McAfee ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE, Руководство пользователя

Страница: 19 / 26

19
Object Directory Maintenance
Maintenance Introduction
To keep the database clean and healthy, maintenance is required on a regular basis. This maintenance can be
done manually using the Endpoint Encryption Manager, or, with the EEPC command Line Tool (SBADMCL),
which is the preferred way for larger Object Directories.
This guide describes the processes needed for maintenance. It is written for Endpoint Encryption
administrators.
NOTE : These are generic recommendations based on experience but not always be suitable for your specific
environment. For database maintenance and performance, it is always recommended to engage McAfee
Professional services prior to implementing any of these suggestions. It is possible on already installed
environments to have a McAfee professional perform consultancy and provide a “health check” on the setup
and performance settings of the Object Directory
Environment
This guide applies to McAfee Endpoint Encryption V5 and up, however many steps in this guide can be applied
to V4 (build 4770).
Audit maintenance
Audit can grow unlimited in the database. This can slow down the database dramatically. The Endpoint
Encryption administrator has to make sure that the audit is cleaned up every year or every half year depending
on the database performance. For more information on the command line tool SBADMCL.exe or its
commands please see the Endpoint Encryption Scripting Tool User Guide, which is found in most normal
installations of the Endpoint Encryption Manager.
Extracting and Clearing Audit from the Database
The audit from users and systems needs to be cleared at least once a year for smaller implementations and
frequently for larger deployments because it grows fast. Heavily used objects such as an administrator’s
account or user object frequently used by a script are likely to be common large audit creators.
The need to clear audits can vary depending on configuration, usage and requirements. However, the Security
Management team should decide when to clear the audit. In later versions of the tool, the ClearDaysOld
command was added. This option gives the administrator the possibility to clear audits that are, for example,
90 days and older. This option must be used instead of the Clear option, because the Clear option will override
the ClearDaysOld option if used together.
The audit will always be exported before it is deleted. This will give the administrator the possibility to look
back at older audits using Microsoft Excel or similar tools.
Clearing the Audit
SBADMCL is usually run from the directory where the Endpoint Encryption Manager is installed. An admin
account with high ‐ level credentials will be needed for the script.
Some of the commands needed below are database intensive processes, so run these command during non
working hours only, or, do it in more controlled sessions (one group at a time for example) during daytime if the
groups are small.