Object Directory Maintenance

Maintenance Introduction

To keep the database clean and healthy, maintenance is required on a regular basis. This maintenance can be done manually using the Endpoint Encryption Manager, or with the EEPC Command Line Tool (SBADMCL), which is the preferred way for larger Object Directories.

This guide describes the processes needed for maintenance. It is written for Endpoint Encryption administrators.

NOTE: These are generic recommendations based on experience but may not always be suitable for your specific environment. For database maintenance and performance, it is always recommended to engage McAfee Professional Services prior to implementing any of these suggestions. It is possible on already installed environments to have a McAfee professional perform consultancy and provide a “health check” on the setup and performance settings of the Object Directory.

Environment

This guide applies to McAfee Endpoint Encryption V5 and up; however, many steps in this guide can be applied to V4 (build 4770).

Audit maintenance

The audit can grow without limit in the database. This can slow down the database dramatically. The Endpoint Encryption administrator has to make sure that the audit is cleaned up every year or every half year, depending on the database performance.

For more information on the command line tool SBADMCL.exe or its commands, please see the Endpoint Encryption Scripting Tool User Guide, which is found in most normal installations of the Endpoint Encryption Manager.

Extracting and Clearing Audit from the Database

The audit from users and systems needs to be cleared at least once a year for smaller implementations and frequently for larger deployments because it grows fast. Heavily used objects, such as an administrator’s account or a user object frequently used by a script, are likely to be common large audit creators.

The need to clear audits can vary depending on configuration, usage and requirements. However, the Security Management team should decide when to clear the audit.

In later versions of the tool, the ClearDaysOld command was added. This option gives the administrator the possibility to clear audits that are, for example, 90 days and older. This option must be used instead of the Clear option, because the Clear option will override the ClearDaysOld option if used together.

The audit will always be exported before it is deleted. This will give the administrator the possibility to look back at older audits using Microsoft Excel or similar tools.

Clearing the Audit

SBADMCL is usually run from the directory where the Endpoint Encryption Manager is installed. An admin account with high-level credentials will be needed for the script.

Some of the commands needed below are database-intensive processes, so run these commands during non-working hours only, or do it in more controlled sessions (one group at a time, for example) during daytime if the groups are small.
 

Contents of ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE

Page 1: ...1 McAfee Endpoint Encryption Enterprise Best Practices Guide November 2009...

Page 2: ...d No part of this publication may be reproduced transmitted transcribed stored in a retrieval system or translated into any language in any form or by any means without the written permission of McAfe...

Page 3: ...OF 5000 USER MACHINE OBJECT DIRECTORY 10 VIRTUAL SERVERS 10 GLOBAL DEPLOYMENTS 11 OPTIMISATION ACTIONS 11 OPTIMISATION ACTIONS OVERVIEW 12 NAME INDEXING DBCFG INI 13 WARNINGS 13 DBCFG INI 13 GROUP SI...

Page 4: ...19 CLEARING THE AUDIT 19 DELETED ITEMS CLEANUP 20 CHECKING FOR DATABASE CORRUPTION 20 WHY DOES THE DATABASE GET CORRUPTED 20 ORPHANED OBJECTS 21 RESTORE COMMANDS 21 CLEANUP COMMANDS 21 DUMP MACHINE D...

Page 5: ...e product and the environment in which it is being used before arriving at any decision on implementation strategy Calculations and figures in this guide are based on field evidence and not theoretica...

Page 6: ...a distributed way For example the Web Helpdesk component can be installed on a dedicated web server while the rest of the components are on a separate Endpoint Encryption Server However the majority o...

Page 7: ...hared Server can be used for low numbers Please see Virtual Server section in this guide Virtual hardware has to be of higher specification if resources are shared See Page 11 2000 5000 users systems...

Page 8: ...nvironment has not been fully tested at this time in engineering Load Balancing Given the best configuration is usually a single high performance server with DAS then the least optimal way to perform...

Page 9: ...s The default settings of the Communication Server limit the queue to 200 entries a balance between taking connections and processing connections After that point the connections are refused This is a...

Page 10: ...use of Virtual Servers is a result of Lack of resources dedicated to the virtual server Dynamically assigned resources to the virtual server which starves it of the necessary performance during peak p...

Page 11: ...y is necessary it is better to include endpoints from all regions in the pilot phase Optimisation Actions NOTE These are generic recommendations based on experience but not always be suitable for your...

Page 12: ...me to five minutes Disable NTFS Last Access Update with a registry change Increase the size of the NTFS Master File Table MFT with a registry change Optimize backups Exclude the Object Directory and t...

Page 13: ...smaller than 5000 systems otherwise you find the number by multiplying the number of users or systems in the database by 0 6 Example If the number of users in the database is 10 000 the Locktimeout s...

Page 14: ...lable from your McAfee representative Attribs SingleFile No If this is set to Yes the attributes for objects will be placed into a single file instead of each one having their own file Not generally u...

Page 15: ...ours NOTE A similar setting KeepAliveInterval has a default 1000 1 second this setting is correct so do not change this Last Access Time Stamp NtfsDisableLastAccessUpdate With large databases it is po...

Page 16: ...3 or 4 instead of the default value of 1 Object Directory Backup Tool Setup If you set up your Object Directory backup tool make sure it is not running too many times a day because the in between tim...

Page 17: ...ed you schedule EEPC command line tool SBADMCL to cleanup machine audit and the user audit See Endpoint Encryption Object Directory Maintenance section below File Cache on Raid Hard Drive Controller L...

Page 18: ...containing old deleted users systems and other objects and are found through the System tab in the Endpoint Encryption Manager These objects can slow searches down If these objects are needed for aud...

Page 19: ...ds please see the Endpoint Encryption Scripting Tool User Guide which is found in most normal installations of the Endpoint Encryption Manager Extracting and Clearing Audit from the Database The audit...

Page 20: ...within the Object Directory is renamed The extension of the folder is renamed from RMV to WPE With a very large database these empty removed folders can sometimes slow down searches In a test lab try...

Page 21: ...have a full backup of SBDATA before doing this Restore Commands To restore orphaned user objects back into a group use this command SBADMCL Command RestoreUsers Adminuser Admin Adminpwd mypassword Gr...

Page 22: ...ects in the DumpMaDesc log can be deleted from the database If the normal deletion doesn t work use Windows Explorer to browse to the actual location in the database and delete the physical folder In...

Page 23: ...utes servicing each client EEPC has excellent password synchronization across all the endpoint clients a user is assigned to It is therefore logical that adding thousands of users to each machine will...

Page 24: ...nate Requests This option stops the machine from entering hibernation mode Note this option is not supported in Vista With later versions of EEPC v5 x this should normally be left disabled to allow no...

Page 25: ...ppear as a fixed drive and therefore swaps with the fixed disk after booting from it It can cause recovery problems with Remove or Emergency Boot for example Alternatively use with a floppy disk drive...

Page 26: ...tion to encrypted data Using one autoboot user for too many machines Instead use more autoboot users to reduce the multiple connections and load on the autoboot user object in the database Autoboot us...
