps in this guide can be applied to V4 (build 4770).
Audit maintenance
The audit can grow without limit in the database. This can slow down the database dramatically. The Endpoint Encryption administrator has to make sure that the audit is cleaned up every year or every half year, depending on the database performance. For more information on the command line tool SBADMCL.exe or its commands, please see the Endpoint Encryption Scripting Tool User Guide, which is found in most normal installations of the Endpoint Encryption Manager.
Extracting and Clearing Audit from the Database
The audit from users and systems needs to be cleared at least once a year for smaller implementations and more frequently for larger deployments, because it grows fast. Heavily used objects such as an administrator's account or a user object frequently used by a script are likely to be the common large audit creators.
The need to clear audits can vary depending on configuration, usage and requirements. However, the Security Management team should decide when to clear the audit. In later versions of the tool, the ClearDaysOld command was added. This option gives the administrator the possibility to clear audits that are, for example, 90 days old and older. This option must be used instead of the Clear option, because the Clear option will override the ClearDaysOld option if used together.
The audit will always be exported before it is deleted. This gives the administrator the possibility to look back at older audits using Microsoft Excel or similar tools.
Clearing the Audit
SBADMCL is usually run from the directory where the Endpoint Encryption Manager is installed. An admin account with high level credentials will be needed for the script.
Some of the commands below are database intensive processes, so run these commands during non-working hours only, or do it in more controlled sessions (one group at a time, for example) during the daytime if the groups are small.
To export and then clear ALL user audits use this command:
SBADMCL -Command:DumpUserAudit -Adminuser:Admin -Adminpwd:mypassword -File:c:\dump\Dumpuser.txt -Group:* -Clear
To export and then clear ALL machine audits use this command:
SBADMCL -Command:DumpMachineAudit -Adminuser:Admin -Adminpwd:mypassword -File:c:\dump\DumpMachine.txt -Group:* -Clear
To export and clear ALL user audits 90 days and older use this command:
SBADMCL -Command:DumpUserAudit -Adminuser:Admin -Adminpwd:mypassword -Group:* -File:c:\Dump\DuUserAu90.txt -ClearDaysOld:90
To export and clear ALL machine audits 90 days and older use this command:
SBADMCL -Command:DumpMachineAudit -Adminuser:"Admin" -Adminpwd:"mypassword" -File:DuMachAu90.txt -Group:* -ClearDaysOld:90
For further analysis of the audit see the "Advice on handling audit" document.
To export and clear from a specific group, add the group name instead of *.
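As an added example of the scheduled maintenance this section recommends (not a script from the guide or from McAfee), the following Python builds the SBADMCL export-and-clear command per group, refuses to combine -Clear with -ClearDaysOld (since -Clear overrides it and would wipe the whole audit), and runs the commands one group at a time from the Manager installation folder, stopping at the first failure. The SBADMCL switches are the ones shown above; the function names, the dump-file naming and the `stamp` parameter are mine, and the group names in the demo are constructed.

```python
"""Build and run SBADMCL audit export-and-clear commands following the
guide's rules (added example, not McAfee tooling)."""
import datetime
import subprocess
from pathlib import PureWindowsPath

COMMANDS = {"user": "DumpUserAudit", "machine": "DumpMachineAudit"}


def audit_command(kind, admin_user, admin_pwd, dump_dir, group="*",
                  clear_days_old=None, clear_all=False, stamp=None,
                  sbadmcl="SBADMCL"):
    """Return the argument list for one export-and-clear run.

    Exactly one of clear_days_old / clear_all may be used: the guide notes
    that -Clear overrides -ClearDaysOld, so passing both would silently clear
    everything instead of only the old entries.
    """
    if kind not in COMMANDS:
        raise ValueError("kind must be 'user' or 'machine'")
    if clear_all and clear_days_old is not None:
        raise ValueError("-Clear overrides -ClearDaysOld; pass only one")
    if clear_days_old is not None and clear_days_old < 0:
        raise ValueError("clear_days_old must be >= 0")
    stamp = stamp or datetime.date.today().strftime("%Y%m%d")
    safe_group = "all" if group == "*" else group.replace("\\", "_")
    dump_file = PureWindowsPath(dump_dir) / f"{COMMANDS[kind]}_{safe_group}_{stamp}.txt"
    args = [sbadmcl, f"-Command:{COMMANDS[kind]}", f"-Adminuser:{admin_user}",
            f"-Adminpwd:{admin_pwd}", f"-Group:{group}", f"-File:{dump_file}"]
    if clear_all:
        args.append("-Clear")
    elif clear_days_old is not None:
        args.append(f"-ClearDaysOld:{clear_days_old}")
    return args


def maintenance_plan(groups, admin_user, admin_pwd, dump_dir, days=90, stamp=None):
    """One command per group and object kind, so a large directory is
    processed in controlled sessions instead of a single Group:* run."""
    return [audit_command(kind, admin_user, admin_pwd, dump_dir, group,
                          clear_days_old=days, stamp=stamp)
            for group in groups for kind in COMMANDS]


def run_plan(plan, manager_dir):
    """Run each command from the Manager install folder; stop at the first
    failure so a failed export never proceeds to clear further groups.
    Returns the -Command: switches that completed."""
    completed = []
    for args in plan:
        subprocess.run(args, cwd=manager_dir, check=True)
        completed.append(args[1])
    return completed


if __name__ == "__main__":
    # Constructed group names and credentials for illustration only.
    plan = maintenance_plan(["Finance", "Engineering"], "Admin", "mypassword", r"c:\dump")
    for args in plan:
        print(" ".join(args))
    # run_plan(plan, r"<Endpoint Encryption Manager install folder>")  # placeholder path
```

The dump file name carries the group and the date so that exports kept for later review in Excel do not overwrite each other; schedule `run_plan` outside working hours, as the text advises.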
Deleted Items Cleanup
As mentioned previously, clearing objects from Deleted Items (found through the System tab in McAfee Endpoint Encryption Manager) can aid Object Directory access speed. When the Deleted Items are emptied, the actual physical folder for the object within the Object Directory is renamed: the extension of the folder changes from .RMV to .WPE. With a very large database, these empty/removed folders can sometimes slow down searches.
In a test lab, try removing the .WPE folders and test search speeds. If an improvement is found, it may be worth repeating on the live Object Directory. Always ensure tests and full backups are performed before any procedure.
Checking for Database Corruption
Why does the database get corrupted?
Corruptions can be caused by failed installations and bad sectors on endpoint systems, unsupported procedures, disconnected network links to the Object Directory*, failing drives and so on.
Poor or slow access to the Object Directory can cause slow or intermittent access to the database. This can cause the Object Directory to corrupt during database operations. Endpoint installations can fail and cause corruption. In addition, as a consequence, corrupted objects can cause a corrupted index, and to complete the circle this can also cause corrupted objects themselves. Slowness of disk access can be a problem when using shared resources (SAN or NAS connections) rather than DAS.
See the Server and Object Directory Optimisation section above for detailed information about the performance settings.
* More robust in v5 Release 5701 onwards.