Checkpoint Pointsec PC User manual

Pointsec PC
Installation Guide
Version 6.3.1, B
November 5, 2008


© 2003-2008 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and
Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.
For third party notices, see: http://www.checkpoint.com/3rd_party_copyright.html.


Contents
Preface
  Introduction
  Who Should Read This Guide?
  About This Guide
  Other Documentation
  Contact Information
  Feedback
  Accepting Delivery of Pointsec PC
    Direct Delivery
    Outside Carrier Delivery
    Electronic Download
  Who To Contact in the Case of an Unsuccessful Delivery
Chapter 1 Before You Install Pointsec PC
  About Pointsec PC Administrators
  Pointsec PC Environment Requirements
  Pointsec PC System Requirements
  Installing on Portable Computers
  About Passwords
  Password Options
    Fixed Passwords
    Dynamic Tokens
    Smart Cards
  Do not Modify Pointsec for PC.msi Package
  Before Installing
    Read the Release Notes
    Considerations for Other Programs
    Review precheck.txt
  Changing Graphics Displayed in Preboot and License Text Displayed during Installation
Chapter 2 Installing Pointsec PC for Administrators
  Installing Pointsec PC on Windows Vista
  Registering Pointsec PC
  Creating Administrator Accounts
    Administrator Accounts Using Fixed Passwords
    Administrators Using Smart Cards
  Specifying Volumes, Encryption Methods, and the Recovery Path
    Log File Created During Installation
  Logging On for the First Time
  Accessing Pointsec PC Management Console
  Encryption Progress
  Installing Pointsec PC in an IBM RRU Environment
    Running Using precheck.txt
    Running InstallRRU.msi after Installation
    Log File Created During Installation
    Booting the System into IBM RRU

Preface
In This Chapter
• Introduction
• Who Should Read This Guide?
• About This Guide
• Other Documentation
• Contact Information
• Accepting Delivery of Pointsec PC
Introduction
Pointsec PC Enterprise Workplace Edition (Pointsec PC) is a policy-based,
enterprise security software solution. Pointsec PC combines boot
protection, preboot authentication and strong encryption to ensure only
authorized users are granted access to information stored in desktop and
laptop PCs.
Pointsec PC is deployed and administered across the network. As
encryption is both automatic and transparent, security is enforced without
requiring special efforts from users.
Note - Pointsec PC is designed to be first installed and configured in a
test environment comprised of an administrator’s workstation and
networked computers. Once the Pointsec PC system has been
thoroughly tested, it can be deployed to a production environment.

Who Should Read This Guide?
This guide is for IT staff who will work as Pointsec PC administrators. As a
Pointsec PC administrator, you should be well acquainted with your
organization’s network and operating procedure.
About This Guide
This guide is designed to help you install Pointsec PC for the first time. It
is organized as follows:
• Chapter 1, Before You Install Pointsec PC on page 7, which covers
information that will help you install Pointsec PC quickly and without
problems.
• Chapter 2, Installing Pointsec PC for Administrators on page 23, which
takes you through the process of installing Pointsec PC for use on an
administrator’s workstation.
Information on creating profiles, deploying them, administering
Pointsec PC protected computers and updating Pointsec PC software can
be found in the Pointsec PC Administrator’s Guide.
Other Documentation
Apart from this installation guide, the following documentation is
available:
Pointsec PC Release Notes contain the latest information on the current
Pointsec PC release.
Pointsec PC Administrator’s Guide describes how to perform administrative
tasks, for example, how to install and update Pointsec PC on client
computers using profiles and how to remove Pointsec PC.
Pointsec PC Quick Start Guide describes in brief a master installation,
creating sets, groups and users, and how to deploy Pointsec PC to your
clients.

Contact Information
If you require information on Check Point’s other security products or
services, or if you should encounter any problems with Pointsec PC, please
visit our web site or call us.
Table 1-1 Contact information
Area Technical Support Sales
Telephone: The Americas 972-444-6600 1-800-429-4391
International +972-3-6115100
Web site www.checkpoint.com
Feedback
Check Point is engaged in a continuous effort to improve its
documentation. Please help us by sending your comments to:
Accepting Delivery of Pointsec PC
There are three methods of accepting a secure delivery of Pointsec PC:
• Direct delivery
• Outside carrier delivery
• Electronic download in an e-package
Direct Delivery
With this delivery method, Pointsec PC is delivered directly to you by a
Pointsec engineer. Before you accept delivery of Pointsec PC, always check
the credentials of the Pointsec engineer.
The Pointsec PC CD-ROM case is sealed with three tamper-evident
Pointsec stickers. Verify the authenticity of the package by ensuring that
these stickers are unbroken and have not been tampered with in any way.
Outside Carrier Delivery
In this method of delivery, Pointsec PC is delivered to you directly using a
third-party shipper, such as FedEx or DHL. Before you accept delivery of
Pointsec PC, always check the credentials of the carrier.
The Pointsec PC CD-ROM case is sealed with three tamper-evident
Pointsec stickers. Verify the authenticity of the package by ensuring that
these stickers are unbroken and have not been tampered with in any way.
Electronic Download
In this method of delivery, you download Pointsec PC directly from the
Internet as an e-package.
To access the Pointsec PC e-package, you must register for an account on
the Pointsec server site.
The server site is protected with a Pointsec certificate. You must accept
this certificate to access the site. Once logged in, you can see all the
e-packages you have purchased.
At the site, you enter a request for a user account and fill in the required
information. The account is registered and you receive an e-mail from
Pointsec containing the information you need to log in and download the
e-package. The e-mail also contains information on how to verify the
authenticity of the e-package.
Verifying the E-package
Your downloaded Pointsec e-package(s) each contain a ZIP file, containing
the Pointsec product, and a text file, product_file_name.txt, which
contains the information you need to verify that the package has not been
tampered with.
To do this, use the command line utility fsum.exe to compute the MD5
checksum for the ZIP file and compare it with the MD5 checksum in
product_file_name.txt. If the checksums match, you know that the
e-package has not been tampered with.
You can download fsum.exe for free from http://www.slavasoft.com/fsum/.
To verify an e-package:
1. Copy fsum.exe, the downloaded ZIP file and product_file_name.txt
to a temporary folder and run fsum.exe with the -c switch.
fsum.exe compares the checksum specified in product_file_name.txt
to the checksum it computes using the MD5 algorithm for the ZIP file.
If the checksum for the ZIP file matches the checksum in
product_file_name.txt, the ZIP file is marked OK and you know that
the e-package has not been tampered with.
Otherwise, the file is marked with the word FAILED. See “Who To
Contact in the Case of an Unsuccessful Delivery” on page 5 for more
information if the verification fails.
2. Repeat the process for each Pointsec e-package that you have
purchased.
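The comparison that fsum.exe -c performs in the procedure above, written out as an added Python example (it is not part of the original guide or of fsum). It assumes product_file_name.txt lists each file as "<MD5 hex> *<file name>" with ";" comment lines; that layout and the function names are assumptions, and the sample files are constructed.

```python
import hashlib
import os
import re
import tempfile

# Assumed entry layout: "<32 hex digits> *<file name>"; ';' starts a comment line.
_ENTRY = re.compile(r"^([0-9A-Fa-f]{32})\s+\*?(.+?)\s*$")


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a large ZIP is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(path):
    """Return [(expected_md5_lowercase, file_name), ...] from the text file."""
    entries = []
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        for raw in handle:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            match = _ENTRY.match(line)
            if match:
                entries.append((match.group(1).lower(), match.group(2)))
    return entries


def verify_epackage(checksum_file):
    """Return {file_name: "OK" | "FAILED" | "MISSING"} for every listed file.

    Files are looked up next to the checksum file by base name only, so an
    entry cannot point the check at a file elsewhere on disk.
    """
    folder = os.path.dirname(os.path.abspath(checksum_file))
    results = {}
    for expected, name in parse_checksum_file(checksum_file):
        target = os.path.join(folder, os.path.basename(name))
        if not os.path.isfile(target):
            results[name] = "MISSING"
        elif md5_of_file(target) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed sample: a stand-in ZIP and checksum file in a temp folder."""
    with tempfile.TemporaryDirectory() as folder:
        zip_path = os.path.join(folder, "product_file_name.zip")
        txt_path = os.path.join(folder, "product_file_name.txt")
        with open(zip_path, "wb") as handle:
            handle.write(b"constructed sample bytes, not a real e-package")
        with open(txt_path, "w", encoding="utf-8") as handle:
            handle.write("; constructed checksum file\n")
            handle.write(md5_of_file(zip_path) + " *product_file_name.zip\n")
        intact = verify_epackage(txt_path)
        with open(zip_path, "ab") as handle:
            handle.write(b"!")  # simulate a download that changed in transit
        changed = verify_epackage(txt_path)
    return intact, changed


if __name__ == "__main__":
    print(demo())
```

Treat MISSING, or an empty result, the same as FAILED. MD5 is not collision-resistant, so the comparison is only as trustworthy as the channel that delivered the checksum file.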

Who To Contact in the Case of an Unsuccessful Delivery
If your Pointsec PC delivery shows signs of having been tampered with or
the MD5 checksum you generate does not match the checksum in
validate.txt, contact your Pointsec representative immediately for advice
on how to proceed.

Chapter 1
Before You Install Pointsec PC
This chapter discusses Pointsec PC administration levels, system requirements, types
of passwords used during installation and how you can streamline the installation
process by using the precheck.txt file.
About Pointsec PC Administrators
Pointsec PC administrators control the profiles that are used to install Pointsec PC on
client computers. When installing Pointsec PC, you will create two administrator
accounts. For more information on Pointsec PC administrators, see the Pointsec PC
Administrator’s Guide.
Pointsec PC Environment Requirements
To maximize the level of security, you should ensure that the following environment
requirements are met:
• You have received an authentic copy of Pointsec PC; see “Accepting Delivery of
Pointsec PC” on page 3 for more information.
• You use a Pointsec PC service account with the following permissions on the local
computer: Run as Service, RXWD to the Program Files\Pointsec directory. For
more information, see the Pointsec PC Administrator’s Guide.
• You have a secure network share with the following permissions: RX for
all users, RXWD for the Pointsec PC service account.
• A reliable time source on the local computer, i.e. it should be
synchronized with a time server.
• A phone verification database to determine the authenticity of a user
over the phone.
• A test environment for the initial installation and creation of the
deployable Pointsec PC profile/configuration.
Note - In a Common Criteria-validated environment, passwords with
at least eight characters should be used.
Pointsec PC System Requirements
For system requirements, including operating system, service pack,
memory, and disk space requirements, please see the Pointsec PC Release
Notes.
Installing on Portable Computers
If you are installing Pointsec PC on a portable computer, we recommend
you connect the computer to the AC power supply. The time required to
encrypt can vary depending on the size of the disk, what programs are
running, and the speed of the processor.
If the portable computer’s battery fails, Pointsec PC may not have
completed the encryption process. If this is the case, Pointsec PC will
continue the encryption process when the computer reboots.
Note - We recommend that you always perform a backup of any
computer on which you want to install Pointsec PC.
Note - Fragmented Disks
To install Pointsec PC, 100 MB of disk space is required, of which 2
MB must be contiguous, free space. If this amount of contiguous space
is not available, the installation will fail. In general, it is considered
good practice to avoid fragmented disks to enhance overall
performance. It is also considered good practice to defragment disks
prior to installing Pointsec PC.

About Passwords
Before you start installing Pointsec PC, you should know something about
the types of passwords you will be asked to specify during the installation.
Password Options
You can use the following types of passwords when installing Pointsec PC:
fixed passwords and dynamic tokens.
Fixed Passwords
Fixed passwords, as the name implies, do not change. In Pointsec PC, a
fixed password must contain at least four characters but no more than 31.
For more information, see “Administrator Accounts Using Fixed
Passwords” on page 27 and the Pointsec PC Administrator’s Guide.
Dynamic Tokens
Dynamic tokens, also known as one-time passwords, change constantly.
Users use a small device, usually called a dynamic token, to generate a
new password every time they start their workstations. Dynamic tokens are
intended for environments requiring better security than fixed passwords
can provide, where password standards are not rigorous enough.
For more information, see “Administrators Using Dynamic Tokens” on
page 28 and the Pointsec PC Administrator’s Guide.
Smart Cards
Smart cards provide secure storage of user credentials and digital
certificates. Pointsec PC supports both smart cards with readers, and
readerless USB tokens.
For more information, see “Administrators Using Smart Cards” on page 29
and the Pointsec PC Administrator’s Guide.
Do not Modify Pointsec for PC.msi Package
Do not modify the Pointsec for PC.msi package in any way. For instance, do
not attempt to modify the Pointsec for PC.msi package by using transforms.
Modification of the Pointsec for PC.msi package invalidates the
supportability of the product.

Before Installing
The following sections discuss information you need to know and things
you need to check before you start to install Pointsec PC.
Read the Release Notes
The release notes contain the latest information on Pointsec PC. Read
them to find out what is new, fixed or changed. You can find the release
notes on your Pointsec PC CD.
Considerations for Other Programs
Consider the following:
• Pointsec Media Encryption
If Pointsec Media Encryption is already installed on the workstation
on which you want to install Pointsec PC, Single Sign On (SSO)
will not work properly.
To fix this, manually insert the string value CompatibleGinas=pme.dll
in Windows’ registry.
This action does not have to be taken if Pointsec Media Encryption
is installed after Pointsec PC.
• Pointsec PC and Entrust
For information on Pointsec PC and Entrust installation and
integration, please see the Pointsec PC Administrator’s Guide.
Review precheck.txt
precheck.txt is an installation settings file designed to make installing
Pointsec PC even simpler. By configuring precheck.txt, you can
streamline the installation process and configure settings faster. The
precheck.txt file is in the same folder as the Pointsec PC.msi file.
When you start to install Pointsec PC, the installation program reads
precheck.txt and determines if it should terminate in certain
circumstances as specified by you. You can also configure precheck.txt
when installing on a computer running IBM Rapid Restore Ultra (RRU).
In addition, you can use precheck.txt to configure settings for third-party
Graphical Identification and Authentication (GINA) dlls, Single Sign On
(SSO) delay times, and update intervals.
precheck.txt settings can be altered after installation by editing them in
the Pointsec registry key.

Precheck Settings
The following sections describe the settings you can configure in
precheck.txt.
General Settings
Table 1-1 General Settings
Setting Description

AddFilter=Yes
This is a legacy setting for Windows Pointsec PC driver
installation. It is no longer used.

SupportMultiProcessor=Yes
The value can be Yes or No. If the value is set to No, the
installation will be terminated if either more than one
processor or multithreading is detected. The default value is
Yes.

AbortOnWindowsXP=No
The value can be Yes or No. If the value is set to Yes, the
installation will be terminated if Windows XP is the operating
system on the computer on which Pointsec PC is being
installed. The default value is No.

AbortOnDualBoot=Yes
The value can be Yes or No. The default value is Yes, which
will cause Pointsec PC to terminate an installation on a dual
boot system.

IgnoreOldInstallation=No
Set this setting to Yes to enable support for re-installing on
selected volumes while keeping old installations on other
volumes.
Note: You must use the same user accounts in both
installations.
Note: A re-installation of the boot volume requires all volumes
to be protected by Pointsec PC.

ChainToMBR=
This setting specifies which boot record Pointsec PC will load
and start immediately after Pointsec PC preboot logon:
Yes = Pointsec PC loads and starts the master boot record.
Yes is the default.
No = Pointsec PC loads and starts the partition boot record.

ExtendedLogging=
This setting specifies whether or not log events containing the
status of all user accounts and groups will be written to the
central log file. This setting can be used to reduce the size of
the central log file.
Yes = Write log events containing the status of all user
accounts and groups to the central log file.
No = Do not write log events containing the status of all user
accounts and groups to the central log file.
No is the default.

Run=
Here you can enter a program to run before Pointsec PC is
installed.

RunAfter=
Here you enter the path to scripts or executables that you want to run
immediately after the user logs on to Windows after the
reboot that follows the installation of Pointsec PC. For
example:
• The path to the script required when installing in an IBM
RRU environment.
• The path to the dotnetfx.exe to install the .NET
Framework if it is not already installed on this machine.
The dotnetfx.exe is found in the Pointsec PC directory:
Pointsec for PC\1_Pointsec_for_PC\Tools\DotNetRunTime\dotnetfx.exe
Note: Best practice is to specify the path in UNC format:
\\<server>\<share>\....

HidInf=
Together with Drivers=, this setting is used to deploy the HID
driver, found under /modules/hid. For example:
Drivers=HID\hptc1100.bin
HidInf=HID\hptc1100.inf
The HID driver enables the pen on tablet PCs.
See the current Release Notes for available drivers.
Note: If you have installed a Wacom driver on a computer that
does not have Wacom hardware installed, this can cause
hanging during preboot. To avoid this, hold both SHIFT keys
down while the progress bar is visible during the loading of
Pointsec preboot. A new menu selection, HID drivers, will be
displayed, allowing you to disable the Wacom driver(s).
Note: You can also deploy HID drivers after installation using
pscontrol.exe. For example:
C:\>pscontrol register-hid hptc1100.inf
C:\>pscontrol install-driver hptc1100.bin

Drivers=
The value of this setting specifies the preboot smart card
drivers that will be installed together with the Pointsec PC
system. These drivers enable communication between a smart
card and Pointsec PC prior to the start of Windows.
The specified value for this setting must be a
semicolon-separated list of file names with no paths specified
and no blanks. For example:
Drivers=msc_p11.bin;prd_ccid.bin
Available drivers are located in the Modules folder.
With the help of this facility, it is possible to use a smart card
to log on at initial authentication.
See the description of HidInf=, above, for information on
using Drivers= to deploy HID drivers.

CSPRandom=
This setting specifies the name of the Cryptographic Service
Provider (CSP) to use for random number generation during
installation. The CSP name is vendor specific, and it can
normally be found in the documentation for the CSP.
The CSP must be installed on a machine’s Windows system
prior to Pointsec PC installation.
The Pointsec PC installation program will attempt to use the
CSP specified in this setting to generate random numbers.
The CSP’s random number generation is vendor specific, and
it might require the presence of external hardware, for
example, a smart card.
If the random number generation fails, the installation is
aborted.

ShowRecoverMessages=
This setting specifies whether or not the message box related
to the unavailability of the recovery path will be displayed to
the user.
Yes = Display the message box related to the unavailability of
the recovery path to the user.
No = Do not display the message box related to the
unavailability of the recovery path to the user.
No is the default.

SuspendEncryptionTimeout=
The amount of time, in minutes, to delay the start of
encryption after Windows has started.
Minimum value = 4
Maximum value = 60
The default value is 4.

KeyImportDirectory=
The path to the key import directory.
Note: Specifying a path for this setting activates encryption
key import.
Best practice is to specify the path in UNC format:
\\<server>\<share>\....
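
A pre-deployment check for the settings described in this table, added here as a Python example (it is not part of the guide or of the Pointsec installer). It assumes precheck.txt holds one Setting=Value pair per line; the function names and the sample file are constructed, and the HID\ prefix is accepted in Drivers= only because the HidInf= example in the table uses it.

```python
import re

YES_NO = {"SupportMultiProcessor", "AbortOnWindowsXP", "AbortOnDualBoot",
          "IgnoreOldInstallation", "ChainToMBR", "ExtendedLogging",
          "ShowRecoverMessages"}
UNC_PREFERRED = {"RunAfter", "KeyImportDirectory"}  # "best practice" paths
UNC = re.compile(r"^\\\\[^\\]+\\[^\\]+")


def parse_precheck(text):
    """Return {setting: value}; assumes one Setting=Value pair per line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_drivers(value):
    """Drivers= is a ';' list of file names with no blanks and no paths.
    The HID\\ prefix is accepted because the HidInf= example uses it."""
    problems = []
    if " " in value:
        problems.append("Drivers: list must not contain blanks")
    for item in value.split(";"):
        name = item.strip()
        if name.upper().startswith("HID\\"):
            name = name[4:]
        if not name:
            problems.append("Drivers: empty entry in list")
        elif any(ch in name for ch in "\\/:"):
            problems.append("Drivers: '%s' carries a path" % item.strip())
    return problems


def lint_precheck(text):
    settings = parse_precheck(text)
    findings = []
    for key, value in settings.items():
        if not value:
            continue  # empty value: the documented default applies
        if key in YES_NO and value.lower() not in ("yes", "no"):
            findings.append("%s: expected Yes or No, got '%s'" % (key, value))
        elif key == "SuspendEncryptionTimeout":
            if not value.isdecimal() or not 4 <= int(value) <= 60:
                findings.append("SuspendEncryptionTimeout: must be 4 to 60")
        elif key == "Drivers":
            findings.extend(check_drivers(value))
        elif key in UNC_PREFERRED and not UNC.match(value):
            findings.append("%s: path is not in UNC format" % key)
    if settings.get("HidInf") and not settings.get("Drivers"):
        findings.append("HidInf: set without a Drivers= entry")
    if settings.get("KeyImportDirectory"):
        findings.append("KeyImportDirectory: set, so encryption key import is active")
    return findings


# Constructed sample; the server, share and local paths are made up.
SAMPLE = r"""
SupportMultiProcessor=Yes
AbortOnDualBoot=Maybe
ChainToMBR=
SuspendEncryptionTimeout=2
Drivers=msc_p11.bin; C:\drivers\prd_ccid.bin
HidInf=HID\hptc1100.inf
RunAfter=D:\scripts\post.cmd
KeyImportDirectory=\\fileserver\share\keys
"""

if __name__ == "__main__":
    print("\n".join(lint_precheck(SAMPLE)))
```

Run= and RunAfter= name programs that execute around the installation, so the file and the share they point to deserve the same write restrictions as the installation package itself.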