
WinTech and SafeTech Administration Guide

5400(516-0025)

McAfee, Inc.
McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA Tel: (+1) 888.847.8766 Internet: www.mcafee.com

For more information regarding local McAfee representatives please contact your local McAfee office, or visit: www.mcafee.com

Document: WinTech and SafeTech Administration Guide
Last updated: Thursday, 26 June 2008
SafeBoot Enterprise Build: 5400(516-0025)
Device Encryption Product Version: 5.1.6

Copyright (c) 1992-2008 McAfee, Inc., and/or its affiliates. All rights reserved. McAfee, SafeBoot and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners.


Welcome
The team at McAfee is dedicated to providing you with the best in security for protecting data on personal computers. Applying the latest technology, deployment and management of users is enhanced using simple and structured administration controls.

SafeBoot 5 Device Encryption represents the latest addition to the SafeBoot family and incorporates functionality not found in earlier versions. This new edition of SafeBoot features a new dimension in IT security incorporating many new enterprise level options, including automated upgrades, file deployment, flexible grouping of users and centralized user management. In addition, user credentials can be imported and synchronized with other deployment systems.

WinTech and SafeTech are McAfee's disaster recovery systems used in conjunction with Device Encryption.

Through continued investment in technology and the inclusion of industry standards we are confident that our goal of keeping SafeBoot at the forefront of data security will be achieved.

About This Guide


This guide is designed to aid corporate security administrators to understand the disaster recovery tools, WinTech and SafeTech. Included in this document are procedures on how to recover data from problem machines. If you are unsure about any procedure, and are concerned about your data, then you must contact McAfee support before undertaking any of the procedures in this document.

Audience
This guide was designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security is required. McAfee can only contribute to information security within your organization as part of a coherent and well-implemented organisational security policy.


Document Conventions
The following conventions are used in this guide:

Convention: Italic font
Use: Indicates a user entry or identifies a document for further reading, a chapter or sub-chapter of this guide.
Example: See Creating Users for more information.

Convention: Text in inverted commas
Use: Indicates a menu option, a button or hyperlink that must be clicked.
Example: Click the 'Ok' button.

Convention: Square Brackets ( [] )
Use: Enclose optional keywords and values in command syntax.
Example: SBServer [username] [password]

Convention: Vertical Bar ( | )
Use: Separates two or more possible options in command syntax.
Example: SBServer start | stop

Related Documentation
The following materials are available from our web site, http://www.safeboot.com, and from your SafeBoot Distributor:

- Device Encryption v5 Administrators Guide
- Device Encryption v5 QuickStart Guide
- Management Center v5 Administrators Guide

Contacting Technical Support


Dial your respective country phone number (numbers overleaf) for technical support on this product. Remember to have your maintenance agreement number, your license number, and details of the problem you are experiencing to hand when calling for support. Please refer to www.mcafee.com for further information. If you purchased SafeBoot from one of our distribution channels, you can call them direct for support. Alternatively, you can contact McAfee direct at one of these locations:


The Americas
USA and Canada: (+1) 877 330 2424 | 8:00 a.m.-5:00 p.m. (EST) | 13:00-22:00 (GMT)

Europe
France: +33 (0) 146 24 56 34 | 4:00 a.m.-Noon. (EST) | 10:00-18:00 (GMT)
Germany: (+49) (0)1805-SAFEBOOT (+49) (0)1805-72332668 | 4:00 a.m.-Noon. (EST) | 10:00-18:00 (GMT)
Netherlands: (+31) (0)30 634 8850 | 4:00 a.m.-Noon. (EST) | 10:00-18:00 (GMT)
Sweden: (+46) (0) 8 21 25 55 | 4:00 a.m.-Noon. (EST) | 10:00-18:00 (GMT)
UK & Ireland: (+44) (0)871 200 3263 | 3:00 a.m.-11 a.m. (EST) | 09:00-17:00 (GMT)

Asia
Singapore: (+65) 9736 7878 | 9:30am-17:30 local time

Other Regions / Countries


All Other Countries: (+31) (0)30 634 8850 | 4:00 a.m.-Noon. (EST) | 10:00-18:00 (GMT)

Acknowledgements
SafeBoot's Novell NDS Connector and LDAP Connectors make use of OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given to these organisations for their free APIs.


Table of Contents
WELCOME
ABOUT THIS GUIDE
AUDIENCE
DOCUMENT CONVENTIONS
RELATED DOCUMENTATION
CONTACTING TECHNICAL SUPPORT
    The Americas
    Europe
    Asia
    Other Regions / Countries
ACKNOWLEDGEMENTS
TABLE OF CONTENTS
FIGURES
1. INTRODUCTION
    PRIOR KNOWLEDGE
2. WINTECH
    2.1 CREATING A BARTPE BOOT CD\DVD
        2.1.1 Create the BartPE CD/DVD
    2.2 BOOT FROM THE BARTPE WINDOWS CD/DVD
    2.3 RESET INT 13
    2.4 AVOIDING THE RESET OF INT13 FOR A BIOS UPGRADE
    2.5 ENCRYPTION AND BOOT SECTOR REMOVAL PROCEDURE 1
    2.6 ENCRYPTION AND BOOT SECTOR REMOVAL PROCEDURE 2
    2.7 MOUNT DRIVE
    2.8 RESTORING THE MBR (MASTER BOOT RECORD)
    2.9 RESTORING THE SAFEBOOT MBR
3. SAFETECH
    3.1 CREATING A SAFETECH BOOT DISK
    3.2 CREATING THE SAFEBOOT TRANSFER DATABASE
    3.3 EMERGENCY BOOT
    3.4 RESET INT 13
    3.5 AVOIDING THE RESET OF INT13 FOR A BIOS UPGRADE
    3.6 ENCRYPTION AND BOOT SECTOR REMOVAL PROCEDURE 1
    3.7 ENCRYPTION AND BOOT SECTOR REMOVAL PROCEDURE 2
4. GLOSSARY


Figures
FIGURE 1 - THE BARTPE CD/DVD BUILDER WINDOW
FIGURE 2 - THE SAFEBOOT INTERFACE FOR ACCESS TO WINTECH
FIGURE 3 - ACCESSING SAFEBOOT WINTECH
FIGURE 4 - THE WINTECH APPLICATION
FIGURE 5 - THE SAFETECH APPLICATION


1. Introduction
This guide discusses how to use the McAfee Device Encryption disaster recovery tools, WinTech and SafeTech. SafeTech is purely a disaster recovery tool that allows the administrator to perform everyday recovery functions. WinTech performs the same functions under a Windows-like environment and includes additional features such as drive mounting, booting from BartPE and easier access to encrypted USB drives and memory sticks.

Included in this document are procedures on how to recover data from problem machines. If you are unsure about any procedure, and are concerned about your data, then you must contact McAfee support before undertaking any of the procedures in this document.

Extreme care must be taken when using WinTech and SafeTech. If they are used without diligence this may result in the loss of data. McAfee cannot be held responsible for loss of data.

Prior Knowledge
This guide was written for security administrators. It assumes the reader has some knowledge of security concepts, data encryption, Device Encryption and the Management Center. It is preferable that administrators (readers) attend some form of McAfee Training to understand the basic concepts before following the procedures in this guide.


2. WinTech
This chapter explains some of the common tasks that can be undertaken using McAfee's Windows based disaster recovery tool, WinTech. Please exercise caution for all WinTech procedures. McAfee is not responsible for the loss of data. Please contact McAfee if you are unsure about attempting any of these procedures.

WinTech contains the same functions as its sister application, SafeTech. WinTech, however, contains the following features:

- Boot from a BartPE CD/DVD: This provides administrators with the ability to utilize the same recovery environment for disaster recovery and repair.
- Mount Drive: The Mount Drive feature allows quick access to data on an encrypted drive. This is only possible if the administrator has been properly authorized using the correct key. There is no need to completely decrypt the drive first to get at important files. Data is decrypted on-the-fly from the encrypted disk and this allows full access to the contents.
- Easier access to encrypted USB drives and memory sticks: WinTech provides access to USB drives and memory sticks that have been encrypted using 5.x DE optional USB removable drive support. An encrypted USB flash memory stick or external USB drive is generally only accessible from the machine it was encrypted from; however, WinTech allows these encrypted drives to be mounted and viewed, or the contents removed, without requiring access to the original working machine. For this to work, the machine key must still be available in the master Object Directory of the Management Center.

You can access a machine using the WinTech plug-in providing you also have the following:

- As with all McAfee data security products, at all times, a valid user authentication or machine key is needed to access the data on the encrypted hard drive or USB stick.
- The daily access code to allow access to the functions and use of WinTech. This is usually obtained from McAfee Support by customers with a valid support contract.


The daily access code does NOT provide access to encrypted data. Although WinTech is a convenient recovery tool, it is NOT a back door to data. The daily access code ONLY enables advanced WinTech menu functions. Authentication is still required to access the encrypted data. The other way is to provide the machine's unique encryption key exported from the administration database (this requires administration rights to export).

2.1 Creating a BartPE Boot CD\DVD


Bart's PE Builder helps you build a "BartPE" (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP. Before you create the BartPE CD\DVD you will need the Windows XP \i386 folder. The \i386 folder holds the files used to install, repair, modify, update and rebuild Windows. This can be found on the root directory of a Windows XP Pro/Home installation CD. You will also need the contents of the \Recovery\Making a Rescue CD\BartPE Plug-in and the \SafeBoot\SBWinTech_AES-FIPS folders which can be found on the installation CD. If you have downloaded SafeBoot you can find these paths on the computer where the Management Center resides.

2.1.1 Create the BartPE CD/DVD


1. Download the latest BartPE install file. See the http://www.nu2.nu/pebuilder/ website for information and download links.
2. Install BartPE using the default install locations.
3. Open Windows Explorer and navigate to the \pebuilderxxxxx\plugin folder. Note: xxxxx denotes the version number of BartPE.
4. Create a subfolder called safeboot. This folder will be the source for the SafeBoot recovery files.
5. Copy the files from the \Recovery\Making a Rescue CD\BartPe Plugin folder to the \pebuilderxxxxx\plugin\safeboot folder.
6. Launch BartPE.


Figure 1 - The BartPE CD/DVD Builder window

   a. The Source box should contain the path to the Windows installation files, i.e. the \i386 folder. See Creating a BartPE Boot CD\DVD above for further info.
   b. The Custom folder should contain any other local or remote files and folders you may wish to include. Note: Do not include the Windows directory or any other folder that has files in use. Also, bear in mind that the files you add must fit your target CD or DVD. If you are unsure what to enter in this field, then leave it empty.
   c. In the Output Directory field enter a directory name to store the files PE Builder copies. Please note that the location you enter is relative to your \pebuilder directory.
   d. If you need to specify an absolute path, you must change the Output path absolute in the Builder Options dialog.
   e. Use the Media Output section to specify whether you want to create a CD/DVD or an ISO image. Note: you can click the Plugins button to add, edit, enable/disable, configure or remove plugins from the list.
   f. Click the Build button to start writing the CD/DVD or build the ISO image.


2.2 Boot from the BartPE Windows CD/DVD


WinTech is accessed via the BartPE plug-in boot CD/DVD. When the problem machine is booted with this CD/DVD, the first screen you will see is the SafeBoot interface (see below). This will be followed by a pop up dialogue that will prompt you to start network services. You may start the network services if you have added the drivers for your Ethernet card to the CD/DVD build; otherwise click No.

1. Boot the machine with the BartPE CD/DVD. This will load the SafeBoot interface.

Any USB sticks or drives you need to access later will need to be plugged in before Windows PE starts to load. This includes any encrypted disks you wish to access, or any disk containing the machine export database.

2. Click Go > Programs > SafeBoot WinTech.
3. Enter the authorization/access code when prompted and click Ok.

Figure 2 - The SafeBoot Interface for access to WinTech


Figure 3 - Accessing SafeBoot WinTech

Figure 4 - The WinTech application

2.3 Reset INT 13


INT 13 is an interrupt vector that stores a machine's BIOS information. If the hardware of a machine changes (the motherboard, for example) or a virus has affected the BIOS, this will have an impact on the preboot environment and SafeBoot will not work. In this situation you will need to boot from the BartPE CD/DVD to access WinTech and reset the INT 13 to reflect the correct BIOS.

Before proceeding you must have the following:

- The BartPE Boot CD/DVD boot disk.
- The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine.
- The daily access (authorization) code. This can be obtained directly from McAfee Support or from your internal Help Desk (Note: availability from your Help Desk is dependent on your contract with McAfee).


1. Boot the machine with the BartPE CD/DVD. This will load the SafeBoot interface.
2. Click Go > Programs > SafeBoot WinTech.
3. Enter the authorization/access code when prompted and click Ok.
4. From the top toolbar select SafeBoot followed by Authenticate from SBFS. This will prompt you for the SafeBoot credentials for this machine.
5. Enter the username and password for the client machine.
6. Click the SafeBoot option from the toolbar and select the RESET INT13 Vector from the menu. A message containing "INT13 has been successfully reset" should appear.
7. Click OK.

2.4 Avoiding the Reset of INT13 for a BIOS upgrade


If you wish to avoid the Reset INT 13 condition while updating the BIOS, then you can temporarily turn off Virus Protection before the BIOS upgrade.

1. Locate the machine in the Management Center, Devices tab.
2. Right-click on it and select Properties.
3. Select the General icon.
4. Under Options, scroll down until you find Virus Protection.
5. Deselect the Enable MBR virus protection option.
6. Click Apply.

When the BIOS has been upgraded, the Enable MBR virus protection option should be re-enabled and the machine synchronized. This will again protect the machine's boot sector.

2.5 Encryption and Boot Sector Removal Procedure 1


Use the following procedure in the event that:

- Windows becomes corrupt.
- You cannot access the data of an encrypted machine.
- Encryption or decryption fails.

Make sure the machine's main power supply is plugged in for this procedure. Do not attempt to perform it on battery only.


Before proceeding you must have the following:

- The BartPE Boot CD/DVD boot disk.
- The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine. Note: any sticks and drives required to access the machine must be plugged in before WinTech starts.
- The daily access/authorization code. This can be obtained directly from McAfee Support or from your internal Help Desk. Note: availability from your Help Desk is dependent on your contract with SafeBoot.

1. Boot the machine with the BartPE CD/DVD. This will load the SafeBoot interface.
2. Click Go > Programs > SafeBoot WinTech.
3. Enter the access code when prompted and click Ok.
4. From the top menu click the SafeBoot option.
5. Select the Authenticate from SBFS option from the SafeBoot menu.
6. Enter the machine's username and password.
7. Select Remove SafeBoot. This will decrypt the drive and remove the boot sector. It may take some hours depending on the machine performance and the storage capacity of the drive or partition.
8. Next, when SafeBoot has been removed, delete its record from the Management Center (the central record will no longer have the correct parameters for the machine). See the Device Encryption Administrators Guide for further information, or contact your SafeBoot Database Administrator.

If you had a problem with Windows and the operating system is repaired, SafeBoot will automatically reactivate itself if the installed files are still intact. It will also connect to the SafeBoot Server. The machine may encrypt at this point too depending on its settings in the database. This can be prevented by disconnecting from the network prior to booting the machine (or disabling wireless networking). After Windows has loaded, open a DOS CMD prompt. Change to the SafeBoot folder on the machine and enter: sbsetup Uninstall. This command can only be used if the drive is completely unencrypted.


Make sure you check where the \SBADMIN (administration system files) and the \SBDATA (database folder) have been installed. If your installation is not in the recommended locations, then make sure you check where they have been installed before proceeding. Also, disconnecting from the network will prevent re-activation only if this machine was originally a SafeBoot online install. If it was an offline install, then boot to Windows Safe Mode first. See the Device Encryption Administrators Guide for further information regarding online and offline installation.

2.6 Encryption and Boot Sector Removal Procedure 2


If SafeBoot does not work and the previous Encryption and Boot Sector Removal Procedure 1 cannot be used, then follow this procedure. Note: this procedure should only be attempted under the guidance of McAfee Support. For this method the machine's configuration should be exported from the database.

Before proceeding you must have the following:

- The BartPE Boot CD/DVD boot disk.
- The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine. Note: any sticks and drives required to access the machine must be plugged in before WinTech starts.
- The daily access/authorization code. This can be obtained directly from McAfee Support or from your internal Help Desk. Note: availability from your Help Desk is dependent on your contract with McAfee.

1. Export machine configuration to a floppy disk or a USB stick. See the procedure.
   a. Insert your choice of removable media, i.e. floppy disk or USB drive.
   b. Select the Devices tab from the Management Center.
   c. Right-click on the machine name.
   d. Select Export Configuration and browse to the floppy disk or USB drive.
   e. Enter a name for the database.
   f. Click Save.
2. Boot the machine with the BartPE CD/DVD. This will load the SafeBoot interface.
3. Click Go > Programs > SafeBoot WinTech.
4. Enter the access code when prompted and click Ok.
5. Using WinTech:
   a. From the top menu click the SafeBoot option.
   b. Select the Authenticate from Database option from the SafeBoot menu.
   c. Next, select the machine SDB file and click Ok.
   d. Select the correct machine name from the Select Machine window.
   e. Select Remove SafeBoot from the SafeBoot drop down menu. This will decrypt the drive and remove the boot sector. It may take some hours depending on the machine performance and the storage capacity of the drive or partition.
6. Remember to delete the machine's record from the Management Center after SafeBoot has been removed. The central record will no longer have the correct parameters for the machine.

When the operating system is repaired, SafeBoot will automatically reactivate itself if the installed files are still intact and it connects to the SafeBoot Server. The machine may encrypt at this point too depending on its settings in the database. This can be prevented by disconnecting from the network prior to booting the machine (or disabling wireless networking). After Windows has loaded, open a DOS CMD prompt. Change to the SafeBoot folder on the machine and enter: sbsetup Uninstall. Note: This command can only be used if the drive is completely unencrypted.

Disconnecting from the network will prevent re-activation only if this machine was originally an online install of SafeBoot. If it was an offline install, boot to Windows Safe Mode first. See the Device Encryption Administrators Guide PDF document for further information regarding online and offline installation.

2.7 Mount Drive


The Mount Drive feature allows quick access to data on an encrypted drive. This is only possible if the administrator has been properly authorized using the correct key. There is no need to completely decrypt the drive first to get at important files. Data is decrypted on-the-fly from the encrypted disk and this allows full access to the contents. This includes access to data stored on removable media.

Before proceeding you must have the following:

- The BartPE Boot CD/DVD boot disk.
- The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine.
- The daily access (authorization) code. This can be obtained directly from McAfee Support or from your internal Help Desk (Note: availability from your Help Desk is dependent on your contract with McAfee).

1. Export the machine configuration to a floppy disk or a USB stick:
   a. Insert your choice of removable media, i.e. floppy disk or USB drive.
   b. Select the Devices tab from the Management Center.
   c. Right-click on the machine name.
   d. Select Export Configuration and browse to the floppy disk or USB drive. (Note: There are two options you can select: the Include all users in the configuration option will add all users that can access the machine into the machine configuration; the Include all files in the configuration option will add all the files assigned to the machine's groups into the machine configuration.)
   e. Enter a name for the database file.
   f. Click Save.

2. Boot from the BartPE Windows CD/DVD:

Any USB sticks or drives you need to access later will need to be plugged in before Windows PE starts to load. This includes any encrypted disks you wish to access, or any disk containing the machine export database.

   a. Boot the machine with the BartPE CD/DVD. This will load the SafeBoot interface.
   b. Click Go > Programs > SafeBoot WinTech.
3. Enter the authorization/access code when prompted and click Ok.

The Info bar at the bottom of the tool reports Not Authorized until the code has been correctly entered. After the code has been entered, this changes to Authorized. The Not Authenticated message still shows. User authentication or an encryption key to decrypt any data is still required!


4. Now enter the machine's key retrieved earlier from the exported database.
   a. From the SafeBoot menu select Authenticate from Database.
   b. Browse to the location of the configuration, i.e. floppy or USB stick.
   c. Click the exported machine SDB file you created earlier.
   d. From the Disk menu, choose Mount Drive.
   e. From the Go menu run the file management tool (BartPE default is A43 File Utility Manager).

2.8 Restoring the MBR (Master Boot Record)


The MBR loads the boot sector which in turn will load the operating system. The MBR of a machine is stored in the central administration database during the synchronization and can therefore be exported as part of the SafeBoot Transfer Database (.SDB) file. Note: if you have performed a manual (forced) decrypt then you must follow this procedure to restore the original MBR.

Before proceeding you must have the following:

- The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine.

1. Authenticate from the database using the .SDB file on the floppy disk or USB. Note: this must be plugged in before booting from the BartPE CD/DVD:
   a. Click the SafeBoot menu followed by the Authenticate from Database option. Note: There is a known problem with BartPE at present: if you select the Authenticate from Database option from the SafeBoot menu, the dialog box may not immediately display the .SDB file(s). To view the contents of the floppy disk/USB stick, type in the drive letter containing the media, e.g. a:\, f:\, etc.
   b. Next, select the machine SDB file from the floppy disk or USB drive.
   c. Click Open.
   d. Select the correct machine name from the Select Machine window.
   e. Click Ok to confirm the authentication.
2. Restore the MBR:
   a. Click the Disk menu followed by Restore MBR.
   b. Click Yes to confirm that you want to overwrite the Master Boot Record.

2.9 Restoring the SafeBoot MBR


The SafeBoot MBR loads the SafeBoot pre-boot environment. This MBR is stored in the central administration database during the synchronization. You can restore the SafeBoot MBR in the event

Before proceeding you must have the following:

- The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine.

1. Authenticate from the database using the .SDB file on the floppy disk or USB. Note: this must be plugged in before booting from the BartPE CD/DVD:
   a. Click the SafeBoot menu followed by the Authenticate from Database option. Note: There is a known problem with BartPE at present: if you select the Authenticate from Database option from the SafeBoot menu, the dialog box may not immediately display the .SDB file(s). To view the contents of the floppy disk/USB stick, type in the drive letter containing the media, e.g. a:\, f:\, etc.
   b. Next, select the machine SDB file from the floppy disk or USB drive.
   c. Click Open.
   d. Select the correct machine name from the Select Machine window.
   e. Click Ok to confirm the authentication.
2. Restore the SafeBoot MBR:
   a. Click the Disk menu followed by Restore MBR.
   b. Click Yes to confirm that you want to overwrite the Master Boot Record.
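Both restore procedures in sections 2.8 and 2.9 overwrite sector 0, so it is worth keeping a record of that sector before and after the restore. The following is an added example, not part of the McAfee guide or its tools: it parses a 512-byte image of sector 0 and reports which regions differ between two images. It assumes you have captured the images with an imaging tool of your choice; the sample sectors and the function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE = slice(0, 446)      # bootstrap code area (disk signature sits at 440-443)
PART_TABLE = slice(446, 510)   # four 16-byte primary partition entries
BOOT_SIG = slice(510, 512)     # must be 55 AA for the BIOS to boot the disk


def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte image of sector 0 into the facts worth recording."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for slot in range(4):
        entry = sector[446 + 16 * slot: 446 + 16 * (slot + 1)]
        ptype = entry[4]
        if ptype == 0x00:              # unused partition slot
            continue
        # Bytes 8-15 of an entry: start LBA and sector count, little-endian.
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "slot": slot,
            "active": entry[0] == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {
        "signature_ok": sector[BOOT_SIG] == b"\x55\xaa",
        "sha256": hashlib.sha256(sector).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(before: bytes, after: bytes) -> dict:
    """Report which regions of sector 0 differ between two images."""
    parse_mbr(before)                  # validates length
    parse_mbr(after)
    return {
        "boot_code_changed": before[BOOT_CODE] != after[BOOT_CODE],
        "partition_table_changed": before[PART_TABLE] != after[PART_TABLE],
        "signature_ok_after": after[BOOT_SIG] == b"\x55\xaa",
    }


def load_sector0(path: str) -> bytes:
    """Read the first sector from an image file saved earlier."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_fill: int) -> bytes:
    """Constructed sample sector: filler boot code, one active type-0x07 partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[BOOT_CODE] = bytes([boot_fill]) * 446
    sector[446:462] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 204800
    )
    sector[BOOT_SIG] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Constructed stand-ins for the images taken before and after Restore MBR.
    before = build_sample_mbr(0xAA)
    after = build_sample_mbr(0x90)
    print(parse_mbr(before))
    print(compare_mbr(before, after))
```

A changed partition table or an invalid signature in the "after" image is the result to investigate before rebooting the machine.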


3. SafeTech
This chapter explains some of the common tasks that can be undertaken using McAfee's disaster recovery tool, SafeTech. Please exercise caution for all SafeTech procedures. SafeBoot is not responsible for the loss of data. Please contact SafeBoot if you are unsure about attempting any of these procedures.

3.1 Creating a SafeTech Boot Disk


You can create a boot disk from the Management Center by using the Recovery menu option.

1. Select the Recovery option on the top toolbar of the Management Center.
2. Select Create SafeTech Boot Disk.
   a. Enter a floppy disk into the a:\ drive and select Ok. This will create the boot disk.

3.2 Creating the SafeBoot Transfer Database


The SafeBoot Transfer Database is the machine configuration file (.SDB). This file contains the machine key that will provide access to the problem machine.

1. Enter the media into the drive you wish to export the database to, e.g. floppy disk or USB drive.
2. Select the Devices tab from the Management Center.
3. Right-click on the machine name.
4. Select Export Configuration and browse to the floppy disk or USB drive.
5. Enter a name for the database.
6. Click Save.

3.3 Emergency Boot


The Emergency boot is performed in the event that SafeBoot fails to boot or the logon screen is corrupt.

Before proceeding you must have the following:

- The SafeTech boot disk.
- The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine.
- The daily access code. This can be obtained directly from McAfee Support or from your internal Help Desk (Note: availability from your Help Desk is dependent on your contract with McAfee).

1. Create a SafeTech boot disk. See the Creating a SafeTech Boot Disk procedure at the beginning of this chapter.
2. Reboot the problem machine using the SafeTech boot disk.
3. Enter the authentication code.
4. Click Ok.

Figure 5 - The SafeTech application

5. Authenticate from the database file (.SDB):
   a. Insert the media containing the machine configuration file (.SDB).
   b. From the top toolbar click SafeBoot.
   c. Select Authenticate from Database.
   d. Select the machine configuration file (filename.SDB) from the disk or USB drive.
   e. Click Ok. The machine name will be shown in the open window. This will be the machine exported from the Management Center. The correct machine name is listed.
   f. Click Use Selected Machine. The panel at the bottom of the SafeTech screen should display an Authorized and Ready status.
6. Perform the Emergency Boot:
   a. From the top toolbar click SafeBoot.
   b. Click the Emergency Boot option. This will prompt you to confirm the operating system.
   c. Click Yes if you are using Windows XP (or earlier), or click No if you are using Windows 2003, Vista and higher.
   d. Click Ok to confirm the Emergency Boot.

When the machine boots into Windows, if there is a network connection to the SafeBoot server, then the machine will synchronize with the SafeBoot Object Directory and fully repair itself. Check this by right-clicking on the SafeBoot icon in the system tray, followed by Show Status. If SafeBoot is unable to establish a connection to the master directory at this time, continue to use the SafeTech Emergency Repair boot disk to boot the machine until a connection to the server is made.

3.4 Reset INT 13


INT 13 is an interrupt vector that stores a machine's BIOS information. If the hardware of a machine changes (the motherboard, for example) or a virus has affected the BIOS, this will have an impact on the preboot environment and SafeBoot will not work. In this situation you will need to use a boot disk to access SafeTech and reset the INT 13 to reflect the correct BIOS. Before proceeding you must have the following:
- The SafeTech boot disk.
- The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine.
- The daily access code. This can be obtained directly from McAfee Support or from your internal Help Desk (Note: availability from your Help Desk is dependent on your contract with McAfee).

1. Create a SafeTech boot disk. See the Creating a SafeTech Boot Disk procedure at the beginning of this chapter. Note: The machine configuration is not required.
2. Reboot the problem machine using the SafeTech boot disk.
3. Enter the access code when prompted and click Ok.
4. From the top toolbar select SafeBoot followed by Authenticate from SBFS. This will prompt you for the SafeBoot credentials for this machine. If you get a message that indicates a failure to read the values from the disk, contact McAfee Support; otherwise, click Login With Selected Token.
5. Enter the username and password for the client machine.
6. Click the SafeBoot option from the toolbar and select the RESET INT13 Vector from the menu. The "INT13 has been successfully reset" message should appear.
7. Click OK.

3.5 Avoiding the Reset of INT13 for a BIOS upgrade


If you wish to avoid the Reset INT 13 condition while updating the BIOS, then you can temporarily turn off Virus Protection before the BIOS upgrade.
1. Locate the machine in the Management Center, Devices tab.
2. Right-click on it and select Properties.
3. Select the General icon.
4. Under Options, scroll down until you find Virus Protection.
5. Deselect the Enable MBR virus protection option.
6. Click Apply.

When the BIOS has been upgraded, the Enable MBR virus protection option should be re-enabled and the machine synchronized. This will again protect the machine's boot sector.

3.6 Encryption and Boot Sector Removal Procedure 1


Use the following procedure in the event that:
- Windows becomes corrupt.
- You cannot access the data of an encrypted machine.
- Encryption or decryption fails.

Make sure the machine's main power supply is plugged in for this procedure. Do not attempt to perform it on battery only.

Before proceeding you must have the following:
- The SafeTech boot disk.
- The daily access code. This can be obtained directly from McAfee Support or from your internal Help Desk (Note: availability from your Help Desk is dependent on your contract with McAfee).

1. Create a SafeTech Boot Disk. See the Creating a SafeTech Boot Disk procedure at the beginning of this chapter.
2. Boot the problem machine with the SafeTech Boot disk.
3. Enter the authorization code.
4. From the top menu click the SafeBoot option.
5. Select the Authenticate from SBFS option from the SafeBoot menu. SafeTech reads values from the drive and returns a message. If the message indicates a failure to read the values from the disk then contact McAfee Support; otherwise, choose the right token and click Logon with Selected Token.
6. Enter the machine's username and password.
7. Select Remove SafeBoot.
8. This will decrypt the drive and remove the boot sector. It may take some hours depending on the machine performance and the storage capacity of the drive or partition.
9. Next, when SafeBoot has been removed, delete its record from the Management Center (the central record no longer has the correct parameters for the machine). See the Device Encryption Administrator's Guide for further information, or contact your SafeBoot Database Administrator.

If you had a problem with Windows and the operating system is repaired, SafeBoot will automatically reactivate itself if the installed files are still intact. It will also connect to the SafeBoot Server. The machine may encrypt at this point too, depending on its settings in the database. This can be prevented by disconnecting from the network prior to booting the machine (or disabling wireless networking). After Windows has loaded, open a DOS CMD prompt. Change to the SafeBoot folder on the machine and enter: sbsetup Uninstall. This command can only be used if the drive is completely unencrypted.

Make sure you check where the \SBADMIN (administration system files) and the \SBDATA (database folder) have been installed. If your installation is not in the recommended locations, then make sure you check where they have been installed before proceeding. Also, disconnecting from the network will prevent re-activation only if this machine was originally a SafeBoot online install. If it was an offline install, then boot to Windows Safe Mode first. See the Device Encryption Administrator's Guide for further information regarding online and offline installation.

3.7 Encryption and Boot Sector Removal Procedure 2


If SafeBoot does not work and the previous Encryption and Boot Sector Removal Procedure 1 cannot be used, then follow this procedure. Note: this procedure should only be attempted under the guidance of McAfee Support. For this method the machine's configuration should be exported from the database. Before proceeding you must have the following:
- The SafeTech boot disk.
- The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine.
- The daily access code. This can be obtained directly from McAfee Support or from your internal Help Desk (Note: availability from your Help Desk is dependent on your contract with McAfee).

1. Create a SafeTech Boot Disk. See the Creating a SafeTech Boot Disk procedure at the beginning of this chapter.
2. Export the machine configuration file (.SDB) to a floppy disk or a USB stick. See the Creating the SafeBoot Transfer Database procedure earlier in the chapter.
3. Boot the problem machine with the SafeTech boot disk.
4. Enter the authorization code when prompted.
5. Use SafeTech to authenticate from the database:
   a. From the top menu click the SafeBoot option.
   b. Select the Authenticate from Database option from the SafeBoot menu.
   c. Next, select the machine SDB file and click Ok.
   d. Select the correct machine name from the Select Machine window.
6. Select Remove SafeBoot from the SafeBoot drop down menu. This will decrypt the drive and remove the boot sector. It may take some hours depending on the machine performance and the storage capacity of the drive or partition.
7. Remember to delete the machine's record from the Management Center after SafeBoot has been removed. The central record will no longer have the correct parameters for the machine.

When the operating system is repaired, SafeBoot will automatically reactivate itself if the installed files are still intact and it connects to the SafeBoot Server. The machine may encrypt at this point too, depending on its settings in the database. This can be prevented by disconnecting from the network prior to booting the machine (or disabling wireless networking). After Windows has loaded, open a DOS CMD prompt. Change to the SafeBoot folder on the machine and enter: sbsetup Uninstall. Note: This command can only be used if the drive is completely unencrypted.

Disconnecting from the network will prevent re-activation only if this machine was originally an online install of SafeBoot. If it was an offline install, boot to Windows Safe Mode first. See the Device Encryption Administrator's Guide PDF document for further information regarding online and offline installation.


4. Glossary
Algorithms: An option on the main menu for setting the correct algorithm on a machine.

Authorize: Enter the daily access/authorization code in this dialog box. The code can be obtained directly from McAfee Support or from your internal Help Desk. Note: availability from your Help Desk is dependent on your contract with McAfee.

Authenticate from Database: This function allows the user to authenticate using the machine key obtained via the Select Transfer Database (SDB file) exported from the master object directory.

Authenticate from SBFS: This authentication is through entering the correct userid and password.

Authenticate from HP Recovery File: This option is applicable to users of HP computers only. HP users can create a recovery file containing the machine key and recovery key. This menu option allows the user to authenticate onto a problem HP machine using the saved recovery file.

Contact: Displays a list of current world telephone support numbers.

Crypt/Decrypt Sectors: The Crypt/Decrypt option allows you to safely manipulate which sectors are encrypted on the disk. This option follows the crypt list (see Get Disk Information) to validate the ranges you submit, so it will not encrypt sectors which are currently encrypted, and will not decrypt sectors which are currently not encrypted. This option supports power fail protection. You can only use the Crypt/Decrypt Sectors option if the disk crypt state is still valid. If SafeBoot has become corrupt on the disk, or the crypt state has been corrupted, you will need to use the Force Crypt/Decrypt Sectors option. If you change the encryption state with the Crypt/Decrypt Sectors option, appropriate modifications will be made to the disk Crypt List. For example, if you encrypt a new range, a new Region definition will be created. If you decrypt within an existing Region, then the existing region will be split into two; if you completely decrypt a region, it will be removed from the crypt list.

Disk: Menu containing the options: Get Disk information; Repair Disk Information; Crypt Sectors; Force Crypt Sectors; Edit Crypt State; Restore MBR; Restore SafeBoot MBR; Mount Drive.

Disk Information:
   GUID - The unique GUID of the machine's disk (a Device Encryption construct).
   Alg ID - The ID of the SafeBoot Algorithm used to encrypt the disk.
   Database ID - The SafeBoot Database ID (hexadecimal) of the host SafeBoot Database that this machine has registered its keys to, and is accepting policy updates from. You can determine the Database ID through Management Center by looking at the License Information.
   Machine ID - This is the machine unique object ID. You can find the machine's corresponding policy object by authenticating to the correct SafeBoot Database (using the Database ID above to ensure you're connected to the correct DB). Then click the SafeBoot Machines Group node in the Devices tab, then click the Groups Find and search for the appropriate Object ID (in the example above it would be 00000003).
   SBFS Sector Map - This is the sector location at the beginning of the SBFS Sector map. The SBFS Sector map defines the ranges of sectors on the user's hard disk which contain the Device Encryption pre-boot environment.
   SBFS Sector Map Count - This is the size of the sector map.
   Key Check - A hash of the encryption key used to protect the machine. This is used to verify keys are correct.
   Crypt List:
      Region Count - The number of defined crypted areas of this logical disk. This usually corresponds to the number of partitions on the drive.
      Region - Each region is defined as follows:
         Start Sector - The physical start sector of the region.
         End Sector - The last physical sector included in the region.
         Sector Count - The number of sectors included in this region.
   PowerFail Status - Device Encryption tracks the progress of encryption on the drive to ensure that if power is lost during encryption, the process is recoverable.
      Status - Determines whether the drive is currently in powerfail state. A status of Inactive indicates that the current encryption process has finished.
   Partition - A section per logical partition on this physical drive as follows:
      Partition Number - The unique partition number.
      Partition Type - The file system detected on this partition.
      Partition Bootable - Whether the partition is bootable or not.
      Partition Recognised - Whether the partition is recognized as viable.
      Partition Drive Letter - The detected drive letter of this partition.
      Partition Start Sector - The physical start sector of the partition.
      Partition End Sector - The physical end sector of the partition.
      Partition Sector Count - The number of sectors in the partition.

Edit Disk Crypt State: Before using this option call McAfee Technical support for assistance. This option will certainly cause irretrievable data loss if used incorrectly. Ensure when using this option that there is no possibility of losing power while it is working - this option DOES NOT support power fail protection.

Emergency Boot: Repairs the SafeBoot File system on the client machine.

Force Crypt/Decrypt Sectors: Before using this option call McAfee Technical support for assistance. Unlike the Crypt/Decrypt sectors option, the Force Crypt/Decrypt option does not pay attention to the disk crypt state; it simply performs the operation blindly according to user input. Force Crypt does not support power fail, nor does it apply any logic or parameter validation on the input. You should only use the Force Crypt/Decrypt sectors option when all else fails, when the on-disk structures are completely corrupted for example. This option will certainly cause irretrievable data loss if used incorrectly. If you are forced to use this option, you should make a recording of each operation you apply to aid in data recovery. Ensure when using this option that there is no possibility of losing power while it is working - this option DOES NOT support power fail protection.

Get Disk Information: This option displays information about the physical drives detected by SafeTech. Each physical disk has a node in the disk information tree which describes its LUN, partitions, size and SafeBoot information.

Mount Drive: The Mount Drive feature allows quick access to data on an encrypted drive. This is only possible if the administrator has been properly authorized using the correct key. There is no need to completely decrypt the drive first to get at important files. Data is decrypted on-the-fly from the encrypted disk and this allows full access to the contents.

Mount SBFS as a drive: This option provides quick and easy access to the SafeBoot File System by mounting it as a drive.


Open Workspace: This option opens the Workspace window. For assistance on how to use the SafeTech/WinTech workspace, please contact McAfee support. Note: The Open Workspace option appears in the Disk menu for SafeTech only; in the WinTech application, however, it appears as a main menu option.

Remove SafeBoot: Removes the encryption and boot sector from a machine, but does not remove the SafeBoot client files. (See the Device Encryption Administration Guide for details on removing client files).

Repair Disk Information: The Repair Disk Information option will fix problems with the boot disk only. For this to work the crypt list portion must still be valid and the power fail state must be inactive.

Reset INT13 vector: When moving a hard disk between machines, updating the BIOS, or after a virus attack, SafeBoot will warn of a possible virus at boot time and deny access to the machine. Should there be a possibility of a virus, run a virus checker.

Restore MBR: Restores the original MBR of the machine but does no validation checking.

Restore SafeBoot MBR: Now that the disk information for the boot disk is stored in the main partition, the only link to it is from the SafeBoot MBR. If the SafeBoot MBR gets removed or corrupted, there is no way to find the disk information. So the client now stores the SafeBoot MBR in the database during sync, hence it will be exported to the transfer database and can then be used by WinTech to restore the SafeBoot MBR. This allows administrators to have the ability to restore it in case of a disaster recovery with WinTech. This can be used to repair a corrupt logon screen, for example.

Set Background Colour (SafeTech only): This option allows the background colour of the screen to be set to improve clarity on older monitors. You can choose from Black, Red, Green, Blue, or White.

.SDB: The file type of the select transfer database file. See below.

Select Transfer Database: The Select Transfer Database is the machine configuration file containing the encryption keys and MBR information for a particular machine. This file is created (exported) from the main database using the Management Center.

Set Disk Algorithm: This option allows you to specify an algorithm for the disk in the event that it is not picked up automatically.

Set Workspace Algorithm: This option allows you to specify an algorithm for the Workspace in the event that it is not picked up automatically.


Set Algorithm: This option allows you to select which algorithm to use in the current SafeTech session. As the SafeBoot Device Encryption algorithm is an enterprise-wide setting, and can never be changed, you should confirm the algorithm the Management Center is using before setting it in SafeTech. You can do this from the Help/About/Modules screen - check the description of the SBAlg.DLL file. Selecting the wrong algorithm here will cause any manual decryption functions (decrypt sectors, force decrypt sectors, etc.) to perform the wrong mathematical functions on the data. This process is reversible, for example by re-encrypting the sector ranges, but if the algorithm choice cannot be remembered, it can be extremely time consuming to recover from.
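The crypt list bookkeeping described in the Crypt/Decrypt Sectors and Disk Information entries of this glossary can be modelled as follows. This is an added Python example, not part of the McAfee guide and not SafeTech's own code: the Region and CryptList names are hypothetical, the sector values are constructed, and rejecting a whole range that fails validation is an assumption (the guide only states that such sectors will not be encrypted or decrypted).

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Region:
    start: int  # Start Sector: first physical sector of the region
    end: int    # End Sector: last physical sector included in the region

    @property
    def sector_count(self) -> int:
        return self.end - self.start + 1


class CryptList:
    """Sorted, non-overlapping list of encrypted regions (hypothetical model)."""

    def __init__(self, regions=()):
        self.regions = sorted(regions)

    @staticmethod
    def _check(start, end):
        if start < 0 or end < start:
            raise ValueError(f"invalid sector range {start}-{end}")

    def encrypt(self, start, end):
        """Add a new region; refuse a range that touches encrypted sectors."""
        self._check(start, end)
        for r in self.regions:
            if r.start <= end and start <= r.end:
                raise ValueError(f"sectors in {start}-{end} are already encrypted")
        self.regions = sorted(self.regions + [Region(start, end)])

    def decrypt(self, start, end):
        """Decrypt inside one region: split it, shrink it, or remove it."""
        self._check(start, end)
        owner = next((r for r in self.regions
                      if r.start <= start and end <= r.end), None)
        if owner is None:
            raise ValueError(f"sectors in {start}-{end} are not encrypted")
        rest = [r for r in self.regions if r != owner]
        if owner.start < start:          # keep the part before the range
            rest.append(Region(owner.start, start - 1))
        if end < owner.end:              # keep the part after the range
            rest.append(Region(end + 1, owner.end))
        self.regions = sorted(rest)


if __name__ == "__main__":
    # Constructed sample crypt list: two encrypted regions.
    crypt_list = CryptList([Region(2000, 2999), Region(63, 1000)])
    crypt_list.decrypt(400, 499)     # inside a region: split into two
    crypt_list.decrypt(2000, 2999)   # whole region: removed from the list
    crypt_list.encrypt(1500, 1599)   # unencrypted range: new region
    for region in crypt_list.regions:
        print(region.start, region.end, region.sector_count)
    try:
        crypt_list.encrypt(300, 450)  # overlaps 63-399: rejected
    except ValueError as err:
        print("rejected:", err)
```

The Force Crypt/Decrypt Sectors option corresponds to skipping these checks entirely, which is why the guide asks for a written record of every forced operation.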
