Chapter pointsec for Pc remixed 1.fm
Chapter 2: Pointsec for PC
Pointsec for PC (Pointsec) is an enterprise-security solution that provides intrusion protection for data at rest on mobile devices by employing strong authentication and encryption.
Figure 2-2: Pointsec for PC (Pointsec) — Complete Data Protection
In the previous figure, the following terms are used:
• MBR = Master Boot Record; this file describes the layout of the hard drive.
• PBR = Partition Boot Record; each partition on the hard drive starts with a boot record.
• Mandatory Access Control = the Pointsec for PC (Pointsec) preboot authentication program
Pointsec for PC (Pointsec) replaces the original boot records upon install so that only the preboot authentication program is shown. After replacing these files, Pointsec for PC (Pointsec) encrypts the entire disk sector by sector, including system, temporary, and deleted files. The encryption is user-transparent and automatic, so there is no need for user intervention or user training.
8 Endpoint Security with Pointsec
Extending Data Security Policies
Pointsec for PC (Pointsec) extends enterprise-data security policies to the desktop and mobile devices by automatically encrypting the entire hard drive using a strong encryption scheme. The installation of the program is an enforceable desktop installation, meaning end users do not have a choice about whether or not to install. This is accomplished using a centralized deployment method combined with remote administration. Pointsec for PC (Pointsec) eases administrative tasks in a deployment by allowing for installation and product updates across the network, minimizing the number of desktop visits required.
Compatibility
Pointsec for PC (Pointsec) operates at the boot level, but does not modify the master boot record. Since it is below the OS level, Pointsec for PC (Pointsec) is compatible with all applications that run on Windows 2000, Windows XP and Linux. A single MSI installation is available for all Windows versions, using a special profile type.
The encryption of the hard drive is sector-by-sector, allowing the encryption/decryption process (while the operating system is running) to be done on the fly. The keys used in the encryption/decryption process are dynamically created on boot.
As of this release, Check Point does not support Windows Server 2003 on Pointsec for PC (Pointsec), but does have plans to support this OS at some point.
Authentication Methods
There is no central authentication database. All authentication occurs against the locally stored database. This database allows Pointsec for PC (Pointsec) to support the following authentication methods:
• User ID + password
• User ID + PIN + l
• Smart card or USB + PIN
If a specific smart card or token type is not included in the base installation, Pointsec for PC (Pointsec) has a Software Development Kit for creating drivers for card/token support.
Recovery Is Always Possible
Pointsec for PC (Pointsec) ensures that data on a system is always recoverable. Since authentication is local to a specific installation, a unique key is created for each device, thereby ensuring that there is no master-key vulnerability. These keys are created automatically at installation and are updated automatically when changes occur, such as a user profile being removed from a local installation. For administrative access to a specific machine, Pointsec for PC (Pointsec) requires two authorized administrator logins to unlock the administrative mode of that machine.
Always keep control of your recovery files, preferably using off-site storage. Data cannot be recovered without them!
Automatic Logging and Centralized Auditing
All security events in Pointsec for PC (Pointsec) are automatically logged. The log files are then automatically transferred to a central location for security auditing. The encrypted log files can be centrally viewed by corporate security officers using Windows Event Viewer, or exported to different formats for viewing in third-party tools.
Remote Help
Pointsec for PC (Pointsec) includes a Remote Help function that gives Administrators the ability to help users with lost password information without the user being online. This is done using a secure Dynamic Challenge/Response procedure.
Remember to validate the end user before performing Remote Help!
Pointsec for PC (Pointsec) Components
The basic installation of Pointsec for PC (Pointsec) on an endpoint is comprised of the following components:
• Secure local user database
• Preboot authentication program
• Pointsec for PC (Pointsec) Management Console (PCMC)
• Recovery-file creation from registry entries
• Encryption/decryption key and program services
• Monitoring program
Each of these components is covered in detail in the following sections.
Pointsec for PC (Pointsec) Database
The local Pointsec for PC (Pointsec) database is a closed database allocated from 2 MB of contiguous space, and is encrypted using a 512-bit key. The database is created from the Pointsec for PC (Pointsec) installation profile and stores all of the users and groups that have access to this local computer. Users authenticate to this local database at boot authentication. The database can be viewed using the Pointsec for PC (Pointsec) Management Console.
Figure 2-3: Pointsec for PC (Pointsec) Preboot Environment Login
Pointsec for PC (Pointsec) Boot Authentication
The preboot authentication program, also known as the Pointsec for PC (Pointsec) Multi Factor Authentication Program (MFAE), replaces the standard hard-drive boot records. This allows the Pointsec for PC (Pointsec) authentication to appear at boot. The MFAE loads after the BIOS and the low-level boot record via a modified partition boot record, so the Pointsec for PC (Pointsec) authentication is performed before the operating system starts.
The Pointsec for PC (Pointsec) preboot environment is comprised of the following components:
• 32-bit secure operating system
• VESA graphics, .jpg background
• Keyboard drivers
• Mouse drivers
• MFAE
• Pointsec for PC (Pointsec) smart card drivers
• Pointsec for PC (Pointsec) Reader Drivers
Figure 2-4: Pointsec for PC (Pointsec) Management Console
Pointsec for PC (Pointsec) Management Console
The Pointsec for PC (Pointsec) Management Console is available in an administrative or Master installation, or when an Administrator logs into a user's machine. The PCMC is divided into three primary sections: Local, Remote and Remote Help. Each section is described in the following list:
• Local
This section is used to change local settings, manage local logs, check local status, etc.
• Remote
Here, the Pointsec for PC (Pointsec) Administrator can create and deploy configuration files (profiles) that will affect remote computers.
• Remote Help
This section is used to perform Remote Help and one-time login tasks.
The PCMC works with the Pointsec for PC (Pointsec) program via the PCMCUtil.dll driver and the Prot_ins.sys database.
Figure 2-5: PCMC — Driver — Database Interaction
• PCMC (system settings)
Creates, updates and manages profiles, locally and remotely; the client needs the .NET Framework installed.
• PCMUtil.dll (driver)
The driver encrypts/decrypts profiles, works with the database in authentication, and imports local profiles into the database.
• Prot_ins.sys database (SA)
The database has been extended from its size in earlier versions of 1.7 MB to 2.0 MB. In addition to storing the profile information used in authentication, the database also stores the token drivers.
Pointsec for PC (Pointsec) Encryption-Key Generation
Pointsec for PC (Pointsec) encryption keys are created after the first reboot following installation of the product. Individual keys are created for each partition, to provide the highest level of security. Keys are kept in the recovery file (*.rec), which is 512-bit encrypted and stored on the defined recovery share. Encryption keys are never stored in cleartext, and are only recoverable with two privileged authentications.
Figure 2-6: Registry Key-Naming Information
Recovery File-Naming Conventions
The recovery file format is ComputerName_R.rec, where ComputerName is the value of the computer name as listed in the registry key:
HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
You can also run the hostname command from the command line to get the recovery filename, since the hostname is what the recovery-file naming convention uses.
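Because data cannot be recovered without the recovery file, an administrator will want to confirm that every endpoint's ComputerName_R.rec actually exists on the recovery share. The following PowerShell audit is an added example, not part of the Pointsec documentation; the share path and the endpoint names are constructed placeholders, and the registry value it reads is the one named above.

```powershell
# Added example (not Check Point's code): audit the recovery share for the
# ComputerName_R.rec file Pointsec for PC writes for each endpoint.
# Assumptions: $RecoveryShare is the UNC path of the defined recovery share and
# $Endpoints is the list of computer names to check (both are placeholders).
param(
    [string]$RecoveryShare = '\\fileserver\PointsecRecovery',    # placeholder share
    [string[]]$Endpoints  = @('WS-0001', 'WS-0002', 'LT-ACCT-07')  # constructed names
)

# The recovery-file name is derived from this registry value; read it locally so the
# machine running the audit is checked as well as the listed endpoints.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'
$localName = (Get-ItemProperty -Path $regPath -Name ComputerName).ComputerName
$toCheck   = @($Endpoints) + $localName | Sort-Object -Unique

foreach ($name in $toCheck) {
    # Apply the documented naming convention: <ComputerName>_R.rec on the share.
    $recFile = Join-Path $RecoveryShare ("{0}_R.rec" -f $name)
    if (Test-Path -LiteralPath $recFile) {
        # Age helps spot endpoints whose recovery file has not been refreshed since
        # a profile change (the book says keys are updated when users are removed).
        $age = (Get-Date) - (Get-Item -LiteralPath $recFile).LastWriteTime
        [pscustomobject]@{ Computer = $name; RecoveryFile = 'present'; AgeDays = [int]$age.TotalDays }
    } else {
        [pscustomobject]@{ Computer = $name; RecoveryFile = 'MISSING'; AgeDays = $null }
    }
}
```

Run it from a workstation that has read access to the recovery share; any row reporting MISSING is an endpoint whose disk could not be recovered today.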
Services and Processes
Figure 2-7: Pointsec for PC (Pointsec) Processes in Task Manager
Pointsec for PC (Pointsec) runs three services on the local machine:
• PROT_SRV.EXE — Provides encryption and decryption during installation and uninstallation
• PstartSr.EXE — Allows Pointsec for PC (Pointsec) to push recovery files and poll for updated profiles
• P95tray.EXE — The taskbar application
Pointsec for PC (Pointsec) Monitoring — P95Tray.exe
Figure 2-8: P95Tray.exe Interface
Figure 2-9: P95Tray.exe Icon
P95Tray.exe is the Monitoring program that is accessible to end users. Any user on the machine can use this to:
• Check encryption status (when Pointsec for PC (Pointsec) is first installing and encrypting).
• Activate the screen saver to lock the workstation.
• Select the language in the PBE or Windows (more than 25 languages supported).
Additionally, Administrators can access this to change credentials on the local system.
Initial Encryption of the Hard Drive
Encryption takes place only after Pointsec for PC (Pointsec) off-loads the recovery file from the local machine. Regardless of the amount of information on the hard drive, the encryption rate is approximately 10 GB per hour. Encryption runs as a throttled background service, allowing the workstation user to continue to work while the drive is encrypting. Mousing over the system-tray icon shows encryption status.
Figure 2-10: Encryption Status