3 Replies Latest reply on Sep 22, 2010 10:10 AM by SafeBoot

    Offline ReenableSecurity

      Can A client's security be reenabled without requireing network connectivity to the server?  In the XML <database> tag is there a local database moniker I can use?

       

      I'm building a package to

      • uninstall software
      • DisableSecurity
      • Reboot
      • ReenableSecurity
      • Install updated software
      • reboot

       

      The issue is with the potential for the system to be offline during the install ReenableSecurity cycle.  For security reasons for our systems, we need to ensure that the SafeBoot security is renabled immediatly upon system restart.  (We are handling this by Local Group Policies)

       

      I'm using direct calls to the SBAdmDLL.dll and not using the commandline utility.

       

       

      Message was edited by: danerjones on 9/21/10 9:25:38 PM CDT

       

       

      Message was edited by: danerjones on 9/21/10 9:26:25 PM CDT
        • 1. Re: Offline ReenableSecurity

          yes? Reenablesecurity and disablesecurity ONLY work offline - they don't talk to the DB at all.

           

          You need to make sure in your machine policy you have the "allow local control of autoboot" (sic?) enabled though - it's DISABLED by default to prevent this exploit.

           

          The nice thing is that if the machine does come online and sync - it will remove the "disablesecurity" feature automatically and revert back to pre-boot enabled (unless the central EEM policy has an autoboot user assigned to the machine of course).

          • 2. Re: Offline ReenableSecurity

            According to the "McAfee®  Endpoint Encryption Scripting Tool User Guide" on page 45, states that the Connection is required and the example shows a full SbAdminConnection section.

             

            <SafeBoot>
            <SbAdminScripting>
              <SbAdminConnection>
               <ConnectionType>Transient</ConnectionType>
               <Database>SafeBoot Admin Database</Database>  
               <AuthType>UserNamePassword</AuthType>
               <AdminUser>SbAdmin</AdminUser>
               <AdminPwd>12345</AdminPwd>
              </SbAdminConnection>
              <SbAdminCommand>
               <Command>DisableSecurity</Command>
              </SbAdminCommand>
            </SbAdminScripting>
            </SafeBoot>

             

            I tried the command again but without the SbAdminConnection section and it worked.  The documentation needs to be updated to clarify this difference.

             

            <SafeBoot> 
            <SbAdminScripting>
              <SbAdminCommand>
               <Command>DisableSecurity</Command>
              </SbAdminCommand>
            </SbAdminScripting>
            </SafeBoot>
            • 3. Re: Offline ReenableSecurity

              you are correct. I'll submit an FMR for this.