Sunday, July 24, 2016

My McAfee FRMP4.3 Notes

- Encrypts files in folders on local drives, network shares, and removable media drives (e.g. a portable hard drive) via policies set in EPO.

- Depends on Windows credentials.

- The FRMP client is installed on the client machine and syncs policies and encryption keys with the EPO server.

========================================================================
Steps to upgrade EEFF:
a) Uninstall the existing version.
b) Install a supported McAfee Agent (McAfee Agent 4.8 / 5).
c) Check that the McAfee Agent communicates with the EPO server.
d) Run msiexec.exe /q /i eeff32.msi (for 32-bit OS) or msiexec.exe /q /i eeff64.msi (for 64-bit OS).
e) Restart the client machine.
f) Don't forget to check and test that it works properly.
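
Added example (not from the original notes or from McAfee): a PowerShell wrapper for the msiexec step above that picks the package by OS bitness and interprets the Windows Installer exit code, which tells you whether the restart is still pending. The staging folder and log path are assumptions; uninstalling the old version and checking agent-to-EPO communication remain manual.

```powershell
# Added example: silent EEFF install with exit-code handling.
# Assumption: eeff32.msi / eeff64.msi have been copied to $SourceDir.
param(
    [string]$SourceDir = 'C:\Temp\EEFF',              # hypothetical staging folder
    [string]$LogFile   = "$env:TEMP\eeff-install.log" # hypothetical log location
)

# A silent MSI install cannot prompt for elevation, so fail early if not admin.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run this script from an elevated PowerShell session.'
    exit 1
}

# Pick the package that matches the OS bitness (eeff32.msi vs eeff64.msi).
$msiName = if ([Environment]::Is64BitOperatingSystem) { 'eeff64.msi' } else { 'eeff32.msi' }
$msiPath = Join-Path $SourceDir $msiName

if (-not (Test-Path -LiteralPath $msiPath -PathType Leaf)) {
    Write-Error "Installer not found: $msiPath"
    exit 2
}

# Same switches as in the notes (/q /i); /l*v adds a verbose log for troubleshooting.
$msiArgs = @('/q', '/i', "`"$msiPath`"", '/l*v', "`"$LogFile`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Standard Windows Installer exit codes.
switch ($proc.ExitCode) {
    0       { Write-Output 'Install succeeded. Restart the client machine, then test encryption.' }
    3010    { Write-Output 'Install succeeded; Windows Installer reports a restart is required.' }
    1641    { Write-Output 'Install succeeded; the installer initiated a restart.' }
    1618    { Write-Error  'Another installation is already in progress; retry later.' }
    default { Write-Error  "msiexec failed with exit code $($proc.ExitCode). See $LogFile" }
}
exit $proc.ExitCode
```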

========================================================================

How to move or migrate machines with installed FRMP from existing EPO server to another EPO server?
a) Back up encryption keys and policy info.
b) Export encryption keys and policy info.
Note: The user domain and username do not change.

FRMP acts as a persistent encryption engine. Example: a file remains encrypted even if it is moved out of the encrypted directory.

========================================================================

What are the Protection Level options available for Removable Media?

The available options are:

Removable Media Policy is organized into two tabs:
- USB Media
- Floppy Disk Media

Options available for USB Media:
- Allow Unprotected Access
- Allow Encryption (with offsite access)
- Enforce Encryption (with offsite access)
- Enforce Encryption (onsite access only)
- Block Write Operations
NOTE: This option will restrict the USB devices to a read-only mode. (New FRP feature)

Options available for Floppy Disk Media:
- Allow Unprotected Access
- Block Write Operations

(From: KB81450)
========================================================================

FRMP Protection Options for USB devices:
- Use Enforce Encryption (onsite access only).
Example: Restrict access to encrypted USB devices to within the company's environment only.

-- No automatic decryption of existing files.
Example: If a removable media device (e.g. a USB hard drive) has Enforce Encryption (onsite access only) applied, the data on the USB device remains encrypted even after the policy is changed to Allow Unprotected Access.

Remember FRMP is a persistent encryption engine.

--- To decrypt the data on the USB device, set the Key Field option = Decrypt.
Changing the policy to Allow Unprotected Access affects new devices (USB devices that were not affected by Enforce Encryption (onsite access only)).

-- New files keep getting encrypted.

Problem Example: Disabling Enforce Encryption (onsite access only) has no effect. New files are still encrypted because the encryption policy has been applied to the USB device.
Workaround: To remove the applied encryption policy on removable media, set Key Field = Decrypt.

-- Ignore existing content on media

Ignore existing content on media = Disabled
Result: All existing files become encrypted (not ignored). This needs machines with FRMP installed.

Ignore existing content on media = Enabled
Result: Only new files are encrypted.

- Use Allow Encryption (with offsite access) or Enforce Encryption (with offsite access).
Example: Enable users to access encrypted USB devices on systems without McAfee encryption software installed.

- Use Enforce Encryption (with offsite access).
Example: A file can be copied to the USB device only when encrypted; otherwise, the device is read-only. If the user managed option is selected, files can be copied only to the encrypted portion of the device.

- Block Write Operations option.
Example: Make USB sticks read-only.

========================================================================

Sharing with CD/DVD/ISO

Enforce Encryption (onsite access only)
- Burning applications
The burning software should be supported; otherwise the CD/DVD can be written in plaintext. See KB81450.

- CD/DVD format limitation
The CD/DVD media should be supported. See KB76478.

========================================================================

FRMP Encryption
- Policy driven
Example: Enforce encryption of a folder (or several folders) by specifying the location and the encryption key (or corresponding encryption keys) for that folder.

- User driven
Example: Users can selectively encrypt or decrypt folders. Explicit Encrypt and Explicit Decrypt are enabled.

========================================================================

Removing a folder encryption policy does not decrypt the content of that folder.
Problem Example: Removing a folder encryption policy does not decrypt the content of that folder.
Workaround: Specify a policy pointing to the folder location, with Encryption key field = Decrypt.

========================================================================

Encrypted parent folder - decrypted subfolder

Default setting: all subfolders in a folder that is set to "encrypt" are also encrypted. This follows inheritance.

Problem Example:
Parent Folder (Properties - encrypted)
- Sub Folder (Properties - decrypted)

Solution: Use decrypt option

========================================================================

Encryption Keys

Regular and user personal keys
- Recommended: deactivate keys instead of deleting them. A deleted key cannot be restored.

User personal keys
- The administrator can create unique keys for users.
- Can be referenced in the Grant Key policy generically (as a single key) while creating unique keys for users.

User personal keys and multiple EPO databases
- Not recommended.
- Recommended: a user registers with one EPO and gets policies and keys from that EPO.

========================================================================

User local keys
- A local key is limited to the user and the client machine where it was created.


User local keys vs user personal keys
- Users manually create user local keys on their local machines and share them via the export and import processes.
- User local keys are NOT uploaded to the EPO database and are not transferred with the user to other machines by FRMP by default.
- For user personal keys, the administrator creates unique keys for users in EPO.








References:
KB81450
- FRMP4.3 Best Practice Guide




- wong chee tat :)
