Full Disk Encryption
Course Objectives Given Privileged Permissions and Permissions Settings as defined in Full Disk Encryption, define the role of users and administrators in your organization. Considering Full Disk Encryption’s encryption technology, choose the most suitable method for authenticating each user type. Install and confirm the installation of Full Disk Encryption for the administrator with the installation CDs. Determine access levels for Full Disk Encryption users and create user profiles. Select the suitable authentication method for a given deployment. Prepare a strategy to deploy Full Disk Encryption to all company endpoints.
Course Objectives (cont.) Given existing configuration sets and profiles, implement a Full Disk Encryption deployment for end-users. Install Full Disk Encryption on a user’s machine to initiate encryption and observe the installation process from the user’s perspective. Perform basic profile maintenance procedures such as updating and upgrading profiles from client computers, and using Remote Help to re-permit locked-out users access to their systems. Configure Service Accounts for handling recover files, update profiles, and upgrade packages. View and use the Local Events Database for monitoring and Full Disk Encryption auditing. View and transfer the local log file to the central log file. Create and deploy an uninstall profile from client computers.
Course Objectives (cont.) Develop a plan for recovering encrypted information from a hard disk. Customize the preboot environment. Troubleshoot a failed installation and repair corrupted boot sectors. Install and Configure SmartCenter for Full Disk Encryption – WebRH for Web-based remote help. Manage Organization Units to control user access and permissions. Provide remote help to Full Disk Encryption clients using SmartCenter for Full Disk Encryption – WebRH.
Full Disk Encryption Administration Preface Full Disk Encryption Administration
Preface Recommended Setup for Labs
Full Disk Encryption Overview 1 Full Disk Encryption Overview
Full Disk Encryption Overview Full Disk Encryption Data-Security Technology
Full Disk Encryption Overview File and Disk Encryption File encryption enables users to protect vital data Boot Protection/Authentication Boot protection authenticates users before a computer boots.
Full Disk Encryption Overview Check Point Total Security Model
Full Disk Encryption Overview Check Point Total Security Model Laptop outside secure network
Full Disk Encryption Overview How Full Disk Encryption works:
Full Disk Encryption Overview Full Disk Encryption security features Operates at boot level No Master Boot Record modification Dynamic-key creation on boot Sector-by-sector encryption Encryption / decryption process One installation profile for Windows Single MSI Strong user authentication Secure Remote Help Central configuration and administration Keyboard lock and screen-saver (Windows) Limited number of failed login attempts Audit logging of events
Full Disk Encryption Overview Managing Full Disk Encryption Full Disk Encryption administration is designed to allow central control of policy and security settings, decentralized deployment and daily administration.
Pointsec PC Security Features (cont.) Authentication Methods Good Better Better Best
Other FDE Security Features Recovery FDE Authority Levels System Administrator Administrator User Automatic Logging and Centralized Auditing Remote Help FDE Licensing Sold per seat
FDE Authority Levels System Administrator Create and manage user profiles Configure system settings Add and remove Administrator and User accounts Configure settings for Administrator and User accounts Give Remote Help to users who are locked out or have forgotten their password
FDE Authority Levels Administrator User View Logs Uninstall Provide Remote Help Management Console Logon Provide ‘Reset Password’ Provide ‘One-Time Logon’ User Receive ‘Reset Password’ Receive ‘One-Time Logon’
FDE Logging Automatic Logging and Centralized Auditing Local event database Local log file Central log file Windows Event Log
FDE Remote Help Remote Help FDE includes a Remote Help function that gives Administrators the ability to help users with lost password information without the user being online.
FDE Licensing Licensing FDE Licensing is provided based on the number of seats sold.
FDE Components FDE Components FDE Database
FDE Components FDE Components FDE Boot Authentication
FDE Management Console Local Remote Remote Help
FDE Encryption Key FDE Encryption Key Generation Initial encryption of the Hard Drive Common Criteria EAL4 configuration
FDE System Requirements Supported Operating Systems Microsoft Windows Mac OS X Linux Operating System Requirements / Limitations Stripe/Volume sets Compressed Root Directory Windows 2000 User Account registry permission Memory and disk space requirements
FDE System Requirements File Systems / Volumes / OS Upgrades Resizing partitions Overlapping partitions Disk volume without drive letter Disk utilities OS Upgrades Software Incompatibilities Remote Help malfunctions on slaved HDs Antivirus software FDE and VMware
FDE System Requirements Limitations Deployment software SATA CD/DVD Dual booting Multiple HD Recovery and hibernation Hidden volumes Mounted volumes/dynamic disks USP and CD-Rom
Installing Full Disk Encryption 1 Installing Full Disk Encryption
Review Questions & Answers
1. Which components comprise the basic installation of Pointsec PC? Discuss the importance of each.
The Pre-Boot environment - This is the basic security function of Pointsec PC providing boot protection and access control.
The Pointsec Database - Where user information is stored, and what is authenticated against for access to the data.
2. What is the purpose of the three sections of the Pointsec Management Console?
Local - affects changes on the local machine
Remote - affects changes on remote machines
Remote Help - provides remote assistance to users for access control
3. What are three types of hard-drive protection, and which two are used by Pointsec PC? Why?
File Encryption, Data Encryption & Boot Protection
Boot protection and Data Encryption - these provide the most secure level of data security.
The Full Disk Encryption Management Console 2 The Full Disk Encryption Management Console
Overview of the FDE Management Console The Full Disk Encryption Management Console (FDEMC) gives you access to all Full Disk Encryption functions. Using the console, the Administrator configures both local and remote settings for users’ Full Disk Encryption encrypted drives.
Overview of the FDE Management Console FDEMC Dialog Box The Full Disk Encryption Management Console window first displays the Local, Remote and Remote Help folder options after opening:
Overview of the FDE Management Console The local folder The local folder gives the Administrator the ability to view, edit, export, and print local settings, as well as view, export and print log files.
Overview of the FDE Management Console Edit Settings Hardware Devices Install Logon Remote Help Screen Saver System Password Policy Wake on LAN Windows Integrated Logon Network Location Awareness Failed Windows Logon Attempts WIL Switch Hardware Hash
Overview of the FDE Management Console Groups The same settings can be selected for either groups or user accounts.
Overview of the FDE Management Console The Remote Folder The Remote folder is where the Administrator creates and stores configuration sets for remote installations.
Overview of the FDE Management Console Configuration Sets Use the configuration set to provide a central configuration point for a root directory path. Profile Storage Update Profile Install Central Log Recovery Upgrade
Overview of the FDE Management Console Working with Profiles
Creating Configuration Sets and Profiles 2 Creating Configuration Sets and Profiles
Review Question & Answers
1. In addition to creating and storing configuration sets and profiles, what can the Administrator use the Remote folder for?
Creating upgrade packages and recovery media, and viewing Logs
2. What do Privileged Permissions do?
Permits changes for other accounts in other groups. For example - a HELPDESK login has the privileged permission to provide Remote Help.
3. If you start the PCMC on a computer that has a network connection but no access to the Internet, which setting in Internet Explorer do you have to modify to avoid delays in starting the PCMC?
Under Tools > Internet Options > Advanced > Security, clear the selection for “Check for Publisher’s Certificate Revocation List”
Full Disk Encryption Management 3 Full Disk Encryption Management
Full Disk Encryption Management Tips for Deployment
Full Disk Encryption Management Deployment Checklist Prepare the server shares Customize the preboot environment Customize Precheck.txt file Choose your distribution method Check requirements Inform end users Deploy Full Disk Encryption to machines
Full Disk Encryption Management FDE Maintenance Update the configuration Remote Help and One-Time Login The log viewer Software upgrades
Full Disk Encryption Management Working with Update Profiles Account settings Group settings Adding or deleting groups Creating an Update Profile Deleting a User through the Update Profile Machine-Specific Update Pushing the Update Profile to the Computers
Full Disk Encryption Management Upgrading FDE Software upgrades are used to upgrade FDE software, transparent to the end-user.
Deploying Full Disk Encryption 3 Deploying Full Disk Encryption
Removing User Profiles 4 Removing User Profiles
5 Using Remote Help
Full Disk Encryption Management Remote Help Remote password change One time login
Full Disk Encryption Management User Verification Predetermined question/answer Employee ID Employee start-date Voice verification Known information Call-back
3 Deploying Pointsec PC
Review Questions & Answers
1. What profile setting provides an administrator remote confirmation of a Full Disk Encryption installation on a client computer?
When creating the profile, the selection under System Settings > Install > Enable status export to file must be enabled. This will then create a .txt file in the Central Log directory in the network share. Each machine that has been deployed this profile will have its own .txt file.
2. Name 2 of the 3 ways to configure a Full Disk Encryption Service Start Account?
In a Full Disk Encryption profile via Local > Edit Settings > System Settings
Via the local PC Operating System Services settings
Full Disk Encryption Log Management 4 Full Disk Encryption Log Management
Full Disk Encryption Auditing Auditing is a central function of security software. Control of system history is essential to detecting malicious behavior or tracing problems.
Full Disk Encryption Auditing Full Disk Encryption Log The FDE logs are stored in one or more of four locations:
Local event database: Logs information about events, such as login attempts, encryption status, and time of each update to the configuration. Up to 255 events are stored here.
Local log file: The contents of the local event database are transferred here by the PC tray application (P95Tray.exe) each time a user logs in to Windows.
Central log file: This is a network folder to which local log files are copied.
Windows Event Log: FDE log files are exported to the local Windows Event Viewer in real time.
Full Disk Encryption Auditing Windows Event Viewer
Full Disk Encryption Auditing Log Filter
Review Questions & Answers
1. Name the four locations where FDE logs are stored?
Local Event Database
Local Log File
Central Log File
Windows Event Log
2. What log-event element is unique to each entry, and is useful when communicating with support?
The ID
3. Name three of the five criteria used in filtering log entries?
Info
Warning
Error
Success
Failure
Uninstallation, Recovery and 5 Uninstallation, Recovery and Troubleshooting
Uninstallation, Recovery, and Troubleshooting Uninstallation Types Full Disk Encryption can be uninstalled by: Creating and deploying an uninstall profile Using Add/Remove Programs When to use an Uninstall Profile Employee no longer with company Machine needs an OS update Employee is traveling to a country where strong disk encryption is illegal
Uninstallation, Recovery, and Troubleshooting Full Disk Encryption Recovery is based primarily on the Recovery file specified locally in the directory C:\Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC. Full Disk Encryption transfers the recovery file from C:\Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC to the directory specified in the FDEMC under Local > Edit Settings > System Settings > Install > Set Recovery Path.
Uninstallation, Recovery, and Troubleshooting If no valid recovery path can be found when Full Disk Encryption is trying to write to the recovery file, the encryption will not start until Full Disk Encryption has ascertained that it will be possible to carry out a recovery later. Until Full Disk Encryption has carried out the recovery, the PC will be left unprotected.
Uninstallation, Recovery, and Troubleshooting Recovery Methods Recovery via the Start menu Recovery via the FDEMC Creating a recovery CD-ROM Using Slave Drive Functionality to recover information
Uninstallation, Recovery, and Troubleshooting Booting from Alternative Media
Uninstallation, Recovery, and Troubleshooting Preboot Customization Menu
Uninstallation, Recovery, and Troubleshooting Customizing and Branding Full Disk Encryption Customizing Update the banner displayed Update the background image Set a preboot screen-saver image
Uninstallation, Recovery, and Troubleshooting Troubleshooting a Failed Installation Create a bootable floppy disk During boot, press F8 Choose two recovery options: Display Disk Information Repair Master Boot Record Repair a Volume Including Master Boot Record Undo the Last Repair Keyboard and Language Settings
Uninstalling from Removable Media 6 Uninstalling from Removable Media
7 Upgrading Full Disk Encryption 6.x.x to a Custom Full Disk Encryption 7.0 Installation
Review Questions & Answers
1. Which command-line utility is used to create a bootable floppy disk for recovery? What are two of the recovery options available?
userec.exe add/remove recovery
2. What safeguard is built into the uninstallation process?
It requires two administrative logins.
3. What happens during transparent uninstallation?
The client PC can still be used while Full Disk Encryption decrypts the data on the hard drive. Decryption of the hard drive runs as a throttled background service during uninstallation.
4. What are concerns during uninstallation with recovery media?
It is not a complete uninstallation, in that the program must be uninstalled using Add/Remove programs after the decryption process has completed.
SmartCenter for Pointsec - webRH 6 SmartCenter for Pointsec - webRH
SmartCenter for Pointsec - webRH Overview SmartCenter for Pointsec – webRH enables an organization’s helpdesk to use Internet technologies to provide Remote Help.
SmartCenter for Pointsec - webRH User Requirements System Requirements HD –staff requirements Full Disk Encryption Requirements Browser Requirements
SmartCenter for Pointsec - webRH Installing SmartCenter for Pointsec – webRH SmartCenter for Pointsec – webRH SQL Database SmartCenter for Pointsec – webRH Application It is possible to install and run both SmartCenter for Pointsec – webRH components on the same server running Microsoft SQL Server and Internet Information Services. However, Check Point recommends that you install them on separate servers.
SmartCenter for Pointsec - webRH webRH Administration Managing OU groups Adding and deleting tokens for helpdesk staff and Administrators Managing helpdesk staff and Administrators Creating and deploying profiles to protected devices Reviewing and exporting log files
SmartCenter for Pointsec - webRH Getting Started using webRH Start your browser and go to SmartCenter for Pointsec – webRH, i.e., http://localhost/webRH/login/index.asp
SmartCenter for Pointsec - webRH Enter your user name and click Next. The following web page opens:
SmartCenter for Pointsec - webRH Enter the challenge into your dynamic token, generate a response and enter the response. Click Login. The Welcome page opens.
SmartCenter for Pointsec - webRH Managing OU Groups Populating the levels below with Administrator accounts Populating own and levels below with HD users Creating OU groups of levels below own privilege level, and connect them to a parent OU level
SmartCenter for Pointsec - webRH Managing User Accounts User type User name Login method Organizational unit E-mail Start Date Expire Date
SmartCenter for Pointsec - webRH Managing Authentication Tokens SmartCenter for Pointsec - webRH access requires dynamic token authentication. Tokens must be imported into SmartCenter for Pointsec - webRH so that they can be assigned to helpdesk staff. Before you start to create a token entry in SmartCenter for Pointsec - webRH, you must have the token programming information available and you must enter this information correctly for the tokens to be used. When creating a token entry in SmartCenter for Pointsec - webRH, you can test the token to ensure that the entry is correct and the token is working.
SmartCenter for Pointsec - webRH Configuring Password Settings Fixed Passwords Minimum Password Length Minimum Password Age Maximum Password Age Password History Length Password Complexity Requirements Session Timeout Show logout timer Minutes Size of image in webRH
SmartCenter for Pointsec - webRH Log files in SmartCenter for Pointsec – webRH WebRH logs Remote Help events and enables Administrators to export the log files for further analysis.
Review Questions & Answers
1. Describe the two installation components of SmartCenter for Pointsec - webRH, and what is entailed in each?
SmartCenter for Pointsec - webRH SQL Database: Stores information needed to provide remote help to users.
SmartCenter for Pointsec - webRH Web Application: The browser-based program used to administer and provide Remote Help.
2. What advantage does SmartCenter for Pointsec - webRH have over Remote Help in Pointsec PC?
Pointsec PC does not need to be installed on the Remote Help provider’s machine. Remote Help can be provided using a Web browser.