December 11, 2007 – HSBC, Hong Kong
SafeBoot Advanced Training
www.safeboot.com
SafeBoot® Mobile Data Security
SafeBoot Advanced Training

Summary: An administrator-level overview of the benefits and advanced use of the SafeBoot Device Encryption product.

Target Audience: Technical engineers responsible for Support, Implementation, Systems and (Pre)Sales.
Agenda

What happens if SafeBoot is installed?
Tuning the Object Database
SafeBoot Recovery
Differences between v4.x and 5.x
How to obtain Technical Support?
What happens if SafeBoot is installed? (1/2)

[Figure: disk layout after SafeBoot DE installation]
Sector 0: MBR, replaced by the SafeBoot Boot Record (SBR), which the BIOS loads
Sectors 1 - 62: partition gap, holding the SafeBoot File System (SBFS), including the saved original MBR
Sectors 63 - ...: HDD partition(s)
Boot flow: BIOS -> SBR -> PreBoot Authentication to access SBFS -> original MBR -> Windows boots
What happens if SafeBoot is installed? (2/2)

- SafeBoot replaces the MBR with its own boot record (SBR).
- No repartitioning of the hard disk is required, unlike competitors that use a Linux pre-boot OS.
- The original MBR is saved in the SafeBoot File System (SBFS).
- The SBR contains information about the start of the boot code and the SBFS sector chains.
- After logon, SafeBoot loads the original MBR and runs it (first updating the saved copy with the current partition table).
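As an added illustration (not code from the deck or from SafeBoot), the following Windows PowerShell snippet decodes a standard 512-byte MBR: the 0x55AA boot signature, the four partition-table entries, and the number of sectors between sector 0 and the first partition, which is the "partition gap" the slide places SBFS in. The SBR/SBFS on-disk format is proprietary and is not decoded here. The sample sector is constructed; the function names ConvertFrom-Mbr, New-SampleMbr and Read-Sector0 are chosen for this example, and reading \\.\PhysicalDrive0 assumes an elevated Windows PowerShell prompt.

```powershell
# Added example, not SafeBoot code: decode the standard MBR layout
# (boot code bytes 0-445, partition table 446-509, signature 55 AA at 510-511).

function ConvertFrom-Mbr {
    param([Parameter(Mandatory)][byte[]]$Sector)

    if ($Sector.Length -ne 512) { throw "Expected a 512-byte sector, got $($Sector.Length) bytes" }
    $signatureValid = ($Sector[510] -eq 0x55) -and ($Sector[511] -eq 0xAA)

    $partitions = @()
    for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + 16 * $i              # each partition entry is 16 bytes
        $type = $Sector[$off + 4]
        if ($type -eq 0) { continue }      # 0x00 = unused slot
        $partitions += [pscustomobject]@{
            Slot     = $i
            Bootable = ($Sector[$off] -eq 0x80)
            Type     = ('0x{0:X2}' -f $type)
            StartLba = [BitConverter]::ToUInt32($Sector, $off + 8)    # little-endian LBA
            Sectors  = [BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }

    # Sectors 1 .. (first partition start - 1) are the partition gap the slide shows SBFS using.
    $firstStart = if ($partitions) { ($partitions | Measure-Object -Property StartLba -Minimum).Minimum } else { 0 }
    $gap = if ($firstStart -gt 1) { $firstStart - 1 } else { 0 }

    # Hash of the boot-code area: this is what changes when the SBR replaces the MBR code.
    $bootCode = [byte[]]($Sector[0..445])
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''

    [pscustomobject]@{
        SignatureValid = $signatureValid
        Partitions     = $partitions
        GapSectors     = $gap
        BootCodeSha256 = $bootHash
    }
}

function New-SampleMbr {
    # Constructed sample: one bootable NTFS partition starting at LBA 63 (62-sector gap).
    $s = New-Object byte[] 512
    $e = 446
    $s[$e]     = 0x80          # active flag
    $s[$e + 4] = 0x07          # NTFS type code
    [BitConverter]::GetBytes([uint32]63).CopyTo($s, $e + 8)
    [BitConverter]::GetBytes([uint32]2097152).CopyTo($s, $e + 12)   # 1 GiB of 512-byte sectors
    $s[510] = 0x55; $s[511] = 0xAA
    return ,$s
}

function Read-Sector0 {
    # Reads the live sector 0; raw device access needs an elevated prompt (assumption).
    param([string]$Device = '\\.\PhysicalDrive0')
    $fs = New-Object System.IO.FileStream($Device, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 512
        if ($fs.Read($buf, 0, 512) -ne 512) { throw "Short read from $Device" }
        return ,$buf
    } finally { $fs.Dispose() }
}

# Usage with the constructed sample; on a live machine use: ConvertFrom-Mbr (Read-Sector0)
$mbr = ConvertFrom-Mbr (New-SampleMbr)
$mbr.Partitions | Format-Table -AutoSize
"Signature OK: $($mbr.SignatureValid); partition gap: $($mbr.GapSectors) sectors; boot code SHA-256: $($mbr.BootCodeSha256)"
```

Run it on a machine before and after SafeBoot is installed: the partition entries should be identical (no repartitioning, as the slide states), while BootCodeSha256 changes because bytes 0-445 now hold the SBR. GapSectors tells you how much room exists between sector 0 and the first partition; in the slide's layout that is sectors 1-62.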
Tuning the Object Database (1/2)
1. Disable the server antivirus on the SBDATA folder (exclude SBDATA). The antivirus cannot scan encrypted data, so there is no benefit in enabling it. Because scanning causes a large number of file accesses, excluding the SBDATA folder greatly improves server performance.
2. Disable NTFS LastAccessTime. This feature has no value within the SafeBoot environment and significantly slows down file access.
3. Enable Name Indexing. This improves user and machine name to ID resolution. See the Administration Guide for details.
4. Keep the SBDATA folder on a *local* drive on the server. Do not put SBDATA on a remote file share or NAS. Storing the data on a remote server, even on a SAN, is always significantly slower than local direct storage.
5. Periodically export and clean up the User and Machine Audit logs with the scripting tool. If a server has been running for a long time the audit log can grow very large. Exporting and cleaning it reduces the SafeBoot database size. This is especially important for accounts used for scripting and automation, as they generate large audit logs.
6. The database consists of many files, and the speed of file access is the most important factor for high performance. Adding cache memory to the server's disk RAID controller will therefore improve performance. You can also switch the database into "compressed mode", which reduces the number of files and, on some controllers, improves performance.
Tuning the Object Database (2/2)
7. Limit the maximum number of concurrent client connections to the SafeBoot server. See the Administration Guide for details. A balance must be struck between accepting many connections and processing them slowly, and accepting a few connections and processing them quickly. The default connection limit of 200 is designed to achieve this balance.
8. Reduce the TCP/IP KeepAliveTime from 2 hours to 5 minutes. This forces dead network connections to be disconnected quickly.
9. In the machine properties, do not force a high synchronization rate without good reason; we recommend machines sync every 6 hours. Synchronizing every few minutes simply adds unnecessary network and database load.
10. Be careful about assigning unnecessary users to machines - even though it may be simple to assign every user to every machine, this is often a huge security risk and is considered bad practice. You should think in terms of who actually needs to use the machine, and also the administrators and engineers. On every machine sync each user policy needs to be checked and potentially updated, so having hundreds of unnecessary users adds unwanted load (and security risk).
11. Switch off object change tracking if you are not using that feature of the Backup Tool (see the Administration Guide). This prevents unnecessary writes to the database.
12. Follow the standard Microsoft Performance Tuning Guidelines for Windows Server.
2. Disable NTFS LastAccessedTime
This feature has no value within the SafeBoot environment and significantly slows down file access.
Use fsutil from the command line to check the last-access-time behaviour on your system:
fsutil behavior query disablelastaccess
To disable the last access time use:
fsutil behavior set disablelastaccess 1
3. Name Indexing (1/2)
The Name Index creates a "shortcut" to name-to-id lookup by periodically creating indexes of the name/id attributes of all objects in the directory.
Once created, all lookups pass through the cache for resolution - as the Cache is much smaller than the directory this leads to dramatic increases of performance, mainly through better use of the operating system file cache.
As a side-effect, the name index also speeds up counting objects in the database (part of license validation).
3. Name Indexing (2/2)
The Name Index is controlled through the file “DBCFG.INI" stored in the root of the object directory (normally the “SBDATA” directory). The index files are stored in the root of each object type.
The following section should be present in DBCFG.INI:

[NameIndex]
Enabled=Yes
5. Export and cleanup Audit logs
Periodically export and cleanup the User and Machines Audit logs with the scripting tool. If a server is running for a significant amount of time the Audit log can grow to big proportions. By exporting and cleaning this will reduce the SafeBoot Database size. This is especially important for accounts used for scripting and automation, as they generate large audit logs.
The scripting tool commands to use are DumpUserAudit and DumpMachineAudit.
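The host-level items of the tuning list (1: antivirus exclusion, 2: LastAccessTime, 3: Name Index, 8: KeepAliveTime) can be applied from one script. The following Windows PowerShell script is an added example for this page, not SafeBoot's own tooling; it assumes the object database lives in D:\SBDATA, that the server's antivirus is Windows Defender (other products need their own exclusion console), and that it runs from an elevated prompt. The registry location of KeepAliveTime and the fsutil commands are standard Windows; the DBCFG.INI section is the one from the slide. The product-specific items (connection limit, sync interval, change tracking) are left to the Administration Guide.

```powershell
# Added example, not SafeBoot's own tooling: applies tuning items 1, 2, 3 and 8 from the
# slides on a SafeBoot server. Assumptions: object database in D:\SBDATA, Windows Defender
# as the AV product, elevated Windows PowerShell prompt.
param(
    [string]$SbData = 'D:\SBDATA',    # assumed path of the object database
    [int]$KeepAliveMinutes = 5
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path $SbData)) { throw "Object database folder '$SbData' not found" }

# 1. Exclude SBDATA from on-access scanning: the files are encrypted, so every scan is wasted I/O.
if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
    Add-MpPreference -ExclusionPath $SbData
} else {
    Write-Warning "Defender cmdlets not available; exclude '$SbData' in your AV console instead."
}

# 2. Stop NTFS from rewriting LastAccessTime on every read of the thousands of database files.
#    fsutil reports DisableLastAccess = 1 or 3 when the update is already disabled.
$state = (fsutil behavior query disablelastaccess) -join ' '
if ($state -notmatch 'DisableLastAccess = [13]') {
    fsutil behavior set disablelastaccess 1 | Out-Null
}

# 3. Enable the Name Index via DBCFG.INI in the root of the object directory.
#    Appends the section if it is missing; edit by hand if it already exists with Enabled=No.
$cfg   = Join-Path $SbData 'DBCFG.INI'
$lines = if (Test-Path $cfg) { @(Get-Content $cfg) } else { @() }
if ($lines -notcontains '[NameIndex]') {
    $lines += '[NameIndex]', 'Enabled=Yes'
    Set-Content -Path $cfg -Value $lines -Encoding Ascii
}

# 8. Drop TCP KeepAliveTime from the 2-hour default to 5 minutes. The value is in
#    milliseconds and is only read when the TCP/IP stack starts, so a reboot is required.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
New-ItemProperty -Path $tcpip -Name 'KeepAliveTime' -PropertyType DWord `
    -Value ($KeepAliveMinutes * 60 * 1000) -Force | Out-Null

# Show the resulting settings so they can be verified before the reboot.
Get-ItemProperty -Path $tcpip -Name 'KeepAliveTime' | Select-Object KeepAliveTime
fsutil behavior query disablelastaccess
Get-Content $cfg
```

Re-run `fsutil behavior query disablelastaccess` after the reboot as well: on older Windows versions the LastAccess setting only takes effect after a restart, the same as KeepAliveTime.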
SafeBoot Recovery

SafeBoot's impact on the machine:
- Changes to the MBR
- Full/partial encryption
- Standard diagnostic tools: ERDs, Ghost, partitioning tools, etc.

Creating a Recovery Disk:
- Bootable floppy disk
- Recovery files
- Machine objects from the database
SafeBoot Recovery

Purpose of the Access Code:
- Daily Code
- Only available to trained people
SafeTech Common Tasks

Most common issues: error, cause and solution
- "Layer Key" error: Emergency Boot
- "92h" error: Emergency Boot
- "INT13" error: Reset INT13
- OS crash: Remove SafeBoot

Important!
- SafeBoot problem (black screen) = Emergency Boot
- Windows problem (BSOD) = Remove SafeBoot
Differences between v4.x and 5.x (1/6)
Security Enhancements
- The architecture and source code were submitted for Common Criteria EAL4 certification, and reached CC EAL4 approval in March 2006. SafeBoot v5 has been BITS certified.

Administrator Functions
- New installation wizard, which must be activated with a dedicated product code. The big advantage is that only one CD build is required, which includes all products and features.
- The Administration system now automatically detects the host OS language and, if supported, displays the interface in that language.
- In v4, SafeBoot could only try to reach a remote machine by its known IP address. v5 also supports, as a second option, the DNS network name.
Differences between v4.x and 5.x (2/6)
Usability Changes (1/3)
- The Management Centre and Device Encryption Client have been restyled in a modern Windows XP look and feel to increase user acceptance.

[Screenshots: Management Centre v4 / Management Centre v5]
Differences between v4.x and 5.x (3/6)
Usability Changes (2/3)
- The Device Encryption pre-boot operating system (PBOS) now supports resolutions up to 1024x768 in true colour for a rich user experience. The new PBOS is a full 32-bit OS and supports complete text and graphical styling by administrators, including font changes.

[Screenshots: SafeBoot v4 / SafeBoot v5 pre-boot screens]
Differences between v4.x and 5.x (4/6)
Usability Changes (3/3)
- SafeTech v5 can be run from CD-ROMs or bootable USB devices.
- SafeBoot v5 introduces a new recovery method with WinTech. WinTech can perform most of the SafeTech operations and offers enhanced recovery options without the need for a floppy disk.

[Screenshots: SafeTech v4 / SafeTech v5]
Differences between v4.x and 5.x (5/6)
Technology Enhancements
- Historically, Device Encryption v4 used a proprietary 16-bit pre-boot operating system to provide authentication services. The v5 environment uses a complete 32-bit COTS manufacturing operating system customised to provide SafeBoot-related services. This OS has full USB support and components for touch screens, tablet displays, mice and other HID devices. The capabilities of the Device Encryption v5 PBOS far exceed those of any other full disk encryption product.
- The entire SafeBoot v5 suite has been rewritten to support Unicode text and messaging end to end. SafeBoot is available in many languages, including double-byte ones such as Chinese, Korean and Japanese, as well as Arabic.
- Device Encryption 5 supports many keyboard layouts that were impossible to support in v4, such as Kazakh, Polish, Japanese and Estonian.
Differences between v4.x and 5.x (6/6)
Performance Changes
- The initial disk encryption function has been enhanced to perform the one-time encryption of the disk faster: the v5 version is approximately 2-4x faster than the v4 product.
- The new pre-boot authentication environment now makes use of caching and indexing to support thousands of users simultaneously. Whereas the v4 PBOS was designed to support a maximum of 500 users, with a realistic limit of around 300, the v5 PBOS supports over 10,000 users.
- Hibernation speed has been increased by a factor of 6. Previously, hibernation could take 1-2 minutes because of the way SafeBoot was forced to hook hibernation within Windows. With SafeBoot 5, hibernation runs at almost the same rate as on a non-encrypted system.