December 11, 2007 – HSBC, Hong Kong

SafeBoot Advanced Training

www.safeboot.com

SafeBoot® Mobile Data Security

SafeBoot Advanced Training

Summary: An administrator-level overview of the benefits and advanced use of the SafeBoot Device Encryption product.

Target Audience: Technical Engineers responsible for Support, Implementation, Systems and (Pre)Sales.

Agenda

- What happens if SafeBoot is installed?
- Tuning the Object Database
- SafeBoot Recovery
- Differences between v4.x and 5.x
- How to obtain Technical Support?

What happens if SafeBoot is installed? (1/2)

[Diagram: disk layout after a SafeBoot Device Encryption installation, with the boot flow BIOS -> MBR/SBR -> PreBoot Authentication to access SBFS -> boot up Windows. Sector 0 holds the MBR, replaced by the SafeBoot Boot Record (SBR). Sectors 1 - 62, the partition gap, hold the SafeBoot File System (SBFS) and the saved original MBR. Sector 63 onward holds the partitions.]

What happens if SafeBoot is installed? (2/2)

- SafeBoot replaces the MBR with its own boot record (SBR).
- NO repartitioning of the hard disk is required, unlike competitors that use a Linux pre-boot OS.
- The original MBR is saved in the SafeBoot File System (SBFS).
- The SBR contains information about the start of the boot code and the SBFS sector chains.
- After logon, SafeBoot loads the original MBR and runs it (it now updates the original MBR with the current partition table).
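The sector-0 layout from these two slides, as an added example that is not SafeBoot code: a Python parser for a constructed MBR image that reports the partition gap where SBFS lives, plus a boot-code digest an administrator can baseline before and after installation to confirm that only the boot code changed (the SBR) while the partition table stayed intact. The sample image, its LBA values and the hypothetical boot-code bytes are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
ENTRY = '<B3sB3sII'  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(first_lba=63, sectors=2097152, bootcode=b''):
    # Constructed sample sector 0 (not a real disk image): optional boot code,
    # one bootable NTFS partition entry, and the 0x55AA signature.
    mbr = bytearray(SECTOR)
    code = bootcode[:446]
    mbr[:len(code)] = code
    mbr[446:462] = struct.pack(ENTRY, 0x80, b'\x01\x01\x00', 0x07,
                               b'\xfe\xff\xff', first_lba, sectors)
    mbr[510:512] = b'\x55\xaa'
    return bytes(mbr)

def is_valid_mbr(mbr):
    # Sector 0 only counts as an MBR with the 0x55AA boot signature in place.
    return len(mbr) == SECTOR and mbr[510:512] == b'\x55\xaa'

def parse_partitions(mbr):
    # Decode the four 16-byte slots of the partition table, skipping empty ones.
    if not is_valid_mbr(mbr):
        raise ValueError('sector 0 has no 0x55AA boot signature')
    parts = []
    for slot in range(4):
        off = 446 + 16 * slot
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        parts.append({'slot': slot, 'bootable': status == 0x80, 'type': ptype,
                      'start_lba': lba, 'sectors': count})
    return parts

def partition_gap(parts):
    # Sectors between the MBR and the first partition: the gap that holds SBFS.
    if not parts:
        return None
    first = min(p['start_lba'] for p in parts)
    return (1, first - 1) if first > 1 else None

def bootcode_digest(mbr):
    # SHA-256 of the 446-byte boot code: baseline it before and after the
    # SafeBoot install; the SBR changes this digest, partition_table() must not.
    return hashlib.sha256(mbr[:446]).hexdigest()

def partition_table(mbr):
    # The 64-byte partition table, which installing the SBR must leave intact.
    return mbr[446:510]
```

With the first partition at LBA 63, as on the slide, partition_gap() reports sectors 1 - 62; a disk whose first partition starts at LBA 1 has no gap for SBFS at all.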

Tuning the Object Database (1/2)

1. Disable the server antivirus on the SBDATA folder (exclude SBDATA). The antivirus cannot scan encrypted data, so there is no use in enabling it. Because of the many file accesses it causes, disabling antivirus on the SBDATA folder greatly improves server performance.

2. Disable NTFS LastAccessedTime. This feature has no value within the SafeBoot environment and significantly slows down file access.

3. Enable Name Indexing. This improves user and machine name to ID resolution. See the Administration Guide for details.

4. Have the SBDATA folder on a *local* drive on the server. Don't put SBDATA on a remote file share or NAS. Storing the data on a remote server, even on a SAN, is always significantly slower than local direct storage.

5. Periodically export and clean up the User and Machine Audit logs with the scripting tool. If a server has been running for a significant amount of time the Audit log can grow very large. Exporting and cleaning it reduces the SafeBoot Database size. This is especially important for accounts used for scripting and automation, as they generate large audit logs.

6. The Database consists of many files, and the speed of file access is the most important factor for high performance, so adding more cache memory to the server's HD RAID controller will improve performance. You can also switch the database into "compressed mode", which reduces the number of files and, on some controllers, improves performance.

Tuning the Object Database (2/2)

7. Limit the maximum number of concurrent client connections to the SafeBoot server. See the Administration Guide for details. A balance must be struck between accepting many connections but processing them slowly, and accepting a few connections and processing them quickly. The default connection limit of 200 is designed to achieve this balance.

8. Reduce the TCP/IP KeepAliveTime from 2 hours to 5 minutes. This forces dead network connections to be disconnected quickly.

9. On the machine properties do not force a high synchronization rate without good reason – we recommend machines sync each 6 hours. Synchronizing every few minutes simply adds unnecessary network and database load.

10. Be careful about assigning unnecessary users to machines - even though it may be simple to assign every user to every machine, this is often a huge security risk and is considered bad practice. You should think in terms of who actually needs to use the machine, and also the administrators and engineers. On every machine sync each user policy needs to be checked and potentially updated, so having hundreds of unnecessary users adds unwanted load (and security risk).

11. Switch off object change tracking if you are not using that feature of the Backup Tool (see the Administration Guide). This prevents unnecessary writes to the database.

12. Follow the standard Microsoft Performance Tuning Guidelines for Windows Server.

2. Disable NTFS LastAccessedTime

This feature has no value within the SafeBoot environment and significantly slows down file access.

Use "fsutil" from the command line to check the last-access-time behaviour on your system:

fsutil behavior query disablelastaccess

To disable the last access time use:

fsutil behavior set disablelastaccess 1

3. Name Indexing (1/2)

The Name Index creates a "shortcut" to name-to-id lookup by periodically creating indexes of the name/id attributes of all objects in the directory.

Once created, all lookups pass through the cache for resolution - as the Cache is much smaller than the directory this leads to dramatic increases of performance, mainly through better use of the operating system file cache.

As a side-effect, the name index also speeds up counting objects in the database (part of license validation).

3. Name Indexing (2/2)

The Name Index is controlled through the file “DBCFG.INI" stored in the root of the object directory (normally the “SBDATA” directory). The index files are stored in the root of each object type.

The following section should be in "DBCFG.INI":

[NameIndex]
Enabled=Yes

5. Export and cleanup Audit logs

Periodically export and clean up the User and Machine Audit logs with the scripting tool. If a server has been running for a significant amount of time the Audit log can grow very large. Exporting and cleaning it reduces the SafeBoot Database size. This is especially important for accounts used for scripting and automation, as they generate large audit logs.

The scripting tool commands to use are DumpUserAudit and DumpMachineAudit.

SafeBoot Recovery

- SafeBoot's impact on the machine: changes to the MBR; full/partial encryption; standard diagnostic tools (ERDs, Ghost, partitioning tools, etc.)
- Creating a Recovery Disk: bootable floppy disk; recovery files; machine objects from the database

SafeBoot Recovery

- Purpose of the Access Code: Daily Code; only available for trained people

SafeTech Common Tasks

Most common issues - error, cause and solution:
- "Layer Key" error: Emergency Boot
- "92h" error: Emergency Boot
- "INT13" error: Reset INT13
- OS crash: Removing SafeBoot

Important! SafeBoot problem (black screen) = Emergency Boot; Windows problem (BSOD) = Removing SafeBoot

Differences between v4.x and 5.x (1/6)

Security Enhancements

The architecture and source code were submitted for Common Criteria EAL4 certification, and reached CC EAL4 approval in March 2006. SafeBoot v5 has been BITS certified.

Administrator Functions

New installation wizard which must be activated with a dedicated product code. This has the big advantage that only one CD build is required, which includes all products and features.

The Administration system now automatically detects the host OS language and, if supported, displays the interface in that language.

In v4 SafeBoot could only try to reach a remote machine by its known IP address. v5 also supports the DNS network name as a second option.

Differences between v4.x and 5.x (2/6)

Usability Changes (1/3)

The Management Centre and Device Encryption Client have been restyled in a modern Windows XP look and feel to increase user acceptance.

[Screenshots: Management Centre v4 and Management Centre v5]

Differences between v4.x and 5.x (3/6)

Usability Changes (2/3)

The Device Encryption pre-boot operating system (PBOS) now supports resolutions up to 1024x768 in true color for a rich user experience. The new PBOS is a full 32-bit OS and supports complete text and graphical styling by administrators, including font changes.

[Screenshots: SafeBoot v4 and SafeBoot v5 pre-boot screens]

Differences between v4.x and 5.x (4/6)

Usability Changes (3/3)

SafeTech v5 can be run from CD-ROMs or bootable USB devices. SafeBoot v5 introduces a new recovery method with WinTech. WinTech can perform most of the SafeTech options and offers enhanced recovery options without the need for a floppy disk.

[Screenshots: SafeTech v4 and SafeTech v5]

Differences between v4.x and 5.x (5/6)

Technology Enhancements

Historically Device Encryption v4 used a proprietary 16-bit pre-boot operating system to provide authentication services. The v5 environment uses a complete 32-bit COTS manufacturing operating system customized to provide SafeBoot related services. This OS has full USB support, components for touch screens, tablet displays, mice and other HID devices, etc. The capabilities of the Device Encryption v5 PBOS far exceed those of any other Full Disk Encryption product.

The entire SafeBoot v5 suite has been re-written to support Unicode text and messaging end to end. SafeBoot is available in many double-byte languages such as Chinese, Korean, Japanese and Arabic.

Device Encryption 5 supports many keyboard layouts that were impossible to support in v4, such as Kazakh, Polish, Japanese, Estonian, etc.

Differences between v4.x and 5.x (6/6)

Performance Changes

The SafeBoot initial disk encrypt function has been enhanced to perform the initial one-time encryption of the disk faster – the v5 version is approximately 2-4x faster than the v4 product.

The new Pre-Boot authentication environment now makes use of caching and indexing to support thousands of users simultaneously. Whereas the v4 PBOS was designed to support a maximum of 500 users, with a realistic limit of around 300, the v5 PBOS supports over 10,000 users.

Hibernation speed has been increased by a factor of 6. Previously hibernation could take 1-2 minutes due to the mode in which SafeBoot was forced to hook hibernation within Windows. With SafeBoot 5, hibernation can now be performed at almost the same rate as on a non-encrypted system.

Questions?

Thank you for your attention!

Don't take the risk…. Be safe, install SafeBoot®
