McAfee Endpoint Encryption v5 User manual

1



McAfee®EndpointEncryption

EnterpriseBestPracticesGuide



November2009

2



Nopartofthispublicationmaybereproduced,transmitted,transcribed,storedinaretrievalsystem,or

translatedintoanylanguageinanyformorbyanymeanswithoutthewrittenpermissionofMcAfee,Inc.,or

itssuppliersoraffiliatecompanies

3



Contents



INTRODUCTION 5

PURPOSEOFTHISGUIDE 5

RELEVANTPRODUCTS 5

SOLUTIONARCHITECTURE 6

DESIGNPHILOSOPHY 6

SERVERCONFIGURATION 7

BASICSERVERREQUIREMENTS 7

RECOMMENDEDSERVERHARDWARE 7

SERVERREDUNDANCY 8

HOTBACKUPDATABASES 8

CLUSTERING 8

LOADBALANCING 8

SERVERANDOBJECTDIRECTORYOPTIMISATION 9

ENDPOINTTOSERVERCOMMUNICATION‐NETWORKLOADE STIMATION 9

ESTIMATINGTHESIZEOFTHEOBJECTDIRECTORY 9

TYPICALGROWTHOF5000USER/MACHINEOBJECTDIRECTORY 10

VIRTUALSERVERS 10

GLOBALDEPLOYMENTS 11

OPTIMISATIONACTIONS 11

OPTIMISATIONACTIONSOVERVIEW 12

NAMEINDEXING(DBCFG.INI) 13

WARNINGS 13

DBCFG.INI 13

GROUPSIZES 14

TCP/IPKEEPALIVETIMEREDUCTION 15

LASTACCESSTIMESTAMP(NTFSDISABLELASTACCESSUPDATE) 15

WINDOWSSERVERASAFILESERVER 15

OBJECTDIRECTORYBACKUPTOOLSETUP 16

ANTI‐VIRUSSCANNER 16

WINDOWSPERFORMANCE 17

MANAGINGAUDITS 17

FILECACHEONRAIDHARDDRIVECONTROLLER 17

CONNECTIONSPEED 17

OBJECTDIRECTORYPHYSICALLOCATION 18

OBJECTDIRECTORYACCESS 18

SEARCHINGFOROBJECTS 18

CLEARINGDELETEDOBJECTS 18

SBSERVER.INI 18

4



OBJECTDI

RECTORYMAINTENANCE 19

MAINTENANCEINTRODUCTION 19

ENVIRONMENT 19

AUDITMAINTENANCE 19

EXTRACTINGANDCLEARINGAUDITFROMTHEDATABASE  19

CLEARINGTHEAUDIT 19

DELETEDITEMSCLEANUP 20

CHECKINGFORDATABASECORRUPTION 20

WHYDOESTHEDATABASEGETCORRUPTED? 20

ORPHANEDOBJECTS 21

RESTORECOMMANDS 21

CLEANUPCOMMANDS 21

DUMPMACHINEDESCRIPTION 22

USEROBJECTS‐GENERALPERFORMANCETIPS 23

GENERALADVICE 24

DEFAULTPRODUCTSETTINGS(FORMAXIMUMCOMPATIBILITY). 24

THINGSTOAVOID 25

5



Introduction



PurposeofthisGuide

WhenplanningalargerolloutofEndpointEncryptionv5,itisimportanttounderstandtheprocessofscaling

thebackendObjectDirectoryandtheassociatedEndpointEncryptionCommunicationsServerprocessesto

meetrequirements.ThisguideoutlinestheconsiderationsaroundEndpointEncryption5implementationand

suggestspossiblesolutions.



Theguidealsodiscussesconsiderationsono

ptimizationandmaintenancebeforeandafteritsimplementation.



Italsoassumesthereaderhassomeknowledgeofenterprisesystems(configurationandmanagement)and

someknowledgeofEndpointEncryptioncomponents(EndpointEncryptionManagerv5.x,EndpointEncryption

forPCv5.xandotherMcAfeeEndpointEncryptioncomponents)thatwillbenefitfromgoodpra

cticeand

ObjectDirectoryoptimization(seebelow).



ThisguideisacollationoftheprofessionalopinionsofEndpointEncryptioncertifiedengineers,andnotthe

exactscience.Becauseeveryimplementationisunique,itiscriticaltounderstandboththeproductandthe

environmentinwhichitisbeingused,befor

earrivingatanydecisiononimplementationstrategy.

Calculationsandfiguresinthisguidearebasedonfieldevidenceandnottheoreticalsystemtestingandare

our“bestadvice”atthetimeofwriting.



WerecommendyoutodiscussyourrequirementswithyourMcAfeerepresentative.McAfeehaswide

experienceindeployi

ngrealworldimplementations.



Thankstoalltheauthorswhohavecontributedtowardsthisguide.



RelevantProducts

Thisguidediscussesconfigurationandmaintenanceofthebackendservercomponents,EndpointEncryption

Managerv5.xanditsObjectDirectorytogether,whichmanageandgovernthefollowingversion5client

componentsofEndpointEncryption:

• EndpointEncryptionforPC(EEPC)

• EndpointEncryptionforFilesandFolders(EEFF)

• EndpointEncryptionforMobile(E

EMO)

• EndpointEncryptionforRemovableMedia(EERM)



Othercomponentsthatmaybenefitindirectly:

• EndpointEncryptionScriptingTool

• EndpointEncryptionReportingTool

• EndpointEncryptionObjectDirectoryBackup



However,thevastmajorityoftheguideisconcernedwithEndpointEncryptionforPCasoptimizationsof

theManagerandObjectDirectorywillmak

ethemostimpactonthiscomponent.



6



SolutionArchitecture



DesignPhilosophy

McAfeeEndpointEncryptionisaclient/serverapplicationdesignedtobeimplementedwithasimple,single

serverarchitecture.ThissingleserverhostsanencrypteddatabaseknownastheObjectDirectory,andruns

servicestoallowconnectionstothedatabasefromboththeEncryptedEndpointsandtheManagementCenter

applications.Communicationwiththeda

tabaseoccursinasecureway(detaileddescriptionsareprovidedin

theManagementCenterAdministrationGuide).Thissingleservercanhostallcomponentsofthe

ManagementCenter,eveninenterpriseenvironments.



Whileitismostcommontoimplementtheproductwithasingleserver,therearealsootheroptions.The

compon

entsaremodularandareinstalledinadistributedway.Forexample,theWebHelpdeskcomponent

canbeinstalledonadedicatedwebserverwhiletherestofthecomponentsareonaseparateEndpoint

EncryptionServer.However,themajorityofourimplementationsaredonewithasingleserverbecausethisis

usuallyth

ebestapproach.



NOTE:Thisguidehasallrecommendations,assumingasingleserverapproach.



Whenreadingthefollowingsections‐eventhoughourrecommendationmaybetouseasingleserverwith

DirectAttachedStorage(DAS),avirtualserverwithNASbasedstorageisusableandwillhavesome

advanta

gesinyourenvironmentforsmallnumbersofendpointsorwithlimitedsynceventsandlimitedusers

perclient.However,weadviseagainstusingsuchimplementationsandrecommendyoudiscussyour

requirementswithMcAfeebeforeimplementation.



IftheperformanceoftheMcAfeesolutionisbelowtheacceptablelimits,migratingtowa

rdsour

recommendationsissuretolendimprovement.



7



ServerConfiguration



BasicServerRequirements

TheEndpointEncryptionCommunicationsServerprocessrunsunderMicrosoftWindows2000/2003.

CurrentlysomecustomersreportthatitworkswellunderWindows2008,howeverMcAfeehasnotofficially

certifiedthis.PleaseseetheMcAfeeKnowledgeBasearticleKB53698forcurrentinformationonsupported

environments.



Theperformancerequireddependsprimarilyuponthenumberofc

oncurrentconnectionsanenterprisecan

experienceandthenumberofconcurrentobjectcreationevents.Realworldimplementationssuggestthe

followingminimumandrecommendedconfigurations.



Notetheterm“ObjectDirectory”usedthroughoutthisguidereferstothedatabaseorstoreforusers,

endpointsandothersettings,andfilesforEndpointEncryptionmanagement.



RecommendedServerHardware 



20‐2000users/systems



Minimumsingleserverconfiguration



•DedicatedServer

•2GHzDualcoreprocessor

•2GBRam

•4GBfreeharddisk,RAID1

•100MbNetwork



VirtualorSharedServercanbeusedforlownumbers.

PleaseseeVirtualServersectioninthisguide.Vir

tual

hardwarehastobeofhigherspecificationif

resourcesareshared.SeePage11.

2000‐5000users/systems



Recommendedsingleserverconfiguration



•DedicatedServer

•2.4GHz2Dualor1Quadcoreprocessor

•4GBRam

•4GBfreeharddisk,RAID5

•100MbNetwork



5000‐50,000users/systems



Recommendedsingleserverconfiguration



•DedicatedServer

•3GHz2Dual/1Quadcoreprocessor

•4GBRAM

•RAID510KRPMDirect‐attachedStorage,100GB

•Gigabitor3x100MbNetwork

50,000‐150,000users/systems



Recommendedsingleserverconfiguration



•DedicatedSe

rver

•3.0GHzorhigher2Quad/4Dualcore(8cores).

•6GBRAM

•RAID5Direct‐attachedStorage.15KRPM.250GB 

•Gigabitor4x100MbNetwork



MentionedRAIDreferstohardwareRAID,notsoftware.EnablecachingonRAIDifpossible,butensure

suitableUPSpowerisavailable.

Migratinganenvironmentbetweenhardwareplatformsissimplesoitispossibletostartwithaminimal

configurationandlaterextendittoahigherconfigurationinaccordancewithperformancemonitoringand

capa

cityplanning.

NOTE:Thesemayvarydependingonotherconfigurationsettings.



8



ServerRedundancy

Itisriskytohaveasinglephysicalserverforyourenterprise,evenifyoutakeregularbackups.Werecommend

youtotakestepstoexpediterecoveryfromanoutageinaccordancewithanestablishedBusinessContinuity

andDisasterRecovery(BCDR)plan.



HotBackupDatabases

IncreasetheredundancyofthesystembyreplicatingtheEndpointEncryptionObjectDirectorytoasecond



physicalserver.Adedicatedreplicationtool“ObjectDirectoryBackup”whichisoptimizedtofollowthe

changelogofanEndpointEncryptionv5ObjectDirectoryissuppliedwiththeproductsuite.



Inthiscasesetuparesilientsystemusingtwophysicalboxes,bothhostingEndpointEncryptionServers–one

hostingthemasterOD

Bandtheotherhavingahotbackup.Incasethemasterserverfails,theEndpoint

EncryptionServeronthesecondbackupboxcanberestartedin“master”mode.Thenrebuildorreplacethe

affectedmachineandcreateanewmaster.



TheODBBackuputilitycanalsobeusedtomakeregularbac

kupsoftheODB,givingfurtherrecoveryoptions

incaseofadisaster.Thismethodhowever,requiresmanualinteractiontostartthefailover.



AHotBackupdocumentdiscussingthisscenarioisavailable.



Clustering

Fullyautomatedfailoversforapplicationsusuallyemployaclusterserverenvironment.AlthoughtheMcAfee

EndpointEncryptionObjectDirectoryandManagercanrunonacluster,werecommendagainstusing‘shared’

resourceswherepossible.AsperMcAfeeKB53698,WindowsClusterenvironmenthasnotbeenfullytestedat

thistimeinengineering.



LoadBalancing

GiventhebestconfigurationisusuallyasinglehighperformanceserverwithDASthentheleastoptimalwayto

performclusteringistoputtheObjectDirectoryonanetworkshare(NAS)andtheninstalltheManagement

Centerontwoserverswhichaccessthesharesimultaneously.



NOTE:Thelatterwillfunctio

n,butitwillbesignificantlydetrimentaltoserverperformance.



Youshouldnotethatifyouusespecialloadbalancingswitchestosplitnetworkload,youshouldsetthemto

alloweachclientactiveconnectiontooccurwiththesameswitchthroughoutthesyncevent(andnot

split/distributeeachpacketdu

ringasinglesync).



Makingremoteconnectionstothedatabaseisslowerthanlocalconnections,sothisdesignisoftentooslow

toworkeffectively.



IfDASisnotusedandthereareissuessuchasperformance,objectcorruption(especiallyasobjectnumbersin

theMcAfeeEndpointEncryptionObjectDire

ctoryincrease)McAfeesupportwillrecommendmovingtoDAS

andhighperformancededicatedserver.



IfaSANistheonlyoptionavailable,pleasenoteSANarrayscanprioritizetheconnectionstothephysicalbox

inwhatisknownasTierlevels.Tier1isthehighestpriority,Tier3isthelo

west.McAfeeEndpointEncryption

needsoptimaldiskaccesssowouldneedTier1prioritywithdedicatedLUNStoprovidethehighestspeed

connection.Thisisnecessaryforfullandpromptservicesynchronizationrequestsandadministration.This

avoidscorrupteddatabases,objects,clientsandslowadministrationperformance.RunningonSANisnot

recommended,bu

tifitmustbedone,thentheconnectionmustbeTier1.

9



ServerandObjectDirectoryOptimisation



EndpointtoServerCommunication‐NetworkLoadEstimation

EndpointEncryptionnetworktrafficistheeasiesttoconsiderintermsof“synchronizationevents”.Eachtimea

systemstartsittriestoconnecttoadesignatedEEPCdatabasecommunicationserverandupdateitsprofile.It

mayalso(dependinguponconfiguration)trytoconnectperiodically.Inlargedeployments,thefirststepin

estimatingth

enetworkloadcausedbyEndpointEncryptionistoestimatethepeaknumberofconcurrent

synchronizationevents.Thisisrelatedtotheuserworkingpractices.Forexample,if2000usersswitchtheir

systemsonat9A.M,the“9A.M.”effectcanbedilutedbysettingoptionalbootsyncdelayandof

fsettimesto

spreadtheloadacross,forexampleonehour.



Oncepeakflowisestimated,doubleittogivesomesafety,thenworkonanestimateof7KBperuserpersync

(thisisaveryhighapproximationbasedontotalupdateoftheusereverytwosyncevents).AtypicalWindows

server,inourexp

erience,canaccept100connectionspersecondperserver,withadefaultmaximumwait

timeof30secondsforpendingconnections.



ThemaximumcapabilityofasingleCommunicationsServer,takingthecapacityofthenetworktobe100

Mbps(1millionbitspersec

ond)is20synchronizationsofdataasecond.AWindowsserverOScanestablish

connectionsaboutevery10ms,andcanhandleunlimitedconnections(althougheventuallyitwillrunoutof

clockcyclesandmemory).



Onceestablished,aconnectioncantakeanunlimitedamountoftimetofinish,thoughthedef

aulttimeouton

establishingaconnectionis30seconds.Iftherearemorethan100attemptedconnectionspersecond,the

queuecannotbelongerthan3,000connections.



ThedefaultsettingsoftheCommunicationServerlimitthequeueto200entries(abalancebetweentaking

connectionsandprocessingconnections).Afterthatpoin

t,theconnectionsarerefused.Thisisareasonable

“realworld”setting.Aslongastheprofileofthesystemissettoretrytheconnectionafter,forexample,four

hours,thereisnolossoffunction.Settingthequeuelengthtomorethan1500canresultinpoorperformance

fromtheserverasittriestose

rvicesomanyconnections.



Inrealtermswecansaythatasageneralmaximumcase,theEndpointEncryptionServerislimitedto100

connectionspersecond,withasustainedload.Saturationinourexperienceisreachedwhenthereismore

than1400synchronizationev

entsperminute(1200acceptedandprocessed,200queued).Achievingthisload

intherealworldrequiresamassive,badlyplannedandconfiguredpopulationofsystems.Currentcustomers

with40000+installationsrarelyexceedthe200currentconnectionpoints,mostofwhichareadministrators

performingconfigurationchanges.



Theoperatingsystemordiskcontrollercac

hesmostofEndpointEncryption’sdatabase,soeventuallythe

commonfileswillbesuppliedfromRAMratherthanacrosstheconnectiontothedatabasehost,or,fromdisk.

Usingthecompressedversionofthedatabasecanimproveperformancebyasmallamount,however,itis

usefulwhenco

rporatebackupsoftwarehasdifficultyarchivingthedatabase.



ThisroughcalculationtellsusthatweneedoneEndpointEncryptionServerper1400eventsaminute

minimum;however,experiencingthesysteminactionwillgivetruefeedback.Itisoftenthecasethatmodern

hardwareoutperformspaperestimations.



EstimatingtheSizeoftheObjectDirectory

ThebasesizeofanEndpointEncryption5.xObjectDirectoryisaround150MB.Becauseyouaddnewusers

andsystems,theODBgrowsaccordingly.Italsogrowsinsizeassystemssynchronizeanduploadaudit

information.



10



AnObjectDirectorywith5000usersand5000systemscouldbeexpectedtogrowasfollows:



TypicalGrowthof5000user/machine ObjectDirectory  

Day DataSize ApproxDiskSpaceUsed

1 83MB 143MB

5 89MB 143MB

20 204MB 403MB

50 396MB 745MB

100 747MB 1050 MB

365 2455MB 3900 MB



Usersandsystemsarethemostprevalentobjecttypesinalargedatabase.Typically,oncreation,thesetypes

ofobjectstake4000bytes.Aday’sauditaddsaroundanadditional700bytesofdataperobject.Although

thesefiguresareverysmall,becauseofwastedspaceontheObjectDirectoryServer’sharddisk,th

eactual

disksizeoccupiedbytheObjectDirectorycanbe4xormorelarger.



VirtualServers

McAfeeEndpointEncryptionManagercanberunfromaVirtualServerforlowernumbersofEndpoints.

McAfeerecommendsphysicallydedicatedhardwareforhighnumbersofEndpoints.



Performanceofvirtualsystemsisdependentonmanyfactorsthatcansignificantlyaffecttheoverallproduct

performancewhencomparedtophysicallydedicatedhardware.High‐speeda

ccesstothedatawithinthe

ObjectDirectoryisrequiredandmustbecarefullyconsideredandevaluatedinaVirtualServerEnvironment.



CurrenttestingofVirtualServersrunningEEPCoperateswithinasetnumbersofdatabaseobjects.McAfee’s

experienceshowsthatperformancesissuearisingfromtheuseofVirtualServersisaresultof:



• Lackofresour

cesdedicatedtothevirtualserver.

• Dynamicallyassignedresourcestothevirtualserverwhichstarvesitofthenecessaryperformance

duringpeakperiods.

• Sloworreduceddiskaccess,resultinginasloweraccesstotheObjectDirectory.



McAfeesupportstheuseofVirtualServersrunningtheadministrativef

unctionalityofEEPCprovidedthe

appropriateresourcesarefullydedicatedtotheVirtualServeratalltimes.Ifperformanceproblemsare

experienced,theresourcesavailabletotheVirtualServerneedtobeincreased.Pleaserefertothe

recommendedserverspecificationsastheminimumresourcesfullyassi

gnedtotheVirtualServeratalltimes.

Theseresourcesapplytothespecificimage,andnottotheoverallresourcesofthehost.

CustomersneedtofollowtherecommendationsofMcAfeeSupportandraiseasupportticketfortheissues

relatedtoaVirtualServer.Theserecommendationscanvaryfromtwea

kingofserverandmachinesettingsas

specifiedinthisguideallthewaytomovingtheEEPCmanagementenvironmenttophysicalhardwareasalast

resortifnecessary.



ByengagingMcAfeeprofessionalservices,theywillassistyouinadequatelyscopingyourdeployment

hardwareneedsandcanrecommendabes

tpracticesapproach.



AsthetechnologyisevolvingandbetterVMfarmsarecomingonline,virtualhardwaresupportforgreater

numbersshouldbepossible.PleaseseeMcAfeeKB65747formoreinformation.



Thiswillbereviewedforthenextmajorrelease(version6.0ePOintegrated).



11



GlobalDeployments

ThesingleserverapproachworkswellaslongastheendpointscanmakeandsustainaTCP/IPconnectionto

theserver.DependingonthequalityoftheWANlink,someglobaldeploymentswillrequiremultipleservers.

Eachoftheseisessentiallyitsownenvironment,withitsownObjectDirectory.Manycustomershaveone

serverineachregion:oneforNorthAmeric

a,oneforEuropeandAfrica,andoneforAsia.Todetermine,ifthis

multiserverstrategyisnecessary,itisbettertoincludeendpointsfromallregionsinthepilotphase.



OptimisationActions

NOTE:Thesearegenericrecommendationsbasedonexperiencebutnotalwaysbesuitableforyourentire

specificenvironment.Fordatabasemaintenanceandperformance,itisalwaysrecommendedyouengage

McAfeeprofessionalservicespriortoimplementingthesesuggestions.



TheObjectDirectoryissmallinsize,butcontainsahighnumberoffiles.Forexample,aty

pical10,000node

deploymenthas1.7millionfilesinitsObjectDirectory.Foroptimalperformance,wemustconfigurethe

operatingsystemandthehardwaretoprovidefastaccesstolotsofsmallfiles.



12



OptimisationActionsOverview



McAfeegenerallyrecommendsthefollowingactions(mostofwhicharedescribedinmoredetaillater):



•OptimizeharddisksforI/Operformance.Asabove,15KRPMdisksarethebest.Thedisksshouldbeina

RAID5arraywithacontroller,withthemaximumamountofcacheavailable.UPSba

ckupis

recommended.Seechaptersabove.



•UseDASratherthananetworklocationSAN/NAS.Seechaptersabove.



•EnableindexingoftheObjectDirectorywithdbcfg.ini.



•Keepnumberofobjectspergrouptoaminimumwithintheobjectdirectoryandminimizenumberof

usersassignedtoclients.Als

olessaggressivesyncpolicyforclientscaneaseserverload.



•ReducetheTCP/IPKeepAliveTimetofiveminutes.



•DisableNTFSLastAccessUpdatewitharegistrychange.



•IncreasethesizeoftheNTFSMasterFileTable(MFT)witharegistrychange.



•Optimizebackups.



•Exclu

detheObjectDirectoryandtheassociatedservicesfromvirusscans.



•SetWindowsserverperformancessettingstobackgroundservicesandsystemcache.



•ManageAudits.



•UseHardDrivecontrollercaching.



•UsegoodnetworkconnectionstoObjectDirectoryservers.



•StoretheObjectDirectory(usuallystoredinSB

DATAfolder)onaseparatedriveorpartitiontotheOS.



•Don’tallowthedatabasetobeshared.



•CheckthateveryadministratorgoesthroughtheEEPCDatabaseserver,notdirectthroughlocal

connection.



•Limittheuseofthe‘Find’functionin20K+databasesduringnormalworkinghoursasitca

nslowaccess.



•Clearobjectitemsfromdeleteditems,regularlywhennotneeded.



•IncreasemaxconnectionsinSBServer.ini(insomecases).



13



NameIndexing(DBCFG.INI)

Nameindexingshouldbeenabledonalldatabasesespeciallythosewithover1000endpointsorusers.Itwill

benoticeablyfasterandimproveperformance.



Todothis,createabasictextfilecalledDBCFG.INI;fileandcopyittotheSBDATAfolder(assumingdefault

locationforObjectDirectory)andeditasbel

ow:



Warnings

• DonotuseSingleFilemodeasshownintheoptionsbelow.Itcanbeusedforsmalldatabasesbutnot

recommendedasitcanbemuchslower.

• TheFindfunctiondoesnotusethenamecacheandthereforesearchesthecompletedatabase

sequentially.



DBCFG.INI

Sectionsareaddeddefinedby[]withtheoptionsineachsectionaddedasbelow.

[NameIndex]

Enabled=Yes

Thismustbesetto"Yes"forthenameindex/cachingtobeusedbyprogramsrunningforthisdirectory.

LockTimeout=3000

Thisoptioncontrolshowlongtheprocesswillretryaccesstotheindexfileifitislocked.Youcandecreasethis

valueiftheadministratorexperienceslongwaitingtimesdurin

ginstallation,forexample–1000,however,

onlyindatabasessmallerthan5000systems,otherwiseyoufindthenumberbymultiplyingthenumberof

usersorsystemsinthedatabaseby0.6.



Example:Ifthenumberofusersinthedatabaseis10,000,theLocktimeoutshouldbe6000.

Thedefaultval

ueis3000.

Thevalueisin100thsofasecond.

Incaseofmultipleservers,thetimeoutcanexceedduetomanysimultaneousconnections.Inthatcasethe

valueneedstobeincreasedto30000.



LockSleep=10

Thisoptioncontrolshowlongtheprocesswillsleep(wait)beforere‐tryingopeningalo

ckedfile.Thevalueisin

1000thsofasecond.Incaseofmultipleservers,thelocksleepmightneedtobeincreasedduetomanylock

timeouts.Inthatcasethevalueneedstobeincreasedto100oreven1000.



HashCount=16

Thisoptioncontrolshowmany"buckets"thehas

hofthenameissplitinto.Itshouldbebetween1and256

(default16).Generally,agoodvaluecanbecalculatedbytakingthesquarerootofthenumberofusers.

However,foroptimalperformancethisvalueshouldbetunedbytesting.



MinEntrySize=16



Thisistheminimumspacetoallocateperobjectnameintheindexfile.Thedefa

ultof16isagoodvalueifthe

namesdonotexceed16characters.Youdonotneedtospecifythevalueifthenamesdonotexceed16

characters.



14



LifeTime=86400

Thetime(inseconds)forwhichtheindexwillbeusedbeforeitisautomaticallyre‐createdifsomebodylogson

tothedatabase.Thedefaultis30minutesbutisneverrecommended.Avalueofzeromeansthatitnever

expiresautomatically,andthevalueof86400meanson

eday.



Avalueofzerogivesyoufullcontrolbutthissettingneedsaseparateprocesstorecreatetheindex.Thiscould

beasimplebatchfilethatrunsovernight‐removestheindexfilesandforcesarecreate.Thiscansometimes

producethebestresultandperformance.



Recreationofth

eindexfileswilltakeperformance.Itwillcausethelogontobedelayedforquitesometime

dependantondatabasesizeandperformance,andcancauseissuesifthecreationofsystemsoccursduring

thisrebuildtime.Therefore,dependingonthesizeofthedatabase,itisrecommendedthispro

cessissetto

runveryearlyinthemorning.Forexample,removename*filesinSBDATA00000001and00000002folders

especiallythroughascriptearlymorning2A.M.Followingthat,runanadminlogonusingthecommandline

tool(SBADMCL)andperformacommandsuchasgetcountsthroughscripttorebuildthecac

heearly,before

thesystemssynchronize.



Youcanuseabatchfilesforthis,oneexampleiscalledRecreateCache.bat.Examplesofscriptsareinthe

optionalEEPCToolsdownload,or,availablefromyourMcAfeerepresentative.



[Attribs]

SingleFile=No

IfthisissettoYes,theattributesforobjectswillbeplacedintoasinglefileinsteadofeachonehavingtheir

ownfile.Notgenerallyusedalthoughitsimplifiesandspeedsupbackup,thiswillmakethedatabasetwiceas

slow!



AutoConvert=No

IfthisissettoYesandSingleFileisalsosettoYes,thena

ttributesareautomaticallyconvertedtoasinglefile

whentheobjectisopenedforwriting.Otherwise,onlynewobjectswillhavetheirattributesinasinglefile.

NOTE:Attributesarenotconverteduntiltheyareopenedforwriting.Again,thiscanproducefewerfil

esper

objecttoaidbackupsbutisslightlylessresilienttofailure.



[Tracking]

ObjectChanges=No

Objectchangetrackingforthebackuptoolmightdecreasetheperformanceofthedatabasebyabout100%

thusitisnotrecommendedtousethisinbigenvironments.



Groupsizes

Thesizeofausergrouporsystemsgroupshouldnotbetoobig.Ausergroupof5000cantake20secondsor

moretoopenevenonafastserver.Werecommendkeepingthesizeunder2000.Optimally1000orlesswill

workwellinmanycasesforfasteraccesstogrou

psonanyserver.



Alsoassigninglargegroupofusersdirectlytoaclientcanhaveperformanceimplications(network/server

performance,slowclientbootupandsynctimesandinstallationprocesses)sosmallergroupsarebetter.

Userscanbeassignedindividuallytoo.Thefewerusersassignedthebetterfromasecurityperspec

tive.See

UserObjects–GeneralPerformanceTipssectionlater.



15



TCP/IPKeepAliveTimeReduction

ReducethissettingonallEEPCserversfromtwohours(thedefault)tofiveminutes.Theserverwillrequirea

restart.Oncethisisdone,ifanendpointclientlosestheconnectionwiththeserver,theserverwillreleasethe

lockafterapproximately5minutes.Thiswillalsopreventbrokenremotesbadmclcon

nectionsfromlocking

thescriptinguseraccountfor2hours.



Procedure

1. OpenRegedit

2. Goto:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

3. OpenorcreatetheDwordKeepAliveTime

4. Changethevalueto300000indecimals(Timeinmilliseconds)



Extrainfo

TheKeepAliveTimesettingcontrolshowoftenkeep‐alivepacketsaresentinmilliseconds(30

0,000is

recommended).ItcontrolshowoftenTCPsendsakeep‐alivepackettoverifythatanidleconnectionisstill

intact.Iftheremotecomputerisstillreachable,itacknowledgesthekeep‐alivepacket.

MSKBarticle:http://support.microsoft.com

/default.aspx?scid=kb;en‐us;324270#EQACAAA



Key:Tcpip\Parameters

ValueType:REG_DWORD(Timeinmilliseconds)

ValidRange:1‐0xFFFFFFFF

Default:7,200,000(twohours)



NOTE:AsimilarsettingKeepAliveIntervalhasadefault1000(=1second),thissettingiscorrectsodonot

changethis.

LastAccessTimeStamp(NtfsDisableLastAccessUpdate)

Withlargedatabases,itispossiblethatsomegroupsmaybecomeoverpopulated.Whenalargegroupis

opened(forexampleonewithover5000users),itcantakesometimetoopen.Toreduceharddiskreadand

writetime,aregistrysettingcanbesettopreventtheLastAccesstimest

ampfrombeingupdatedoneveryfile

access.Theperformanceboostwillbeabout50%!Arestartisneededafterthechange.



Procedure

1. Openregedit.

2. GotoHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem.

3. CreateanewDWORDvalue,ormodifytheexistingvalue,named"NtfsDisableLastAccessUpdate"and

setitto"1".

Microsoftarticle:http://technet2.microsoft.com/Wind

owsServer/en/library/80dc5066‐7f13‐4ac3‐8da8‐

48ebd60b44471033.mspx?mfr=true

WindowsServerasaFileServer

TuneMicrosoftWindows2003servertobeafileserver.

SeetheMicrosoftarticlehttp://support.microsoft.com/kb/174619

aboutthis.

Theory

IncreaseNTFSMFT(MasterFileTable,usedtobeFAT)to50%ofthediskspace.Theresultisthatsmallfiles

arebeingstoredintheMFTandnotasseparatefilesintheNTFS.Thishelpsalotbecausewehavethousands

ofsmallfiles.

Procedure

16



1. OpenRegedit.

2. GotoHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem.

3. Intherightpane,lookfortheDwordnamedNtfsMftZoneReservation.

4. IfexistschangetheDwordto4.

5. Ifnotexists,createanewDWORDNtfsMftZoneReservationintheregistryandsetitsvalueto4.



EXTRAINFO

Thedefaultvalueforth

iskeyis1.Thisisgoodforadrivethatwillcontainrelativelyafewlargefiles.Other

optionsinclude:



2—Mediumfileallocation

3—Largerfileallocation

4—Maximumfileallocation

Unfortunately,Microsoftdoesn'tgiveanyclearguidelinesastowhatdistinguishesMediumfromLargerand

Maximumlevelsoffiles.Suffi

ceittosay,ifyouplantostorelotsoffilesonyourworkstation,youmaywantto

consideravalueof3or4insteadofthedefaultvalueof1.



ObjectDirectoryBackupToolSetup

IfyousetupyourObjectDirectorybackuptool,makesureitisnotrunningtoomanytimesadaybecausethe

inbetweentimewillbetooshort.Thiswillcausethetooltorunconstantlycausingoverload.Donotusethe

objectchangetrackerinbigdatabase.Itwilldecreasethedatab

asespeedabout100%!



Anti‐VirusScanner

Itisnotnecessarytouseavirusscanneronthedatabase(SBDATA).Mostofthedataisencrypted,sothereis

nothingtobescannedandscanningwillreducemuchoftheperformance.Switchoffanyscanningofthe

SBDATAontheEEPCDatabaseserver.Also,excludetheSbDbServerexecutablefromsc

anning.



AlsoifyourAntiVirusprogramhashigh‐risk/low‐riskprocessdetectionmarkingalltheEEM/EEPCmain

executablesontheserveraslowriskanddisablescanningonreads/writesmayhelpfurther(seescreen

shots).



ExamplesetupusingMcAfeeVSE8.5:



 

17



 



WindowsPerformance

BydefaulttheWindowsperformancesettingsaresetto‘Applications’.However,testingshoulddefinethe

bestsetting.TherecommendedsettingsunderControlPanel,System,Advanced,performanceare:



• LetWindowschoosewhat’sbestformycomputer



UnderAdvanced:

• Backgroundservices

• Systemcache

Openingatestgroupwithmoretha

ntherecommendednumberofobjects(forexample5000)canbeagood

testusingtheEEPCserverconnection(notthroughalocalconnection).Anothertestistocreateanddelete

100usersandsystemsusingthecommandlinetoolSBADMCLthroughatestbatchfile.



ManagingAudits

Theauditoftheusersandsystemscanslowdownthedatabase.ItisrecommendedyouscheduleEEPC

commandlinetoolSBADMCLtocleanupmachineauditandtheuseraudit.SeeEndpointEncryptionObject

DirectoryMaintenancesectionbelow.



FileCacheonRaidHardDriveController

LettheObjectDirectoryhostserverhavethelargestpossiblefilecacheontheRAIDHardDrivecontroller.This

Hardwaredevicewillincreasethefile‐accessspeeddramatically.

NOTE:ifcacheisenabledonRAIDcontrollers,useUPSbackupforpowerfailureprotection,becauseapower

failurecanleadtoada

talossaswritesmaybestillheldincache.

ConnectionSpeed

Thespeedbetweentheremoteserversandthefileserversiscrucial.Makethoseconnectionsdedicatedhigh

speedconnections,e.g.GigabitEthernetorFibre.Itisusuallyrecommendedyouhaveasingleserverlocated

onthesamededicatedserver,ratherthanmultipleEEPCDatabaseserversconnectinginfromremoteserver

systems.



18



ObjectDirectoryPhysicalLocation

ConsiderationshouldbemadetothelocationoftheObjectDirectory.



ThedefaultfinalfolderfortheEndpointEncryptionObjectDirectoryisinafoldercalledSBDATA.Ifpossible,

useaseparatefixeddriveorpartitiontotheOSforexample,OSandapplicationonC:databaseonD:.Thisis

usuallydecid

edatthetimeofinitialinstallationandcanbemodifiedatanothertime.



ObjectDirectoryAccess

CheckthateveryadministratorthatneedstologontotheObjectDirectorygoesthroughtheEndpoint

EncryptionDatabaseserver,notdirectthroughlocalconnection.Wherepossible,donotallowthedatabaseto

beshared.



SearchingforObjects

LimittheuseoftheFindfunctionin20K+databasesduringnormalworkinghoursasitcanslowaccessfor

othersystemsanduserobjects.AnotheralternativeistoworkonarecentcopyoftheObjectDirectoryto

performsearches,andoncethelocationisfound,theycanbenavigatedtodire

ctlyintheliveObjectDirectory.



ClearingDeletedObjects

ClearobjectsfromDeletedItemsregularlywhennotneeded.Deleteditemsarefolderscontainingolddeleted

users,systems,andotherobjectsandarefoundthroughtheSystemtabintheEndpointEncryptionManager.

Theseobjectscanslowsearchesdown.Iftheseobjectsareneededforauditing,theywillneedtobere

tained

byfirstbackingupthewholedatabase(SBDATAfolder)andthenstoring,dated,carefullyforthatpurpose.

Thenemptythedeleteditemsfromthecurrentlivedatabasetohelpspeedofaccess.Seethemoredetailed

ObjectDirectoryMaintenancesectionbelow.



SBSERVER.INI

ThisfileisfoundinthemaininstallationfolderforyourEndpointEncryptionManager.Itcanbeusedtoadjust

themaximumnumberofconnectionstheEndpointEncryptionserverwillacceptandthebehaviorwhenthe

maximumisreached.



SBServerinicontents:

[Connections]

Max=200

AcceptAtMax=No



Thedefaultsettingsareusuallyfineformostimplementati

onsbutMax=200canbesettoahighervalue

dependingonthenumberofincomingconnections.Thisshouldonlybechangediftheserverhasahigh

specificationandisrecommendedbyaMcAfeeEndpointEncryptionconsultant.Inaddition,thiswouldneed

tobetestedtodetermineifth

isimprovessynceventsandserverload.(PleaseseeEndpointEncryption

ManagerAdministrationGuidesuppliedwithEndpointEncryptionManagerforfurtherdetailsonSBServer.ini).



19



ObjectDirectoryMaintenance



MaintenanceIntroduction

Tokeepthedatabasecleanandhealthy,maintenanceisrequiredonaregularbasis.Thismaintenancecanbe

donemanuallyusingtheEndpointEncryptionManager,or,withtheEEPCcommandLineTool(SBADMCL),

whichisthepreferredwayforlargerObjectDirectories.



Thisguidedescribestheprocessesneededformaintenance.ItiswrittenforEndp

ointEncryption

administrators.



NOTE:Thesearegenericrecommendationsbasedonexperiencebutnotalwaysbesuitableforyourspecific

environment.Fordatabasemaintenanceandperformance,itisalwaysrecommendedtoengageMcAfee

Professionalservicespriortoimplementinganyofthesesuggestions.Itispossibleonalreadyi

nstalled

environmentstohaveaMcAfeeprofessionalperformconsultancyandprovidea“healthcheck”onthesetup

andperformancesettingsoftheObjectDirectory



Environment

ThisguideappliestoMcAfeeEndpointEncryptionV5andup,howevermanystepsinthisguidecanbeapplied

toV4(build4770).

Auditmaintenance

Auditcangrowunlimitedinthedatabase.Thiscanslowdownthedatabasedramatically.TheEndpoint

Encryptionadministratorhastomakesurethattheauditiscleanedupeveryyearoreveryhalfyeardepending

onthedatabaseperformance.FormoreinformationonthecommandlinetoolSBADMCL.exeorits

commandsple

aseseetheEndpointEncryptionScriptingToolUserGuide,whichisfoundinmostnormal

installationsoftheEndpointEncryptionManager.



ExtractingandClearingAuditfromtheDatabase

Theauditfromusersandsystemsneedstobeclearedatleastonceayearforsmallerimplementationsand

frequentlyforlargerdeploymentsbecauseitgrowsfast.Heavilyusedobjectssuchasanadministrator’s

accountoruserobjectfrequentlyusedbyascriptarelikelytobecommonlargeauditcreators.



Thenee

dtoclearauditscanvarydependingonconfiguration,usageandrequirements.However,theSecurity

Managementteamshoulddecidewhentocleartheaudit.Inlaterversionsofthetool,theClearDaysOld

commandwasadded.Thisoptiongivestheadministratorthepossibilitytoclearauditsthatare,forexample,

90da

ysandolder.ThisoptionmustbeusedinsteadoftheClearoption,becausetheClearoptionwilloverride

theClearDaysOldoptionifusedtogether.



Theauditwillalwaysbeexportedbeforeitisdeleted.Thiswillgivetheadministratorthepossibilitytolook

backatolderauditsusingMicrosoftEx

celorsimilartools.



ClearingtheAudit

SBADMCLisusuallyrunfromthedirectorywheretheEndpointEncryptionManagerisinstalled.Anadmin

accountwithhigh‐levelcredentialswillbeneededforthescript.



Someofthecommandsneededbelowaredatabaseintensiveprocesses,sorunthesecommandduringnon

workinghoursonly,or,doitinmor

econtrolledsessions(onegroupatatimeforexample)duringdaytimeifthe

groupsaresmall.



20



ToexportandthenclearALLuserauditsusethiscommand:



SBADMCL–Command:DumpUserAudit–Adminuser:Admin–Adminpwd:mypassword–

File:c:\dump\Dumpuser.txt–Group:*–clear



ToexportandthenclearALLmachineauditsusethiscommand:



SBADMCL–Command:DumpMachineAudit–Adminuser:Admin–Adminpwd:mypassword–

File:c:\dump\DumpMachine.txt–Group:*–clear



ToexportandclearALLuseraudits90daysandolderus

ethiscommand:



SBADMCL‐Command:DumpUserAudit‐Adminuser:Admin‐Adminpwd:mypassword‐Group:*‐

File:c:\Dump\DuUserAu90.txt‐ClearDaysold:90



ToexportandclearALLmachineaudits90daysandolderusethiscommand:



SBADMCL–Command:DumpMachineAudit–Adminuser:”Admin”–Adminpwd:”mypassword”–

File:DuMachAu90.txt–Group:*–ClearDaysOld:90



ForfurtheranalysisoftheAuditseetheAdviceonhandlingauditdocument.



Toexportandclearfromaspecificgrou

paddthegroupnameinsteadof*



DeletedItemsCleanup



AsmentionedpreviouslyclearingobjectsfromDeletedItems(foundthroughtheSystemtabinMcAfee

EndpointEncryptionManager)canaidObjectDirectoryaccessspeed.Whenthedeleteditemsareemptied,

theactualphysicalfolderfortheobjectwithintheObjectDirectoryisrenamed.Theextensionofthefolderis

renamedfrom.RMVto.W

PE.Withaverylargedatabase,theseempty/removedfolderscansometimesslow

downsearches.



Inatestlab,tryremoving.WPEfoldersandtestsearchspeeds.Ifanimprovementisfound,itmaybeworth

repeatingontheliveObjectDirectory.Alwaysensuretestsandfullbackupsareperfor

medbeforeany

procedure.



CheckingforDatabaseCorruption

Whydoesthedatabasegetcorrupted?

Corruptionscanbecausedbyfailedinstallationsandbadsectorsonendpointsystemsorunsupported

procedures,disconnectednetworklinkstotheObjectDirectory*orfailingdrivesandsoon.



PoororslowaccesstotheObjectDirectorycancauseasloworintermittentaccesstothedatabase.Thiscan

causetheOb

jectDirectorytocorruptduringdatabaseoperations.Endpointinstallationscanfailandcause

corruption.Inaddition,asaconsequence,corruptedobjectscancauseacorruptedindex,andtocompletethe

circlethiscanalsocausecorruptedobjectsthemselves.Slownessofthediskaccesscanbeaproblemwhen

usingsh

aredresourcesSANorNASconnectionsratherthanDAS.



SeethedocumentServerandObjectDirectoryOptimizationsectionabovefordetailedinformationaboutthe

performancesettings.



*Morerobustinv5Release5701onwards.



McAfee Endpoint Encryption v5, ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE User manual

Related papers

Other documents