Full Disk Encryption.


1 Full Disk Encryption

2 Course Objectives
Given Privileged Permissions and Permissions Settings as defined in Full Disk Encryption, define the role of users and administrators in your organization.
Considering Full Disk Encryption’s encryption technology, choose the most suitable method for authenticating each user type.
Install and confirm the installation of Full Disk Encryption for the administrator with the installation CDs.
Determine access levels for Full Disk Encryption users and create user profiles.
Select the suitable authentication method for a given deployment.
Prepare a strategy to deploy Full Disk Encryption to all company endpoints.

3 Course Objectives (cont.)
Given existing configuration sets and profiles, implement a Full Disk Encryption deployment for end-users.
Install Full Disk Encryption on a user’s machine to initiate encryption and observe the installation process from the user’s perspective.
Perform basic profile maintenance procedures such as updating and upgrading profiles from client computers, and using Remote Help to re-permit locked-out users access to their systems.
Configure Service Accounts for handling recovery files, update profiles, and upgrade packages.
View and use the Local Events Database for monitoring and Full Disk Encryption auditing.
View and transfer the local log file to the central log file.
Create and deploy an uninstall profile from client computers.

4 Course Objectives (cont.)
Develop a plan for recovering encrypted information from a hard disk.
Customize the preboot environment.
Troubleshoot a failed installation and repair corrupted boot sectors.
Install and Configure SmartCenter for Full Disk Encryption – WebRH for Web-based remote help.
Manage Organization Units to control user access and permissions.
Provide remote help to Full Disk Encryption clients using SmartCenter for Full Disk Encryption – WebRH.

5 Full Disk Encryption Administration
Preface Full Disk Encryption Administration

7 Preface Recommended Setup for Labs

8 Full Disk Encryption Overview
1 Full Disk Encryption Overview

9 Full Disk Encryption Overview
Full Disk Encryption Data-Security Technology

10 Full Disk Encryption Overview
File and Disk Encryption File encryption enables users to protect vital data Boot Protection/Authentication Boot protection authenticates users before a computer boots.

11 Full Disk Encryption Overview
Check Point Total Security Model

12 Full Disk Encryption Overview
Check Point Total Security Model Laptop outside secure network

13 Full Disk Encryption Overview
How Full Disk Encryption works:

14 Full Disk Encryption Overview
Full Disk Encryption security features
Operates at boot level
No Master Boot Record modification
Dynamic-key creation on boot
Sector-by-sector encryption
Encryption / decryption process
One installation profile for Windows
Single MSI
Strong user authentication
Secure Remote Help
Central configuration and administration
Keyboard lock and screen-saver (Windows)
Limited number of failed login attempts
Audit logging of events

15 Full Disk Encryption Overview
Managing Full Disk Encryption Full Disk Encryption administration is designed to allow central control of policy and security settings, decentralized deployment and daily administration.

16 Pointsec PC Security Features (cont.)
Authentication Methods Good Better Better Best

17 Other FDE Security Features
Recovery FDE Authority Levels System Administrator Administrator User Automatic Logging and Centralized Auditing Remote Help FDE Licensing Sold per seat

18 FDE Authority Levels System Administrator
Create and manage user profiles
Configure system settings
Add and remove Administrator and User accounts
Configure settings for Administrator and User accounts
Give Remote Help to users who are locked out or have forgotten their password

19 FDE Authority Levels Administrator User View Logs Uninstall
Provide Remote Help Management Console Logon Provide ‘Reset Password’ Provide ‘One-Time Logon’ User Receive ‘Reset Password’ Receive ‘One-Time Logon’

20 FDE Logging Automatic Logging and Centralized Auditing
Local event database Local log file Central log file Windows Event Log

21 FDE Remote Help Remote Help
FDE includes a Remote Help function that gives Administrators the ability to help users with lost password information without the user being online.

22 FDE Licensing Licensing
FDE Licensing is provided based on the number of seats sold.

23 FDE Components FDE Components FDE Database

24 FDE Components FDE Components FDE Boot Authentication

25 FDE Management Console
Local Remote Remote Help

26 FDE Encryption Key FDE Encryption Key Generation
Initial encryption of the Hard Drive Common Criteria EAL4 configuration

27 FDE System Requirements
Supported Operating Systems Microsoft Windows Mac OS X Linux Operating System Requirements / Limitations Stripe/Volume sets Compressed Root Directory Windows 2000 User Account registry permission Memory and disk space requirements

28 FDE System Requirements
File Systems / Volumes / OS Upgrades Resizing partitions Overlapping partitions Disk volume without drive letter Disk utilities OS Upgrades Software Incompatibilities Remote Help malfunctions on slaved HDs Antivirus software FDE and VMware

29 FDE System Requirements
Limitations Deployment software SATA CD/DVD Dual booting Multiple HD Recovery and hibernation Hidden volumes Mounted volumes/dynamic disks USP and CD-Rom

30 Installing Full Disk Encryption
1 Installing Full Disk Encryption

31 Review Questions & Answers
1. Which components comprise the basic installation of Pointsec PC? Discuss the importance of each.
   The Pre-Boot environment - This is the basic security function of Pointsec PC providing boot protection and access control.
   The Pointsec Database - Where user information is stored, and what is authenticated against for access to the data.
2. What is the purpose of the three sections of the Pointsec Management Console?
   Local - affects changes on the local machine
   Remote - affects changes on remote machines
   Remote Help - provides remote assistance to users for access control
3. What are three types of hard-drive protection, and which two are used by Pointsec PC? Why?
   File Encryption, Data Encryption & Boot Protection
   Boot protection and Data Encryption - these provide the most secure level of data security.

32 The Full Disk Encryption Management Console
2 The Full Disk Encryption Management Console

33 Overview of the FDE Management Console
The Full Disk Encryption Management Console (FDEMC) gives you access to all Full Disk Encryption functions. Using the console, the Administrator configures both local and remote settings for users’ Full Disk Encryption encrypted drives.

34 Overview of the FDE Management Console
FDEMC Dialog Box The Full Disk Encryption Management Console window first displays the Local, Remote and Remote Help folder options after opening:

35 Overview of the FDE Management Console
The local folder The local folder gives the Administrator the ability to view, edit, export, and print local settings, as well as view, export and print log files.

36 Overview of the FDE Management Console
Edit Settings Hardware Devices Install Logon Remote Help Screen Saver System Password Policy Wake on LAN Windows Integrated Logon Network Location Awareness Failed Windows Logon Attempts WIL Switch Hardware Hash

37 Overview of the FDE Management Console
Groups The same settings can be selected for either groups or user accounts.

38 Overview of the FDE Management Console
The Remote Folder
The Remote folder is where the Administrator creates and stores configuration sets for remote installations.

39 Overview of the FDE Management Console
Configuration Sets
Use the configuration set to provide a central configuration point for a root directory path.
Profile Storage
Update Profile
Install
Central Log
Recovery
Upgrade

40 Overview of the FDE Management Console
Working with Profiles

41 Creating Configuration Sets and Profiles
2 Creating Configuration Sets and Profiles

42 Creating Configuration Sets and Profiles
2 Creating Configuration Sets and Profiles

43 Review Question & Answers
1. In addition to creating and storing configuration sets and profiles, what can the Administrator use the Remote folder for?
   Creating upgrade packages and recovery media, and viewing Logs
2. What do Privileged Permissions do?
   Permits changes for other accounts in other groups. For example - a HELPDESK login has the privileged permission to provide Remote Help.
3. If you start the PCMC on a computer that has a network connection but no access to the Internet, which setting in Internet Explorer do you have to modify to avoid delays in starting the PCMC?
   Under Tools > Internet Options > Advanced > Security, clear the selection for “Check for Publisher’s Certificate Revocation List”

44 Full Disk Encryption Management
3 Full Disk Encryption Management

45 Full Disk Encryption Management
Tips for Deployment

46 Full Disk Encryption Management
Deployment Checklist
Prepare the server shares
Customize the preboot environment
Customize Precheck.txt file
Choose your distribution method
Check requirements
Inform end users
Deploy Full Disk Encryption to machines

47 Full Disk Encryption Management
FDE Maintenance Update the configuration Remote Help and One-Time Login The log viewer Software upgrades

48 Full Disk Encryption Management
Working with Update Profiles Account settings Group settings Adding or deleting groups Creating an Update Profile Deleting a User through the Update Profile Machine-Specific Update Pushing the Update Profile to the Computers

49 Full Disk Encryption Management
Upgrading FDE Software upgrades are used to upgrade FDE software, transparent to the end-user.

50 Deploying Full Disk Encryption
3 Deploying Full Disk Encryption

51 Removing User Profiles
4 Removing User Profiles

52 5 Using Remote Help

53 Full Disk Encryption Management
Remote Help Remote password change One time login

54 Full Disk Encryption Management
User Verification
Predetermined question/answer
Employee ID
Employee start-date
Voice verification
Known information
Call-back

55 3 Deploying Pointsec PC

56 Removing User Profiles
4 Removing User Profiles

57 5 Using Remote Help

58 Review Questions & Answers
1. What profile setting provides an administrator remote confirmation of a Full Disk Encryption installation on a client computer?
   When creating the profile, the selection under System Settings > Install > Enable status export to file must be enabled. This will then create a .txt file in the Central Log directory in the network share. Each machine that has been deployed this profile will have its own .txt file.
2. Name 2 of the 3 ways to configure a Full Disk Encryption Service Start Account?
   In a Full Disk Encryption profile via Local > Edit Settings > System Settings
   Via the local PC Operating System Services settings

59 Full Disk Encryption Log Management
4 Full Disk Encryption Log Management

60 Full Disk Encryption Auditing
Auditing is a central function of security software. Control of system history is essential to detecting malicious behavior or tracing problems.

61 Full Disk Encryption Auditing
Full Disk Encryption Log
The FDE logs are stored in one or more of four locations:
Local event database: Logs information about events, such as login attempts, encryption status, and time of each update to the configuration. Up to 255 events are stored here.
Local log file: The contents of the local event database are transferred here by the PC tray application (P95Tray.exe) each time a user logs in to Windows.
Central log file: This is a network folder to which local log files are copied.
Windows Event Log: FDE log files are exported to the local Windows Event Viewer in real time.

62 Full Disk Encryption Auditing
Windows Event Viewer

63 Full Disk Encryption Auditing
Log Filter

64 Review Questions & Answers
1. Name the four locations where FDE logs are stored?
   Local Event Database
   Local Log File
   Central Log File
   Windows Event Log
2. What log-event element is unique to each entry, and is useful when communicating with support?
   The ID
3. Name three of the five criteria used in filtering log entries?
   Info
   Warning
   Error
   Success
   Failure

65 Uninstallation, Recovery and
5 Uninstallation, Recovery and Troubleshooting

66 Uninstallation, Recovery, and Troubleshooting
Uninstallation Types
Full Disk Encryption can be uninstalled by:
Creating and deploying an uninstall profile
Using Add/Remove Programs
When to use an Uninstall Profile
Employee no longer with company
Machine needs an OS update
Employee is traveling to a country where strong disk encryption is illegal

68 Uninstallation, Recovery, and Troubleshooting
Full Disk Encryption Recovery is based primarily on the Recovery file specified locally in the directory C:\Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC. Full Disk Encryption transfers the recovery file from C:\Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC to the directory specified in the FDEMC under Local > Edit Settings > System Settings > Install > Set Recovery Path.

69 Uninstallation, Recovery, and Troubleshooting
If no valid recovery path can be found when Full Disk Encryption is trying to write to the recovery file, the encryption will not start until Full Disk Encryption has ascertained that it will be possible to carry out a recovery later. Until Full Disk Encryption has carried out the recovery, the PC will be left unprotected.

70 Uninstallation, Recovery, and Troubleshooting
Recovery Methods Recovery via the Start menu Recovery via the FDEMC Creating a recovery CD-ROM Using Slave Drive Functionality to recover information

71 Uninstallation, Recovery, and Troubleshooting
Booting from Alternative Media

72 Uninstallation, Recovery, and Troubleshooting
Preboot Customization Menu

73 Uninstallation, Recovery, and Troubleshooting
Customizing and Branding Full Disk Encryption
Customizing
Update the banner displayed
Update the background image
Set a preboot screen-saver image

74 Uninstallation, Recovery, and Troubleshooting
Troubleshooting a Failed Installation Create a bootable floppy disk During boot, press F8 Choose two recovery options: Display Disk Information Repair Master Boot Record Repair a Volume Including Master Boot Record Undo the Last Repair Keyboard and Language Settings

75 Uninstalling from Removable Media
6 Uninstalling from Removable Media

76 7 Upgrading Full Disk Encryption 6.x.x
to a Custom Full Disk Encryption 7.0 Installation

77 Review Questions & Answers
1. Which command-line utility is used to create a bootable floppy disk for recovery? What are two of the recovery options available?
   userec.exe
   add/remove recovery
2. What safeguard is built into the uninstallation process?
   It requires two administrative logins.
3. What happens during transparent uninstallation?
   The client PC can still be used while Full Disk Encryption decrypts the data on the hard drive. Decryption of the hard drive runs as a throttled background service during uninstallation.
4. What are concerns during uninstallation with recovery media?
   It is not a complete uninstallation, in that the program must be uninstalled using Add/Remove programs after the decryption process has completed.

78 SmartCenter for Pointsec - webRH
6 SmartCenter for Pointsec - webRH

79 SmartCenter for Pointsec - webRH
Overview SmartCenter for Pointsec – webRH enables an organization’s helpdesk to use Internet technologies to provide Remote Help.

80 SmartCenter for Pointsec - webRH
User Requirements System Requirements HD –staff requirements Full Disk Encryption Requirements Browser Requirements

81 SmartCenter for Pointsec - webRH
Installing SmartCenter for Pointsec – webRH SmartCenter for Pointsec – webRH SQL Database SmartCenter for Pointsec – webRH Application It is possible to install and run both SmartCenter for Pointsec – webRH components on the same server running Microsoft SQL Server and Internet Information Services. However, Check Point recommends that you install them on separate servers.

82 SmartCenter for Pointsec - webRH
webRH Administration
Managing OU groups
Adding and deleting tokens for helpdesk staff and Administrators
Managing helpdesk staff and Administrators
Creating and deploying profiles to protected devices
Reviewing and exporting log files

83 SmartCenter for Pointsec - webRH
Getting Started using webRH
Start your browser and go to SmartCenter for Pointsec – webRH, i.e.,

84 SmartCenter for Pointsec - webRH
Enter your user name and click Next. The following web page opens:

85 SmartCenter for Pointsec - webRH
Enter the challenge into your dynamic token, generate a response and enter the response. Click Login. The Welcome page opens.

86 SmartCenter for Pointsec - webRH
Managing OU Groups Populating the levels below with Administrator accounts Populating own and levels below with HD users Creating OU groups of levels below own privilege level, and connect them to a parent OU level

87 SmartCenter for Pointsec - webRH
Managing User Accounts User type User name Login method Organizational unit Start Date Expire Date

88 SmartCenter for Pointsec - webRH
Managing Authentication Tokens SmartCenter for Pointsec - webRH access requires dynamic token authentication. Tokens must be imported into SmartCenter for Pointsec - webRH so that they can be assigned to helpdesk staff. Before you start to create a token entry in SmartCenter for Pointsec - webRH, you must have the token programming information available and you must enter this information correctly for the tokens to be used. When creating a token entry in SmartCenter for Pointsec - webRH, you can test the token to ensure that the entry is correct and the token is working.

89 SmartCenter for Pointsec - webRH
Configuring Password Settings Fixed Passwords Minimum Password Length Minimum Password Age Maximum Password Age Password History Length Password Complexity Requirements Session Timeout Show logout timer Minutes Size of image in webRH

90 SmartCenter for Pointsec - webRH
Log files in SmartCenter for Pointsec – webRH WebRH logs Remote Help events and enables Administrators to export the log files for further analysis.

91 Review Questions & Answers
1. Describe the two installation components of SmartCenter for Pointsec - webRH, and what is entailed in each?
   SmartCenter for Pointsec - webRH SQL Database: Stores information needed to provide remote help to users.
   SmartCenter for Pointsec - webRH Web Application: The browser-based program used to administer and provide Remote Help.
2. What advantage does SmartCenter for Pointsec - webRH have over Remote Help in Pointsec PC?
   Pointsec PC does not need to be installed on the Remote Help provider’s machine. Remote Help can be provided using a Web browser.

