Pointsec_PC_EW_6.2_Admin_A

Pointsec PC
Administrator’s Guide
Version 6.2, A
July 2007
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and
Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003–2007 Check Point Software Technologies Ltd. All rights reserved.
Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing,
ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic
Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker
ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine,
MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle
Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro,
SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter
Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM,
SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network
Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, VPN-1, VPN-1 Accelerator Card, VPN-1
Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer,
VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security
Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point
Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein
are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668,
5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending
applications.
For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 267.
Contents
Preface
Who should read this guide? ............................................................................... 1
Related Documentation ...................................................................................... 1
Contact Information ........................................................................................... 3
Overview of PC Security ...................................................................................... 3
PC Security Methods and Technologies ........................................................... 4
Pointsec PC Security Features and Benefits.......................................................... 5
Managing Pointsec PC........................................................................................ 6
Deploying Pointsec PC........................................................................................ 6
Languages Supported in Pointsec PC ................................................................... 7
Pointsec PC in a Common Criteria EAL-4 Environment .......................................... 7
Chapter 1
An Administration Overview
Administration Levels ......................................................................................... 9
System Administrator .................................................................................... 9
Administrator.............................................................................................. 10
User Level ....................................................................................................... 11
Typical Permissions for Roles ....................................................................... 11
Overview of the Pointsec PC Management Console (PCMC) .................................. 13
PCMC Dialog .............................................................................................. 14
PCMC Menu Bar ......................................................................................... 14
Chapter 2
Configuring System Settings
Accessing Local Settings .................................................................................. 17
Status Information ...................................................................................... 19
Encryption Information ................................................................................ 19
Editing Settings ............................................................................................... 20
Hardware Device Settings ............................................................................ 20
Install Settings ........................................................................................... 21
Logon Settings............................................................................................ 25
Remote Help Settings.................................................................................. 27
Screen Saver Settings.................................................................................. 28
System Passwords Policy Settings................................................................. 29
Wake-on-LAN Settings................................................................................. 30
Windows Integrated Logon Settings............................................................... 32
The Export to CSV File Button ...................................................................... 34
The Print Settings Button ............................................................................ 34
Printing Settings .............................................................................................. 34
Exporting Settings to a CSV File ........................................................................ 36
Viewing the Event Log Database ........................................................................ 36
Filtering Log Entries .................................................................................... 39
Exporting Logs................................................................................................. 41
Chapter 3
Configuring Group and User Account Settings
Local Settings for Groups and User Accounts...................................................... 43
System Settings for Groups .......................................................................... 45
Chapter 4
Group Authority Levels
What Is a Group Authority Level (GAL)? ......................................................... 61
Using GALs To Create a Tiered Authority Structure ......................................... 62
Master Installation GALs.............................................................................. 63
GAL Sanity Checks...................................................................................... 68
GALs and Permissions ................................................................................. 68
GALs and Remote Help................................................................................ 69
Chapter 5
Managing Groups and User Accounts
Creating Group Accounts .................................................................................. 71
Default Values and How the Effective Values of Settings are Determined .......... 74
Adding a User Account to a Group ..................................................................... 77
Password Authentication.............................................................................. 80
Dynamic Token Authentication ..................................................................... 81
Smart Card Authentication ........................................................................... 86
Chapter 6
Working with Configuration Sets
Root Directory Path .......................................................................................... 89
Directory Paths ........................................................................................... 90
Creating a New Set .......................................................................................... 91
Exporting/Importing Set Configurations .............................................................. 96
Chapter 7
Working with Installation and Update Profiles
About Pointsec PC Profiles.............................................................................. 101
Converting Pre-6.2 Profiles to 6.2 Profiles................................................... 102
Installation Profiles ................................................................................... 102
Update Profiles......................................................................................... 103
Upgrade Profiles ....................................................................................... 103
Uninstall Profiles ...................................................................................... 103
What’s in a profile? ................................................................................... 103
Creating a Profile Based on Another Profile or Local Settings......................... 104
Before Creating Profiles .................................................................................. 105
Working with Profiles – an Overview ................................................................. 105
Sets......................................................................................................... 106
Deploying Pointsec PC for the First Time ..................................................... 107
Updating Pointsec PC Settings ................................................................... 107
Updating Pointsec PC Software .................................................................. 107
Removing Pointsec PC using a Profile ......................................................... 108
Creating and Deploying Installation Profiles ...................................................... 108
Creating a New Set.................................................................................... 108
Creating an Installation Profile ................................................................... 113
Creating an Update Profile .............................................................................. 121
Difference between Remove and Mark for Removal....................................... 122
Uninstall Profiles ...................................................................................... 122
Ensuring that Administrator Accounts Exist on Both the Admin Machine and all Client Machines ............ 123
Deploying Pointsec PC Using an Install Profile.................................................. 124
Deploying in an MSI Package .......................................................................... 125
Verifying a Pointsec PC Deployment................................................................. 126
Running Pointsec PC as a Service on a PC ....................................................... 127
Pointsec Service Start Service Account Specifics ......................................... 127
Creating and Deploying Update Profiles............................................................ 129
Creating an Update Profile ......................................................................... 130
Working with Accounts in an Update Profile ................................................ 130
Deploying an Update Profile....................................................................... 130
Pushing Update Profiles to Computers ............................................................. 130
How does the Update Profile Affect a Logged-on User? ................................. 131
Chapter 8
Upgrading Pointsec for PC 4.x and 5.x Installations
Overview .................................................................................................. 133
From Which Legacy Versions Can You Upgrade?........................................... 135
Requirements for Upgrading a 4.x/5.x Client................................................ 135
The Process of Upgrading .......................................................................... 135
The Characteristics of an Upgrade Profile .................................................... 136
Configuring an Upgrade Profile................................................................... 139
Legacy Account Handling........................................................................... 139
Upgrade Operations................................................................................... 140
Chapter 9
Upgrading from Pointsec for PC 6.x.x to Pointsec PC
Upgrading from 6.x.x to 6.2 ............................................................................ 145
Before Upgrading ...................................................................................... 145
Performing the Upgrade............................................................................. 146
.................................................................................................................... 148
Chapter 10
Using a Service Start Account
Pointsec PC Service Start Service Program - pstartsr.exe.................................... 150
Setting up the Pointsec Service Start Account ............................................. 152
General Requirements ............................................................................... 162
What does the Pointsec Service Start Service Do? ........................................ 163
Example of Setup...................................................................................... 163
Upgrade from Pointsec 4.x/5.x Installations ................................................. 164
Chapter 11
Pointsec PC Logging Functionality
The Local Event Database............................................................................... 165
The Local Log File.......................................................................................... 166
The Central Log File ....................................................................................... 167
Manually Transferring the Local Log File to the Central Log File ......................... 168
Timestamps and the Windows Event Log .......................................................... 168
Exporting Logs............................................................................................... 168
Viewing a Local Log File ............................................................................ 169
Chapter 12
Remote Help
Implementing a Remote Help Procedure .......................................................... 171
Types of Remote Help .................................................................................... 172
Verifying Users .............................................................................................. 173
Providing Remote Help ................................................................................... 173
Chapter 13
Pointsec PC Utilities
Pointsec PC Password Synchronization............................................................. 177
Synchronizing Using the Windows Password for Authentication in Pointsec PC Preboot ............ 178
Synchronizing Using the Pointsec PC Preboot Authentication Password for Authentication in Windows ............ 179
Windows Password Complexity Requirements............................................... 180
Pointsec PC Wake-on-LAN (WOL) .................................................................... 180
Setting up WOL ........................................................................................ 180
WOL Logon Example ................................................................................. 181
Pointsec PC Windows Integrated Logon (WIL) ................................................... 181
Security Features on WIL-enabled Computers .............................................. 182
User Perspective on WIL ............................................................................ 183
Administrator Perspective on WIL ............................................................... 183
Pointsec PC in Multi-language Environments .................................................... 183
Language Support ..................................................................................... 183
Support for Multi-language Keyboards......................................................... 184
Switching Keyboard Layouts....................................................................... 184
Single Sign-On (SSO) ..................................................................................... 185
About SSO ............................................................................................... 185
SSO and Password Changes ....................................................................... 185
Entrust SSO ............................................................................................. 185
Entrust Profile Revocation.......................................................................... 186
Windows Smart Card ................................................................................. 189
Enabling SSO ........................................................................................... 189
Chapter 14
Removing Pointsec PC
Uninstall Profiles ........................................................................................... 191
Creating an Uninstall Profile ...................................................................... 191
Configuring Uninstall Profiles ..................................................................... 193
Deploying an Uninstall Profile .................................................................... 193
Windows Add/Remove Programs ...................................................................... 194
Chapter 15
Recovery, Repair and Bootable Media
The Pointsec PC Recovery File ........................................................................ 197
If the Recovery File Path is not Found.............................................................. 197
Recovery and the Pointsec PC Version on the Client .......................................... 198
Recovery via the Start menu....................................................................... 198
Recovery from the PCMC ........................................................................... 198
Creating a Recovery Disk from the PCMC.......................................................... 199
Creating a Recovery CD-ROM .......................................................................... 201
Recovering Information................................................................................... 202
Using Slave Drive Functionality to Recover Information................................. 202
Booting from Alternative Media ....................................................................... 205
Accessing the Alternative Boot Media Menu................................................. 205
Appendix A
Being Authenticated by Pointsec PC
About Authentication...................................................................................... 207
Navigating................................................................................................ 208
Ensuring that your Computer has not been Tampered with ............................ 208
Being Authenticated for the First Time............................................................. 208
Using a Fixed Password ............................................................................. 209
Using a Dynamic Token ............................................................................. 211
Using a Smart Card/USB Token .................................................................. 212
Synchronizing Passwords ................................................................................ 216
What if I forget my password?.......................................................................... 217
What if I don't have access to my token/smart card? .......................................... 218
Pointsec PC Single Sign-on (SSO) ................................................................... 219
Appendix B
Status Information When Exported to File
Appendix C
Pointsec PC Permissions
Permissions: With Pointsec PC Service Start..................................................... 227
Recommended Users................................................................................. 227
Required Permissions ................................................................................ 228
Permissions: Without Pointsec PC Service Start ................................................ 228
Permissions: Remote Desktop ......................................................................... 228
Windows User Account Registry Permissions..................................................... 229
Appendix D
Language Support
Support for Tier 1 Languages ..................................................................... 231
Support for Tier 2 Languages ..................................................................... 231
Appendix E
Language Packs
Installing Language Packs............................................................................... 233
Before Installation of Pointsec PC............................................................... 233
After Installation of Pointsec PC ................................................................. 234
Language Packs ............................................................................................. 234
Legacy Language Pack (Default) ................................................................. 234
2 - Americas............................................................................................. 234
3 - Scandinavian and Baltic ....................................................................... 235
4 - Asia and Pacific (APAC)........................................................................ 235
5 - Europe 1............................................................................................. 236
6 - Europe 2............................................................................................. 236
7 -All ....................................................................................................... 236
Appendix F
Keyboard Layouts
Supported Keyboard Layouts ........................................................................... 237
Appendix G
PS Control Command Line Utility
Using the PS Control Utility ............................................................................ 239
Options .................................................................................................... 240
Commands ............................................................................................... 240
Error Codes .............................................................................................. 241
Examples of Using the PS Control Utility ..................................................... 241
Smart Cards, Smart Card Readers and their Drivers ........................................... 242
Managing Smart Cards, Smart Card Readers and Drivers............................... 243
Exporting a Machine’s Status Information......................................................... 243
Export Status File ..................................................................................... 244
Installing Language Packs............................................................................... 247
Appendix H
The pslogexp.exe Log Export Utility
pslogexp.exe Utility Syntax and Commands ...................................................... 249
Syntax ..................................................................................................... 249
Commands ............................................................................................... 250
Examples of Using the pslogexp.exe Utility ....................................................... 250
Correct Display of National Characters in Exported Files .................................... 251
Appendix I
Pointsec PC and IBM RRU
Installing the InstallRRU.msi Package ............................................................. 253
RRU Functionality on a Pointsec PC Machine ................................................... 253
Accessing................................................................................................. 253
Using....................................................................................................... 254
Appendix J
Pointsec PC Common Criteria Configuration
Common Criteria EAL4 Configuration Requirements .......................................... 256
Cryptographic Algorithms and Key Sizes ...................................................... 256
All Partitions Encrypted, Boot Protection Enabled ........................................ 256
No Delete Access to the Pointsec File Share ................................................ 256
Wake on LAN............................................................................................ 256
Windows Integrated Logon ......................................................................... 257
User Level Privileges ................................................................................. 257
Local Administration Disabled .................................................................... 257
Administration and Configuration via Profiles............................................... 257
Software Upgrade between Common Criteria Versions Only............................ 258
Password Requirements............................................................................. 258
Password Synchronization Requirements ..................................................... 258
Maximum Failed Logons before Reboot ....................................................... 258
Appendix K
Importing Encryption Keys
Preparing to Use Imported Encryption Keys ...................................................... 259
Key Import Directory Structure ................................................................... 259
precheck.txt File ....................................................................................... 260
precheck.txt Settings for Encryption Key Import ........................................... 260
Administrator Checklist for Importing Encryption Keys....................................... 261
End-user Interaction During Installation ........................................................... 262
Appendix L
Glossary
Index ........................................................................................................... 271
Preface
This preface contains background information on PC security and
Pointsec PC benefits and features, as well as a general discussion of how
Pointsec PC Enterprise Workplace Edition (hereafter referred to as
Pointsec PC) is designed and how it should be deployed.
Who should read this guide?
Administrators who will be deploying and administering Pointsec PC, and
providing Remote Help within their organization, should read this guide.
Related Documentation
This release includes the following documentation:
TABLE P-1 Pointsec PC documentation

Title / This document contains...

Pointsec PC Installation Guide
    Instructions and information on how to install Pointsec PC the first
    time, the so-called master installation.

Pointsec PC Deployment Guide
    Describes an imaginary, but realistic, customer environment and how to
    deploy Pointsec PC on the computers in that environment.

Pointsec PC Quick Start Guide
    Contains guidance related to, among other things, the master
    installation, configuring installation profiles, and deploying via the
    installation profiles.

Pointsec PC Release Notes
    • System requirements
    • Current information about the product, such as
      - new features and functions in the current release,
      - problems that have been fixed since the previous release, and
      - any known issues about the current release.
Contact Information
If you require information on Check Point’s other security products or
services, or if you should encounter any problems with Pointsec PC, please
visit our web site or call us.
TABLE P-2 Contact information

Telephone
    The Americas: Technical Support 972-444-6600; Sales 1-800-429-4391
    International: +972-3-6115100

Web site
    Technical Support: https://secureknowledge.checkpoint.com/
        Our SecureKnowledge center is a comprehensive self-service database
        designed to quickly and easily answer all of your technical
        installation, configuration and upgrade needs on Check Point
        products.
    Sales: http://partners.us.checkpoint.com
        Here you can search for a Check Point sales partner near you.
Overview of PC Security
With computer security becoming increasingly important, almost all focus
has been on securing large, multi-user machines. This makes sense
because mainframes and large servers are not only major repositories of
data, they are also crucial to daily operations. However, there is an equally
serious and growing risk of compromise to the many smaller, mostly
single-user, machines such as desktop and laptop PCs, as well as even
Pocket PC, Palm OS and other PDAs. These computers frequently store an
enterprise’s most current and valuable information. Increasingly, portable
computers also store passwords, logon scripts, and certificates used to
access the enterprise network. The small size and portability of these
computers mean that they are also much more vulnerable than large
machines are to theft or illicit access.
An additional and often unrecognized problem is that a PC is the most
available and vulnerable starting point for access to a network. Studies of
computer crime reveal that insiders pose the largest threat. Clearly,
providing secure PCs is an essential component of establishing network
security.
PC Security Methods and Technologies
A variety of methods and technologies have been employed to secure PCs
and their contents, including physical controls (cables, locks on power
supplies, anchored docking stations, etc.) and electronic means such as
data encryption, user authentication, audit logs and tracking utilities.
Physical access control is becoming less relevant, with users insisting on
portability. Consequently, there is an increasing emphasis on electronic
protection. There are two general types of electronic PC security: file and
full disk encryption, and boot protection/authentication.
The following graphic illustrates the difference between unprotected data,
standard file encryption and Pointsec PC protection:
FIGURE P-1
File and Full Disk Encryption
File encryption enables users to protect vital data. It is usually easy to
implement but is subject to user discretion regarding what to secure, and
the willingness of users to consistently follow security procedures. Given
this dependence on user compliance, organizations seeking to enforce a
security policy often find file encryption insufficient.
Unlike file encryption, which leaves security holes, Pointsec PC encrypts
the entire disk sector by sector, including the system files, temp files, and
even deleted files. The encryption is user-transparent and automatic, so
there is no need for user intervention or user training. Because the
encryption occurs in the background without noticeable performance loss,
there is no user downtime. This provides enforceable security that cannot
be bypassed by the user.
Boot Protection/Authentication
The importance of boot protection is often misunderstood or confused with
the BIOS password schemes offered by computer manufacturers.
Boot protection means authenticating users before a computer is booted. It
prevents the operating system from being subverted by unauthorized
persons using any of the widely available password cracking tools. These
tools have proliferated on the Internet and can be used with devastating
effect. Unfortunately, most BIOS-level protection schemes are fatally weak
and cannot be tightly linked with full disk encryption.
Boot protection has the further advantage of providing an effective
deterrent to illicit network access via network-connected machines,
especially if these machines are linked as part of a VPN.
While controlling access to the computer is important, this does not by
itself protect the data stored on the disk. For example, a simple boot
floppy disk could be used to bypass boot protection. Alternatively,
removing the drive and placing it in another computer will make the file
accessible to brute-force hacking attempts. Even in those rare cases where
the drive itself is secured with a password, the data is not encrypted and
is therefore vulnerable to several types of attacks. To secure this data, it
must be encrypted. Once encrypted, the files will be inaccessible to any
unauthorized person.
Pointsec PC Security Features and Benefits
Pointsec PC secures desktop and laptop computers from unauthorized
physical access, using both boot protection and full disk encryption.
Pointsec PC provides the following security functions:
• Strong user authentication
• Support for user identification using dynamic tokens, USB tokens and smart cards
• Secure Remote Help for users who have forgotten their passwords
• Central configuration and administration
• Keyboard lock and screen saver for Windows-based computers
• Limited number of failed logon attempts with automatic locking
• Audit logging of events such as successful and failed logon attempts
With Pointsec PC, all logical partitions/volumes are boot protected and
encrypted. The careful integration of boot protection and automatic
encryption provides a high degree of security with minimal impact on
users. Boot protection prevents subversion of the operating system or the
introduction of rogue programs, while sector-by-sector encryption makes it
impossible to copy individual files for brute force attacks. Full disk
encryption secures the data even if the disk is removed and loaded into a
controlled machine. This ensures security by allowing an organization to
determine the security level instead of leaving it up to the user to see that
the information is encrypted.
Pointsec PC uses full disk encryption to guarantee that unauthorized users
cannot access or manipulate information on a protected computer, from
either available, erased or temporary files. Pointsec PC safeguards the
operating system and the important system files (which often contain clues
to passwords for Windows), shared devices and the network.
Managing Pointsec PC
Pointsec PC administration is designed to allow central control of policy
and security settings, decentralized deployment and daily administration.
Using Pointsec PC profiles, system administrators are able to install and
configure the system, delegate authorization throughout the network,
modify the system for local conditions, and assign the properties and
authorization of individual users.
Pointsec PC allows simple but powerful local and central logging of system
information, group information and individual user account information.
Deploying Pointsec PC
The Pointsec PC program is first installed and configured on a Pointsec PC
administrator’s workstation. Once Pointsec PC has been configured on that
workstation, the system administrator can configure a Pointsec PC
installation profile containing all the information and software necessary to
install and manage Pointsec PC on the PCs to which it is deployed on the
network.
Note - When Pointsec PC is installed on a client using deployment
software such as SMS or Tivoli, the service that runs the msi.exe must
be run as LOCAL_SYSTEM, and the service must have “Interact with
desktop” activated. If the service is run as a normal user account, the
installation will fail.
Languages Supported in Pointsec PC
Pointsec PC supports the following languages in the preboot environment,
in the Pointsec PC Management Console (PCMC), and in the tray
application:
• English
• French
• German
• Japanese
• Italian
• Spanish
All other languages into which Pointsec PC has been localized are
supported only in the preboot environment and in the tray application.
See Appendix E, “Language Packs” for a complete list of the languages
into which Pointsec PC has been localized.
Pointsec PC in a Common Criteria EAL-4 Environment
Pointsec PC is a flexible security product. However, in a Common Criteria
(CC) EAL-4 environment, not all possible Pointsec PC configurations are
permitted. We recommend that administrators installing, deploying and
managing Pointsec PC in a CC-validated environment do the following:
• Pay particular attention to notes and other CC information in this guide
• Read and comply with the requirements documented in Appendix J, “Pointsec PC Common Criteria Configuration”
Chapter 1
An Administration Overview
Pointsec PC should be managed using different levels of authority. It can be managed
from the Pointsec PC Management Console (PCMC) on any computer that has
Pointsec PC installed. This gives administrators control over and easy access to
higher-level functionality without being tied to any one machine.
This chapter explains different levels of authority, how to use them, how to access
administration functions from any computer, and how to establish the initial system
settings.
Administration Levels
Many businesses define only two levels of authority: a system administrator, who has
full authority, and users whose authority is limited to logging on and receiving remote
help. But you can also configure Pointsec PC to have many levels of administration: a
system administrator level and several other administrator levels. These levels allow for
centralized control of the creation of the profiles that are used to install, update, and
uninstall Pointsec PC on client computers while simultaneously allowing local control
of the deployment of those profiles.
With Pointsec PC you can implement a hierarchical system for administration. An
example of such an administration hierarchy, using a system administrator level and an
administrator level, is described below.
System Administrator
You can configure the system administrator to have the highest authorization level in
the administration of Pointsec PC.
See Chapter 3, “Configuring Group and User Account Settings”, and note
the screen image of Privileged Permissions in the PCMC below, which
illustrates security-sensitive settings that you might want to restrict to
sysadmins. See also the description of authority levels in Chapter 4,
“Group Authority Levels” on page 61.
In the example below, system administrators will, among other things, be
able to perform the following tasks in the system:
• Create and manage profiles
• Configure system settings
• Add and remove administrators and user accounts
• Configure settings for administrators and user accounts
• Give Remote Help to users who are locked out or have forgotten their passwords
Figure 1-1
At least two competent individuals must be designated as system
administrators to manage Pointsec PC and the security of the information
it contains.
It is imperative that Pointsec PC system administrators receive adequate
training and are not careless, willfully negligent or hostile. Pointsec PC
system administrative personnel should follow the instructions provided in
this guide.
Pointsec PC system administrators must keep their authentication data
private.
Administrator
Administrators should be given more limited authority in relation to what
has been defined for the system administrator in the system settings.
An administrator can add, remove and change certain settings for specific
users. Administrators are not allowed to work with users who have higher
administration privileges than they do, nor can they raise their own
authorization level. Administrators are usually allowed to provide Remote
Help and to modify profiles.
Only users who can be trusted to follow and abide by the instructions
provided in this guide should be designated as Pointsec PC administrators.
Pointsec PC administrators must keep their authentication data private.
Note - By default, Pointsec PC administrators have the same authority
as users. The system administrator determines the amount of authority
an administrator has by configuring the authority settings in the System
Settings dialog box. For more information, see below.
User Level
Users have limited authority, according to what has been defined by the
system administrator in the system settings. Each user is assigned an
account with a unique user identity and password that together authorize
access to the entire hard disk.
Authorized Pointsec PC users must keep their authentication data private.
Typical Permissions for Roles
This section describes an example of a hierarchical authority structure to
give you an idea of how permissions can be configured to give different
users different levels of authority.
The following tables list Privileged Permissions, Permissions and Remote
Help settings for a possible structure with Pointsec PC user accounts,
administrators, and system administrators. This structure provides a
good level of security, but you will probably want to define your own
structure.
Table 1-1 Privileged Permissions (columns: User, Administrator, System Administrator)
Change Permissions for User Accounts: X
Change Privileged Permissions: X
Create User Accounts: X
Create Groups: X
Create Profiles: X
Remove User Accounts: X
Remove Groups: X
Remove Profiles: X
Edit System Settings: X
Table 1-2 Permissions (columns: User, Administrator, System Administrator)
Change Password: X
Change Single Sign-On: X
View Logs: X X
Uninstall: X X
Provide Remote Help: X X
Management Console Logon: X X
Edit System Settings: X
Create Recovery Media: X
Table 1-3 Remote Help Settings (Permissions/Remote Help; columns: User, Administrator, System Administrator)
Provide ‘Reset Password’: X X
Provide ‘One Time Logon’: X X
Receive ‘Reset Password’: X
Receive ‘One Time Logon’: X
For more information, see “Configuring Group and User Account Settings”
on page 43.
Overview of the Pointsec PC Management Console (PCMC)
The Pointsec PC Management Console (PCMC) gives you quick and easy
access to all Pointsec PC functions.
To start the PCMC:
1. Click Start, navigate to the Check Point program group and select
Pointsec PC → Management Console. The Pointsec PC Management
Console (PCMC) program starts:
Figure 1-2
Note - If you start the PCMC on a computer that has a network
connection but no access to the Internet, the PCMC can be slow in
starting. The PCMC’s .exe file is signed with a digital signature for
security, and when this file starts, Windows attempts to reach the
publisher’s Certificate Revocation List (CRL) to see if the .exe file’s
certificate has been revoked. If the CRL cannot be reached via the
network connection, it takes a long time for the PCMC to start.
To circumvent this delay, open Internet Explorer, select Tools →
Internet Properties or Internet Options (depending on the version).
Click the Advanced tab. In the Settings window, scroll down to the
heading Security and clear the Check for publisher’s certificate
revocation check box. Click OK.
PCMC Dialog
In the PCMC dialog, you can select an option either in the folder tree to
the left or by clicking the active link in the relevant dialog box image in
the pane to the right, for example, “Go to Local”.
The PCMC dialog contains the following options:
Table 1-4 PCMC Dialog

Local Installation
Select to manage the local installation of Pointsec PC.

Remote Installation
Select to manage profiles, logs, and recovery files for remote installations.

Remote Help
Select to help locked-out users change the account password or log on temporarily.
PCMC Menu Bar
The menu bar contains the File and Help menus. The File menu contains
the following options:
Table 1-5 File Menu Options

Extend Authority
Enables system administrators and administrators to use PCMC on any computer where Pointsec PC has been installed. See “Extending Authority” on page 14 for more information.

Import Set Configurations...
See Chapter 6, “Working with Configuration Sets”.

Export All Set Configurations...
See Chapter 6, “Working with Configuration Sets”.

Exit
Select to save any changes you have made and exit Pointsec Admin.
Extending Authority
The Extend Authority option enables administrators to use PCMC to access
administrator functions on any computer with Pointsec PC installed.
To extend authority:
1. From the File menu, select Extend Authority. The Extend Authority dialog
box opens:
Figure 1-3
2. Do one of the following:
• Enter the user account name and authenticate with an authorized administrator password, and if you use a smart card for authentication select Use inserted smart card. Click OK.
• If you are locked out, click Remote Help to receive assistance logging on.
After authentication, you can manage Pointsec PC from this computer.
Chapter 2
Configuring System Settings
This chapter provides a general introduction to the system settings with which you
configure Pointsec PC.
System settings are related to installation, the hardware devices used for
authentication, logon, Wake-on-LAN, required path specifications, and a number of
other aspects of the product such as Remote Help, screen savers and hibernation.
Other settings - those for Groups and User Accounts - are relevant for volume access,
logging on, authentication, permissions, Remote Help, single sign-on and password
synchronization. These settings are described in Chapter 3, “Configuring Group and
User Account Settings”.
Accessing Local Settings
Local settings are settings for the machine on which you are logged on, usually the
machine on which Pointsec PC is first installed and from which the installation of
Pointsec PC will be deployed to all clients.
The PC Management Console (PCMC), shown below, allows you to work with system,
local and remote settings. It provides wizards for defining, among other things, sets,
groups, and user accounts.
To access the local settings:
1. Start Pointsec and select one of the following:
• Local in the folder tree to the left
• Go To Local under Local Installation in the main panel
Figure 2-1
The Local dialog box is displayed:
Figure 2-2
Status Information
The following Status information is displayed in the main panel:
Table 2-1 Status Information

Locally installed version
The version of Pointsec PC currently installed on this machine.

Preboot User Account
The name of the user account that authenticated at preboot.

PCMC User Account
The name of the user account currently logged on to PCMC.

Windows Integrated Logon enabled
The current value specified for the Windows Integrated Logon Enabled setting: On or Off.

Last Recovery Update
Date and time the most recent recovery file was created.

Last Recovery File Delivery
Date and time a recovery file was last copied to its target directory. The target directory is the directory specified under Recovery Path in the Install settings under System Settings.

Last Log File Update
Date and time the log file was last updated by Pointsec PC.

Last Log File Delivery
Date and time the log file was last written by Pointsec PC. The file name of the log file is the same as the name of the machine. The log file is written to the directory or directories specified in Set Central Log Path (Install settings under System Settings).

Last Local Update
Date and time of the most recent change to a Local setting, together with the name of the user account that made the change.

Last Update Profile
Date and time the most recent update profile was downloaded and the path, including the profile name, from which it was downloaded.
Encryption Information
The following Encryption information relevant to each volume is displayed:
Table 2-2 Encryption Information

Encrypting name nn%
Displays the progress of encryption, including the name of the encryption algorithm and the percentage of encryption completed.

Fully encrypted name
States that the volume is fully encrypted and the name of the algorithm used to encrypt it.

Decrypting nn%
Displays the progress of decryption as the percentage of decryption completed.

Unencrypted
States that the volume is unencrypted.

Error
An error has occurred during encryption or decryption.
Note - If a disk is neither encrypted nor boot protected, it is not
listed/displayed in the encryption information in the PCMC.
Editing Settings
To edit settings:
1. In the main panel under Actions, click Edit Settings. The folder tree is
displayed in the left panel.
2. Click the folder of the settings you wish to edit. See the following for
descriptions and editing details of the various system settings.
Hardware Device Settings
Hardware Devices contains the following settings:
Figure 2-3
Table 2-3 Hardware Device Settings

Minimum Group Authority Level Required
Group authority level required to edit the Hardware Devices settings.

Enable PCMCIA
Enable connection of smart card readers to a PCMCIA port.

Enable Serial
Enable connection of smart card readers to a serial port.

Enable USB
Enable connection of smart card readers to a USB port.

Enable Mouse in Preboot
Enable mouse support in the Pointsec PC preboot environment.

Enable Low Graphics Mode
Enable low-graphics mode in the Pointsec PC preboot environment.

Allow a Slave Hard Drive
Allow the system to use another encrypted drive as a slave drive.

Allow Hard Drive To Be Slaved
Allow this drive to be a slave drive in other Pointsec PC systems.
Install Settings
Install contains the following settings:
Note - For a description of group settings, see Chapter 3, “Configuring
Group and User Account Settings”.
Figure 2-4
Table 2-4 Install Settings

Minimum Group Authority Level Required
The minimum group authority level required to edit the Install settings. For example, if you set this to 7, user accounts with the group authority levels of 9, 8, and <=7 can edit the Install settings. For more information on group authority levels, see Chapter 4, “Group Authority Levels” on page 17.

Organization
Name of the organization. This name is displayed in the Information about Pointsec PC dialog box, which is accessed by right-clicking the Pointsec PC icon in the system tray and selecting Information.
The maximum length of this value is 255 bytes. Note that not all Unicode characters are 1 byte in length; they can be 1, 2 or 4 bytes, so the number of characters you can enter depends on the character set you use.

Product Owner
Owner of the Pointsec PC product. This is included in Information about Pointsec, which is displayed by clicking the Pointsec PC icon in the system tray.
The maximum length of this value is 255 bytes. Note that not all Unicode characters are 1 byte in length; they can be 1, 2 or 4 bytes, so the number of characters you can enter depends on the character set you use.
Select Language
Sets the language that will be used in the client preboot interface, the client system tray, and the client single sign-on dialog (if single sign-on is active on that client). This language must be one of the languages installed on the machine.
If the language specified is not installed on the machine, the language will be set to US English or, if French (Canadian) is specified and not installed, to French. For more information on installing languages, see Chapter D, “Language Support” on page 231.

Product Serial Number
Serial number of the Pointsec PC product.
If necessary, this can be changed by right-clicking the serial number and choosing Change value. A dialog opens where you can either enter your new licence number manually under Pointsec PC Legacy serial number/Check Point Licence or click the Browse button to import a Check Point licence (.lic) file.
Pointsec PC supports only a single licence, not multiple licences.
This number, with its last six digits masked, is included in Information about Pointsec, which is displayed by clicking the Pointsec PC icon in the system tray.
Set Update Validation Password
The administrator uses Set Update Validation Password to set the password that clients use to validate the update profiles they pull from a shared folder. This password is crucial to the update or uninstall process and has a maximum length of 31 bytes. Note that not all Unicode characters are 1 byte in length; they can be 1, 2 or 4 bytes, so the number of characters you can enter depends on the character set you use.
The update validation password (UVP) on the client is initially set by the installation profile, or manually on the client machine via System Settings/Install/Set Update Validation Password.
Example: The UVP on the admin machine is changed from A to B, and the admin machine deploys an update profile to the clients. This profile was saved on the admin machine after the UVP was changed to B (this saving is necessary if the UVP in the profile is to be updated to the current UVP of the admin machine). The deployed profile actually contains both UVPs, A and B. When clients pull the update profile, they accept it because it contains A, and, because they recognize that the UVP has been set to B in this profile, they change their own UVPs to B.
Now, if a client changed its UVP to C and was used to deploy an update profile (containing UVPs B and C) to all other clients, those clients would have UVP C after pulling the profile. Once they have C, none of them will accept an update profile deployed from the admin machine that still has UVP B.

Set Log Password
The log password prevents unauthorized access to both local and non-local logs. Note that changing the log password triggers Pointsec PC to create a new Central Log file, which has a unique name.
The log password cannot be imported into a profile based on local settings; therefore, the log password setting must be specified in a profile that is ‘based on local’.
Enable Export of Status to File
If enabled, the status information is exported to a file in the directory specified in the Set Central Log Path setting. If no path is specified, the file is not written. For a detailed description of the status information in the file, see Appendix B, “Status Information When Exported to File” on page 221.
Set Upgrade Path
Path to the directory or directories from which the installation will download software upgrades.
Enter the path(s) to the directory or directories where the Pointsec PC system administrator will place the program upgrade files. Best practice is to specify the path in UNC format: \\<server>\<share>\....
Pointsec PC downloads these software upgrades automatically in the background at predefined intervals or at the next restart. See “Working with Installation and Update Profiles” on page 101 for more information.

Set Update Profile Path
Path to the directory or directories from which the installation will download update profiles.
Enter the path(s) to the directory or directories where Pointsec PC is to look for update profiles to use when updating system and user information. Best practice is to specify the path in UNC format: \\<server>\<share>\....
Pointsec PC downloads these profiles according to the predefined update interval. The default is every third hour or at the next restart, i.e. when the Pointsec PC Tray program is next loaded. See “Working with Installation and Update Profiles” on page 101 for more information.

Set Recovery Path
Path to the directory or directories in which the installation will store recovery data. Best practice is to specify the path in UNC format: \\<server>\<share>\....

Set Central Log Path
Path to the directory or directories in which the installation will store a copy of the local log file. Best practice is to specify the path in UNC format: \\<server>\<share>\....
Set PKCS#11 dll Path
The path to the PKCS#11 dll file.
This setting is used only if you use smart cards and have specific reasons for not using the default method of accessing smart cards. Setting a PKCS#11 path is required if you are going to use the smart card differentiation feature.
When smart card differentiation is enabled, the smart cards’ serial numbers (IDs) are stored together with user information in a database. When a user tries to log on with a smart card, the PKCS#11 dll collects the smart card ID and certificate and compares these to the smart card ID and certificate information already stored in the user account. This makes it possible to have the same certificate on multiple smart cards while the system can still differentiate between users by their different smart card IDs.
Windows cannot register the PKCS#11 dll file automatically, so the path to the file has to be set manually. The dll file is distributed with your smart card, so its location depends on the smart card used; refer to your smart card manual to find out where the dll is located.
As an example, the PKCS#11 dll file distributed with Aladdin smart cards is found under WINDOWS\system32\eTpkcs11.dll.

Pointsec Service Start Account Username
The Windows account to use when starting the Pointsec PC service. Specify the account in the form [Domain]\[Username]. See Chapter 10, “Using a Service Start Account” on page 149 for more information.

Pointsec Service Start Account Password
Windows account password for the account that starts the Pointsec PC service in Windows. See Chapter 10, “Using a Service Start Account” on page 149 for more information.
Note - Pointsec PC will always use the first available path and will not
continue to look for newer files in other paths.
Pointsec PC maintains fail-safe communication with these locations by
using transactions to communicate. By definition, transactions ensure that
only correct and uninterrupted data will be stored and available.
Note - All paths should be to network shares that are located using a
secure but accessible UNC path.
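The update validation password (UVP) behaviour described under Set Update Validation Password above, as an added model that is not Pointsec PC code: the Machine and UpdateProfile classes, save_profile, pull_profile and the UVP values A, B and C are constructed for the illustration. It replays the rotation from A to B, shows why a profile saved before the change does not rotate the clients, and reproduces the divergence case in which a client set to C leaves the admin machine unable to deliver further updates.

```python
"""Model of update-profile validation with an update validation password (UVP).

Added illustration, not Pointsec PC code. It models the rule described under
Set Update Validation Password: a profile saved on a machine carries that
machine's current UVP and, if the UVP was changed there, the previous one; a
client accepts a pulled profile only if its own UVP is among those, and then
adopts the profile's current UVP. Names (Machine, UpdateProfile, pull_profile)
and the UVP values A, B, C are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class UpdateProfile:
    name: str
    valid_uvps: frozenset[str]  # UVPs the profile validates against (old + current)
    current_uvp: str            # UVP a client adopts after accepting the profile


@dataclass
class Machine:
    """An admin workstation or client, tracking its current and previous UVP."""
    name: str
    uvp: str
    previous_uvp: Optional[str] = None
    applied: list[str] = field(default_factory=list)

    def set_uvp(self, new_uvp: str) -> None:
        # Manual change via System Settings/Install/Set Update Validation Password.
        self.previous_uvp, self.uvp = self.uvp, new_uvp


def save_profile(machine: Machine, name: str) -> UpdateProfile:
    """Save an update profile on `machine`; it carries the old and current UVP."""
    uvps = {machine.uvp}
    if machine.previous_uvp is not None:
        uvps.add(machine.previous_uvp)
    return UpdateProfile(name, frozenset(uvps), machine.uvp)


def pull_profile(client: Machine, profile: UpdateProfile) -> bool:
    """Client validates a pulled profile; returns True if accepted and applied."""
    if client.uvp not in profile.valid_uvps:
        return False  # rejected: the profile was not saved under this client's UVP
    if profile.current_uvp != client.uvp:
        client.set_uvp(profile.current_uvp)  # follow the UVP change in the profile
    client.applied.append(profile.name)
    return True


def run_scenario() -> dict:
    """Replay the guide's example: A -> B on the admin machine, then a stray C."""
    admin = Machine("admin", "A")
    clients = [Machine(f"client{i}", "A") for i in range(3)]

    # A profile saved *before* the admin's UVP change carries only A: clients
    # accept it, but nothing tells them to move to B.
    stale = save_profile(admin, "update-0")
    admin.set_uvp("B")
    stale_ok = [pull_profile(c, stale) for c in clients]
    uvps_after_stale = [c.uvp for c in clients]

    # Saved after the change: carries A and B, clients accept via A and adopt B.
    rotate = save_profile(admin, "update-1")
    rotate_ok = [pull_profile(c, rotate) for c in clients]
    uvps_after_rotate = [c.uvp for c in clients]

    # Divergence: one client is set to C and used to deploy a profile (B and C).
    stray = clients[0]
    stray.set_uvp("C")
    divergent = save_profile(stray, "update-2")
    divergent_ok = [pull_profile(c, divergent) for c in clients[1:]]
    uvps_after_divergent = [c.uvp for c in clients]

    # The admin machine (still B, previously A) can no longer reach any client.
    admin_next = save_profile(admin, "update-3")
    admin_next_ok = [pull_profile(c, admin_next) for c in clients]

    return {
        "stale_accepted": stale_ok, "uvps_after_stale": uvps_after_stale,
        "rotate_uvps": sorted(rotate.valid_uvps), "rotate_accepted": rotate_ok,
        "uvps_after_rotate": uvps_after_rotate,
        "divergent_uvps": sorted(divergent.valid_uvps),
        "divergent_accepted": divergent_ok,
        "uvps_after_divergent": uvps_after_divergent,
        "admin_next_uvps": sorted(admin_next.valid_uvps),
        "admin_next_accepted": admin_next_ok,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```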
Logon Settings
Logon contains the following settings:
Figure 2-5
Table 2-5 Logon settings

Minimum Group Authority Level Required
The minimum group authority level required to edit the Logon settings. For example, if you set this to 7, user accounts with the group authority levels of 9, 8, and <=7 can edit the Logon settings. For more information on group authority levels, see Chapter 4, “Group Authority Levels” on page 17.

Logon Verification
Set the number of seconds that the verification text for a successful logon is displayed, or disable the display of the logon verification text.

Set Max Failed Logons Before Reboot
Set the maximum number of failed logons allowed before a reboot is invoked, or disable this function.
This setting does not apply to smart cards: a smart card handles the maximum number of failed logons internally, that is, the smart card itself decides what to do when this maximum is exceeded.
The value of Max Failed Logons Before Reboot must be set to three or fewer in a Common Criteria validated environment.

Skip Management Console Logon
When this setting is selected, Pointsec PC reuses the credentials entered for preboot authentication for the logon to the Management Console. Thus, no manual logon to the Management Console is required. This works only if the user account has permission to access the Management Console.
This setting and the Windows Integrated Logon setting (under “Logon Settings” above) cannot both be enabled at the same time. If they are, the system will deny you access to the Management Console.
Allow Hibernation and Crash Dumps
Allow the client to be put into hibernation and to write memory dumps. This setting is enabled by default.
This setting, when selected, enables Pointsec PC protection when the workstation is in hibernation mode. It also enables the writing of memory dumps.
On the Pointsec PC-protected workstation, all volumes selected for encryption must be fully encrypted before Pointsec PC will allow hibernation.
See the current release notes for information on operating system and hardware requirements.
When a machine is hibernating, only the Pointsec PC user account that initiated the hibernation may log on at preboot authentication. To allow another user account to use this machine, a Remote Help session is required.
Consider operational security management when enabling hibernation. As Pointsec PC supports one-time logon and remote password change in hibernation mode, you must ensure that the user requesting this help is legitimate. For more information, see Chapter 12, “Remote Help” on page 173.
If this setting is changed, the PC must be rebooted before the change takes effect. A dialog box will be displayed, informing you about this.
For hibernation to function, the system disk on which Windows is installed must be encrypted. Hibernation will not function with boot-only protection.
Remote Help Settings
Remote Help contains the following settings:
Figure 2-6
Table 2-6 Remote Help settings

Minimum Group Authority Level Required
The minimum group authority level required to edit the Remote Help settings. For example, if you set this to 7, user accounts with the group authority levels of 9, 8, and <=7 can edit the Remote Help settings. For more information on group authority levels, see Chapter 4, “Group Authority Levels” on page 17.

Enable Remote Help
Enable Remote Help functionality? Select Yes or No. By selecting this option, you enable users to use Remote Help on this computer.
The corresponding group and/or user account settings must also be selected to enable providing and/or receiving Remote Help: Permissions -> Remote Help -> Receive One-Time Password or Receive One-Time Logon or Provide One-Time Password or Provide One-Time Logon.
For Remote Help to function, both the user account of the Remote Help provider and that of the Remote Help recipient must exist on the computer. Note also that the Remote Help provider’s group authority level must be equal to or higher than the group authority level of the Remote Help recipient.

Use 20-Character Challenge
Select to use a 20-character challenge instead of the default 10-character challenge in Remote Help sessions.
Screen Saver Settings
Screen Saver contains the following settings:
Figure 2-7
Table 2-7 Screen Saver settings

Minimum Group Authority Level Required
    The minimum group authority level required to edit the Screen
    Saver settings. For example, if you set this to 7, user accounts
    with the group authority levels of 9, 8, and <=7 can edit the
    Screen Saver settings. For more information on group authority
    levels, see Chapter 4, “Group Authority Levels” on page 17.

Set Screen Saver Text
    Specify the text that will be displayed in the Pointsec for PC
    screen saver.

Allow Windows Screen Saver
    Select to allow the Windows screen saver. Clear the checkbox if
    you do not want the Windows screen saver to be used.
System Passwords Policy Settings
System Passwords Policy contains the following settings:
Figure 2-8
Table 2-8 System Password Policy settings

Minimum Group Authority Level Required
    The minimum group authority level required to edit the System
    Passwords Policy settings. For example, if you set this to 7, user
    accounts with the group authority levels of 9, 8, and <=7 can edit
    the System Passwords Policy settings. For more information on group
    authority levels, see Chapter 4, “Group Authority Levels” on page 17.

Windows Complexity Requirements
    If enabled, Pointsec PC will enforce password requirements similar to
    the Windows Complexity Requirements:
    • The password must be at least six characters long.
    • The password must contain characters from at least three of the
      following four categories:
      • English uppercase characters
      • English lowercase characters
      • Base 10 digits
      • Non-alphanumeric (for example: !, $, #, or %)
    • The password must not contain the username.

Require Letters and Digits
    Both letters and digits must be used in passwords if this setting is
    active.

Case Sensitivity
    Accept upper- and lowercase letters in passwords. If the value of this
    setting is “No”, all letters are interpreted as uppercase regardless of
    their case when entered.

Allow Special Characters
    Allow the use of the following other special characters:
    ; ! " # $ % && ' ( ) * + , - . / : < = > ? @ { }

Allow Consecutive, Identical Characters
    Allow more than two consecutive, identical characters in passwords.

Require Upper and Lower Case
    The password must contain both upper and lower case characters.

Allow Embedded Space Characters
    Passwords may contain embedded space characters.

Allow Leading or Trailing Space Characters
    Allow leading or trailing space characters or both.

Allow Password of Adjoining Characters
    Allow a password to consist of a series of characters from adjoining
    keys on the keyboard.

Set Minimum Length
    Set the minimum length for passwords.
Wake-on-LAN Settings
Wake-on-LAN contains the following settings:
Figure 2-9
Table 2-9 Wake-on-LAN settings

Minimum Group Authority Level Required
    The minimum group authority level required to edit the Wake-on-LAN
    settings. For example, if you set this to 7, user accounts with the group
    authority levels of 9, 8, and <=7 can edit the Wake-on-LAN settings. For
    more information on group authority levels, see Chapter 4, “Group
    Authority Levels” on page 17.

Enable Wake on LAN
    Enable Wake-on-LAN functionality. This setting will cause the computer
    to automatically boot after the time specified under Wake On LAN Set
    Start Delay, below. For more information see Chapter 13, “Pointsec PC
    Utilities”.
    On a machine on which Wake-on-LAN is enabled, carrying out either of
    the following actions will disable Wake-on-LAN: (1) entering any
    keystroke in the PPBE authentication window, or (2) successfully
    logging on to the PCMC. After either of these actions, Wake-on-LAN
    must again be enabled via this setting.
    In a Common Criteria validated environment, this setting must be
    disabled.

Set Start Delay
    The delay in minutes after which a Wake-on-LAN boot starts.

Allow Windows Logon
    Allow a Windows logon after a Wake-on-LAN boot.

Set Expiration Date
    Set the date on which the Wake-on-LAN functionality will be disabled.

Set Max Number of Logons Allowed
    Set the maximum number of Wake-on-LAN logons allowed, if any.
Windows Integrated Logon Settings
The Windows Integrated Logon (WIL) function enables users to log on
without preboot authentication. This functionality is described in
“Pointsec PC Windows Integrated Logon (WIL)” in Chapter 13,
“Pointsec PC Utilities”.
Windows Integrated Logon (WIL) contains the following settings:
Figure 2-10
Table 2-10 Windows Integrated Logon (WIL) settings

Minimum Group Authority Level Required
    The minimum group authority level required to edit the Windows
    Integrated Logon settings. For example, if you set this to 7, user
    accounts with the group authority levels of 9, 8, and <=7 can edit the
    Windows Integrated Logon settings. For more information on group
    authority levels, see Chapter 4, “Group Authority Levels” on page 17.

Windows Integrated Logon
    Select this to enable user accounts to log on without preboot
    authentication, that is, to bypass authentication at startup. Note that
    this setting affects all your users. See the information on WIL in
    “Pointsec PC Windows Integrated Logon (WIL)” on page 181.
    In a Common Criteria validated environment, this setting must be
    disabled.
    If both Windows Integrated Logon and Change Credentials in the
    Pointsec PC Tray (Figure 3-4 on page 46) are enabled, Change
    Credentials in the Pointsec PC Tray will be disabled and grayed out in
    the tray menu.
    Note that this setting and the Skip Management Console Logon setting
    (under “Logon Settings” above) cannot both be enabled at the same
    time. If they are, the system will deny you access to the Management
    Console.

Set PPBE Failure WIL Message
    The text specified in this setting is the message that will be displayed
    to the user when WIL has been disabled automatically.

Enable Network Locations Awareness
    Enables or disables the Network Locations Awareness function.

Set Network Locations
    Specifies the IP addresses that the Network Locations Awareness
    module will ping during Windows boot.

Set Max Failed Windows Logon Attempts
    Maximum number of logon attempts in Windows before WIL is
    automatically disabled. This value is reset after a successful logon has
    been performed.

Display Enable WIL Switch
    Displays the 'Enable WIL' switch in the tray icon menu and in
    preboot.
    This setting enables the user to disable WIL manually, for example
    when the computer is to be removed from the network to work from
    another location. This saves the user a reboot at the next start-up,
    when WIL would otherwise be disabled automatically.

Enable Hardware Hash
    Specifies if a hardware hash from the BIOS ROM area together with
    data from the CPU will be calculated to ensure that the hard drive has
    not been tampered with.

Bypass PPBE WIL Message
    This setting will be reflected in PPBE when the user selects the 'Don’t
    show this message again' checkbox in the PPBE WIL message dialog.
    This setting is useful for users who regularly disconnect their
    computers from the network and do not want to see the message
    explaining that WIL has been automatically disabled each time.

Set WIL User Screen Saver Time-out
    Time in minutes before the screen saver is activated for WIL users.
The Export to CSV File Button
The Export to CSV File button in the Local dialog box allows you to export the
settings to a tab-separated CSV file. Note that you can also right-click a
group or user account folder and select Export to CSV to export the
settings for just that folder.
The Print Settings Button
The Print Settings button in the Local dialog box allows you to print the
settings, for a group or user account folder that is selected. Note that you
can also right-click a group or user account folder and select Print to print
the settings for just that folder.
Printing Settings
The Print Settings option in the Local dialog box allows you to print the local
settings.
Note - Before printing local settings you must have already set up the
printer or printers you want to use.
Figure 2-11
To print local settings:
1. Click Print Settings. The Print dialog box is displayed:
Figure 2-12
2. Select a printer and click OK to print the settings.
Exporting Settings to a CSV File
The Export Settings to CSV File option in the Local dialog box allows you to
export the settings to a file as tab-separated CSV values.
Viewing the Event Log Database
The View Event Log Database option in the Local dialog box allows you to
view the event log database as necessary.
Figure 2-13
To view the log:
1. Click View Event Log Database. The Log Viewer dialog box is displayed:
Figure 2-14
Note that you can export the log by clicking on the Export button. Then
specify the name of the file that will contain the log, as well as the file
type in the Save as type drop-down box. Valid file types are XML, CSV
(Comma Separated Values) and TSV (Tab Separated Values). Then click
Save.
Each log entry contains the following elements:
Table 2-11 Log Entry Elements

Priority
    This includes both the icon that represents the type of event (Info, Warning,
    Error, Success, or Failure) and the level of that type of event (Low, Normal,
    High).

ID
    Each event has a unique ID, and you might be requested to provide this ID
    when communicating with Pointsec Support.

Timestamp
    The timestamp showing when the event was recorded in the log.

Description
    Text that describes the event.
To view detailed log entry information:
1. Do one of the following:
   • Double click the log entry you want to see in more detail.
   • Right click the entry you want to see in more detail and select
     Details.
   The Log Entry Details dialog box is displayed:
Figure 2-15
To exclude events from the display list:
1. Right click the entry you wish to exclude from the list and select Hide
this kind. All events with the same ID will be excluded from the display
list. To redisplay them, click Apply.
Filtering Log Entries
The logs can be customized to contain the information you desire. You can
select any combination of event type (Info, Warning, Error, Success, Failure)
and event level (High, Normal or Low for Warnings), and only those types and
levels selected will appear in the log. You can also filter by user account
name, description text and timestamp.
Event Type
You can select the types of events to be included in the log from the list
below.
To select event types to be displayed in the log:
1. Select the checkbox of the event type(s) you want included in the log,
and click Apply.
The following types of events can be displayed:
Table 2-12 Event Types

Info
    An informational event.

Warning
    A warning event is issued to make the administrator
    aware of something.

Error
    Signifies a Pointsec PC error.

Success
    Signifies a successful action, for example, a successful
    logon.

Failure
    Signifies an unsuccessful action, for example, a failed
    logon or a failed password change.
Event Level
Each event is assigned a level of either High, Normal or Low. The level is
displayed immediately to the right of the icon that represents the type of
event.
Figure 2-16
To select event levels to be displayed in the log:
1. For each type of event, select the level of event you want to appear in
the log. Click Apply.
User Account Name
To filter events according to user account name:
1. Enter the user account name in the Filter for User Name field and click
Apply. This field is not case sensitive and all input is displayed in
upper case characters.
Description Text
To filter events according to description text:
1. Enter the description text in the Filter for Description Text field and click
Apply. This field is case sensitive.
Timestamp Filter
To filter events according to timestamp:
1. Select Timestamp Filter. The corresponding fields of the Logs dialog box
are activated:
Figure 2-17
2. Select one of the following:
   • Before
     Displays all events before the date and time you specify in the End
     field. Note that you can filter for all events before a certain date
     (without specifying a specific time on that day) by clearing the
     time of day in the field in which the time is specified.
   • After
     Displays all events after the date and time you specify in the End
     field. Note that you can filter for all events after a certain date
     (without specifying a specific time on that day) by clearing the
     time of day in the field in which the time is specified.
   • Within Time Span
     Displays all events within the dates and times you specify in the
     Start and End fields. Note that you can filter for all events between
     two dates (without specifying a specific time or times on one or
     both days) by clearing the time of day in the field in which the
     time is specified. Similarly, you can filter for events between two
     times on one day.
3. Click Apply.
Exporting Logs
The log export functionality allows log content to be exported in the
following formats, which support import into other management and data
systems: Comma Separated Values (CSV), Tab Separated Values (TSV) and
XML. This includes logs from Local Settings or from a configuration set.
Export can be done on the basis of selectable criteria.
To export logs:
1. Select Export Local Log Database in the Local dialog box:
Figure 2-18
The Save As window is displayed:
Figure 2-19
2. Specify the name of the file that will contain the log, as well as the file
type in the Save as type drop-down box. Valid file types are XML, CSV
(Comma Separated Values) and TSV (Tab Separated Values).
3. Click Save.
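The Log Viewer filters described under “Filtering Log Entries” and the CSV/TSV/XML export described here, modelled in Python as an added example (this is not Pointsec PC code; the log database format is not documented on this page, so the LogEntry fields, the sample entries and the export column and element names are this example's own assumptions, and the inclusive handling of a bare date is an assumption as well):

```python
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

EVENT_TYPES = ("Info", "Warning", "Error", "Success", "Failure")
EVENT_LEVELS = ("Low", "Normal", "High")


@dataclass
class LogEntry:
    event_id: int        # identifies the kind of event; "Hide this kind" hides every entry with this ID
    event_type: str      # one of EVENT_TYPES (the icon shown under Priority)
    level: str           # one of EVENT_LEVELS (shown to the right of the icon)
    timestamp: datetime
    user_name: str
    description: str


# Constructed sample entries, not taken from a real Pointsec PC log database.
SAMPLE_LOG = [
    LogEntry(1001, "Success", "Normal", datetime(2007, 7, 2, 8, 15), "ALICE", "Preboot authentication succeeded"),
    LogEntry(1002, "Failure", "High", datetime(2007, 7, 2, 8, 17), "BOB", "Preboot authentication failed"),
    LogEntry(1002, "Failure", "High", datetime(2007, 7, 3, 9, 1), "BOB", "Preboot authentication failed"),
    LogEntry(1003, "Warning", "Low", datetime(2007, 7, 3, 12, 30), "ALICE", "Password expires in 5 days"),
    LogEntry(1004, "Info", "Normal", datetime(2007, 7, 4, 7, 0), "SYSTEM", "Wake-on-LAN boot started"),
]


def parse_bound(text):
    """'YYYY-MM-DD HH:MM' gives a datetime; 'YYYY-MM-DD' (time of day cleared) gives a date."""
    text = text.strip()
    if " " in text:
        return datetime.strptime(text, "%Y-%m-%d %H:%M")
    return datetime.strptime(text, "%Y-%m-%d").date()


def _within(ts, lower, upper):
    """Inclusive bound check; a bare date (time cleared in the dialog) matches the whole day."""
    for bound, holds in ((lower, lambda a, b: a >= b), (upper, lambda a, b: a <= b)):
        if bound is None:
            continue
        value = ts if isinstance(bound, datetime) else ts.date()
        if not holds(value, bound):
            return False
    return True


def filter_entries(entries, selected=None, user_name=None, description_text=None,
                   mode=None, start=None, end=None, hidden_ids=()):
    """Apply the Log Viewer filters.
    selected: {event type: set of levels} as ticked in the dialog (None = show all).
    user_name: not case sensitive (the dialog uppercases the input); substring match assumed.
    description_text: case sensitive substring match.
    mode: 'before' (uses end), 'after' (uses start) or 'within' (uses both)."""
    result = []
    for e in entries:
        if e.event_id in hidden_ids:
            continue
        if selected is not None and e.level not in selected.get(e.event_type, ()):
            continue
        if user_name is not None and user_name.upper() not in e.user_name.upper():
            continue
        if description_text is not None and description_text not in e.description:
            continue
        if mode == "before" and not _within(e.timestamp, None, end):
            continue
        if mode == "after" and not _within(e.timestamp, start, None):
            continue
        if mode == "within" and not _within(e.timestamp, start, end):
            continue
        result.append(e)
    return result


HEADER = ["Priority", "ID", "Timestamp", "User", "Description"]


def _row(e):
    return [f"{e.event_type}/{e.level}", str(e.event_id), e.timestamp.isoformat(sep=" "),
            e.user_name, e.description]


def export_delimited(entries, delimiter=","):
    """CSV (delimiter ',') or TSV (delimiter tab) text, the two delimited formats of the Export button."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, lineterminator="\n")
    writer.writerow(HEADER)
    for e in entries:
        writer.writerow(_row(e))
    return buf.getvalue()


def export_xml(entries):
    """XML export; the element and attribute names are this example's own, not the product's schema."""
    root = ET.Element("log")
    for e in entries:
        el = ET.SubElement(root, "entry", id=str(e.event_id), type=e.event_type, level=e.level)
        ET.SubElement(el, "timestamp").text = e.timestamp.isoformat()
        ET.SubElement(el, "user").text = e.user_name
        ET.SubElement(el, "description").text = e.description
    return ET.tostring(root, encoding="unicode")
```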
Chapter 3
Configuring Group and User Account Settings
This chapter provides a general introduction to the settings that can be specified for
both groups and user accounts. These settings are related to volume access, logging
on, authentication, permissions, single sign-on and password synchronization.
Each setting has a default value, but a value that has been set (specified) always
overrides a default value. Thus, for certain important settings, for example, those
related to password policy, you may want to set the values rather than relying on the
defaults.
Local Settings for Groups and User Accounts
To open the Local Settings:
1. Start Pointsec and select one of the following:
   • Local in the folder tree to the left
   • Go To Local under Local Installation in the main panel
Figure 3-1
2. The Local dialog box is displayed:
Figure 3-2
3. Click Edit Settings and the folder tree under Local is displayed in the left
panel. This group of settings can be specified for both groups and user
accounts.
4. Do one of the following:
   • For group settings
     Under Groups, expand the System folder to see the folders that
     contain Group Settings.
   • For user settings
     Under User Accounts, expand the tree for a user (ADMIN in the
     example below) and then expand the Account Settings folder that is
     displayed; you will see the folders containing the account settings.
   You also see that the same settings exist for both groups and user
   accounts:
Figure 3-3
System Settings for Groups
1. Click System under Groups and the following setting is displayed:
Figure 3-4
Table 3-1 System settings for groups

GUID
    (Globally Unique Identifier) The GUID is a unique
    reference number that identifies each group and user
    account. GUIDs are used internally by Pointsec PC to
    guarantee each group and user account’s uniqueness.
Group Settings
1. Click Group Settings and the following settings are displayed:
Figure 3-5
Table 3-2 Group Settings

Logon Authorized
    User accounts in this group are allowed to log on.

Set Screen Saver Timeout
    Time in minutes before the screen saver is activated.

Set Expiration Date
    The date on which this group will expire.

Set Group Authority Level
    Set the group authority level for this group. See
    “Group Authority Levels” on page 61 for detailed
    information on group authority levels.
Logon Settings
1. Click Logon under Group Settings and the following settings are
displayed:
Figure 3-6
Table 3-3 Logon settings

Set Max Failed Logons
    Set the maximum number of failed logons allowed before the account
    is locked.
    For smart card users, the smart card is locked when the maximum
    number of failed logons configured for the individual smart card is
    exceeded.
    However, the Pointsec PC Set Max Failed Logons setting is not used
    for smart cards. Therefore, the user account using the smart card will
    not be locked even though the smart card is locked.

Set Logon Limit
    Set the maximum number of successful logons allowed before the
    account is locked.

Set Failed Attempts Before Temporary Lockout
    Set the number of failed logon attempts before a temporary lockout
    occurs.

Set Temporary Lockout Time
    Set the duration in minutes of a temporary lockout.
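How the four Logon settings above interact (temporary lockout, permanent lock, the logon limit, and the smart card exception), modelled in Python as an added example; this is not Pointsec PC code, the field and outcome names are this example's own, and the rule that a successful logon clears the failure counter is an assumption the page does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LogonPolicy:
    """The four Logon settings of Table 3-3; field names are this example's own."""
    max_failed_logons: int = 10            # Set Max Failed Logons
    logon_limit: Optional[int] = None      # Set Logon Limit (None means no limit)
    failed_before_temp_lockout: int = 3    # Set Failed Attempts Before Temporary Lockout
    temp_lockout_minutes: int = 5          # Set Temporary Lockout Time


@dataclass
class AccountLogonState:
    uses_smart_card: bool = False
    failed_logons: int = 0
    successful_logons: int = 0
    locked: bool = False
    temp_lockout_until: Optional[datetime] = None


def attempt_logon(state, policy, success, now):
    """Apply one preboot logon attempt to the account state and return the outcome."""
    if state.locked:
        return "rejected: account locked"
    if state.temp_lockout_until is not None and now < state.temp_lockout_until:
        return "rejected: temporary lockout"
    if success:
        state.successful_logons += 1
        state.failed_logons = 0            # assumption: a successful logon clears the failure count
        state.temp_lockout_until = None
        if policy.logon_limit is not None and state.successful_logons >= policy.logon_limit:
            state.locked = True            # this logon is allowed; the account is locked afterwards
            return "ok: logon limit reached, account locked"
        return "ok"
    if state.uses_smart_card:
        # Max Failed Logons is not applied to smart card users: the card keeps its own
        # retry counter and locks itself, while the Pointsec PC account stays unlocked.
        return "failed: counted by the smart card, not by Pointsec PC"
    state.failed_logons += 1
    if state.failed_logons >= policy.max_failed_logons:
        state.locked = True
        return "failed: account locked"
    if state.failed_logons % policy.failed_before_temp_lockout == 0:
        state.temp_lockout_until = now + timedelta(minutes=policy.temp_lockout_minutes)
        return "failed: temporary lockout"
    return "failed"


def run_scenario(attempts, policy=None, smart_card=False):
    """Replay a constructed list of (minutes after start, success) attempts and collect outcomes."""
    if policy is None:
        policy = LogonPolicy(max_failed_logons=5, failed_before_temp_lockout=3, temp_lockout_minutes=5)
    state = AccountLogonState(uses_smart_card=smart_card)
    t0 = datetime(2007, 7, 1, 9, 0)   # constructed start time
    return [attempt_logon(state, policy, ok, t0 + timedelta(minutes=m)) for m, ok in attempts]
```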
Authentication Settings
Fixed Password
Pointsec PC supports Unicode characters in passwords. See “Keyboard
Layouts” on page 237 for the keyboards (locale codes) supported and
“Language Packs” on page 233 for the languages supported.
1. Click Fixed Password and the settings are displayed:
Figure 3-7
Table 3-4 Fixed Password settings

Windows Complexity Requirements
    When enabled, each time the password is changed, Pointsec PC will
    enforce password requirements similar to the following Windows
    Complexity Requirements:
    • The password must be at least six characters long.
    • The password must contain characters from at least three of the
      following categories:
      – English uppercase characters
      – English lowercase characters
      – Base 10 digits
      – Non-alphanumeric symbols (for example: !, $, #, or %).
    • The password must not contain the username.
    Uppercase and lowercase characters other than English characters can
    also be used; contact Microsoft for information on exactly what can be
    used.
    If the new password does not meet the criteria described above, the
    password change is rejected and a message communicating this is
    displayed to the user.
    Passwords are checked at the following times:
    • When changed in Pointsec PC preboot authentication.
    • At Windows logon.
    • When changing password via the PCMC.

Require Letters and Integers
    Require that both letters and integers be used in passwords.
    In a Common Criteria validated environment, this setting must be
    enabled.

Case Sensitivity
    Accept uppercase and lowercase letters in passwords. If the check box
    is cleared, all letters are interpreted as uppercase regardless of their
    case when entered.

Allow Special Characters
    Allow the use of the following special characters:
    ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ { }

Allow Consecutive, Identical Characters
    Allow more than two consecutive, identical characters in passwords.
    In a Common Criteria validated environment, this setting must be
    disabled.

Require Upper and Lower Case
    Require that passwords contain both uppercase and lowercase
    characters.
    In a Common Criteria validated environment, this setting must be
    enabled.

Allow Embedded Space Characters
    Allow passwords with embedded space characters.

Allow Leading or Trailing Space Characters
    Allow leading or trailing space characters, or both.

Allow Password of Adjoining Characters
    Allow passwords to consist of a series of characters from adjoining
    keys on the keyboard.

Set Minimum Length
    Set the minimum length for passwords.
    In a Common Criteria validated environment, the value of this setting
    must be 8.

Set Minimum Age
    Set the minimum age of passwords in days, or no limitation for
    password age. Minimum password age is the number of days the
    password must exist before being changed.

Set Maximum Age
    Set the maximum allowed age of a password in days.
    If you have specified a maximum age at the group level, and later
    decide you want it set at the user account level, do the following (do
    not use “Disable”, which only disables the feature):
    1. Right click Set Maximum Age in Group Settings.
    2. Select Reset value.
    3. Click OK.
    4. Specify the new maximum age for each user account.

Password History
    Number of passwords that must be used before a previously used
    password may be used again. Note that passwords created in the
    PCMC are not saved in the password history.
Note - If you specify that a group of accounts must use fixed
passwords, you must ensure that the settings for the passwords meet
strict security standards:
• Always specify complex passwords that require letters, numbers,
  special characters and spaces. Do not include repeating
  characters.
• Use a mix of uppercase and lowercase letters.
• Use non-alphanumeric symbols such as the dollar sign ($) and
  percentage symbol (%).
• Pointsec PC supports Unicode characters in passwords. See
  “Keyboard Layouts” on page 237 for the keyboards (locale
  codes) supported and “Language Packs” on page 233 for the
  languages supported.
• Make sure the password does not include any word that can be
  found in a dictionary – you can use parts of words.
• Make sure the password can be remembered without having to be
  written down.
• When deploying Pointsec PC, create a policy to go with the
  password, including end-user education and enforcement as well
  as a procedure for action if someone forgets their password or
  simply cannot get it to work.
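The password rules of Table 2-8 (System Passwords Policy) and Table 3-4 (Fixed Password settings) as one checker, written in Python as an added example; it is not Pointsec PC code, the policy key names and violation messages are this example's own, and the QWERTY row layout used for the adjoining-keys check and the choice to skip the mixed-case rule when case sensitivity is off are assumptions made here.

```python
import re

# Policy keys mirror the Fixed Password settings of Tables 2-8 and 3-4;
# the key names are this example's own, not Pointsec PC identifiers.
DEFAULT_POLICY = {
    "windows_complexity": True,
    "require_letters_and_digits": True,
    "case_sensitive": True,
    "allow_special_characters": True,
    "allow_consecutive_identical": False,
    "require_upper_and_lower": True,
    "allow_embedded_space": False,
    "allow_leading_trailing_space": False,
    "allow_adjoining_characters": False,
    "minimum_length": 8,   # the value required in a Common Criteria validated environment
}

# The special characters listed under Allow Special Characters in Table 3-4.
SPECIAL_CHARS = set("!\"#$%&'()*+,-./:;<=>?@{}")

# Rows of a US QWERTY layout, an assumption of this example for the adjoining-keys check.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def windows_complexity_violations(password, username):
    """The rules the page lists under Windows Complexity Requirements."""
    found = []
    if len(password) < 6:
        found.append("shorter than six characters")
    categories = (
        any(c.isascii() and c.isupper() for c in password),   # English uppercase
        any(c.isascii() and c.islower() for c in password),   # English lowercase
        any(c.isdigit() for c in password),                   # base 10 digits
        any(not c.isalnum() for c in password),               # non-alphanumeric
    )
    if sum(categories) < 3:
        found.append("fewer than three of the four character categories")
    if username and username.lower() in password.lower():
        found.append("contains the username")
    return found


def is_adjoining_sequence(password):
    """True when the whole password runs along neighbouring keys of one row, in either direction."""
    p = password.lower()
    return len(p) >= 3 and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password, username, policy=DEFAULT_POLICY):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if not policy["case_sensitive"]:
        # Case Sensitivity = No: every letter is interpreted as uppercase regardless of input.
        password = password.upper()
    if len(password) < policy["minimum_length"]:
        problems.append("shorter than the minimum length")
    if policy["windows_complexity"]:
        problems.extend(windows_complexity_violations(password, username))
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if policy["require_letters_and_digits"] and not (has_alpha and has_digit):
        problems.append("needs both letters and digits")
    if not policy["allow_special_characters"] and any(c in SPECIAL_CHARS for c in password):
        problems.append("special characters not allowed")
    if not policy["allow_consecutive_identical"] and re.search(r"(.)\1\1", password):
        problems.append("more than two consecutive identical characters")
    # With case sensitivity off no lowercase letters remain, so this example applies
    # the mixed-case rule only to case-sensitive policies (an assumption made here).
    if policy["require_upper_and_lower"] and policy["case_sensitive"]:
        if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
            problems.append("needs both uppercase and lowercase letters")
    if not policy["allow_embedded_space"] and " " in password.strip(" "):
        problems.append("embedded space characters not allowed")
    if not policy["allow_leading_trailing_space"] and password != password.strip(" "):
        problems.append("leading or trailing space characters not allowed")
    if not policy["allow_adjoining_characters"] and is_adjoining_sequence(password):
        problems.append("characters from adjoining keys")
    return problems
```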
Smart Card
1. Click Smart Card and the settings are displayed:
Figure 3-8
Table 3-1 Smart Card settings

Certificate Expiration Warning
    The time in days before the certificate expires and a warning is
    displayed to the user.

Certificate Expiration Action
    The action that will be taken when a certificate expires.

Certificate Revocation Action
    The action that will be taken when a certificate is revoked.
Windows Smart Card Insertion/Removal Handling
These settings make it possible to control the action taken when a smart
card-authenticated user removes the smart card.
1. Click Windows Smart Card Insertion/Removal Handling and the following
settings are displayed:
Figure 3-9
Table 3-2 Windows Smart Card Insertion/Removal Handling settings

Use Pointsec Token Insertion/Removal Handling
    Enables/disables the Pointsec PC token insertion/removal handling.
    If this feature is disabled, the Windows Token Removal Handling
    feature is used instead.

Action If Smart Card Is Removed
    Action that will be taken if a smart card is removed. The following
    actions can be set:
    • Do nothing - the user continues to be logged on.
    • Lock the workstation – the screen lock is activated and the
      user needs to re-authenticate.
    • Log off the user – the system returns to the initial Windows
      user logon screen. This log off action will be forced after 30
      seconds.
    • Log off and shut down – the system logs off the user, closes all
      open applications and saves data before shutting down the
      system. The shutdown will be forced after 30 seconds.
    • Shut down immediately – the system shuts down immediately
      without any regard to open applications or data being
      processed.
Privileged Permissions Settings
1. Click Privileged Permissions and the following settings are displayed:
Figure 3-10
Table 3-3 Privileged Permissions settings

Change Permissions
    Set whether or not the account(s) are allowed to change permissions.

Change Privileged Permissions
    Set whether or not the account(s) are allowed to change privileged
    permissions.

Create User Accounts
    Set whether or not the account(s) are allowed to:
    • Create user accounts.
    • Edit other user accounts’ names.
    • Edit other user accounts’ fixed passwords.
    Note that this setting does not allow these accounts to change/edit
    their own names or fixed passwords; to do that the Permissions
    setting, Change Credentials must be enabled. See Permissions
    Settings, below.

Create Groups
    Set whether or not the account(s) are allowed to create groups.

Advanced Profile Editing
    Set whether or not to allow the following:
    • Opening and editing of profiles created in versions of
      Pointsec for PC prior to the current version.
    • Changing the GUID on groups and users.

Create Profiles
    Set whether or not the account(s) are allowed to create profiles.

Remove User Accounts
    Set whether or not the account(s) are allowed to remove user
    accounts.

Remove Groups
    Set whether or not the account(s) are allowed to remove groups.

Remove Profiles
    Set whether or not the account(s) are allowed to remove profiles.

Edit System Settings
    Set whether or not the account(s) are allowed to edit the system
    configuration under System Settings.
    Grants the account the authority to change the local system settings
    on the computer they are logged in to. These changes can be
    overridden with an update profile.
    When this option is not selected, editing system settings will not be
    available to the user account.
    See “Working with Installation and Update Profiles” on page 101 for
    more information.

Access to Local
    Set whether or not the account(s) are allowed to access Local in the
    Pointsec PC folder tree.

Access to Remote
    Set whether or not the account(s) are allowed to access Remote in the
    Pointsec PC folder tree.
Permissions Settings
1. Click Permissions and the settings are displayed:
Figure 3-11
Table 3-4 Permissions settings

Change Credentials
    Set whether or not the account(s) are allowed to change their own
    fixed passwords and/or credentials. Note that for account(s) to be able
    to change other user accounts’ fixed passwords and/or user account
    names, the Privileged Permissions setting Create Users must be
    enabled. See Create Users under Privileged Permission settings,
    above.
    To create a temporary smart card user, this setting must be set to Yes.

Change Single Sign-On
    Set whether or not the account(s) are allowed to change the single
    sign-on settings.
    When this option is selected, the account’s SSO setting can be
    changed when being authenticated by Pointsec PC. For more
    information on SSO, see Chapter 13, “Pointsec PC Utilities”.

View Logs
    Set whether or not the account(s) are allowed to view logs.

Uninstall
    Set whether or not the account(s) are allowed to uninstall
    Pointsec PC.
    Grants the account the authority to remove Pointsec PC from this
    system. If the account does not have this privilege, an administrator
    must go to the computer to remove the software.
    Pointsec PC can only be removed by two user accounts that both have
    this authority. A Pointsec PC user alone cannot remove Pointsec PC.
    See “Removing Pointsec PC” on page 191 for more information.

Management Console Logon
    Set whether or not the account(s) are allowed to log on to the
    Management Console.
    In a Common Criteria validated environment, this setting must be
    disabled on all clients.

Create Recovery Media
    Set whether or not the account(s) are allowed to create recovery
    media.

Allow Logon to Hibernated System
    Set whether or not to allow the account(s) to log on to a system
    hibernated by another account.

Change to Fixed Password
    Set whether or not the account(s) are allowed to be changed to use
    fixed password authentication.

Change to Dynamic Token
    Set whether or not the account(s) are allowed to be changed to use
    dynamic token authentication.

Change to Smart Card
    Set whether or not the account(s) are allowed to be changed to use
    smart-card authentication.

Change Credentials in the Pointsec for PC tray
    Set whether or not the account(s) are allowed to change their
    credentials in the Pointsec PC tray.
    When authenticating to change credentials in the Pointsec PC tray,
    the Pointsec PC authentication dialog box has a Remote Help button.
    This button enables only One-time logon; Remote password change is
    not available via this Remote Help button.
    If both Windows Integrated Logon (see Figure 2-10 on page 32) and
    Change Credentials in the Pointsec PC Tray are enabled, Change
    Credentials in the Pointsec PC Tray will be grayed out and disabled in
    the tray menu.
Remote Help
1. Click Remote Help and the settings are displayed:
Figure 3-12
Note - For Remote Help to function, both the user account of the
Remote-Help provider and of the Remote-Help recipient must exist on
the computer. Note also that the Remote-Help provider’s group authority
level must be equal to or higher than the group authority level of the
Remote-Help recipient.
Table 3-5 Remote Help settings

Provide ‘Remote Password Change’
    Set whether or not the account(s) are allowed to provide Remote
    Password Change for other user accounts.
    For a user account to be able to provide Remote Help, this option
    must also be selected in both the client system settings and the
    user account properties.

Provide ‘One-Time Logon’
    Set whether or not the account(s) are allowed to provide One Time
    Logon for other user accounts.
    For a user account to be able to provide Remote Help, this option
    must also be selected in both the client system settings and the
    user account properties.

Receive ‘Remote Password Change’
    Set whether or not the account(s) are allowed to receive Remote
    Password Change.
    For a user account to be able to receive Remote Help, this option
    must also be selected in both the client system settings and the
    user account properties.

Receive ‘One-Time Logon’
    Set whether or not the account(s) are allowed to receive One-Time
    Logon.
    For a user account to be able to receive Remote Help, this option
    must also be selected in both the client system settings and the
    user account properties.

Response Format
    Select whether to use Numeric or Alphanumeric format for the response
    in Remote Help.
Single Sign-On Settings
1. Click Single Sign-On and the settings are displayed:
Figure 3-13

Table 3-6 Single Sign-On settings

Enable SSO
    Set whether or not single sign-on functionality is to be enabled for
    the account(s).

Entrust SSO
    Set whether or not Entrust single sign-on functionality is to be used
    by the account(s).

Smart Card Triggers Windows SSO logon?
    Set whether or not to allow using a smart card to trigger the Windows
    SSO logon.
Password Synchronization Settings
1. Click Password Synchronization and the settings are displayed:
Figure 3-14
Table 3-7 Password Synchronization settings

Synchronize Windows Password to Preboot
    Synchronizes the Pointsec PC password and the Windows password by
    setting the Pointsec PC password to the Windows password. When a
    user changes the Windows password, Pointsec PC prompts for the
    Pointsec PC password and then synchronizes it with the new Windows
    password.
    This setting can be enabled together with Synchronize Preboot
    Password to Windows (below) so that, in whichever environment the
    password is changed, it is synchronized with the password in the
    other environment.
    Password synchronization must be inactivated in a Common Criteria
    validated environment.

Synchronize Preboot Password to Windows
    Synchronizes the Pointsec PC password and the Windows password by
    setting the Windows password to the Pointsec PC password. When a
    user changes the Pointsec PC password, Pointsec PC prompts for the
    Windows password and then synchronizes it with the new Pointsec PC
    password.
    This setting can be enabled together with Synchronize Windows
    Password to Preboot (above) so that, in whichever environment the
    password is changed, it is synchronized with the password in the
    other environment.
    Password synchronization must be inactivated in a Common Criteria
    validated environment.
Chapter 4
Group Authority Levels
This chapter describes the Pointsec PC group authority levels.
What Is a Group Authority Level (GAL)?
Authority means, among other things, the right to carry out an action. A group
authority level (GAL) determines which actions the user accounts in a group can
carry out.
A GAL is a mandatory setting for each group. The GAL is assigned when the group is
created, and the GAL can be changed once the group has been created. Every user
account in a group inherits the group’s GAL. But GALs cannot be assigned directly to
user accounts.
A GAL is also a mandatory setting for System Settings. When you do a master install,
the Minimum Required Group Authority Level for each System Settings folder is set to
the most secure value by default.
A GAL consists of a combination of a number and an optional operator, see the
descriptions of “Group-Authority-Level Number” and “Equal-Authority-Level Operator”,
below.
Group-Authority-Level Number
A group authority level (GAL) contains a number from zero to nine (0-9) that is set for
each group and for each System Settings folder in the Pointsec PC Management
Console (PCMC). Nine is the highest GAL, and zero is the lowest.
A user account with a given GAL can change the settings etc. of groups with a
lower GAL: for example, user accounts with a GAL of nine can access and edit
settings for all user accounts with a GAL of eight and lower, user accounts with
a GAL of five can access and edit settings for all user accounts with a GAL of
four and lower, and so on. Therefore, GAL numbers are always displayed together
with the less than operator: <, for example, <9.
See Figure 4-1, below.
Equal-Authority-Level Operator
To enable user accounts with the same GAL to edit each other’s settings,
an equal authority level operator can be enabled by selecting the Equal
Authority Level checkbox when assigning the GAL to a group. See
Figure 4-1, below. If this operator is enabled for, say, Group A, Group A
can edit the settings of all user accounts that have GALs equal to or lower
than Group A’s GAL. Therefore, GALs consisting of both a number and an
equal-authority-level operator are displayed together with the less than or
equal to operator: <=, for example, <=9.
Again, the user accounts of a group inherit the group authority level of
their group. A group authority level cannot be set for an individual user
account; it can be set only for a group.
Figure 4-1
Using GALs To Create a Tiered Authority Structure
Using group authority levels (GALs), you can make a tiered authority
structure to suit the security requirements of your organization. Here is an
example of such a structure:
• System group has Group Authority Level (<=9). This group contains
  corporate recovery accounts based on dynamic tokens stored in the
  Chief Security Officer's safe.
• Security Officer group has Group Authority Level (<=9). A team
  established by the Chief Security Officer to generate the Mandatory
  Security Policy (MSP) for the enterprise and create the highest level
  group and account structure.
• WebRH group has Group Authority Level (<=9). Provided by webRH update
  profile importation or execution. This group is managed in the
  Pointsec PC internal context and set to the required Authority Level
  automatically.
• Software Delivery Security Team group has Group Authority Level
  (<=5). This group contains trusted members of the Software Delivery
  team who have Security responsibility to ensure secure update and
  deployment operations.
• Workstation Support Team group has Group Authority Level (<=4). This
  team is the direct, on-site support organization that provides direct
  assistance to users in the organization and does not have authority
  to affect the Mandatory Security Policy, nor does it make changes to
  the Wake on LAN settings.
• Users group has Group Authority Level (<1). This is the group for the
  users normally operating the computer and who are not authorized for
  any further capabilities with respect to configuration.
• System Settings, except for Wake-On-LAN (WOL) settings, are set to the
  Minimum Required Group Authority Level of 9 to protect the Mandatory
  Security Settings (their default value).
• Wake on LAN (WOL) settings are set to a Minimum Required Group
  Authority Level of 5 so the Software Delivery Security Team can create
  Update Profiles enabling Wake on LAN for their distributions.
Master Installation GALs
During a master installation, the GALs listed below are assigned by
default. They can of course be changed by a user account with the
required authority.
The System Group
When you do a master installation, Pointsec PC assigns the System group,
which is automatically created in a master installation, the highest GAL:
<=9.
The System Settings Folders
During a master installation, the Minimum Required Group Authority Level
for each System Settings folder is by default set to 9.
Note - Note here the absence of the ‘less than’ operator and the ‘equal to’
operators. If, for example, the value displayed for a Minimum Required
Group Authority Level is 7, user accounts with the following GALs can
edit the relevant settings: <=9, <9, <=8, <8, and <=7, but a user
account with <7 cannot.
Other Groups of User Accounts
Pointsec PC assigns new groups other than the System group the GAL <1.
GALs for New Profiles (Not Based on Local
Settings or Another Profile)
The information below concerns GALs when defining a new profile.
Silent Installation, Interactive Installation, Silent Upgrade, and
Interactive Upgrade Profiles
For the profiles listed in the heading above:
• All local System Settings are added to the profile, but their Minimum
  Required Group Authority Levels are changed to the highest level the
  user can change.
• The user cannot set the Minimum Required Group Authority Level of
  System Settings folders higher than the highest GAL the user can edit.
• The GAL of groups in the profile cannot be set higher than the group
  authority level the user can change.
Update Profiles
For update profiles:
• All system settings are blank. Depending on the local system setting
  Minimum Required Group Authority Level, the System Settings folders
  are marked read-only. That is, if a System Settings folder is
  read-only in the Local settings, the folder will also be read-only in
  the profile settings.
• The user cannot set the Minimum Required Group Authority Level of
  System Settings folders higher than the highest GAL the user can edit.
• The GAL of groups in the profile cannot be set higher than the GAL the
  user is allowed to change.
GALs for New Profiles Based on Local Settings
The information below concerns GALs when defining a new profile that is
based on local settings.
Silent Installation, Interactive Installation, Silent Upgrade, and
Interactive Upgrade Profiles
For the profiles listed in the heading above:
• All local System Settings are added, with their current Minimum
  Required Group Authority Level. If the user has a lower GAL, the
  System Settings become read-only.
• The user cannot set the Minimum Required Group Authority Level of
  System Settings folders higher than the highest GAL the user can edit.
• The GAL of groups in the profile cannot be set higher than the group
  authority level the user can change.
• All groups with a GAL that the user can change are inserted into the
  new profile. But groups with a higher GAL than the user can change
  are not inserted into the new profile.
Update Profiles
For update profiles based on local settings:
• All System Settings with a Minimum Required Group Authority Level that
  the current user can edit are inserted into the update profile and can
  be edited by the user. The System Settings that have a higher Minimum
  Required Group Authority Level than the user can edit are blank in the
  update profile (not imported), and they are displayed as read-only.
  That is, if a System Settings folder would be read-only in the Local
  settings, the folder will not contain any settings, and it will also
  be read-only in the update profile settings.
• The user cannot set the Minimum Required Group Authority Level of
  System Settings folders higher than the highest GAL the user can edit.
• The GAL of groups in the profile cannot be set higher than the group
  authority level the user can change.
• All groups with a GAL that the user can change are inserted into the
  new profile. But groups with a higher GAL than the user can change
  are not inserted into the new profile.
GALs for New Profiles Based on Another Profile
The information below concerns GALs when defining a new profile that is
based on another profile.
Silent Installation, Interactive Installation, Silent Upgrade, and
Interactive Upgrade Profiles
For the profiles listed in the heading above:
• All local System Settings are added, with their current Minimum
  Required Group Authority Level. If the user has a lower GAL, the
  System Settings become read-only.
• The user cannot set the Minimum Required Group Authority Level of
  System Settings folders higher than the highest GAL the user can edit.
• The GAL of groups in the profile cannot be set higher than the group
  authority level the user can change.
• All groups are added with their current GALs. If the user has a lower
  GAL than the group’s GAL, the group (and its users) are displayed as
  read-only.
Update Profiles
For update profiles:
• All System Settings with a Minimum Required Group Authority Level that
  the current user can edit are inserted into the update profile and can
  be edited by the user. The System Settings that have a higher Minimum
  Required Group Authority Level than the user can edit are blank in the
  update profile (not imported), and they are displayed as read-only.
  That is, if a System Settings folder would be read-only in the profile
  settings, the folder will not contain any settings, and it will also
  be read-only in the update profile settings.
• All groups with a GAL that the user can change are copied from the old
  profile and inserted into the new profile. But groups with a higher
  GAL than the user can change are not inserted into the new profile.
• The user cannot set the Minimum Required Group Authority Level of
  System Settings folders higher than the highest GAL the user can edit.
• The GAL of groups in the profile cannot be set higher than the group
  authority level the user can change.
GALs and Existing Profiles
The information below concerns GALs when editing existing profiles.
Opening and Editing a Pre-Pointsec PC 6.2 Profile in the 6.2
PCMC
When opening and editing pre-Pointsec PC 6.2 profiles in the 6.2 PCMC:
• The Minimum Required Group Authority Level of each System Settings
  folder is set to the highest GAL the user can edit.
• The user cannot set the Minimum Required Group Authority Level of
  System Settings folders higher than the highest GAL the user can edit.
• The GAL of groups in the profile cannot be set higher than the group
  authority level the user can change.
• Because pre-Pointsec PC 6.2 groups do not have Group Authority Levels,
  the groups in the profile are automatically assigned the highest GAL
  the user can edit. (If the user is <6, all groups are given GAL <=6.)
• When the profile is saved, it will be saved as a Pointsec PC 6.2
  profile.
Opening and Editing Pointsec PC 6.2 Profiles
When opening and editing Pointsec PC 6.2 profiles:
• If the user opening the profile has a lower GAL than the minimum group
  authority level required for a System Settings folder in the profile,
  that folder is set to read-only.
• If the user opening the profile has a lower GAL than that required to
  edit a group in the profile, that group is set to read-only.
• The user cannot set the Minimum Required Group Authority Level of
  System Settings folders higher than the highest GAL the user can edit.
• The GAL of groups in the profile cannot be set higher than the group
  authority level the user can change.
• Edited or new groups can never be set to a higher GAL than the GAL the
  user can edit.
Opening and Editing Local Settings in Pointsec PC 6.2
When opening and editing Local settings in Pointsec PC:
• If the user opening the Local settings has a lower GAL than the
  Minimum Required Group Authority Level for a System Settings folder,
  that folder is set to read-only.
• The user cannot set the Minimum Required Group Authority Level of
  System Settings folders higher than the highest GAL the user can edit.
• If the user opening the Local settings has a lower GAL than that
  required to edit a group, that group is set to read-only.
• The GAL of groups cannot be set higher than the group authority level
  the user can change.
• Edited or new groups can never be set to a higher GAL than the GAL the
  user can edit.
GAL Sanity Checks
The following sanity checks are related to GALs. They are performed when
saving after editing Local settings or a profile’s settings:
1. Low group authority level on groups
   When the group or groups with the highest GAL do not have permission
   to change groups with the same GAL (see “Equal-Authority-Level
   Operator” on page 62), it is possible to create groups with settings
   that can never be changed. If this occurs when editing a local
   profile, the sanity check prohibits saving the profile and thus forces
   either a resolution of the problem or a cancel. If this occurs when
   creating/editing other profiles, the sanity check issues a warning.
2. No group has a high enough GAL to edit System Settings
   If one or more of the System Settings folders require a higher GAL
   than that of any of the groups in the profile, this sanity check is
   triggered. If this occurs when editing a local profile, the sanity
   check prohibits saving the profile and thus forces either a resolution
   of the problem or a cancel. If this occurs when creating/editing other
   profiles, the sanity check issues a warning.
3. No group has a Group Authority Level of <=9
   When creating an installation profile (or a 4.x/5.x upgrade profile),
   a warning sanity check recommends that the administrator define at
   least one administrator group with a GAL of <=9.
GALs and Permissions
GALs are a complement to the Permissions and Privileged Permissions in
the PCMC, and the three of them combine in innumerable ways. Here is a
summary of important aspects of each:
Group Authority Levels (GALs)
Group Authority Levels:
• Control who affects whom and who can affect which System Settings
• Are mandatory for each group
• Must be specified for each folder under System Settings
• Cannot be specified for any user account
• Are inherited by the user account from its group
Permissions and Privileged Permissions (PCMC)
Permissions and privileged permissions in the PCMC:
• Control who can affect what
• Are defined for each group and user account
• Are inherited
• Filter which settings can be configured in the PCMC
• Filter which parts of the PCMC are enabled and which are disabled for
  each user account
GALs and Remote Help
A Remote-Help provider’s group authority level must be equal to or higher
than the group authority level of the Remote-Help recipient.
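To make the rules of this chapter concrete, here is an added example (not Check Point code, and not how the PCMC itself is implemented) that models a GAL as the PCMC displays it and applies the rules as the guide states them: which groups a GAL may edit (“Group-Authority-Level Number” and “Equal-Authority-Level Operator”), which System Settings folders it may edit (the Minimum Required Group Authority Level note under “The System Settings Folders”), the three GAL sanity checks, and the Remote Help rule above. The groups and folders are the tiered structure from “Using GALs To Create a Tiered Authority Structure”, entered as constructed sample input. Two points are assumptions rather than statements of the guide: that <=n ranks above <n when comparing a Remote Help provider with a recipient at the same number, and that sanity check 3 is reported as a warning for every profile type.

```python
"""Model of the Pointsec PC group authority level (GAL) rules from Chapter 4.

Added example, not Check Point code. Encodes the GAL number (0-9), the
optional Equal Authority Level operator, the Minimum Required Group
Authority Level of System Settings folders, the three GAL sanity checks
and the Remote Help rule, as the guide states them. Assumptions are
marked in the comments.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GAL:
    level: int           # 0-9; nine is the highest
    equal: bool = False  # True when the Equal Authority Level operator is set

    @classmethod
    def parse(cls, text: str) -> "GAL":
        """Parse the PCMC display form, e.g. "<9" or "<=9"."""
        m = re.fullmatch(r"<(=?)([0-9])", text.strip())
        if not m:
            raise ValueError(f"not a GAL: {text!r}")
        return cls(int(m.group(2)), m.group(1) == "=")

    def __str__(self) -> str:
        return f"<{'=' if self.equal else ''}{self.level}"

    @property
    def highest_editable(self) -> int:
        """Highest GAL number this GAL may administer: its own number with
        the operator, one below it without (so "<0" administers nothing)."""
        return self.level if self.equal else self.level - 1

    def can_edit_group(self, other: "GAL") -> bool:
        """May a member of a group with this GAL edit a group with GAL other?"""
        return other.level <= self.highest_editable

    def can_edit_folder(self, min_required: int) -> bool:
        """May this GAL edit a System Settings folder whose Minimum Required
        Group Authority Level is min_required?  For 7 this admits <=9, <9,
        <=8, <8 and <=7 but not <7, as the guide's note says."""
        return self.highest_editable >= min_required

    def can_provide_remote_help_to(self, recipient: "GAL") -> bool:
        """Provider GAL must be equal to or higher than the recipient's.
        Assumption: at the same number, <=n ranks above <n."""
        return (self.level, self.equal) >= (recipient.level, recipient.equal)


def sanity_checks(groups: dict[str, GAL], folders: dict[str, int],
                  local: bool) -> list[tuple[str, str]]:
    """Run the three GAL sanity checks applied on save.  Returns
    (check, severity) pairs: checks 1 and 2 block saving Local settings
    and only warn for other profiles; check 3 is a warning (assumption:
    reported for every profile type)."""
    findings = []
    blocking = "error" if local else "warning"
    top = max((g.level for g in groups.values()), default=-1)
    # 1. No group at the top level may change groups at the top level.
    if not any(g.equal for g in groups.values() if g.level == top):
        findings.append(("1 low group authority level on groups", blocking))
    # 2. Some System Settings folder is out of reach of every group.
    for name, need in folders.items():
        if not any(g.can_edit_folder(need) for g in groups.values()):
            findings.append((f"2 no group can edit folder {name!r}", blocking))
    # 3. No administrator group with <=9.
    if not any(g.level == 9 and g.equal for g in groups.values()):
        findings.append(("3 no group has a Group Authority Level of <=9",
                         "warning"))
    return findings


# The tiered structure from the guide's example, as constructed input.
EXAMPLE_GROUPS = {
    "System": GAL.parse("<=9"),
    "Security Officer": GAL.parse("<=9"),
    "WebRH": GAL.parse("<=9"),
    "Software Delivery Security Team": GAL.parse("<=5"),
    "Workstation Support Team": GAL.parse("<=4"),
    "Users": GAL.parse("<1"),
}
EXAMPLE_FOLDERS = {"Wake on LAN": 5, "Other System Settings": 9}

if __name__ == "__main__":
    for name, gal in EXAMPLE_GROUPS.items():
        editable = [f for f, n in EXAMPLE_FOLDERS.items()
                    if gal.can_edit_folder(n)]
        print(f"{name:32} {str(gal):4} edits folders {editable}")
    print(sanity_checks(EXAMPLE_GROUPS, EXAMPLE_FOLDERS, local=True))
```

Run stand-alone it prints which folders each example group may edit (only the <=9 groups reach the folders set to 9, the Software Delivery Security Team reaches Wake on LAN, the Workstation Support Team reaches neither) and an empty finding list, because the example structure passes all three checks; replace the top groups with <9 and check 1 fires, as the chapter warns.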
Chapter 5
Managing Groups and User Accounts
This chapter explains how to create and manage Pointsec PC groups and user accounts
on the computer on which you have installed Pointsec PC.
In Pointsec PC, a user account always belongs to one (and only one) group. This
means that before you create any user accounts, you must first create one or more
groups to contain user accounts.
Note - You cannot move a user account from one group to another, but must
instead delete the user account from its current group and then redefine it in the
other group.
Creating Group Accounts
Once the installation of Pointsec PC is completed and you have opened the PC
Management Console, you can see that a group called System has already been
created. And under the System group folder, there is a tree of User Accounts where you
will find the two users you defined during installation (in this example, DAPA and
ADMIN).
You can now create new group accounts if desired.
Figure 5-1
To create a new group account:
1. Right click Groups. The New Group button is displayed:
Figure 5-2
2. Click the New Group button and enter a group name in the New Group
dialog box:
Figure 5-3
3. Click OK. The new group is now listed in the tree under Groups (in this
example ABC Group).
Note that there are currently no user accounts in the User Accounts
folder in ABC Group:
Figure 5-4
4. In the Group Settings folder for the new group you have created,
configure the relevant group settings (see Chapter 3, “Configuring
Group and User Account Settings”, for details on configuring these
settings):
Figure 5-5
Table 5-1 Group Settings

Logon Authorized
    Allow user accounts in this group to log on.
Screen Saver Timeout
    Time in minutes before the screen saver is activated.
Expiration Date
    Date this group will expire.
Expand the Group Settings folder tree for the new group, and you will see
the folders as described in Chapter 3, “Configuring Group and User
Account Settings”:
Figure 5-6
Default Values and How the Effective Values of Settings are Determined
If no value has been specified for a setting in either the group or user
account, the default value for that setting prevails; see the Default column
in the tables below.
When the values set for a group and a user account in that group differ,
Pointsec PC sets an effective value, that is, one value that is used for that
setting. The tables below list what the effective value will be. In most
cases, Pointsec PC selects the more secure value.
In the tables below, the value Nearest means that if the value is set in a
user account, that value is the effective value even if a different value is
set for this setting in the group; if it is set only in the group, that value
will be the effective value; and if it is not set in either the user account
or the group, the default value will be the effective value.
Table 5-2 Password effective values and default settings

Password Settings | Effective value if group and user account differ | Default
Require Letter and Integers | Enabled | Disabled
Enable Case Sensitivity | Disabled | Disabled
Allow Special Characters | Enabled | Disabled
Allow Consecutive, Identical Characters | Disabled | Disabled
Require Upper and Lower Case | Enabled | Disabled
Allow Embedded Space Characters | Disabled | Disabled
Allow Leading or Trailing Space Characters | Disabled | Disabled
Allow Password of Adjoining Characters | Disabled | Disabled
Set Minimum Length | The larger of the two values | Six characters
Set Maximum Age | The smaller of the two values | Disabled
Password History | The larger of the two values | Disabled
Table 5-3 Logon effective values and default settings

Logon Settings | Effective value if group and user account differ | Default
Set Max Failed Logons | The smaller of the two values | Disabled
Set Logon Limit | The smaller of the two values | Disabled
Attempts Before Temporary Lockout | The smaller of the two values | Disabled
Temporary Lockout Time | The larger of the two values | Disabled
Table 5-4 Privileged Permissions effective values and default settings

Privileged Permissions Settings | Effective value if group and user account differ | Default
Change Permissions | Disabled | Disabled
Change Privileged Permissions | Disabled | Disabled
Create User Accounts | Disabled | Disabled
Create Groups | Disabled | Disabled
Create Profiles | Disabled | Disabled
Remove User Accounts | Disabled | Disabled
Remove Groups | Disabled | Disabled
Remove Profiles | Disabled | Disabled
Edit System Settings | Disabled | Disabled
Table 5-5 Permissions effective values and default settings

Permissions Settings | Effective value if group and user account differ | Default
Change Password | Disabled | Disabled
Change Single Sign-On | Disabled | Disabled
View Logs | Disabled | Disabled
Uninstall | Disabled | Disabled
Remote Help | Disabled | Disabled
Management Console Logon | Disabled | Disabled
Create Recovery Media | Disabled | Disabled
Allow Logon to Hibernated System | Enabled | Enabled
Change to Fixed Password | Disabled | Disabled
Change to Dynamic Token | Disabled | Disabled
Change to Smart Card | Disabled | Disabled
Change Credentials in the Pointsec for PC tray | Disabled | Disabled
Table 5-6 Single Sign-On effective values and default settings

Single Sign-On Settings | Effective value if group and user account differ | Default
Enable SSO | Disabled | Disabled
Use Entrust for SSO | Disabled | Disabled
Smart Card insertion triggers Windows SSO logon | Nearest | Disabled
Table 5-7 Password Synchronization effective values and default settings

Password Synchronization Setting | Effective value if group and user account differ | Default
Synchronization Mode | Nearest | Disabled
Table 5-8 Remote Help effective values and default settings

Remote Help Settings | Effective value if group and user account differ | Default
Provide ‘Reset Password’ | Disabled | Disabled
Provide ‘One-Time Logon’ | Disabled | Disabled
Receive ‘Reset Password’ | Disabled | Disabled
Receive ‘One-Time Logon’ | Disabled | Disabled
Response Format | Nearest | Numeric
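The following is an added example (not Check Point code) that turns a subset of Tables 5-2 to 5-8 into a policy table and resolves the effective value for a user account in a group the way the text above describes: a fixed outcome for the boolean settings when the two values differ, the larger or smaller value for the numeric ones, and the user account value for Nearest settings. Two points are assumptions, because the guide only spells them out for Nearest: None stands for a value that has not been set (and for Disabled on a numeric setting such as Set Maximum Age), and a value set on only one side is used as-is.

```python
"""Resolve effective Pointsec PC settings for a user account in a group.

Added example, not Check Point code. POLICY encodes a subset of Tables
5-2 to 5-8 as the guide states them. Assumptions (not stated by the
guide): None means "not set" and stands in for Disabled on numeric
settings; a value set on only one side is used as-is.
"""
from typing import Any

# setting -> (rule applied when group and user values differ, default)
# A rule of True/False is the fixed outcome the tables list, "max"/"min"
# pick the larger/smaller value, "nearest" prefers the user account value.
POLICY: dict[str, tuple[Any, Any]] = {
    # Table 5-2, password settings
    "Require Letter and Integers": (True, False),
    "Enable Case Sensitivity": (False, False),
    "Allow Special Characters": (True, False),
    "Allow Consecutive, Identical Characters": (False, False),
    "Require Upper and Lower Case": (True, False),
    "Set Minimum Length": ("max", 6),
    "Set Maximum Age": ("min", None),
    "Password History": ("max", None),
    # Table 5-3, logon settings
    "Set Max Failed Logons": ("min", None),
    "Temporary Lockout Time": ("max", None),
    # Tables 5-4 and 5-5, privileged permissions and permissions
    "Create User Accounts": (False, False),
    "Uninstall": (False, False),
    "Allow Logon to Hibernated System": (True, True),
    # Tables 5-6, 5-7 and 5-8
    "Enable SSO": (False, False),
    "Smart Card insertion triggers Windows SSO logon": ("nearest", False),
    "Synchronization Mode": ("nearest", None),
    "Receive 'One-Time Logon'": (False, False),
    "Response Format": ("nearest", "Numeric"),
}


def effective_value(setting: str, group: Any, user: Any) -> Any:
    """Return the single value Pointsec PC would enforce for setting."""
    rule, default = POLICY[setting]
    if group is None and user is None:
        return default          # nothing configured: the default prevails
    if group is None:
        return user             # assumption: a lone value is used as-is
    if user is None:
        return group
    if group == user:
        return group            # no conflict to resolve
    if rule == "max":
        return max(group, user)
    if rule == "min":
        return min(group, user)
    if rule == "nearest":
        return user             # user account value wins over the group's
    return rule                 # fixed outcome from the table


def effective_settings(group: dict[str, Any],
                       user: dict[str, Any]) -> dict[str, Any]:
    """Resolve every setting in POLICY for one user account in one group."""
    return {name: effective_value(name, group.get(name), user.get(name))
            for name in POLICY}


if __name__ == "__main__":
    # Constructed sample: a group with one set of values and a user account
    # that tries to loosen some of them and tighten others.
    group = {"Set Minimum Length": 8, "Set Maximum Age": 90,
             "Require Upper and Lower Case": True, "Uninstall": True,
             "Response Format": "Numeric"}
    user = {"Set Minimum Length": 6, "Set Maximum Age": 30,
            "Require Upper and Lower Case": False, "Uninstall": False,
            "Response Format": "Alphanumeric"}
    for name, value in effective_settings(group, user).items():
        print(f"{name:48} -> {value}")
```

In the sample the user account cannot weaken the group: the minimum length stays 8, upper and lower case stays required, and Uninstall resolves to Disabled; it can only tighten (maximum age becomes 30) or, for a Nearest setting such as Response Format, override the group.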
Adding a User Account to a Group
As discussed above, once the installation of Pointsec PC is completed and
you have opened the PC Management Console, you can see that a group
called System has already been created. Under the System group folder is a
tree of User Accounts where you will find the two user accounts you defined
during installation.
Figure 5-7
These two users are assigned what can be called ‘system administrator
privileges’, for example, all the Privileged Permissions and all the Permissions
except Create Recovery Media are set to Yes. Almost all other user accounts
you define will be assigned significantly more restricted privileges than
those of a system administrator.
To add another user account to the group:
1. Right click User Accounts and the Add User Account button becomes
active:
Figure 5-8
2. Click the Add User Account button to activate the User Account wizard:
Figure 5-9
Table 5-9 User Account dialog fields

User account name
    The name must be 1-31 characters long. Pointsec PC supports Unicode
    characters in user account names. See “Keyboard Layouts” on page 237
    for the keyboards (locale codes) supported and “Language Packs” on
    page 233 for the languages supported.

Type of user account
    The type of user account can be:
    • Normal
      A regular user account is usually created for users of the computer
      on which you are working. This account can also be used as an
      administrator account and be included in a profile when you deploy
      Pointsec PC.
    • Service User
      What distinguishes a service user from other users is that a service
      user must use Remote Help’s Remote Password Change to gain access to
      the system the first time. After access is granted via Remote
      Password Change, the service user can reboot the system and log on
      without requiring this type of Remote Help. But when another user
      logs on, the service user account is locked, and the service user
      will need Remote Help’s Remote Password Change to log on again.
    • Temporary
      A temporary account is usually created for users on the computer on
      which you are working to limit the time the user can access the
      computer. This account can also be used in a profile to create user
      accounts when you deploy Pointsec PC.
      When someone logs in using a temporary user account on a
      Pointsec PC-protected computer, they are prompted for a new user
      account name and password.
      To create a temporary smart card user, the user account must have
      the user account setting Change Credentials set to Yes. This setting
      is located under Group/User Account → Permissions → Change
      Credentials.
      If more than one temporary user account is deployed to a machine,
      when the first temporary user logs on Pointsec PC will display the
      name of the user currently logged onto Windows as the new
      Pointsec PC user account name. But when the second (and third, etc.)
      temporary user logs on, Pointsec PC displays the temporary user
      account name as the new user account name. The user must enter
      another user account name to be able to continue; the temporary user
      account name cannot be used.
      Based on the new user account name and password, Pointsec PC creates
      a new user account and deletes the temporary account. This makes
      deploying Pointsec PC easy, as one Pointsec profile can be used for
      all computers and you do not need to know exactly which user is on
      what computer.
      For more information on profiles, see Chapter 7, “Working with
      Installation and Update Profiles” on page 101.

Authentication method
    Authentication for this user account will be done via:
    • Password
    • Dynamic Token
    • Smart Card
3. After specifying the logon name, type and password authentication
method, click OK. Note that defining a temporary user account is done
the same way as with a normal user account.
Password Authentication
4. Fill in the password details:
Figure 5-10
Table 5-10 Password fields

Password
    The password must meet the criteria you have specified for fixed
    passwords in Group Settings. Note that while you enter the password
    and confirm that password in the Confirm Password text box, the text
    ‘Invalid Password’ is displayed to the right of the Password text box.
    This text is displayed until the password meets all the criteria that
    have previously been configured for passwords.

Confirm Password
    Enter the password you entered in the Password text box.

Force change of password at next logon
    Selecting this option forces the user to specify a new user account
    password at the next logon.

Password Rules
    The Password Rules area of the dialog lists the rules the password is
    checked against: Length, Adjoining Characters, Retype Match,
    Consecutive, Identical Characters, and Special Characters.

5. Click Next, and after viewing the result do one of the following:
•
If you are satisfied, click Finish.
•
If you want to make changes, click Back, make the changes and
click Finish.
Use the above process to define any other user accounts that will use
password authentication.
Dynamic Token Authentication
To use dynamic token authentication:
1. Enter logon name and type of account, and select Dynamic Token:
Figure 5-11
2. Click Next.
3. Do one of the following:
•
To enter token values manually, see the procedure “Manually
Entering Token Values” on page 82.
•
To enter token values by importing a file, see the procedure
“Entering Token Values by Importing a File” on page 83.
Manually Entering Token Values
To enter token values manually:
1. Choose Add dynamic token by manually entering values and click Next:
Figure 5-12
2. Enter the information required:
Figure 5-13
Table 5-11 Dynamic Token dialog fields

Dynamic Token Serial Number
    Serial number, usually found on the back of the dynamic token.
Dynamic Token Key
    Enter the token key you received from Pointsec with the token.
Challenge Length
    A number from 1-8.
Response Length
    A number from 1-16.
Challenge Format
    Choose either Hexadecimal or Ascii.
Response Format
    Choose either Friendly or Decimal.
3. Click Next and do one of the following:
•
If you are satisfied, click Finish.
•
If you want to make changes, click Back, make the changes and
click Finish.
Figure 5-14
Entering Token Values by Importing a File
1. Choose Add dynamic token by importing from file and click Next:
Figure 5-15
2. Navigate to the directory containing your tokens and select a file to
import:
Figure 5-16
3. Enter the password, which is the Encryption key in the key file you
intend to import. Click OK:
Figure 5-17
The tokens are imported:
Figure 5-18
4. Click Next and do one of the following:
•
If you are satisfied, click Finish.
•
If you want to make changes, click Back, make the changes and
click Finish.
Figure 5-19
Smart Card Authentication
A reminder: for smart card authentication of a user account to function, you must correctly specify the type of smart card readers you will use under Hardware Devices in System Settings. For details, see “Logon Settings” on page 25. You must also ensure that the required drivers are installed for the smart cards and smart card readers you will use. See “Smart Cards, Smart Card Readers and their Drivers” on page 242 for details.
To choose smart card authentication:
1. Enter the logon name and type of account, and select Smart Card:
Figure 5-20
2. Click Next.
Selecting the Smart Card Certificate
To select the smart card certificate:
1. Select one of the smart card certificates listed under Issued to:
Figure 5-21
Note - Pointsec PC will not allow you to associate the same certificate
with two user accounts. When Pointsec PC detects that you are
attempting to do so it issues an error message and makes an entry in
the log, and the wizard closes. Examine the log for more information
about the error.
The wizard looks for certificates locally in Personal Store and, if
accessible, on smart cards and USB tokens, as well as in Microsoft
Active Directory.
If a certificate is stored in more than one place, it will be listed as
many times as the wizard finds it. When selecting a certificate listed
multiple times, it does not matter which of the listed instances of that
certificate you choose. Review the Location column in the list to
determine if a certificate is listed more than once.
2. Click OK.
3. Click Finish to complete the creation of a user account that uses a
smart card for authentication:
Figure 5-22
Chapter 6
Working with Configuration Sets
Configuration sets, hereafter referred to simply as sets, are used as share points from
which you can carry out your remote management. Typical remote management tasks
include installing (and uninstalling) Pointsec PC on remote clients, updating the
configuration on remote clients, providing one or more centralized points for storage of
logs, and so on.
Root Directory Path
Best practice is to use the set to provide a central configuration point for a root
directory path, as shown in the illustration below.
Figure 6-1
The root directory path points to a shared folder on a server. When you define a set,
one of the things you will do is specify the paths to the directories here. These paths
are described below.
Directory Paths
The following directory paths should be created:
Profile Storage
The Profile Storage directory is where profiles are stored while you edit
them in the Pointsec PC Management Console (PCMC), prior to their being
published. As long as the profiles are in this directory, they cannot be
pulled by clients. It is a dedicated share for profile development.
This directory path must be specified when you define a set.
Update Profile
The Update Profile directory is where update and uninstall profiles are
placed so they can be pulled by the clients. By specifying subdirectories
for individual client computers, you can target your updates to individual
client computers.
In a profile, this path is referred to as the Update Profile Path. Set it by
editing the profile and specifying the path to use in System Settings →
Install → Set Update Profile Path.
Install
The Install directory is where you store installation packages, installation
profiles, and other configuration files that are to be used during the
installation, for example, the precheck.txt file and the files in the oemvar
folder.
Central Log
This is the directory to which clients copy their log files. In a profile, this
path is referred to as the Central Log Path. Set it by editing the profile and
specifying the path to use in System Settings → Install → Set Central Log
Path.
Recovery
The Recovery directory is the target directory for the clients’ recovery files. This is the directory in which Pointsec PC stores recovery files. Recovery files contain information required to decrypt the Pointsec PC-protected computer. For more information on recovery, see Chapter 15, “Recovery, Repair and Bootable Media”.
In a profile, this path is referred to as the Recovery Path. Set it by editing the profile and specifying the path to use in System Settings → Install → Set Recovery Path.
Upgrade
Place the upgrade source package and any supporting configuration files in
this directory. This is the directory from which clients will pull the upgrade
source package and other supporting configuration files. In a profile, this
path is referred to as the Upgrade Path. Set it by editing the profile and
specifying the path to use in System Settings → Install → Set Upgrade Path.
Creating a New Set
To create a new set:
1. Start the Pointsec PC Management Console (PCMC) and select Remote:
Figure 6-2
2. Click New Set and the Create New Set Wizard opens:
Figure 6-3
3. Enter a descriptive name that makes clear what the configurations and
profiles belong to.
You can select Automatically create a directory structure if you want
Pointsec PC to create folders. This requires that you have previously
configured a root directory on which the directory structure will be
created. This root directory must be a shared folder on the network, for
example:
\\<server name>\<shared folder>...
You must also have the required permissions to create the directories.
If these conditions are met, and you specify the shared folder under
Enter the root directory in which the directories will be created, the
PCMC automatically enters the following subfolders to the shared
folder and displays them in the relevant fields of the wizard:
• <shared folder>\Profile Storage
• <shared folder>\Update Storage
• <shared folder>\Install
• <shared folder>\Log
• <shared folder>\Recovery
• <shared folder>\Upgrade
4. Click Next:
Figure 6-4
5. Specify a storage path, the path to a directory that will hold the profiles
while you edit them. Best practice is to specify paths in UNC format:
\\<server>\<share>\.... The profiles you are working on will be
stored in this directory until you publish them. As long as they are in
the storage directory, you can edit them, and they cannot be pulled by
remote clients. Note that you must click Add for the path to be
included in the set.
6. When no more paths are to be added, click Next:
Figure 6-5
7. Specify an update profile path, the path to a directory from which clients will pull update and uninstall profiles. Best practice is to specify the path in UNC format: \\<server>\<share>\.... In the profile, this path is referred to as the Update Profile Path. Set it by editing the profile and specifying this path in System Settings → Install → Set Update Profile Path. Note that you must click Add for the path to be included in the set.
8. When no more paths are to be added, click Next:
Figure 6-6
9. Specify an Install path, the path to a directory containing the
Pointsec PC installation package. Best practice is to specify paths in
UNC format: \\<server>\<share>\.... Note that you must click Add
for the path to be included in the set.
10. When no more paths are to be added, click Next:
Figure 6-7
11. Specify a log path, a path to a directory into which the clients in the set will copy their log files. Best practice is to specify paths in UNC format: \\<server>\<share>\.... In a profile, this path is referred to as the Central Log Path. Set it by editing the profile and specifying a path in System Settings → Install → Central Log Path. Note that you must click Add for the path to be included in the set.
12. When no more paths are to be added, click Next:
Figure 6-8
13. Specify a recovery path, a path to a directory into which the clients in the set will copy their recovery files. Best practice is to specify paths in UNC format: \\<server>\<share>\.... In the profile, this path is referred to as the Recovery Path. Set it by editing the profile and specifying a path in System Settings → Install → Recovery Path. Note that you must click Add for the path to be included in the set.
14. When no more paths are to be added, click Next:
Figure 6-9
15. Specify an upgrade path, a path to a directory in which upgrade package files are located and from which clients download these files. Best practice is to specify paths in UNC format: \\<server>\<share>\.... In a profile, this path is referred to as the Upgrade Path. Set it by editing the profile and specifying a path in System Settings → Install → Upgrade Path. Note that you must click Add for the path to be included in the set.
16. When no more paths are to be added, click Next:
Figure 6-10
17. Create the set by clicking Finish.
Figure 6-11
The set is created. Note that the set configuration is saved when the set is
created.
Exporting/Importing Set Configurations
Set configurations can be exported from one PCMC and imported into
another PCMC. All set configurations, and individual set configurations can
be exported or imported.
Exporting All Set Configurations
To export all set configurations, select Export All Set Configurations... in the PCMC File menu. A browser window is displayed. Browse to the directory in which you want to store the set configurations, and click Save.
Figure 6-12
Exporting One Set Configuration
There are two ways to export a single configuration set:
First Alternative
1. Right click a set in the PCMC folder tree and select Export Set
Configuration.... A browser window is then displayed.
2. Browse to the directory in which you want to store the set configurations, and click Save.
Figure 6-13
Second Alternative
1. Select a set in the PCMC folder tree and then click the Export Set
Configuration button under Actions on the right-hand side of the
window; see Figure 6-14, below. A browser window is then displayed.
2. Browse to the directory in which you want to store the set configurations, and click Save.
Figure 6-14
Importing a Set Configuration
There are three ways you can import a set configuration:
First Alternative
1. Select Import Set Configuration... in the PCMC File menu. A browser
window is displayed.
2. Browse to the directory in which you want to store the set configuration, and click Open.
Figure 6-15
Second Alternative
1. Right click Remote in the PCMC folder tree and select Import Set
Configuration...; see Figure 6-16, below. A browser window is then
displayed.
2. Browse to the directory in which you want to store the set configuration, and click Open.
Figure 6-16
Third Alternative
1. Click Import Set Configuration under New Configuration Set in the
PCMC Remote window; see Figure 6-17, below. A browser window is
then displayed.
2. Browse to the directory in which you want to store the set configuration, and click Open.
Figure 6-17
Publishing Profiles Directly from the Profile List
You can publish a profile directly from the list of profiles in the PCMC.
Update and Uninstallation Profiles
To publish an update or uninstallation profile in the profile list:
1. Right click the profile, and the Update Profile paths that have been
configured in the set are displayed as selectable choices under Publish
profile to.
2. Select the configured update profile path you want, and the profile is
automatically copied to the selected path.
Installation Profiles
To publish an installation profile in the profile list:
1. Right click the profile, and the Install paths that have been configured
in the set are displayed as selectable choices under Publish profile to.
2. Select the configured Install path you want, and the installation profile
is automatically copied to the selected path.
Figure 6-18
Chapter 7
Working with Installation and Update Profiles
This chapter explains how to create Pointsec PC profiles that are used to:
• Install Pointsec PC on the computers (client machines) in your networks
• Uninstall/remove Pointsec PC from client machines
• Manage the user accounts, groups and other settings on client machines
About Pointsec PC Profiles
Pointsec PC profiles contain user and group account information, the settings which
control which volumes are to be encrypted, who can access the drives, privilege levels
and update settings.
There are four types of Pointsec PC profiles:
• Installation profiles
• Update profiles
• Uninstall profiles
• Upgrade profiles; for information on upgrade profiles, see “The Characteristics of an Upgrade Profile” on page 136.
Note - Spaces are not allowed in profile names. For example,
update_profile.upp is a valid profile name, but update profile.upp
is not valid.
Converting Pre-6.2 Profiles to 6.2 Profiles
Pre-6.2 profiles can be used in 6.2 only if you convert them to 6.2
profiles. To convert a pre-6.2 profile to a 6.2 profile:
1. Move the pre-6.2 profile to a 6.2 Profile Storage path.
2. Open the pre-6.2 profile in the Pointsec PC 6.2 PCMC.
3. Verify that the 6.2 serial number/license is used by checking System Settings → Install → Product Serial Number.
4. Convert and save the pre-6.2 profile by clicking OK.
The converted profile can now be used in Pointsec PC 6.2.
Installation Profiles
There are two types of installation profiles:
• Silent install
• Interactive install
Note - Fragmented Disks
2 MB of contiguous disk space is required for Pointsec PC installation.
If this amount of continuous space is not available, the installation will
fail. In general, it is considered good practice to avoid fragmented disks
to enhance overall performance. It is also considered good practice to
defragment disks prior to installing Pointsec PC.
Note - In Common Criteria validated environments, all administration
and configuration of client installations must be done via profiles. The
only local administration allowed is the initial administration of an
administration installation, which is then used to create an initial
installation profile to be used to install the clients. All updates and
new installation profiles for both clients and administration are then
maintained via profiles, created on an administration installation.
In a Common Criteria validated environment, only silent installation
profiles should be used to deploy Pointsec PC.
Silent Installation Profiles
A silent installation profile contains the group and user account
information and system settings. When a silent installation profile is
deployed on a computer, Pointsec PC is installed on the computer without
any interaction with the user.
Interactive Installation Profiles
An interactive installation profile contains the group and user account
information and system settings. When an interactive installation profile is
deployed on a computer, Pointsec PC is installed on the computer with
some interaction with the user.
Note - If you deploy Pointsec PC using interactive installations, you may want to suppress the Reboot needed dialog box, which is normally displayed at the end of the installation dialog. To suppress this dialog box, assign the value ReallySuppress to the MSI REBOOT property in the following way:
setup.exe /v"REBOOT=ReallySuppress"
Note that there is no space between the "v" and the first double quote (").
Update Profiles
An update profile contains new settings to be deployed on
Pointsec PC-protected computers. See “Creating and Deploying Update
Profiles” on page 129 for more information.
Upgrade Profiles
For information on upgrade profiles, see “The Characteristics of an
Upgrade Profile” on page 136.
Uninstall Profiles
An uninstall profile contains the settings needed to remove Pointsec PC
from a computer.
What’s in a profile?
All profiles contain system settings. Group settings and user account
settings are optional, but each user account must belong to a group.
System Information
System information includes paths to the central server where recovery
files, update profiles and software updates are stored. It also contains
settings related to, for example, installation, hardware devices,
Wake-on-LAN, and Remote Help.
In addition to the system information described above, installation profiles
also contain information on which disk volumes are to be protected by
Pointsec PC, the type(s) of security (encryption and/or boot protection) to
be used, and the encryption algorithms to be used.
Group Information
Group information contains the system settings for local groups and their
authorization, including the user's right to receive Remote Help and
security settings such as keyboard lock. Group information also contains
the privileges for system administrators, administrators, and user accounts
at the group level.
User Account Information
User account information contains settings for individual user accounts,
including the account’s authorization for different volumes, Remote Help
and security settings such as time-out settings for the screen saver and
unlocking the keyboard lock. User account information also contains the
privileges for system administrators, administrators and user accounts.
Creating a Profile Based on Another Profile or Local Settings
To facilitate the specification of the system settings, group settings, and
user account settings information in a new profile, you can base the new
profile on
• An existing profile, or
• The local settings of the computer on which you create the profile.
When you base a new profile on local settings or an existing profile, you
can select which settings you want to use (if however you do not choose to
base it on Group Settings, the User Account Settings choice will be grayed
out and cannot be selected).
Note - A new installation or upgrade profile inherits the Pointsec
PC/Check Point license number of the computer on which it is
created even if Base new profile on Existing profile or existing
settings is not selected.
Before Creating Profiles
Before you create any Pointsec PC profiles, it is a good idea to create the
directories where you will store the profiles.
Note - We recommend that you create the directories on a network share
with RWXD share permissions for all users. If you do not want to
specifically define these permissions for all users, you should use the
Pointsec Service Start service. See “General Requirements” on
page 128 for details.
This share must be secure and backed up regularly.
To create profile directories:
1. Create the following directories:
• Storage
This is the directory that will hold profiles while you edit them. The profiles will remain in this directory until you publish them; see “Publish Path” on page 107. As long as they are in the storage directory, they cannot be pulled by remote clients.
• Update
This is the directory from which clients will pull profiles. Note that the path to this directory must be set in the profiles that are put in this directory. In the profile, this path is referred to as the update path, and is set by editing the profile and setting this path in System Settings → Install → Set Update Profile Path.
• Recovery
This is the directory in which Pointsec PC stores information about the Pointsec PC-protected computers. This information is needed to provide Remote Help; see Chapter 12, “Remote Help” for details. It is also used to recover encrypted information in the event of an operating system crash. For more information on recovery, see Chapter 15, “Recovery, Repair and Bootable Media”.
Working with Profiles – an Overview
The following graphic provides an overview of working with Pointsec PC
profiles:
Figure 7-1
Sets
Profiles are organized into sets. Each profile must belong to a set. Sets are meant to help you locate and work with your profiles. For example, you might want to have a set for each department’s profiles if they differ.
Storage Path
As you will see below, each set contains the specifications for a storage
path and a publish path. The storage path is the directory path to the
directory in which you will store profiles while you configure them prior to
deployment. Best practice is to specify the path in UNC format:
\\<server>\<share>\....
Publish Path
The publish path is the directory path to the directory from which clients
will pull the profiles. Profiles are put in this directory when the
administrator has finished configuring the profile and decided that the
profile is ready to be deployed. Best practice is to specify the path in UNC
format: \\<server>\<share>\....
Deploying Pointsec PC for the First Time
Generally, when deploying Pointsec PC for the first time, you create and
save an install profile on a secure workstation. You then move the install
profile to a publish directory, a secure shared directory on the network.
Note - The users on the computers on which you wish to install
Pointsec PC must have read and execute permissions to the shared
directory.
The install profile can be started from any device that can map a drive and
run an executable file.
Updating Pointsec PC Settings
As changes in security requirements and personnel occur, you will need to
update the settings that have been deployed on Pointsec PC-protected
computers.
You do this by creating and placing an update profile in the Update
directory on the designated file server.
Note - The users on the computers on which you wish to update
security settings or make other changes must have read and execute
permissions to this directory.
Pointsec PC-protected computers regularly check this directory for new
update profiles. When they find a new update profile they download it and
implement the changes. For more information, see “Creating and
Deploying Update Profiles” on page 129.
Updating Pointsec PC Software
Whenever a new version of Pointsec PC becomes available, you can easily
deploy it to computers in your network. You simply create a software
update profile and place it in the SW_Update directory.
Note - The users on computers on which you wish to update
Pointsec PC, must have read and execute permissions to this directory.
Removing Pointsec PC using a Profile
If, for any reason, you need to remove Pointsec PC from computers in your
network, you can do so by placing an uninstall profile in the Update
directory. See Chapter 14, “Removing Pointsec PC” for more information.
Note - The user accounts on computers from which you wish to remove
Pointsec PC must have read and execute permissions to this directory.
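As an added example (not code from the guide or from Check Point), the following PowerShell script creates the six subfolders that the Create New Set Wizard expects under a root share and sets NTFS permissions that follow the notes above: clients get read and execute on the directories they pull from, can only add files to the log and recovery directories, and never touch Profile Storage, while the Pointsec administrators group keeps full control of everything. The share path, the group names and this per-directory split (narrower than the RWXD-for-all-users share permission the guide suggests when the Pointsec Service Start service is not used) are assumptions to verify in a test environment before relying on them.

```powershell
# Added example; not code from the Pointsec PC guide or from Check Point.
# Builds the set directory structure under an existing root share and applies
# least-privilege NTFS ACLs derived from the guide's permission notes.
# The root path, group names and per-directory split are assumptions.

function New-PointsecSetLayout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Root,            # e.g. \\fileserver\pointsec (assumed)
        [string] $AdminGroup  = 'CORP\PointsecAdmins',    # assumed: PCMC operators
        [string] $ClientGroup = 'CORP\Domain Computers'   # assumed: Pointsec PC clients
    )

    $pullRights = 'ReadAndExecute'                          # clients read profiles/packages
    $dropRights = 'CreateFiles, AppendData, ListDirectory'  # clients add files, no read-back

    # Folder names exactly as the wizard creates them (chapter 6, step 3),
    # mapped to the rights the client group needs there ($null = no access).
    $layout = [ordered]@{
        'Profile Storage' = $null        # profiles under development: administrators only
        'Update Storage'  = $pullRights  # update and uninstall profiles pulled by clients
        'Install'         = $pullRights  # installation packages and profiles
        'Upgrade'         = $pullRights  # upgrade packages
        'Log'             = $dropRights  # clients copy log files here
        'Recovery'        = $dropRights  # recovery files decrypt a computer: write-only for clients
    }

    $subtree = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $result  = @()

    foreach ($name in $layout.Keys) {
        $path = Join-Path $Root $name
        if (-not $PSCmdlet.ShouldProcess($path, 'Create directory and set ACL')) { continue }
        New-Item -ItemType Directory -Path $path -Force | Out-Null

        $acl = Get-Acl -Path $path
        # Stop inheriting the share root's broader ACEs; start from an explicit list.
        $acl.SetAccessRuleProtection($true, $false)

        # Keep SYSTEM and local Administrators so the server itself is never locked out.
        foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $AdminGroup) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, 'FullControl', $subtree, $none, 'Allow')))
        }

        $clientRights = $layout[$name]
        if ($clientRights) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ClientGroup, $clientRights, $subtree, $none, 'Allow')))
        }
        if ($clientRights -eq $dropRights) {
            # Drop-box pattern: each client may later modify only the files it created itself.
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                'CREATOR OWNER', 'Modify',
                [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
                [System.Security.AccessControl.PropagationFlags]::InheritOnly, 'Allow')))
        }
        Set-Acl -Path $path -AclObject $acl

        $result += [pscustomobject]@{ Directory = $path; ClientRights = $clientRights }
    }
    return $result
}

# Usage with the assumed share; -WhatIf only prints the plan and changes nothing.
New-PointsecSetLayout -Root '\\fileserver\pointsec' -WhatIf
```

Run it once without -WhatIf from an account that can write the share, then confirm with Get-Acl that a client account can list Install but cannot read another computer's file in Recovery.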
Creating and Deploying Installation Profiles
The first profile we will create and deploy is a silent install profile, the
most commonly used profile when deploying Pointsec PC for the first time.
Creating a New Set
To create a new set:
1. Start the Pointsec PC Management Console (PCMC) and select Remote:
Figure 7-2
2. Click New Set and the Create New Set Wizard opens:
Figure 7-3
3. Enter a descriptive name that makes clear what the configurations and
profiles belong to, for example “Set_Accounting” for a set that
contains the configuration and profiles for the accounting department,
“Set_Development”, etc. You can select Automatically create a
directory structure if you want Pointsec PC to create folders.....
Click Next:
Figure 7-4
4. Specify the storage path, the path to the directory that will hold the
profiles while you edit them. Best practice is to specify all the paths in
UNC format: \\<server>\<share>\.... The profiles you are working on
will be stored in this directory until you publish them. As long as they
are in the storage directory, you can edit them, and they cannot be
pulled by remote clients. Note that you must click Add for the path to
be included in the set.
5. After clicking Add, click Next:
Figure 7-5
6. Specify the update profile path, the path to the directory from which
clients will pull update and uninstall profiles. Best practice is to
specify the path in UNC format: \\<server>\<share>\.... Note that
this path must also be set in the profiles that are put in this directory;
in the profile, this path is referred to as the update profile path, and is
set by editing the profile and setting this path in System Settings →
Install → Set Update Profile Path. Note that you must click Add for the
path to be included in the set.
7. After clicking Add, click Next:
Figure 7-6
8. Specify the Install path, the path to the directory from which clients will
pull installation profiles. Best practice is to specify the path in UNC
format: \\<server>\<share>\.... Note that you must click Add for
the path to be included in the set.
9. After clicking Add, click Next:
Figure 7-7
10. Specify the log path, the path to the directory in which the set’s log is located and to which clients copy their log files. Best practice is to specify the path in UNC format: \\<server>\<share>\.... Note that this path must also be set in the profiles that are put in this directory; in the profile, this path is referred to as the Central Log Path, and is set by editing the profile and setting this path in System Settings → Install → Central Log Path. Note that you must click Add for the path to be included in the set.
11. After clicking Add, click Next:
Figure 7-8
12. Specify the recovery path, the path to the directory in which the set’s recovery files are located and to which clients copy their recovery files. Best practice is to specify the path in UNC format: \\<server>\<share>\.... Note that this path must also be set in the profiles that are put in this directory; in the profile, this path is referred to as the Recovery Path, and is set by editing the profile and setting this path in System Settings → Install → Recovery Path. Note that you must click Add for the path to be included in the set.
13. After clicking Add, click Next:
Figure 7-9
14. Specify the upgrade path, the path to the directory in which upgrade package files are located and from which clients download these files. Best practice is to specify the path in UNC format: \\<server>\<share>\.... Note that this path must also be set in the profiles that are put in this directory; in the profile, this path is referred to as the Upgrade Path, and is set by editing the profile and setting this path in System Settings → Install → Upgrade Path. Note that you must click Add for the path to be included in the set.
15. After clicking Add, click Next:
Figure 7-10
16. Create the set by clicking Finish.
Figure 7-11
Creating an Installation Profile
The process of creating and deploying an installation profile involves:
• Creating the profile.
• Adding group and user accounts.
• Configuring the profile settings.
• Deploying the profile to computers in the network; see “Deploying Pointsec PC Using an Install Profile” on page 124.
Note - Before you can create any profiles, the Profile Validation
Password (Local → Edit Settings → System Settings → Install) must be
set.
To create an installation profile:
1. From the window that displays information about Set Accounting, do
one of the following:
• Click New Profile
• Start PCMC and click Remote and then New Profile:
Figure 7-12
The New Profile Wizard is displayed:
Figure 7-13
2. Click Next.
3. Select the set in which you want to include this installation profile.
Click Next:
Figure 7-14
4. Select Installation, silent. Click Next:
Figure 7-15
5. Enter the name of the new profile (in this case, install_accounting).
Note - Spaces are not allowed in profile names. For example,
update_profile.upp is a valid profile name, but update profile.upp
is not.
6. Enter and confirm the password, which will be required when you want
to edit the profile.
Note - The password policy applied to the password specified here is
the password policy of the user account that is currently logged on and
is creating the new profile. See “Authentication Settings” on page 48
for more information on the settings that can be specified for fixed
passwords.
7. Click Next:
Figure 7-16
8. If you want to base the profile on the local settings of the computer on which you are creating the profile, or on an existing profile, select Existing profile or local settings:
Figure 7-17
9. If you select to base the profile on Existing profile or local settings, you
must then either browse to an existing profile or specify which local
settings the new profile is to be based on (System, Group, or User
Account), then click Next:
Figure 7-18
10. View the information and, if satisfied, complete the creation of the
profile by clicking Finish:
Figure 7-19
The installation profile you just created is now displayed among the
profiles under Set Accounting:
Figure 7-20
The System Settings in the Profile You Just Created
The profile that was just created will contain the values for the settings
that will be set on the client machines installed with this profile.
Note - The log password cannot be imported into a profile based on local settings; therefore, the log password setting must be specified explicitly in a profile that is ‘based on local’. If it is not specified in, for example, an installation profile based on local settings, the clients that are installed using this profile will not have a log password set until it is specifically specified on that client, either manually or via an update profile.
Sanity Checks
When you click OK, Pointsec PC performs a number of ‘sanity checks’ on
the profile that you want to save. The Settings That Might Have Undesirable
Effects window displays the results of the sanity checks, for example:
Figure 7-21
The following ‘sanity checks’ are performed on the profile:
• Does at least one account have access to the Management Console?
At least one user account with access to the Management Console is required to be able to perform administration on the machine.
• Are there any accounts in the profile for which no type of authentication has been defined?
This warning occurs only when you create a profile ‘based on local settings’. You must manually set the authentication:
1. Right click each user in the tree structure.
2. Select Name and Authentication.
3. Define the authentication details.
• Do you really want Windows Integrated Logon enabled on this machine?
Windows Integrated Logon bypasses all preboot authentication.
• Is at least one user account defined in this installation profile?
If no user accounts are defined in the profile, no user account will be able to log on to the machine on which Pointsec PC is installed with this profile.
• Do at least two user accounts in the profile have permission to create recovery media?
Recovery media cannot be created, and the system cannot be recovered, unless at least two user accounts have permission to create recovery media on the machine on which Pointsec PC is installed with this profile.
• Do at least two user accounts in the profile have permission to uninstall Pointsec PC?
You will not be able to remove Pointsec PC from the machine on which it has been installed with this profile unless the profile contains at least two user accounts that have permission to perform uninstall.
• Has an expiration date been set for each temp user account in the profile?
Usually an expiration date should be defined for each temp user account. If this is not the case, you will be warned about each temp user account that does not have an expiration date defined.
To make changes to settings that have caused a warning in the Settings
That Might Have Undesirable Effects window:
1. Click Cancel and alter the relevant setting or settings.
Each time you click OK the sanity checks are performed, and any
warnings of problematic settings will be displayed. If none of the sanity
checks produce a warning, the profile is created.
2. If you want to accept the settings that cause the warnings, click OK in
the Settings That Might Have Undesirable Effects window, and the profile
will be created with the problematic settings.
When the profile is created, it is prepopulated with the local System
Settings of the machine on which the profile was created. If any of these
values have not been set on the local machine, the Pointsec PC default
values are used. It is good practice to examine the System Settings in
the profile and make any required changes.
Chapter 7
Working with Installation and Update Profiles
Figure 7-22
Creating Groups and User Accounts in the Profile
The next step is to create groups and user accounts in the profile you have
created.
To create groups and user accounts:
1. At the profile symbol in PCMC Remote, double click the profile, create
groups, and create user accounts.
2. Define a group that contains at least two administrator user accounts.
3. Best practice: Create another group in which you define a temporary
user account. It is preferable to work with group settings rather than
with individual user account settings.
Note - There are two reasons a specific group must be created for the
temporary user:
• The settings should be completely separate from those of the
administrator accounts.
• This group can be used to delete user accounts created with a
temporary user account. For instructions on doing this, see
“Deleting user accounts created with a temporary user account”
on page 121.
Which Settings Should Be Defined?
4. Examine the default settings in the installation profile and decide if
they are to your satisfaction. If not, change the settings to the desired
values:
• System Settings
See Chapter 2, “Configuring System Settings” for a description of
these settings.
• Group settings for the Administrator group
Check the permissions for this group (XREF to permissions tables), and
note that Administrators probably have stricter rules for passwords
than normal user accounts do.
• Group settings for the group containing the temp user.
The profile is now ready.
Deleting user accounts created with a temporary user account
To delete user accounts created with a temporary user account:
1. Create an update profile based on the install profile containing the
temporary user account, based only on Groups.
2. Open the update profile for editing and remove all groups except the
one that contains the temporary user.
3. Mark the only remaining group for removal.
4. Save the profile by clicking OK.
5. Place this profile in the Update folder on the client machine from
which you want to remove the user account.
Note - Do not place the profile in the Publish Profile directory because
this will cause the deletion of all user accounts created with the
temporary user account.
Deploying Smart Card Drivers Together with Smart Card User
Accounts in Installation Profiles
When creating smart card user accounts via installation profiles, it is
important that the required smart card drivers exist on the machine prior
to logon. This is necessary if smart card user accounts are to be able to log
on directly at first-time authentication.
To install smart card drivers at the same time as Pointsec PC is installed:
1. Add the Driver setting to the precheck.txt file. Specify each driver file
name if more than one driver is involved, separating the file names
with semicolons (no spaces are allowed). Below is an example in which
the smart card driver files msc_p11.bin and prd_ccid.bin are specified:
Drivers=msc_p11.bin;prd_ccid.bin
Creating an Update Profile
An update profile is used to change the settings on a system that has
already been installed.
You can either create an update profile from scratch or based on an
already existing installation or update profile.
An update profile contains only the changes you want to make to the target
installation(s). For example, if you want to change only one setting, you
specify only that setting.
Difference between Remove and Mark for Removal
Remove
Remove deletes all data regarding the user or group from the profile. If
you deploy this profile, it will not affect the users or groups you just
removed, because no information about these users or groups is left in
the profile.
Mark for Removal
When marking a group or user account for removal, the group or user
remains in the profile and acts as a container for sending the information
to remove the group or user on the machine(s) the profile is deployed to.
Summary of Differences
Mark for Removal is used to remove things at remote machines; in other
words, all the information about the user or group is in the profile because
it has to be sent to the client(s) where it will remove the user or group. The
information must be sent to the client, so it is designated as “Mark for
Removal” to signify to the admin that this user or group will be removed
on the client machine(s).
Remove simply removes data from the profile, and is a way to edit the
contents of a profile. You might have five groups, and want to update a
setting for only one of the groups. In this case, you could remove the four
groups you do not want to affect, leaving only the group you want to
change in the profile.
Uninstall Profiles
An uninstall profile cannot be edited, and requires authentication by two
administrator user accounts.
The machine on which you create the uninstallation profile must contain at
least two system administrator accounts that are also on the clients you
want to uninstall. To complete the creation of the uninstall profile,
Pointsec PC prompts for the authentication of two system administrators
before the profile is created (these two system administrator accounts
must also exist on the client).
Ensuring that Administrator Accounts Exist on Both the Admin Machine and all Client Machines
Pointsec PC 6.0 creates unique user accounts. Even if you define a user
account with the same name on two different machines, these are actually
two different accounts: they have the same user account name but
unique GUIDs, which makes them unique user accounts. (In
Pointsec PC 6.0, a GUID is the internal user account ID.)
Keeping track of which administrator user accounts are defined on which
machines can be of critical importance. This is illustrated in the following
example of a scenario involving installing Pointsec PC and subsequently
attempting to uninstall it from a machine using an uninstallation profile.
Manually Installing Pointsec PC on the Admin Machine
Manually install Pointsec PC on what will be called the admin machine. In
the process of installing Pointsec PC you will have defined two
administrator user accounts, let us call them Admin_A and Admin_B.
To create an installation profile:
1. On the admin machine, create an installation profile, which you will
use to deploy Pointsec PC to 100 client machines.
2. In the installation profile, define two administrator user accounts,
Admin_C and Admin_D. These administrators are authorized to
authenticate the uninstallation of any of the 100 clients that will have
Pointsec PC installed on them via this installation profile.
3. Deploy the installation profile to the 100 client machines, and assume
that Pointsec PC is installed on the 100 client machines.
4. Create an uninstallation profile that you will use to remove Pointsec PC
from one machine. In the process of creating the profile, the two
administrator accounts on the admin machine, Admin_A and Admin_B,
must authenticate the uninstall profile.
5. Deploy the uninstallation profile to the machine from which you want
to uninstall Pointsec PC. You will see, however, that Pointsec PC is not
uninstalled from the machine.
Why Pointsec PC is not uninstalled
Pointsec PC is not uninstalled from the target machine because the client
machines were installed with an installation profile that included Admin_C
and Admin_D. When the target machine checks the uninstallation profile,
which was created on the admin machine, it finds that the profile was
authenticated by Admin_A and Admin_B, two administrators who are
unknown to the target machine (which knows only Admin_C and
Admin_D). For this reason, the profile is not activated on the target
machine.
You might think that you can define Admin_A and Admin_B on the target
machine via an update profile. However, this results in the creation of
two user accounts named Admin_A and Admin_B on the target machine
that, although they have the same names as the accounts on the admin
machine, have GUIDs that differ from those of the Admin_A and Admin_B
accounts on the admin machine.
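The scenario above hinges on GUIDs rather than names. The following PowerShell is an added illustration, not Check Point's code or the product's actual check: it models a client that activates an uninstall profile only when both authenticating administrators are already known to it by GUID. The function names, objects and GUIDs are constructed for the example.

```powershell
# Added illustration, not product code: accounts are compared by GUID, never by name.
function New-Account {
    param([Parameter(Mandatory)] [string] $Name)
    # Each account created anywhere gets its own GUID, even if the name is reused.
    [pscustomobject]@{ Name = $Name; Guid = [guid]::NewGuid() }
}

function Test-UninstallProfileAccepted {
    param(
        [Parameter(Mandatory)] [object[]] $ClientAdmins,          # administrators the client knows
        [Parameter(Mandatory)] [object[]] $ProfileAuthenticators  # the two admins who authenticated the profile
    )
    # Constructed model of the client-side check: two system administrators must
    # have authenticated the profile, and both must be known to the client by GUID.
    $known   = @($ClientAdmins | ForEach-Object { $_.Guid.ToString() })
    $matched = @($ProfileAuthenticators | Where-Object { $known -contains $_.Guid.ToString() })
    return ($matched.Count -ge 2)
}

# Admin machine: installed manually with Admin_A and Admin_B.
$adminA = New-Account -Name 'Admin_A'
$adminB = New-Account -Name 'Admin_B'

# Installation profile created on the admin machine defines Admin_C and Admin_D,
# so every client deployed with it knows only those two GUIDs.
$adminC = New-Account -Name 'Admin_C'
$adminD = New-Account -Name 'Admin_D'
$clientAdmins = @($adminC, $adminD)

# Step 5 of the scenario: the uninstall profile was authenticated by Admin_A and
# Admin_B, whose GUIDs the client has never seen, so the client rejects it.
Test-UninstallProfileAccepted -ClientAdmins $clientAdmins -ProfileAuthenticators @($adminA, $adminB)

# Adding "Admin_A" and "Admin_B" to the client via an update profile creates two new
# accounts with those names but fresh GUIDs; the client still does not know the
# GUIDs that authenticated the profile, so it is still rejected.
$clientAfterUpdate = $clientAdmins + @((New-Account -Name 'Admin_A'), (New-Account -Name 'Admin_B'))
Test-UninstallProfileAccepted -ClientAdmins $clientAfterUpdate -ProfileAuthenticators @($adminA, $adminB)

# After Alternative 1 or 2 (next section) the admin machine also holds Admin_C and
# Admin_D taken from the same installation profile, i.e. the same GUIDs the clients
# carry. An uninstall profile authenticated by those two accounts is accepted.
Test-UninstallProfileAccepted -ClientAdmins $clientAdmins -ProfileAuthenticators @($adminC, $adminD)
```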
Ensuring that the Required User Accounts are on the Machines that Require them
To get the relevant user accounts on the machines that require them:
Alternative 1
1. Install Pointsec PC on the admin machine.
2. Create the installation profile you will use to install Pointsec PC on the
client machines.
3. Create an update profile based on the installation profile used to
install on the client machines, including Admin_A and Admin_B in this
update profile. Thus, Admin_A, Admin_B, Admin_C, and Admin_D will be
on the admin machine and Admin_C and Admin_D will be on the client
machines.
4. Update the admin machine using the update profile created in the
previous step.
Alternative 2
1. Install Pointsec PC on the admin machine.
2. Create the installation profile that you will use to install Pointsec PC
on the client machines.
3. Uninstall Pointsec PC from the admin machine.
4. Use the installation profile created above to install Pointsec PC on the
admin machine after adding Admin_A and Admin_B to the profile. Now
Admin_A, Admin_B, Admin_C, and Admin_D are in the admin machine
and Admin_C and Admin_D are on the client machines.
Deploying Pointsec PC Using an Install Profile
This section explains how to deploy Pointsec PC using a login script.
You can initiate a Pointsec PC silent install profile from any computer that
can map a drive and run an executable file.
To deploy Pointsec PC:
1. Copy the contents of the SetupFiles directory on the Pointsec PC CD
to the Install directory that contains the install profile.
Note - In order for installation, recovery, and updates to function
correctly, user accounts on Pointsec PC-protected computers must have
RX permissions to the entire Pointsec PC directory structure to handle
temporary information and updates.
2. Create and distribute the following login script to the computers on
which you want to install Pointsec PC:
@echo off
REM Skip the installation if Pointsec PC is already present. The path contains
REM spaces, so it must be quoted for the If Not Exist test to work.
If Not Exist "%homedrive%\progra~1\Pointsec for PC\pscontrol.exe" goto Install
Exit
:Install
REM Silent install from the share. Replace [servername] and [installdirectory]
REM with the server and the Install directory that holds the install profile.
start \\[servername]\[installdirectory]\msiexec.exe /i "Pointsec for PC.msi" /q
exit
The next time the users log in and the script runs, Pointsec PC will be
installed with the settings you have configured in the install profile and
the computers will be Pointsec PC protected.
Note - In order to log error information from a failed installation, the
user executing the script also needs rights to create folders and files in
the Install directory.
Local administrator permissions are required in order to install.
Deploying in an MSI Package
Note - When Pointsec PC is installed on a client using deployment
software such as SMS or Tivoli, the service that runs the msi.exe must
be run as LOCAL_SYSTEM, and the service must have “Interact with
desktop” activated. If the service is run as a normal user account, the
installation will fail.
Windows XP
If you are deploying Pointsec PC on Windows XP: the Pointsec PC MSI
package can be started using
msiexec.exe /i "Pointsec for PC.msi".
The following parameters are supported:
Table 7-1  Supported parameters

Parameter   Explanation
/i          Installation
/x          Uninstallation
/L          Logs installation information
/q          Silent installation
Note - Pointsec PC does not support any other parameters, transforms
or modifications to the .msi package!
Windows Vista
Windows Vista requires higher admin rights than Windows XP when
installing. You do not have these higher rights automatically even if you are
logged in as administrator on Vista, and therefore you cannot start the
msi-file in the same way as on Windows XP. However, these rights have
been added to the autorun.exe so if you run the autorun.exe it will
generate an msiexec command line with the correct rights.
You can use the same parameters for the autorun file as for the msi-file.
The parameters you use for the autorun file will automatically be added to
the msiexec command, for example:
the command
autorun.exe /install=q
generates the command line
msiexec /i "Pointsec for PC.msi" /q
Verifying a Pointsec PC Deployment
When you have deployed Pointsec PC on the clients, it is important to
verify that Pointsec PC has been installed and that the clients’ volumes
have been encrypted.
1. Verify the deployment by checking the text files found in the
predefined Log directory/directories on the file share(s).
One text (.txt) file for each client machine is created in the Central Log
directory if the System Settings → Install → Enable status export to file
checkbox has been selected in the profiles. The text file tells you if
Pointsec PC has been installed, which volumes have been encrypted
(provided that the client machine actually has been encrypted), and if
a recovery file has been created for the specific client machine. The
text files contain the client machine’s name in the file name, for
example:
london_office_pc_1.txt, london_office_pc_2.txt,
london_office_pc_3.txt and so on.
2. Check the recovery (.rec) files found in the predefined Recovery
directory/directories on the file share(s). The number of recovery files
should correspond to the number of clients deployed; that is, there
should be 200 recovery files in the directory/directories if Pointsec PC
was deployed to 200 clients. Each recovery file is identified with the
client machine’s name in the file name, for example:
london_office_pc_1.rec, london_office_pc_2.rec,
london_office_pc_3.rec and so on.
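The two checks above can be scripted against the Central Log and Recovery directories. The PowerShell below is an added example, not Check Point's code: it builds a constructed temporary folder layout standing in for the file share, then reports clients with no status file, clients with no recovery file, and recovery files for machines that were never on the deployment list. The client names and paths are constructed; the status files are only located, not parsed, because their content format is not specified here.

```powershell
# Added example, not Check Point's code. Paths and client names are constructed.
function Test-PointsecDeployment {
    param(
        [Parameter(Mandatory)] [string]   $CentralLogPath,  # Central Log directory: one <client>.txt per client
        [Parameter(Mandatory)] [string]   $RecoveryPath,    # Recovery directory: one <client>.rec per client
        [Parameter(Mandatory)] [string[]] $ExpectedClients  # machine names the profile was deployed to
    )
    $perClient = @(foreach ($client in $ExpectedClients) {
        [pscustomobject]@{
            Client       = $client
            StatusFile   = Test-Path -LiteralPath (Join-Path $CentralLogPath "$client.txt")
            RecoveryFile = Test-Path -LiteralPath (Join-Path $RecoveryPath   "$client.rec")
        }
    })
    # The rule from the text: the number of .rec files should equal the number of
    # clients deployed. Report a mismatch in either direction.
    $recFiles = @(Get-ChildItem -LiteralPath $RecoveryPath -Filter '*.rec' -File -ErrorAction SilentlyContinue)
    $summary = [pscustomobject]@{
        ExpectedClients    = $ExpectedClients.Count
        RecoveryFilesSeen  = $recFiles.Count
        MissingStatus      = @($perClient | Where-Object { -not $_.StatusFile }   | Select-Object -ExpandProperty Client)
        MissingRecovery    = @($perClient | Where-Object { -not $_.RecoveryFile } | Select-Object -ExpandProperty Client)
        UnexpectedRecovery = @($recFiles  | Where-Object { $ExpectedClients -notcontains $_.BaseName } | Select-Object -ExpandProperty Name)
    }
    [pscustomobject]@{ Summary = $summary; PerClient = $perClient }
}

# Constructed sample layout in a temporary folder standing in for the file share:
# three clients deployed, london_office_pc_3 never produced a recovery file, and a
# stray recovery file exists for a machine that is not on the deployment list.
$root   = Join-Path ([IO.Path]::GetTempPath()) ('pointsec-verify-' + [guid]::NewGuid())
$logDir = (New-Item -ItemType Directory -Path (Join-Path $root 'Log')).FullName
$recDir = (New-Item -ItemType Directory -Path (Join-Path $root 'Recovery')).FullName
foreach ($n in 1..3) { New-Item -ItemType File -Path (Join-Path $logDir "london_office_pc_$n.txt") | Out-Null }
foreach ($n in 1..2) { New-Item -ItemType File -Path (Join-Path $recDir "london_office_pc_$n.rec") | Out-Null }
New-Item -ItemType File -Path (Join-Path $recDir 'paris_office_pc_9.rec') | Out-Null

$result = Test-PointsecDeployment -CentralLogPath $logDir -RecoveryPath $recDir `
    -ExpectedClients @('london_office_pc_1', 'london_office_pc_2', 'london_office_pc_3')
$result.Summary   | Format-List
$result.PerClient | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force   # remove the constructed layout
```

Against a real deployment, point -CentralLogPath and -RecoveryPath at the Central Log and Recovery directories on the file share and pass the list of machines you deployed to.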
Running Pointsec PC as a Service on a PC
The Pointsec Service Start service allows system administrators to limit
user access to the Pointsec network share and the respective recovery,
update profile and software update directories. Authentication to the share
is made with the account assigned to the Pointsec Service Start service.
For more information, see Chapter 10, “Using a Service Start Account” on
page 149.
Note - This documentation does not cover permissions required to
install Pointsec PC from a network share.
Pointsec Service Start Service Account Specifics
The account assigned to the Pointsec Service Start service must be a
domain or Microsoft Active Directory account in order to allow the service
to authenticate across the client systems and file share properly.
It is also strongly recommended that this account be treated as a service
account, not a normal user account. Additional specific authorization and
restrictions (enforced by Group Policy Objects [GPOs] or system policies)
should be applied to the service account.
A strong and lengthy password is also recommended to secure this service
account.
General Requirements
On the Local PC
• The logged-on user account requires List, Read, Write, Execute, Modify
and Delete permissions to the local Pointsec program folder, generally:
C:\Program Files\Pointsec.
• The logged-on user account requires full permissions to the Pointsec
registry items on the client PC, generally:
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec.
• The account configured as the Pointsec Service Start account requires
List, Read, Write, Execute and Modify permissions to the local
Pointsec program folder, generally: C:\Program Files\Pointsec.
• The account configured as the Pointsec Service Start service must be a
member of the Administrator group on the local PC.
• The account configured as the Pointsec Service Start service account
requires full permissions to the Pointsec registry items on the client
PC, generally: HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile
Tech\Pointsec.
On the Network share
• The user account logging on to the local client PC requires no
permissions on the network share once the service is configured.
• The account configured as Pointsec Service Start requires full control to
the network share.
What does the Pointsec Service Start Service do?
Once the Pointsec Service Start service is configured, it handles:
• Creation of the recovery file
• Download of update profiles placed in the update path
• Download of system upgrade packages (patch files)
Limitations
Computer-specific Update Profile Folder
A computer-specific update profile folder is not created in the update
profile path, since this is not done via the Pointsec Service Start service
but by a process running in the user context (currently).
Note - If the folder is created manually, it will be used as normal.
Software Updates
Software updates are downloaded and completed on the local PC, but the
upload of the log files from the update is not transferred, since this is not
done via the Pointsec Service Start service but by a process running in the
user context (currently).
Workaround possibility
In this scenario it is possible that a package can be written for provision
through a login script or systems management tool that executes
C:\Program Files\Pointsec\PpupdLog.exe with a Run As operation, where
the user account has the necessary rights to the Pointsec file share.
Example of Setup
The following is an example of the setup:
1. Create a domain-wide account (hereafter called ServiceAccount) that all
client PCs within the organization can use (e.g., added to the Power
Users on each machine via GPO). This account also needs to be
present on the local machines with the permissions described above.
2. Create a network share and assign full permission on the share,
including sub-folders and content to the ServiceAccount. Other
permissions can be set as desired.
3. Install Pointsec.
4. Set the Pointsec Service Start service to log on with the
ServiceAccount.
If configured correctly, the creation of recovery file, download of
update profiles and download of software upgrades is now performed
via the account assigned to the Pointsec Service Start service.
Note - If you are installing by means of an install profile, the Pointsec
Service Start service can be configured prior to rebooting the system
when completing the installation.
Doing so should avoid a possible -2 error when logging on (caused by
limited permissions for the logged-on user to the recovery folder).
Creating and Deploying Update Profiles
You can easily update security settings on Pointsec PC-protected
computers by creating and deploying an update profile. The best way to
create an update profile is to edit the original install profile and save it as
an update profile.
Creating an Update Profile
To create an update profile:
Working with Accounts in an Update Profile
You can add, edit and delete group and user accounts on a
Pointsec PC-protected computer by configuring accounts in an update
profile.
Editing and Deleting Accounts in an Update
Profile
To edit or delete an account:
Deploying an Update Profile
Note - All computers on which you want to update Pointsec PC must
have read and execute permissions to the Update directory.
Pointsec PC-protected computers check for update profiles every three
hours, or, if the computer is not connected to the network, the next time
the user logs on to the network.
Deploying an Update Profile to a Specific Computer
The first time a Pointsec PC-protected computer retrieves an update
profile, it creates a unique folder in the update profile path.
Whenever you need to deploy a specific update profile to the computer,
you can do so by placing the profile in this folder.
Pointsec PC uses the name of the computer as the folder name.
Pushing Update Profiles to Computers
If you want a Pointsec PC-protected computer to search for an update
profile outside the set interval, you can achieve this by using Pointsec PC’s
Push feature. This feature enables updates to be imported even if the
computer goes off-line once the update has been placed on the system.
To push an update profile:
1. On the local system, create the sub-folder Work in the Pointsec folder,
e.g. C:\Program Files\Pointsec\Work.
Pointsec PC checks if the Work folder is present on the local system.
If Pointsec PC finds an update or software update profile in the Work
folder, Pointsec PC verifies that the update is new, imports it and
deletes the update from C:\…\Pointsec\Work.
The import is completed within 10 seconds. Pointsec PC then
continues using the normal update interval as specified.
How does the Update Profile Affect a Logged-on User?
If an update profile affects the logged-on user, Pointsec PC will execute
the new settings in one of two ways. Depending on the settings, they will
be implemented either immediately or the next time the user logs on after
rebooting the computer.
If the update profile contains a deletion of the logged-on user, this will be
implemented immediately and Pointsec PC will lock the keyboard and start
the screensaver so as not to allow the user access to the system.
Note - On Windows NT/2000/XP, Pointsec PC will display an additional
warning informing the user of what has happened.
Chapter 8
Upgrading Pointsec for PC 4.x and 5.x Installations
Upgrading is the process of replacing one version of software with a newer version of
that software.
This chapter describes how a 4.x or 5.x version of Pointsec for PC can be replaced
with Pointsec PC 6.2. Note that versions 4.x and 5.x are often called legacy versions
below.
For details on upgrading from Pointsec for PC 6.x.x to Pointsec PC 6.2, see
“Upgrading from Pointsec for PC 6.x.x to Pointsec PC” on page 145.
Overview
The (legacy) Pointsec for PC 4.x or 5.x functionality is used to perform the upgrade to
Pointsec PC 6.2. This means that the upgrade of legacy clients is performed by
distributing/deploying “upgrade packages” to the 4.x/5.x Directory path for software
upgrades or to the Pointsec/Work folder on the client computers.
Note - It is not possible to perform an update by executing the
Pointsec PC MSI package.
During the upgrade of a Pointsec for PC 4.x/5.x version to Pointsec PC 6.2 the
following things should be noted:
• Protection of volumes is retained.
• Legacy user/group and system settings are discarded.
• Legacy user accounts can be kept or upgraded.
• Upgraded legacy users keep their names and status. For example,
legacy accounts that are locked will be locked after upgrade.
• User credentials are upgraded for legacy password and dynamic
token accounts. The credentials for legacy smart card accounts
cannot be upgraded, and these accounts are therefore converted
during upgrade.
• An Upgrade profile is used to control the upgrade. Via the profile it
is possible to:
  • Configure which legacy accounts shall be preserved during
  upgrade.
  • Add new user accounts and groups.
  • Specify the System Settings, Group settings, and User Account
  settings that will be set in the upgraded installation.
Remote Help
Upgraded legacy accounts can be used to provide Remote Help, but
upgraded legacy accounts that use a fixed password to authenticate must
have successfully logged on once before they will be able to provide
Remote Help on the upgraded system. Therefore, it is recommended that
you always include in the upgrade profile at least one user that is able to
provide Remote Help.
Conversion of Special Legacy Accounts
During upgrade, legacy TEMPSERVICEUSER users are converted to
“service user”-type accounts, see “Pointsec PC Service Start Account and
the Recovery File” below.
Smart Card Accounts
During upgrade, smart card accounts are either removed or converted to
temporary smart card accounts/fixed password accounts with a password
specified by the upgrade profile. If temporary smart card accounts are
used, the users must re-associate the smart card at Windows logon.
Recovery File
During the upgrade, a recovery file for the upgraded version is created and
stored in the Recovery path. If the creation of this file fails, the upgrade is
aborted.
Pointsec PC Service Start Account and the Recovery File
If a Pointsec PC service start account is configured in the upgrade profile,
it will be used to store the recovery file in the Recovery path.
During upgrade, the Pointsec Service Start Service in the 4.x/5.x version of
Pointsec PC, and information about the account configured to run the
service, will be removed. Consequently the 4.x/5.x version of the Pointsec
Service Start Service will not be used for recovery file handling during or
after upgrade.
From Which Legacy Versions Can You Upgrade?
You can upgrade to Pointsec PC 6.2 from the following legacy versions:
• Pointsec for PC 4.1 sr 2.14 or later
• Pointsec for PC 4.2 sr 1.4 or later
• Pointsec for PC 4.3
• Pointsec for PC 5.x.x
Requirements for Upgrading a 4.x/5.x Client
The following requirements must be met to upgrade a Pointsec for PC
4.x/5.x client:
• Upgrade from the installed 4.x/5.x version must be supported (see
above).
• Encryption on the client computer to be upgraded must be completed,
that is, no encryption may be in progress on that computer.
• The currently logged in user must have access to all protected
volumes.
• Upgrade is not supported on computers to which USB hard disk drives
or USB flash drives are attached.
The Process of Upgrading
The Pointsec PC administrator should perform the following operations to
upgrade the product on the clients:
1. Install Pointsec PC 6.2 on a machine; this is referred to as the ‘master
installation’.
The master installation is used to create upgrade profiles and to
construct an upgrade package.
2. Create the upgrade profile that will be used for this upgrade.
Before creating the upgrade profile, the central administrator must do
an inventory of the legacy accounts, legacy groups, and the legacy
settings that exist on the clients. The information collected in the
inventory will enable the central administrator to create an upgrade
profile that will upgrade the clients correctly. This inventory must be
performed manually.
3. Create the upgrade package via the upgrade wizard, which can be
accessed in the PCMC at Remote → Create 4.x/5.x Upgrade Package.
4. Deploy the upgrade package, if this has not been done via the wizard.
5. Check the progress of the upgrade on the clients by monitoring the
central log file directory for the log files from the upgraded clients.
6. Restart the upgrade on the clients on which it has failed.
Most of these steps are explained in detail below.
The Characteristics of an Upgrade Profile
Settings That Are Specific to Upgrade Profiles
Upgrade profiles are similar to installation profiles, but they are unique in
having the following settings (found under Groups → ... → Group Settings
→ Upgrade, see Figure 8-1, below):
• Choose Upgrade Action
• Choose How To Convert Upgraded Legacy Smart Card Accounts
• Set Password for Converted Legacy Smart Card Accounts
• Limited Volume Access Accounts
• Default Legacy Group
Note - Upgrade profiles do not have volume protection settings because
the protection is inherited from the legacy installation.
Upgrade Settings
Figure 8-1
The following Upgrade settings are found under Group Settings:
Table 8-1  Upgrade settings

Choose Upgrade Action
  This setting determines how legacy accounts matched by the
  group/account will be upgraded. The following values can be set for
  groups and for legacy accounts:
  • Ignore = Legacy account(s) are ignored (handled by the default group
  for the authority level).
  • Upgrade = Upgrade legacy account(s) and utilize the settings for the
  matching group.
  • Remove = Remove legacy account(s).

Choose How To Convert Upgraded Legacy Smart Card Accounts
  Credentials for legacy smart card accounts cannot be upgraded, so they
  must be converted during upgrade. This setting determines how to
  convert these accounts. Note that this parameter has no effect unless
  the parameter 'Legacy accounts handling' is set to ‘Upgrade’.
  • Remove
  • Convert to temporary smart card accounts
  • Convert to fixed password account

Set Password for Converted Legacy Smart Card Accounts
  Set the password for the legacy smart card accounts that, during
  upgrade, will be converted to temporary smart card accounts or
  password accounts.

Limited Volume Access Accounts
  Specifies the action that will be taken when accounts without access
  to all volumes are found.
  • Abort Installation
  • Remove legacy accounts
Default Legacy Groups
In an upgrade profile, a group can be marked as Default Legacy Group for
one or several legacy authority levels (Sysadmin, Admin, and User). This is
done by right clicking the group and selecting Default legacy group.
A legacy user is primarily upgraded according to the settings specified for
a group (in the upgrade profile) whose name is the same as the legacy
group to which the legacy user belongs. If no group name in the profile
matches the user’s legacy group name, the user is upgraded according to
the settings for a group designated the Default legacy group for the user’s
authority level. If no Default legacy group is found, the user is removed.
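The matching order just described (group with the same name as the legacy group, otherwise the Default legacy group for the authority level, otherwise removal), combined with the Upgrade Action values and the smart card conversion setting from Table 8-1, is implemented below for a constructed legacy inventory and upgrade profile. This is an added PowerShell example, not Check Point's code; the object shapes, the group and user names, and the assumption that a legacy account entry in the profile takes precedence over its group's setting are all constructions for the example.

```powershell
# Added example, not product code. Object shapes and names are constructed.
function Resolve-LegacyUpgrade {
    param(
        [Parameter(Mandatory)] [hashtable] $UpgradeProfile,  # .Groups and .LegacyAccounts
        [Parameter(Mandatory)] [object[]]  $LegacyUsers      # inventory taken from the 4.x/5.x clients
    )
    $groups = @($UpgradeProfile.Groups)
    foreach ($user in $LegacyUsers) {
        $action = $null
        $group  = $null

        # 1. Assumption: a legacy account entry naming this user sets its action directly
        #    (that is what the page says such entries are for) and wins over the group match.
        $entry = @($UpgradeProfile.LegacyAccounts | Where-Object { $_.Name -eq $user.Name }) | Select-Object -First 1
        if ($entry) {
            $action = $entry.Action
            $group  = @($groups | Where-Object { $_.Name -eq $entry.Group }) | Select-Object -First 1
        }

        # 2. Otherwise the profile group whose name equals the user's legacy group decides.
        if (-not $action) {
            $group = @($groups | Where-Object { $_.Name -eq $user.LegacyGroup }) | Select-Object -First 1
            if ($group) { $action = $group.UpgradeAction }
        }

        # 3. No match, or an explicit Ignore: fall back to the Default legacy group for the
        #    user's authority level. 4. No default either: the user is removed.
        if (-not $action -or $action -eq 'Ignore') {
            $group  = @($groups | Where-Object { $_.DefaultLegacyFor -contains $user.AuthorityLevel }) | Select-Object -First 1
            $action = if ($group) { $group.UpgradeAction } else { 'Remove' }
        }

        # Smart card credentials cannot be upgraded; the deciding group's conversion
        # setting (Table 8-1) says what happens to such an account on Upgrade.
        $result = $action
        if ($action -eq 'Upgrade' -and $user.AuthType -eq 'SmartCard') {
            $result = switch ($group.SmartCardConversion) {
                'TemporarySmartCard' { 'Upgrade (converted to temporary smart card account)' }
                'FixedPassword'      { 'Upgrade (converted to fixed password account)' }
                default              { 'Remove (smart card account not converted)' }
            }
        }
        $groupName = if ($group) { $group.Name } else { '-' }
        [pscustomobject]@{
            User = $user.Name; LegacyGroup = $user.LegacyGroup; Level = $user.AuthorityLevel
            DecidingGroup = $groupName; Result = $result
        }
    }
}

# Constructed upgrade profile following the recommendations in this chapter:
# Users are upgraded, Sysadmins and Admins are removed, and the Admins group
# deliberately has no Default legacy group so that case 4 (removal) is visible.
$upgradeProfile = @{
    Groups = @(
        [pscustomobject]@{ Name = 'Sysadmins';   UpgradeAction = 'Remove';  DefaultLegacyFor = @('Sysadmin'); SmartCardConversion = 'Remove' }
        [pscustomobject]@{ Name = 'Admins';      UpgradeAction = 'Remove';  DefaultLegacyFor = @();           SmartCardConversion = 'Remove' }
        [pscustomobject]@{ Name = 'Users';       UpgradeAction = 'Upgrade'; DefaultLegacyFor = @('User');     SmartCardConversion = 'TemporarySmartCard' }
        [pscustomobject]@{ Name = 'Finance';     UpgradeAction = 'Upgrade'; DefaultLegacyFor = @();           SmartCardConversion = 'FixedPassword' }
        [pscustomobject]@{ Name = 'Contractors'; UpgradeAction = 'Ignore';  DefaultLegacyFor = @();           SmartCardConversion = 'Remove' }
    )
    LegacyAccounts = @(
        [pscustomobject]@{ Name = 'jdoe'; Group = 'Sysadmins'; Action = 'Upgrade' }  # one sysadmin kept by name
    )
}

# Constructed legacy inventory (the manual inventory step 2 of the upgrade process).
$legacyUsers = @(
    [pscustomobject]@{ Name = 'jdoe';   LegacyGroup = 'ITOPS';       AuthorityLevel = 'Sysadmin'; AuthType = 'Password' }
    [pscustomobject]@{ Name = 'asmith'; LegacyGroup = 'Finance';     AuthorityLevel = 'User';     AuthType = 'SmartCard' }
    [pscustomobject]@{ Name = 'bng';    LegacyGroup = 'Contractors'; AuthorityLevel = 'User';     AuthType = 'SmartCard' }
    [pscustomobject]@{ Name = 'root2';  LegacyGroup = 'ITOPS';       AuthorityLevel = 'Admin';    AuthType = 'Password' }
    [pscustomobject]@{ Name = 'guest';  LegacyGroup = 'Visitors';    AuthorityLevel = 'User';     AuthType = 'Password' }
)

Resolve-LegacyUpgrade -UpgradeProfile $upgradeProfile -LegacyUsers $legacyUsers | Format-Table -AutoSize
```

In the sample, asmith is decided by the Finance group (name match) and converted to a fixed password account, bng falls from the Ignore group through to the Users default and becomes a temporary smart card account, and root2 has neither a matching group nor a default for the Admin level and is removed.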
Legacy Accounts
Legacy accounts are added to profiles for two purposes:
1. To specify a specific upgrade action for an account in a legacy
installation.
2. To enable management on user-account level for individual upgraded
accounts.
You can add legacy accounts to the upgrade profile, but for legacy
accounts you can specify only the legacy user account name and set
the Upgrade Action (and implicitly the group membership).
The Two Types of Upgrade Profile: Silent and Interactive
Upgrade profiles can be either silent or interactive. You choose whether
you want to create a silent or an interactive profile in the PCMC’s New
Profile wizard. The profile type determines whether the upgrade will be
interactive or silent.
Recommendations
The following recommendations apply to upgrade profiles:
• All legacy users can be preserved during upgrade. However, we
recommend that legacy users with the authority level User are
upgraded and that legacy users with the authority level Admin and
Sysadmin are removed and replaced with new user accounts.
With this approach, all information (including credentials) related to
the administrative accounts is available in the PCMC. This enables you
to create installation/update profiles with the same administrative
accounts and thereby unify the configuration of clients with different
backgrounds (upgraded from 4.x/5.x or the direct installation of 6.x).
Note that an upgrade profile can be based on an installation/update
profile and that you thereby can achieve this effect in reverse order.
• The upgrade profile should contain at least one new account with the
authority level and permissions required to perform Remote Help for all
users.
• The Update Profile Path, Recovery Path, Central Log Path, and
Upgrade Path specified in the upgrade profile should be different from
those used for the 4.x/5.x versions.
• The parameter Limited volumes access should be set to Abort
installation. If the setting Remove accounts is used, the following
scenario will result in one or several volumes not being upgraded
correctly:
  • A user with access to all volumes is logged on to Pointsec PC.
  • Upgrade is performed in the Windows environment, and the
  computer is restarted.
  • Another user with limited volume access logs into the legacy PPBE.
  • Upgrade is done on all volumes to which that user has access. The
  other volumes are not accessible and therefore cannot be
  upgraded.
Configuring an Upgrade Profile
An upgrade profile can be based on:
• Local settings
• An update profile
• An installation profile
When you create a new upgrade profile that is not based upon local
settings or on another profile, the new upgrade profile will contain three
groups: Sysadmins, Admins, and Users. Each of these groups has the
Default legacy group setting for the corresponding legacy authority level.
Note that the default groups can be renamed and removed in the same
way any other normal group can be.
Sanity-Check Warnings Related to the
Configuration of an Upgrade Profile
In addition to the warnings relevant for installation profiles, the following
situations trigger warnings for upgrade profiles:
• No new account has been specified in the upgrade profile.
• No default group exists for one or more of the legacy authority
levels.
• The group authority level for the legacy sysadmin default group is
lower than the group authority level for the legacy admin default group.
• The group authority level for the legacy admin default group is
lower than the group authority level for the legacy user default group.
Errors Related to the Configuration of an Upgrade
Profile
In addition to errors relevant for installation profiles, the following
situations trigger errors for upgrade profiles:
• The setting Upgrade Action has been assigned the value Ignore
for a group that is a default group for a legacy authority level.
Legacy Account Handling
How legacy accounts are upgraded is determined by the contents of the
upgrade profile and by the following four legacy parameters for the
account:
• Legacy account name
• Group name
• Authentication method
• Authority level
Analysis of Legacy Accounts
During upgrade, the upgrade profile and these parameters are analyzed to
determine whether the account will be upgraded or removed.
Remove: The account is removed and will not be present in the upgraded
Pointsec PC installation.
Upgrade: The account is retained during upgrade, and it becomes a
member of one of the groups specified in the profile. The account will
receive the settings specified for the group in the upgrade profile.
The analysis that attempts to match a legacy account to a user account in
the upgraded system is based primarily on the legacy account’s group
name and secondarily on its authority level.
Upgrade Operations
This section describes how specific upgrade operations can be performed
via upgrade profiles.
Upgrading All Legacy Accounts in a Legacy Group
To upgrade all the accounts in a legacy group, define the group in the
upgrade profile and set the Upgrade Action to Upgrade.
Removing All Legacy Accounts in a Legacy Group
To remove all accounts in a legacy group, define the group in the upgrade
profile and set the Upgrade Action to Remove.
Removing All Legacy Accounts
To remove all legacy accounts, set the Upgrade Action to Remove in all
groups. Note that in this case new accounts must be added via the
upgrade profile.
Removing/Upgrading a Specific Legacy Account in a Legacy Group
Create a legacy account in the upgrade profile with the same name and
group as the account and set Upgrade Action to Remove/Upgrade.
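The matching rules above (group name first, then the Default legacy group for the authority level, explicit legacy account entries taking precedence) and the sanity-check warnings and error for upgrade profiles are modelled here as an added Python example; this is not Check Point code and the profile and legacy accounts it uses are constructed. Treating Upgrade Action Ignore on a non-default group as a fall-through to the default group is an assumption of the example.

```python
"""Legacy-account upgrade resolver: an added example, not Check Point code.

A legacy account is matched first to a profile group named like its legacy
group, then to the Default legacy group for its authority level, and is
otherwise removed; a legacy account entry with the same name and group in
the profile decides outright. Assumption: 'Ignore' on a non-default group
falls through to the default group.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LEVELS = ("User", "Admin", "Sysadmin")            # legacy authority levels, low to high
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

@dataclass
class ProfileGroup:
    name: str
    upgrade_action: str                        # "Upgrade", "Remove" or "Ignore"
    authority_level: str                       # group authority level in the new system
    default_legacy_for: Tuple[str, ...] = ()   # legacy levels this group is default for

@dataclass
class LegacyEntry:                             # a legacy account added to the profile
    name: str
    group: str
    upgrade_action: str                        # "Upgrade" or "Remove"

@dataclass
class UpgradeProfile:
    groups: List[ProfileGroup]
    legacy_entries: List[LegacyEntry] = field(default_factory=list)
    new_accounts: List[str] = field(default_factory=list)

    def group_named(self, name: str) -> Optional[ProfileGroup]:
        return next((g for g in self.groups if g.name == name), None)

    def default_group_for(self, level: str) -> Optional[ProfileGroup]:
        return next((g for g in self.groups if level in g.default_legacy_for), None)

@dataclass
class LegacyAccount:                           # the four legacy parameters
    name: str
    group: str
    auth_method: str
    authority_level: str

def resolve(profile: UpgradeProfile, acct: LegacyAccount) -> Tuple[str, Optional[str]]:
    """Return ("Upgrade", target_group) or ("Remove", None) for one legacy account."""
    # 1. An explicit legacy account entry (same name and group) decides outright.
    for e in profile.legacy_entries:
        if (e.name, e.group) == (acct.name, acct.group):
            return ("Upgrade", e.group) if e.upgrade_action == "Upgrade" else ("Remove", None)
    # 2. Primary match: a profile group carrying the legacy group's name.
    g = profile.group_named(acct.group)
    if g is not None and g.upgrade_action != "Ignore":
        return ("Upgrade", g.name) if g.upgrade_action == "Upgrade" else ("Remove", None)
    # 3. Secondary match: the Default legacy group for the account's authority level.
    d = profile.default_group_for(acct.authority_level)
    if d is not None and d.upgrade_action == "Upgrade":
        return ("Upgrade", d.name)
    # 4. No usable match: the account is removed.
    return ("Remove", None)

def sanity_check(profile: UpgradeProfile) -> Tuple[List[str], List[str]]:
    """Return (warnings, errors) for the upgrade-profile-specific checks."""
    warnings, errors = [], []
    if not profile.new_accounts:
        warnings.append("No new account has been specified in the upgrade profile.")
    defaults = {lvl: profile.default_group_for(lvl) for lvl in LEVELS}
    for lvl, g in defaults.items():
        if g is None:
            warnings.append(f"No default group exists for legacy authority level {lvl}.")
        elif g.upgrade_action == "Ignore":
            errors.append(f"Upgrade Action is Ignore for default group {g.name} ({lvl}).")
    # Default groups must not invert the legacy hierarchy Sysadmin >= Admin >= User.
    for higher, lower in (("Sysadmin", "Admin"), ("Admin", "User")):
        hg, lg = defaults[higher], defaults[lower]
        if hg and lg and RANK[hg.authority_level] < RANK[lg.authority_level]:
            warnings.append(f"Default group for legacy {higher} is below the one for {lower}.")
    return warnings, errors

# Constructed sample following the chapter's recommendation: upgrade legacy
# Users, remove legacy Admins and Sysadmins, and add one new Remote Help account.
SAMPLE_PROFILE = UpgradeProfile(
    groups=[
        ProfileGroup("Sysadmins", "Remove", "Sysadmin", ("Sysadmin",)),
        ProfileGroup("Admins", "Remove", "Admin", ("Admin",)),
        ProfileGroup("Users", "Upgrade", "User", ("User",)),
        ProfileGroup("Finance", "Upgrade", "User"),    # named like a legacy group
    ],
    legacy_entries=[LegacyEntry("jdoe", "Finance", "Remove")],
    new_accounts=["RemoteHelpAdmin"],
)
SAMPLE_ACCOUNTS = [
    LegacyAccount("alice", "Finance", "password", "User"),
    LegacyAccount("jdoe", "Finance", "password", "User"),
    LegacyAccount("bob", "Marketing", "smartcard", "User"),
    LegacyAccount("carol", "Marketing", "password", "Admin"),
]
```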
Creating the Upgrade Package
To create the upgrade package, use the upgrade wizard, which you will find
in the PCMC.
1. Select Remote in the folder tree to the left:
Figure 8-2
PCMC Remote
2. Click Create Upgrade Package, and the wizard opens. Then click Next.
Figure 8-3
Input File information
The Create Upgrade Package window contains the following information:
Table 8-2 Create Upgrade Package Information
Select directory containing the Pointsec PC installation package: The
directory that contains the installation package for the version of
Pointsec PC to which the clients will be upgraded.
Use the serial number of the local installation: Clients accept only
upgrade packages that have been created with their current serial number.
If the serial number used on the local machine is identical to the serial
number used by the clients, the Use the serial number of the local
installation checkbox can be selected.
Serial number currently used by clients: Clients accept only upgrade
packages that have been created with their current serial number. If the
serial number used on the local machine is not identical to the serial
number used by the clients, enter the serial number used by the clients in
the text box.
Algorithm: Select the algorithm, Blowfish/CAST or AES/3DES, used by the
clients that will be upgraded.
Upgrade profile: The upgrade profile to be used in the upgrade package.
3. Click the ... button, and browse to the directory that contains the
installation package for the version of Pointsec PC to which the clients
will be upgraded. Select that directory. This directory must be selected
because some of the files used in the upgrade package are taken from the
Pointsec PC installation package.
4. If the serial number used on the local machine is identical to the serial
number used by the clients, select the Use the serial number of the
local installation checkbox. If the serial number used on the local
machine is not identical to the serial number used by the clients, enter
the serial number used by the clients in the Serial number currently
used by clients field.
5. Select the algorithm, Blowfish/CAST or AES/3DES, that will be used by
the clients that will be upgraded.
6. Using the ... button, browse to and select the profile to be used in the
upgrade package. Then click Next.
Figure 8-4
Upgrade package summary
7. If satisfied with the package information summary, click Finish.
Figure 8-5
Upgrade package
The actual package created will be similar in structure to the package
shown above.
Deployment
The upgrade package is deployed by copying it to the 4.x/5.x Directory
path for software upgrades or to the Pointsec/Work folder on the client
computers.
Error Handling and Logging
All major upgrade actions that are performed and any errors that occur
during upgrade are logged in a clear text log: Upgrade_[computername].log.
During upgrade, the file is stored in the Program files.../Update folder.
If the upgrade fails, the file is uploaded to the “Directory for software
upgrades”. If the upgrade is successful, the file is stored in the
[Documents and Settings/All Users/Application Data/Pointsec/Pointsec for
PC...] directory. This file contains valuable information for tracing
upgrade problems.
Restarting the Upgrade
Upgrade can be restarted in two ways. The first solution is the
recommended way to restart, while the other way can be considered a
fall-back solution when the first solution does not work:
Solution 1:
• Create a new upgrade package via the PCMC.
• Distribute the upgrade package to the clients’ Software update
directory/work folders.
Solution 2:
• Clear the registry values PatchLast and PatchNetLast in key
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec on the clients.
• Remove the files in C:\Program Files\Pointsec\Update on the
clients.
• Distribute the upgrade package to the clients’ Software update
directory/work folders.
Recovery
Most of the upgrade operations are performed in Windows. However, to
finalize the upgrade, the system must be restarted and the user must
authenticate once in the legacy PPBE. If the upgrade fails after restart,
recovery must be performed on the system. Depending upon how far the
upgrade process had progressed, recovery is performed via the recovery
media for the legacy installation and/or the upgraded installation.
If the upgrade fails after restart and the system becomes inaccessible,
perform the following steps:
1. Create recovery media for the legacy version.
2. Create recovery media for the upgraded version (that failed).
3. Attempt recovery using the legacy recovery media on all volumes. Pay
close attention to error messages that the recovery program displays.
You can, however, ignore the “Simulated boot record differs” error
message. This message depends on how the upgrade is carried out,
and the problem can be fixed using the recovery media for the
upgraded version.
4. Attempt recovery with the recovery media for the upgraded version and
perform “Recover all”.
5. Attempt to boot the system.
Chapter 9
Upgrading from Pointsec for PC 6.x.x to Pointsec PC
This chapter describes how to upgrade Pointsec for PC 6.x.x installations to
Pointsec PC.
Upgrading from 6.x.x to 6.2
You can upgrade from Pointsec for PC 6.x.x to Pointsec PC 6.2 by running
Msiexec.exe. At the same time, if you wish, you can also change the graphic images
displayed in preboot.
Before Upgrading
Permissions Required to Run Upgrade
Upgrading requires the permissions needed to install msi packages on the local
machine. By default, the Pointsec for PC.msi program installs the upgrade using the
Local System account, which has the required permissions.
Changing the Graphic Images Displayed in Preboot
Before you perform the upgrade, you can change the following from the Pointsec PC
graphic image to, for example, your company’s logo:
• Banner displayed in preboot
• Background image displayed in preboot
• Preboot screen saver image
To change the graphics displayed in preboot authentication:
1. Create a folder named oemvar in the folder that contains the Pointsec
for PC.msi file:
FIGURE P-1
2. Add the relevant files (described below) to the oemvar folder. During
upgrade, the files that have been added to this folder will be registered
as the files to be displayed during preboot.
Table 9-1 Files to add to oemvar folder (Filename: Description;
Specifications)
Banner.jpg: Banner displayed in preboot. Jpeg images created with
Photoshop 3.0 cannot be used; 447w * 98h
Desktop.jpg: Background image displayed in preboot. Jpeg images created
with Photoshop 3.0 cannot be used; 800w * 600h
Scrsvr.jpg: Preboot screen saver image. Jpeg images created with
Photoshop 3.0 cannot be used; 260w * 128h
3. Perform the relevant upgrade procedure as described in “Performing
the Upgrade” on page 146.
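Because the files placed in oemvar are registered for preboot during the upgrade, it pays to verify them beforehand. The following added Python example (not Check Point code) reads the frame header of each JPEG and checks the file names and the pixel sizes Table 9-1 requires; the Photoshop 3.0 restriction cannot be detected from the size and is not checked. The sample images are constructed in memory (SOI, SOF0 and EOI segments only).

```python
"""Pre-deployment check of an oemvar folder: an added example, not Check Point code.

Parses the SOF (start of frame) segment of a JPEG to obtain its pixel size
and compares it with the sizes required by Table 9-1 for Banner.jpg,
Desktop.jpg and Scrsvr.jpg.
"""
import struct
from typing import Dict, List, Tuple

# Required (width, height) per Table 9-1. Keys are lower-case because the
# files end up on a case-insensitive Windows file system.
OEMVAR_FILES: Dict[str, Tuple[int, int]] = {
    "banner.jpg": (447, 98),
    "desktop.jpg": (800, 600),
    "scrsvr.jpg": (260, 128),
}

# SOFn markers carry the frame size; 0xC4 (DHT), 0xC8 (JPG) and 0xCC (DAC) do not.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
# Markers without a length field: TEM, RSTn, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def jpeg_size(data: bytes) -> Tuple[int, int]:
    """Return (width, height) from the first SOF segment; raise ValueError if absent."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker; not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte between segments
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:             # EOI reached without any SOF
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in SOF_MARKERS:
            # Layout: marker(2) length(2) precision(1) height(2) width(2) ...
            if length < 8 or pos + 9 > len(data):
                raise ValueError("truncated SOF segment")
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        if marker == 0xDA:                 # SOS before SOF: malformed file
            break
        pos += 2 + length
    raise ValueError("no SOF segment found")


def make_jpeg(width: int, height: int) -> bytes:
    """Construct a minimal test JPEG: SOI, a three-component SOF0, EOI."""
    components = b"".join(struct.pack(">BBB", cid, 0x11, 0) for cid in (1, 2, 3))
    frame = struct.pack(">BHHB", 8, height, width, 3) + components
    return b"\xff\xd8\xff\xc0" + struct.pack(">H", len(frame) + 2) + frame + b"\xff\xd9"


def validate_oemvar(files: Dict[str, bytes]) -> List[str]:
    """Return one message per problem found; an empty list means the folder is ready."""
    problems = []
    for name, data in files.items():
        expected = OEMVAR_FILES.get(name.lower())
        if expected is None:
            problems.append(f"{name}: not one of the files listed in Table 9-1")
            continue
        try:
            width, height = jpeg_size(data)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if (width, height) != expected:
            problems.append(f"{name}: {width}w * {height}h, expected {expected[0]}w * {expected[1]}h")
    return problems
```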
Performing the Upgrade
Note - When upgrading, the 1_Pointsec for PC folder (from the
Pointsec PC CD-ROM) must be deployed intact; that is, it must be
deployed with its contents as is - none of the subfolders or files should
be deleted or moved. Elements can be added to 1_Pointsec for PC as
long as the original content is intact, and, for example, precheck.txt
can be edited.
Note - Do not use copy and paste to enter the text shown in the
following instructions into the command prompt as this can alter the
double quotes, which will cause the command to fail.
Automatic Reboot
It is possible to set up an automatic reboot after the upgrade’s silent
installation. Note, however, that this might come as an unpleasant surprise
to end users currently working on these machines if they are not aware
that their machines will reboot without warning.
If you wish to upgrade without automatic reboot, see the instructions
below.
Manual Reboot
During the upgrade, the following upgrade log is maintained:
C:\Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC\Upgrade.log
When a silent installation has completed successfully, an Upgrade Done
entry is written to the upgrade log. When you see this entry in the log, the
machine can be rebooted.
By default, all users have full permissions to the directory that contains
the upgrade log. If you experience problems writing or accessing the log,
check with your administrator to determine whether the default
permissions have been changed.
Smart Card Drivers Are Updated
When an upgrade is performed, the smart card and smart card reader .inf
files in the new installation are registered. The old entries are retained
unless they are replaced by new entries in the new .inf files. Then, the
installed driver files are upgraded, but only if the checksums match those
that were updated while the drivers were being registered.
To upgrade with automatic reboot:
1. Execute Msiexec.exe as follows:
Msiexec.exe /i "PATH_TO_MSI\Pointsec for PC.msi" REINSTALLMODE=vomus REINSTALL=ALL /q
To upgrade with manual reboot:
1. Execute Msiexec.exe as follows:
Msiexec.exe /i "PATH_TO_MSI\Pointsec for PC.msi" REINSTALLMODE=vomus REINSTALL=ALL REBOOT=ReallySuppress /q
2. When the upgrade log shows the entry Upgrade Done, reboot the
machine.
Chapter 10
Using a Service Start Account
This chapter describes the Pointsec PC Service Start service. It also describes the
creation of a Windows account you assign to run the service. Together, the service and
the account allow you to strictly limit the permissions of the user accounts on client
machines while still enabling those machines to access the file share on which
profiles, upgrades, recovery files, and log files are stored.
In a Common Criteria validated environment, users of Pointsec PC-protected
computers are allowed to have only RX permissions to the Pointsec share. This can be
accomplished by setting up a Pointsec Service Start Account in the Pointsec PC profile
deployed on computers.
This chapter provides:
• General information on the Pointsec PC Service Start service. See “Pointsec PC
Service Start Service Program - pstartsr.exe” on page 150 for details.
• Guidance in defining the Windows user account that will run the service and in
including this user account in the Power Users group. See “Defining the Windows
User Account That Will Run the Service” on page 152.
• Instructions on how to assign Log on as a service rights to this Windows user account.
Log on as a service and Manage auditing and security log rights are required for the
Windows user account to be able to run the service. See “Specifying the Service
Start Account and Password in Pointsec PC” on page 157.
• Instructions on how to specify the Windows user account in Pointsec PC so it will
be used to access the file share on which profiles, upgrades, recovery files, and
logs are stored. See “Defining the Windows User Account That Will Run the
Service” on page 152.
Pointsec PC Service Start Service Program pstartsr.exe
The Pointsec PC Service Start service is the pstartsr.exe program. It is
added to the Windows services when Pointsec PC is installed.
To view the service:
1. In the Start menu, right click My Computer and click Manage:
Figure 10-1
2. In the Computer Management window, click Services and Applications:
Figure 10-2
3. In the same window, click Services:
Figure 10-3
A list of services on the machine is displayed:
Figure 10-4
4. Right click Pointsec service start and select Properties. The Pointsec
service start Properties window is displayed:
Figure 10-5
The Path to executable text box shows the service executable, which is
PSTARTSR.EXE.
Setting up the Pointsec Service Start Account
To use the Pointsec Service Start service you must perform the following
steps, which are elaborated on the following pages:
• Define the Windows user account and password that will run the
service.
• Assign Log on as a service and Manage auditing and security log rights to
the Windows user account that will run the service.
• Specify the Windows account that will run the service and its password
in Pointsec PC.
Defining the Windows User Account That Will Run
the Service
To define the Windows user account that will run the service:
1. On the Control Panel, click User Accounts:
Figure 10-6
2. Select the Advanced tab:
Figure 10-7
3. Click Advanced:
Figure 10-8
The Local Users and Groups window is displayed.
4. Right click Users and select New User...:
Figure 10-9
5. Enter the User name of the user account, enter a password, confirm the
password, and click Create:
Figure 10-10
The Windows user account that will run the service has now been
created.
You must still assign Log on as a service rights to this user account,
and you must specify this account to Pointsec PC. Both these steps are
described below.
Assigning Log on as a service Rights to the User
Account
To assign Log on as a service rights to the user account defined via the
Control Panel:
1. On the Control Panel, click Administrative Tools.
2. In the Administrative Tools window, click Local Security Policy.
3. In the tree structure on the left side of the window, under Security
Settings/Local Policies/User Rights Assignment, click Log on as a service
and Manage auditing and security log:
Figure 10-11
4. Click Add User or Group:
Figure 10-12
5. Do one of the following:
• Enter the domain and user account name, then click OK.
• Click Advanced, then on the Select Users or Groups window click Find
Now and select the user account you have defined to run the
service.
Figure 10-13
You still need to specify this account to Pointsec PC so it will use this
account to access the share and its directories. This is described
below.
Specifying the Service Start Account and
Password in Pointsec PC
The Windows account and password required to run the Pointsec Service
Start service must be specified for Pointsec PC in one of the following
ways:
• PCMC
• During a manual (local) installation
• In an installation profile
• On the Log on tab of the Pointsec service start Properties window
Via the PCMC
To specify, in the PCMC, the domain name and username of the account that
will run the Pointsec Service Start service:
1. In PCMC, go to Local and select Edit Settings.
2. Under System Settings → Install, click Pointsec Service Start Account
Username, enter the domain and username in the Pointsec Service Start
Account Username window, and click OK:
Figure 10-14
3. To specify the password, under System Settings → Install click Pointsec
Service Start Account Password, enter the password and verify it in the
Pointsec Service Start Account Password window.
4. Click Verify and the Management Console checks whether or not you
can log on to Windows with the Windows user account and password
you have specified.
5. When you are finished, click OK.
Figure 10-15
During a Manual Installation
To specify the Windows account and password during a manual
installation:
1. In the Access to network paths window, select Use a configured Windows
account for access to the network path(s):
Figure 10-16
In an Installation Profile
To specify the domain name and the username when creating or editing a
profile:
1. Under System Settings → Install, click Pointsec Service Start Account
Username, enter the domain name and the username in the Pointsec
Service Start Account Username window, and click OK:
Figure 10-17
2. To specify the password, under System Settings → Install click Pointsec
Service Start Account Password, enter the password and verify it in the
Pointsec Service Start Account Password window.
3. Click Verify and the Management Console checks whether or not you
can log on to Windows with the Windows user account and password
you have specified.
4. When you are finished, click OK:
Figure 10-18
On the Log On Tab of the Pointsec Service Start Properties
Window
The Windows user account and password can be specified on the Log On
tab on the Pointsec service start Properties window. This window (but not the
Log on tab) was described above.
To specify the Windows user account and password on the Log On tab on
the Pointsec service start Properties window:
1. Select the Log On tab on the Pointsec service start Properties window.
2. Select This account: and enter a valid Windows domain and username in
the format Domain\Username, for example
Domain_A\Run_P4PC_service.
3. Enter a valid Windows password, confirm it and click OK:
Figure 10-19
Note - If you define the Windows account and password in this way, the
account is automatically assigned Log on as a service rights, which are
required to run the service. See the other requirements below.
The Windows user account can also be defined via User Accounts in the
Control Panel.
General Requirements
On the Local PC
• The logged-on user account requires List, Read, Write, Execute, Modify
and Delete permissions to the local Pointsec program folder, generally:
C:\Program Files\Pointsec.
• The logged-on user account requires full permissions to the Pointsec
registry items on the client PC, generally:
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec.
• The account configured as the Pointsec Service Start service requires
List, Read, Write, Execute and Modify permissions to the local
Pointsec program folder, generally: C:\Program Files\Pointsec.
• The account configured as the Pointsec Service Start service must be a
member of the Administrator group on the local PC.
• The account configured as the Pointsec Service Start service requires full
permissions to the Pointsec registry items on the client PC, generally:
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec.
On the Network share
• The user account logging on to the local client PC requires no
permissions on the network share once the service is configured.
• The account configured as Pointsec Service Start requires full control to
the network share.
What does the Pointsec Service Start Service Do?
Once the Pointsec Service Start service is configured, it handles:
• Creation of the recovery file
• Download of update profiles placed in the update path
• Download of system upgrade packages (patch files)
Limitations
Computer-specific Update Profile Folder
A computer-specific update profile folder is not created in the update
profile path, since this is not done via the Pointsec Service Start service
but by a process running in the user context (currently).
Note - If the folder is created manually, it will be used as normal.
Example of Setup
The following is an example of the setup:
1. Create a domain-wide account (hereafter called ServiceAccount) that all
client PCs within the organization can use (e.g., added to the Power
Users on each machine via GPO). This account also needs to be
present on the local machines with the permissions described above.
2. Create a network share and assign full permission on the share,
including sub-folders and content to the ServiceAccount. Other
permissions can be set as desired.
3. Install Pointsec PC.
4. Set the Pointsec Service Start service to log on with the
ServiceAccount.
If configured correctly, the creation of recovery file, download of
update profiles and download of software upgrades is now performed
via the account assigned to the Pointsec Service Start service.
Note - If you are installing by means of an install profile, the Pointsec
Service Start service can be configured prior to rebooting the system
when completing the installation.
Doing so should avoid a possible -2 error when logging on (caused by
limited permissions for the logged-on user to the recovery folder).
Upgrade from Pointsec 4.x/5.x Installations
During upgrade from Pointsec PC 4.x/5.x, the 4.x/5.x version of the
Pointsec Service Start Service is removed; and information about the
account configured to run the service is lost. The service must therefore
be reconfigured in order to function correctly.
Chapter 11
Pointsec PC Logging Functionality
Pointsec PC can create and store event logs in a central log file that can be made
available to a central management point of access. Pointsec PC also maintains local
log files on each Pointsec PC-protected local machine.
Note - Ensure that you use a reliable time source to set clients’ internal clocks so
that the audit trail from multiple clients will contain synchronized time stamps.
Pointsec PC events are logged in one or more of the following:
• Local event database
• Local log file
• Central log file(s)
• Windows Event Log (if enabled)
The Local Event Database
Pointsec PC logs information about events such as login attempts, status of encryption
and time of each update to the configuration. This information is saved as log events
in the local event database. These log events comprise an audit trail of Pointsec PC
activities on the local computer.
Pointsec PC stores up to 255 events in the local event database. This information is
scrambled and cannot be viewed in a text editor. It can, however, be viewed
immediately after preboot authentication by clicking Show Log in the Logon Successful
window:
Figure 11-1
The contents of the local event database can also be viewed by clicking
View Local Log under Local in the PCMC; see below.
The Local Log File
The contents of the local event database are transferred to the local log
file by the PC tray application (PTray.exe) each time a user logs on to
Windows.
The local log file (Windows 2000 and XP) is stored locally in the directory
C:\Documents and Settings\All Users\Application
Data\Pointsec\Pointsec for PC. Note that the Application
Data\Pointsec\Pointsec for PC directories are hidden.
The local log file (Windows Vista) is stored locally in the directory
C:\Users\All Users\Pointsec\Pointsec for PC.
The local log filename is composed of the computer name and the file
extension .log. For example, if the computer name is DEV-PC.024, the
local log file on this computer will be DEV-PC.024.log.
The following events are logged directly to the local log file and are
therefore never found in the internal log database:
• 101 Account status
• 1010 Configuration setting changed
• 1100 Profile setting changed
Thus, these events cannot be viewed immediately after preboot
authentication or by clicking View Local Log under Local in the PCMC.
The Central Log File
The central log file is a network folder to which local log files are copied.
The central log file is located in the directory specified in Local → System
Settings → Install → Set Central Log Path.
If the central log path has been specified, the Pointsec PC tray application
(PTray.exe) transfers the local log file to the directory in that path each
time one of the following happens:
• A user logs on to Windows
The tray application calls the CentralLog.exe program, which copies
the local log file to the specified directory.
• The CentralLog.exe program is executed
Each time the CentralLog.exe program executes, it first transfers all
new log events from the local log database (which contains a maximum
of 255 events) to the local log file. Then it transfers all new log events
in the local log file to the central log file, and simultaneously to the
Windows Event Log.
The interval for log transfers can be set in the UpdateInterval registry
value. See the table below for default values.
The following registry values relevant to the transfer are found in:
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec
Table 11-1 Registry settings (Setting: Description)
UpdateInterval: Time interval in minutes between each transfer.
Default = 180.
ExtendedLogging: 1 = Account status events will be included in the data
transferred in each execution of the program (corresponds to
CentralLog.exe /dump). 0 = No account status events will be included in
the data transferred in each execution of the program. Default = 0.
LogTransfer: 1 = Events will also be transferred to the Windows Event
Log. 0 = Events will not be transferred to the Windows Event Log.
Default = 1.
Note - To view the central log file, you must have system administrator
privileges or the corresponding privileges under Vista.
Manually Transferring the Local Log File to
the Central Log File
To run the CentralLog.exe program manually:
1. Do one of the following:
• Run CentralLog.exe and transfer the local log file to the central
log file.
• Run CentralLog.exe /dump, copy the user account status
information to the local log file, and then transfer the local log file
(which now contains the user account status) to the central log file.
The manual execution can be customized using the registry values
described above. When you run the CentralLog.exe program manually,
you might need to run it more than once depending on how much data is
to be transferred from the local log file.
Timestamps and the Windows Event Log
Note that the date and timestamp of an event viewed in the Windows
Event Viewer might differ from the date and timestamp of that event in the
local log file. This is possible because events are reported to the
Pointsec PC logs and to the Windows Event Viewer via different
independent interfaces. Events logged in preboot are not replicated in the
Windows Event Log until the next Windows session, while events logged
while operating in Windows are written directly to the Windows Event Log
and thus can have an earlier time than that of corresponding events in the
local log file.
Exporting Logs
For information on exporting logs, see Appendix H, “The pslogexp.exe Log
Export Utility”.
Note - To view the central log file, you must have system administrator
privileges.
Viewing a Local Log File
To view local Pointsec PC log files:
1. Start the Pointsec PC Management Console (PCMC) and select Local in
the folder tree.
2. Click View Local Log Database:
Figure 11-2
The local log is displayed:
Figure 11-3
In the Filter for Description Text field, you can specify the criteria that
will determine which events are displayed.
You can make various selections and review additional events that
Pointsec PC has logged. All log information is always available; these
selections merely filter what you choose to display or print.
Chapter 12: Remote Help
Pointsec PC users may be denied access to their workstations for a number of reasons.
For example, they might have entered an incorrect password too many times or
forgotten their password or, in a worst case scenario, a hacker may have tried to break
into their workstation.
Pointsec PC Remote Help is designed to assist users in these types of situations. All a
user has to do is call his/her designated Remote Help administrator and follow the
Remote Help procedure.
Implementing a Remote Help Procedure
Companies and organizations implement Remote Help procedures to suit their
individual needs and resources. One method of implementing Remote Help is as
follows:
• Create designated administrator account(s) for Remote Help. The number of
  accounts you should create depends on your organization.
• Once you have created the accounts, assign them to the people who will run
  the Remote Help procedure.
• Inform users who they should call when they need Remote Help.
• For Remote Help to function, both the user account of the Remote-Help
  provider and of the Remote-Help recipient must exist on the computer.
• The Remote-Help provider’s group authority level must be equal to or
  higher than the group authority level of the Remote-Help recipient.
Table 12-1 Remote Help settings
Provide ‘Remote Password Change’
  Set whether or not the account(s) are allowed to provide Remote
  Password Change for other user accounts.
  For a user account to be able to provide Remote Help, this option
  must also be selected in both the client system settings and the
  user account properties.
Provide ‘One-Time Logon’
  Set whether or not the account(s) are allowed to provide One-Time
  Logon for other user accounts.
  For a user account to be able to provide Remote Help, this option
  must also be selected in both the client system settings and the
  user account properties.
Receive ‘Remote Password Change’
  Set whether or not the account(s) are allowed to receive Remote
  Password Change.
  For a user account to be able to receive Remote Help, this option
  must also be selected in both the client system settings and the
  user account properties.
Receive ‘One-Time Logon’
  Set whether or not the account(s) are allowed to receive One-Time
  Logon.
  For a user account to be able to receive Remote Help, this option
  must also be selected in both the client system settings and the
  user account properties.
Response Format
  Select whether to use Numeric or Alphanumeric format for the response
  in Remote Help.
Types of Remote Help
Pointsec PC provides two types of Remote Help for users who are denied
access to their workstations:
• Remote Password Change
  For users who use fixed passwords and have forgotten them. This type
  of Remote Help is of no use to users who use either a dynamic token
  or smart card/USB token for authentication.
• One-Time Logon
  For users who have forgotten or lost their dynamic tokens or smart
  card/USB tokens.
Note - When Remote Help is used to authenticate a Pointsec PC user
account that uses single sign-on (SSO), the recorded SSO credentials
for that user account are invalidated. This is to prevent Remote Help
administrators from leveraging SSO to ‘impersonate’ a user.
Verifying Users
Before you provide Remote Help to a user, you must be sure that the user
is actually authorized to access the workstation. You can do this in a
number of ways, for example:
• Use predetermined questions and answers that only legitimate users
  know
  Keep a list of sample questions to ask, such as the user’s name and
  favorite color, wife's maiden name, brand of car, etc. Some of the
  questions could have randomized, fixed answers; for example, when
  asked about his/her favorite pet, the user could answer clouds instead
  of cat.
  Store the questions and answers in a separate database that is
  accessible to all Remote Help administrators.
• Use voice verification software
  Use security software to extract unique vocal characteristics of the
  caller and compare them with the Pointsec PC user’s reference
  voiceprint.
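One way to keep the question-and-answer database called for above, as an added example that is not Pointsec PC code or part of this guide: the store keeps only salted PBKDF2 hashes of the normalised answers, so a copied database does not expose the answers themselves, and an administrator must collect a chosen number of correct answers before proceeding. The user name, questions and answers are constructed; the hashing and the required-answers threshold are this example’s own design choices.

```python
"""Verification store for predetermined Remote Help questions and answers.

Added example, not Pointsec PC code. Answers are normalised, then stored
as salted PBKDF2 hashes, so the database can be shared with every Remote
Help administrator without revealing the answers. All names, questions
and answers are constructed.
"""
import hashlib
import os
import random
import secrets


def normalise(answer: str) -> str:
    """Case, surrounding whitespace and repeated spaces do not matter over the phone."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)


class VerificationStore:
    """user -> list of (question, salt, answer_hash); no plaintext answers kept."""

    def __init__(self):
        self._records = {}

    def enrol(self, user: str, qa_pairs) -> None:
        records = []
        for question, answer in qa_pairs:
            salt = os.urandom(16)                # per-answer salt
            records.append((question, salt, hash_answer(answer, salt)))
        self._records[user] = records

    def questions_for(self, user: str, count: int) -> list:
        """Pick a random subset so the helper does not always ask the same questions."""
        questions = [q for q, _, _ in self._records[user]]
        return random.SystemRandom().sample(questions, count)

    def verify(self, user: str, answers: dict, required: int) -> bool:
        """True only if at least `required` of the supplied answers are correct."""
        if user not in self._records:
            return False                         # an unknown user never verifies
        correct = 0
        for question, salt, digest in self._records[user]:
            given = answers.get(question)
            if given is not None and secrets.compare_digest(digest, hash_answer(given, salt)):
                correct += 1
        return correct >= required


def build_store() -> VerificationStore:
    """Constructed records for one user, using the kinds of questions the guide suggests."""
    store = VerificationStore()
    store.enrol("user1", [
        ("Favourite colour?", "Blue"),
        ("Favourite pet?", "clouds"),   # randomised fixed answer, as the guide suggests
        ("Brand of car?", "Saab"),
    ])
    return store


def demo() -> dict:
    store = build_store()
    return {
        "legitimate": store.verify("user1", {"Favourite colour?": "  BLUE ",
                                             "Favourite pet?": "clouds"}, required=2),
        "one_wrong": store.verify("user1", {"Favourite colour?": "blue",
                                            "Favourite pet?": "cat"}, required=2),
        "unknown_user": store.verify("user2", {"Favourite colour?": "blue"}, required=1),
    }


if __name__ == "__main__":
    print(demo())
```

Because the hashes are salted per answer, two users who chose the same answer produce different records, and the comparison is constant-time so the verification path leaks nothing about how close a wrong answer was.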
Providing Remote Help
The following section describes how to access the Remote Help screen and
how to help users change fixed passwords and give one-time access to
workstations.
To provide Remote Help:
1. Verify the user who needs Remote Help is legitimate. See “Verifying
Users” on page 173 for details.
2. Using an account with Remote Help privileges, start the Pointsec PC
Management Console and open the Remote Help screen:
Figure 12-1
3. Enter the following information:
Table 12-2 Remote Help screen information
Type of end-user assistance to be provided
  Select the type of Remote Help the user needs:
  • One-Time Logon: if the user does not have access to their dynamic
    token or smart card/USB token.
  • Remote password change: if the user has forgotten their password.
End-User Account Name
  Enter the name of the end-user account.
Helper Account Name
  Enter the name of the account you are using to provide Remote Help.
Generate Response One to end user
  1. Click Generate to generate Response One.
  2. Read Response One to the user, who enters it in the Response field.
  3. Tell the user to press the TAB key to generate a challenge.
Type of helper authentication
  Select the type of authentication used by the account you are using to
  provide Remote Help:
  • Password: for a fixed password.
  • Dynamic Token: for a dynamic token or smart card/USB token.
Response One
  This is the first response you read to the user.
Challenge from end user
  Enter the challenge the user receives from Pointsec PC after entering
  Response One and pressing the TAB key.
Helper Password
  Enter the fixed password or dynamically generated password for the
  account you are using to provide Remote Help.
Generate Response Two to end user
  1. Click Generate to generate Response Two.
  2. Read Response Two to the user, who enters it in the Response field.
  3. Tell the user to click OK.
Response Two
  This is the second response you read to the user.
The user will now be forced to set a new password or will be given
one-time access to the workstation, depending on the type of Remote
Help you have provided.
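The exchange in Table 12-2, modelled end to end as an added example; this is not Pointsec PC’s own code, and the guide does not describe the product’s algorithm, response length or encoding, so HMAC-SHA256, PBKDF2, eight-character responses and every account name, password and machine identifier below are assumptions. What the model does show is why the guide’s preconditions exist: the preboot side verifies Response Two with the helper account’s own credential, which is why both accounts must exist on the computer, and it refuses a helper whose authority level is below the recipient’s.

```python
"""Model of the Remote Help exchange in Table 12-2. Added example, not
Pointsec PC code: the product's algorithm, response length and encoding are
not on this page, so HMAC-SHA256, PBKDF2, 8-character responses and every
name, password and identifier below are assumptions."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHANUM = string.ascii_uppercase + string.digits
RESPONSE_LEN = 8   # assumed length of each spoken response


def encode(raw: bytes, fmt: str) -> str:
    """Render bytes in the configured Response Format (Numeric or Alphanumeric)."""
    if fmt == "numeric":
        return "".join(str(b % 10) for b in raw[:RESPONSE_LEN])
    if fmt == "alphanumeric":
        return "".join(ALPHANUM[b % len(ALPHANUM)] for b in raw[:RESPONSE_LEN])
    raise ValueError(f"unknown response format {fmt!r}")


def derive_secret(password: str, machine_id: bytes) -> bytes:
    """Per-machine key derived from an account's fixed password (assumed derivation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), machine_id, 10_000)


def mac(key: bytes, msg: str, fmt: str) -> str:
    return encode(hmac.new(key, msg.encode(), hashlib.sha256).digest(), fmt)


@dataclass
class Account:
    name: str
    authority: int              # group authority level
    secret: bytes
    provide_help: bool = False  # the Provide ... settings in Table 12-1
    receive_help: bool = False  # the Receive ... settings in Table 12-1


class Workstation:
    """Preboot side: holds every account on the computer, so it can verify the helper."""

    def __init__(self, machine_id: bytes, accounts, fmt: str):
        self.machine_id, self.fmt = machine_id, fmt
        self.accounts = {a.name: a for a in accounts}
        self._pending = None

    def enter_response_one(self, user: str, helper: str, response_one: str) -> str:
        """User types Response One and presses TAB; preboot displays a challenge."""
        u, h = self.accounts.get(user), self.accounts.get(helper)
        if u is None or h is None:
            raise PermissionError("recipient and helper accounts must both exist here")
        if not (u.receive_help and h.provide_help):
            raise PermissionError("Remote Help not enabled for this account pair")
        if h.authority < u.authority:
            raise PermissionError("helper authority must not be below the recipient's")
        nonce = secrets.token_bytes(8)   # makes every challenge single-use
        challenge = mac(self.machine_id, response_one + nonce.hex(), self.fmt)
        self._pending = (helper, challenge)
        return challenge

    def enter_response_two(self, response_two: str, help_type: str) -> str:
        """User types Response Two and clicks OK; preboot checks it with the helper's key."""
        helper, challenge = self._pending
        self._pending = None
        expected = mac(self.accounts[helper].secret, challenge, self.fmt)
        if not hmac.compare_digest(expected, response_two):
            return "denied"
        return {"one-time-logon": "one-time access granted",
                "password-change": "new fixed password required"}[help_type]


def run_exchange(ws, helper_pw, user, helper, help_type, misread=False) -> str:
    """One phone exchange with the helper side (PCMC screen) inlined; `misread` = typo."""
    r1 = encode(secrets.token_bytes(RESPONSE_LEN), ws.fmt)                # Generate Response One
    challenge = ws.enter_response_one(user, helper, r1)                     # user presses TAB
    r2 = mac(derive_secret(helper_pw, ws.machine_id), challenge, ws.fmt)   # Generate Response Two
    if misread:
        r2 = r2[:-1] + ("0" if r2[-1] != "0" else "1")
    return ws.enter_response_two(r2, help_type)                             # user clicks OK


def demo(fmt: str = "numeric") -> dict:
    mid = b"constructed-machine-id"
    ws = Workstation(mid, [
        Account("user1", 1, derive_secret("user-pw", mid), receive_help=True),
        Account("helpdesk", 3, derive_secret("helper-pw", mid), provide_help=True),
        Account("junior", 0, derive_secret("junior-pw", mid), provide_help=True)], fmt)
    out = {"otl": run_exchange(ws, "helper-pw", "user1", "helpdesk", "one-time-logon"),
           "rpc": run_exchange(ws, "helper-pw", "user1", "helpdesk", "password-change"),
           "misread": run_exchange(ws, "helper-pw", "user1", "helpdesk", "one-time-logon", True)}
    try:   # a helper whose authority level is below the recipient's is refused
        run_exchange(ws, "junior-pw", "user1", "junior", "one-time-logon")
        out["low_authority"] = "allowed"
    except PermissionError:
        out["low_authority"] = "refused"
    return out
```

The nonce folded into the challenge is what makes a Response Two useless for any later call, and the Numeric or Alphanumeric choice only changes how the same MAC is read out, not what is verified.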
Chapter 13: Pointsec PC Utilities
This chapter describes the various Pointsec PC administration utilities available.
Pointsec PC Password Synchronization
Using Pointsec PC’s password synchronization, you can synchronize Windows and
Pointsec PC passwords with each other. The two synchronization settings you can
choose from are:
• The Windows password is set as the password to be used for Pointsec PC preboot
  authentication. Once synchronized, changing the Windows password will
  automatically change the Pointsec PC password to the new Windows password.
• The password used for Pointsec PC preboot authentication is set as the password
  to be used for Windows authentication. Once synchronized, changing the
  Pointsec PC password will automatically change the Windows password to the new
  Pointsec PC password.
See “Password Synchronization Settings” on page 59 for details on how this is done in
the PCMC.
Password synchronization is associated with only the first user account that is used to
log on to Windows after rebooting the workstation. Password synchronization
functionality is not supported for third-party solutions.
Note - Password synchronization must be inactivated in a Common
Criteria validated environment.
Synchronizing Using the Windows Password for Authentication in Pointsec PC Preboot
To synchronize and use the Windows password for authentication in
Pointsec PC preboot, the value of the Synchronize Windows Password to
Preboot setting must be Yes. This setting can be found under Local →
Groups or User Accounts → System → Group Settings → Password
Synchronization.
Synchronization takes place the first time the user logs on to Windows (see
below), and then the passwords are checked at every subsequent logon
until the value of this setting is set to No.
Example 1 - Different Passwords
Let us look at an example: In this example User1’s Pointsec PC and
Windows passwords are different:
• Windows password XyZ123
• Pointsec PC password XyZ1234
Synchronize Windows Password to Preboot has been set to Yes for User1.
User1 starts the computer and logs on to Pointsec PC with XyZ1234.
Windows starts, and User1 logs on to Windows with XyZ123.
Because the passwords differ, the following window is displayed:
Figure 13-1
User1 enters the Pointsec PC password, XyZ1234, and clicks OK.
Password synchronization is confirmed:
Figure 13-2
When User1 logs on to Pointsec PC again, the password XyZ123 is used.
Until the Windows password is changed, User1’s Windows password, XyZ123,
will be used to log on to Pointsec PC.
Example 2 - Identical Passwords
Let us look at another example. In this example User1’s Pointsec PC and
Windows passwords are the same, but User1 changes the Windows
password:
• Windows password XyZ123
• Pointsec PC password XyZ123
Synchronize Windows Password to Preboot has been set to Yes for User1.
User1 starts the computer and logs on to Pointsec PC with XyZ123.
Windows starts, and User1 logs on to Windows with XyZ123.
User1 presses Ctrl+Alt+Delete and changes the Windows password to
AbC456.
Pointsec PC confirms that its password has been successfully changed.
The next time User1 logs on to Pointsec PC, the password AbC456 must
be used.
Synchronizing Using the Pointsec PC Preboot Authentication Password for Authentication in Windows
To synchronize the passwords so that the Pointsec PC preboot
authentication password is also used for Windows authentication, the
value of the Synchronize Preboot Password to Windows setting must be Yes.
This setting can be found under Local → Groups or User Accounts → System →
Group Settings → Password Synchronization.
Synchronization takes place the first time the user logs on to Windows (see
below), and then the passwords are checked at every subsequent logon
until the value of this setting is set to No. Once the passwords are
synchronized, changing the Pointsec PC password will automatically
change the Windows password to the new Pointsec PC password. Note that
the Synchronize Preboot Password to Windows setting applies only to password
changes made in Pointsec PC preboot authentication; it does not apply to
changes to the Pointsec PC password via PCMC, the Pointsec PC tray, or
an update profile.
Note - If you must reset a user’s password and the user’s passwords are
synchronized, you must reset both passwords.
When password synchronization is deployed, Pointsec PC stores domain
and user account names. The next time a password change is
requested, the user and domain account names are compared with the
stored user and domain account names.
This means that if the user logs out of Windows and a different
Windows account is used to log on again, the passwords will not be
synchronized.
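The two worked examples above and the account-binding rule, replayed by an added model that is not Pointsec PC code (the product’s own credential handling is not shown on this page). It reproduces the stated rules: the Windows-to-preboot direction asks the user to confirm the Pointsec PC password before replacing it (Figure 13-1), a Windows password change is followed by preboot only for the account that logged on first after the reboot, and only a preboot-initiated change propagates to Windows. The domain and the second account name are constructed; the passwords are the guide’s.

```python
"""State model of the password synchronization rules described above.

Added example, not Pointsec PC code; the product's own credential handling
is not shown on this page. Domain, account and password values are the
guide's examples or constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AccountId = Tuple[str, str]   # (domain, user)


@dataclass
class SyncModel:
    preboot_pw: str
    windows_pws: Dict[AccountId, str]
    windows_to_preboot: bool = False   # "Synchronize Windows Password to Preboot"
    preboot_to_windows: bool = False   # "Synchronize Preboot Password to Windows"
    bound: Optional[AccountId] = None  # first Windows account to log on after reboot

    def reboot(self) -> None:
        self.bound = None   # the next Windows logon binds synchronization again

    def preboot_logon(self, pw: str) -> bool:
        return pw == self.preboot_pw

    def windows_logon(self, domain: str, user: str, pw: str,
                      confirmed_preboot_pw: Optional[str] = None) -> str:
        acct = (domain, user)
        if self.windows_pws.get(acct) != pw:
            return "windows logon failed"
        if self.bound is None:
            self.bound = acct   # stored domain and user name for later comparison
        if not self.windows_to_preboot or acct != self.bound:
            return "logged on, no sync"
        if pw == self.preboot_pw:
            return "logged on, already in sync"
        # Figure 13-1: the user must supply the current Pointsec PC password first
        if confirmed_preboot_pw != self.preboot_pw:
            return "prompted for Pointsec PC password"
        self.preboot_pw = pw
        return "logged on, preboot password synchronized"

    def change_windows_password(self, domain: str, user: str, new_pw: str) -> str:
        """Ctrl+Alt+Delete password change in Windows."""
        self.windows_pws[(domain, user)] = new_pw
        if self.windows_to_preboot and (domain, user) == self.bound:
            self.preboot_pw = new_pw
            return "windows changed, preboot followed"
        return "windows changed, preboot unchanged"

    def change_preboot_password(self, new_pw: str, via: str = "preboot") -> str:
        """Only a change made in preboot propagates; PCMC, tray or profile changes do not."""
        self.preboot_pw = new_pw
        if self.preboot_to_windows and via == "preboot" and self.bound is not None:
            self.windows_pws[self.bound] = new_pw
            return "preboot changed, windows followed"
        return "preboot changed, windows unchanged"


def example_1() -> dict:
    """Example 1: Windows XyZ123, Pointsec PC XyZ1234."""
    m = SyncModel("XyZ1234", {("CORP", "User1"): "XyZ123"}, windows_to_preboot=True)
    r = {"preboot": m.preboot_logon("XyZ1234")}
    r["prompt"] = m.windows_logon("CORP", "User1", "XyZ123")
    r["confirm"] = m.windows_logon("CORP", "User1", "XyZ123", confirmed_preboot_pw="XyZ1234")
    m.reboot()
    r["next_preboot"] = m.preboot_logon("XyZ123")   # the Windows password is now used
    return r


def example_2() -> dict:
    """Example 2: identical passwords, then Windows password changed to AbC456."""
    m = SyncModel("XyZ123", {("CORP", "User1"): "XyZ123"}, windows_to_preboot=True)
    m.windows_logon("CORP", "User1", "XyZ123")
    r = {"change": m.change_windows_password("CORP", "User1", "AbC456")}
    m.reboot()
    r["next_preboot"] = m.preboot_logon("AbC456")
    return r


def other_account_and_preboot_rules() -> dict:
    """A second Windows account does not sync; only preboot-made changes reach Windows."""
    m = SyncModel("XyZ123", {("CORP", "User1"): "XyZ123", ("CORP", "User2"): "Pw2"},
                  windows_to_preboot=True, preboot_to_windows=True)
    m.windows_logon("CORP", "User1", "XyZ123")
    return {"user2": m.change_windows_password("CORP", "User2", "Pw3"),
            "via_preboot": m.change_preboot_password("NewPw1", via="preboot"),
            "via_pcmc": m.change_preboot_password("NewPw2", via="pcmc"),
            "windows_now": m.windows_pws[("CORP", "User1")]}
```

The `via` argument is the part worth keeping in mind operationally: a password reset made through PCMC or an update profile leaves the Windows password untouched, which is exactly why the note above says both passwords must be reset when the accounts are synchronized.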
Windows Password Complexity Requirements
Pointsec PC Wake-on-LAN (WOL)
Using Wake-on-LAN (WOL) network cards with security software that
enforces authentication early in the boot process is often not possible,
since it does not allow the operating system to start.
Pointsec PC supports the use of WOL network cards and can be set to start
the system in WOL mode. This allows the operating system to start and
remote updates to be performed.
Setting up WOL
You set up WOL in the PCMC.
Note - You cannot extend authority (see “Extending Authority” on
page 14) when WOL mode is active.
The Wake-on-LAN settings are located under System Settings → Wake on
LAN:
Figure 13-3
For a description of the Wake-on-LAN settings, see “Wake-on-LAN
Settings” on page 30.
WOL Logon Example
The following is an example of working with Pointsec PC WOL. In this
example, the WOL boot time delay is set to 30 seconds and the number of
permitted WOL logons is five.
1. The Pointsec PC profile is deployed to the Pointsec PC-protected
computer and the WOL settings are implemented.
2. The computer is booted in Pre-Boot Authentication and the
Pointsec PC logon dialog box is displayed for 30 seconds.
3. WOL logs on and boots the machine. The WOL logon process is now
started and WOL will log on as many times as specified in the profile.
4. The computer is rebooted and the Pointsec PC logon dialog box is
displayed for 30 seconds. WOL logs on and boots the computer.
5. The computer is rebooted and the Pointsec PC logon dialog box is
displayed for 30 seconds. WOL logs on and boots the computer.
6. The computer is rebooted and the Pointsec PC logon dialog box is
displayed for 30 seconds. WOL logs on and boots the computer.
7. The computer is rebooted and the Pointsec PC logon dialog box is
displayed for 30 seconds. WOL logs on and boots the computer.
8. The computer is rebooted. Now, all the WOL logons specified have
been used and WOL is disabled on the computer.
Note - If a user logs on to the computer when WOL is activated,
Pointsec PC will deactivate WOL and no WOL logons will be performed.
You must deploy a new profile in order to activate WOL again.
Pointsec PC Windows Integrated Logon (WIL)
The Windows Integrated Logon (WIL) function enables users to log on
without preboot authentication.
Settings
You set up WIL in the PCMC; the WIL settings are located under System
Settings → Windows Integrated Logon.
For a description of the WIL settings, see “Windows Integrated Logon
Settings” on page 32.
Security Features on WIL-enabled Computers
To increase security when this function is enabled, a number of security
features are available in Pointsec PC. These features ensure that:
• The computer has not been moved from the network
• The hard drive has not been tampered with
• The hard drive has not been moved to another computer.
If the system detects any indications of the three issues above, WIL is
disabled automatically, the computer reboots, and the user must
authenticate in preboot.
The security features which can be enabled together with WIL are:
• Network Locational Awareness
  If this feature is enabled, the system pings a defined number of IP
  addresses during boot to make sure that the client is connected to the
  correct network. If these IP addresses do not answer, WIL is disabled
  automatically, the computer reboots and the user must authenticate in
  preboot.
  Note - All of the defined IP addresses must fail to answer for WIL to be
  disabled. As long as one of the IP addresses answers, WIL will continue
  to be enabled.
• Hardware Hash
  If this feature is enabled, the system generates a hardware hash from,
  among other things, IDs found on the hard drive and on the CPU at
  every start-up. If the hash is correct, the hard drive has not been
  removed and re-inserted into another computer. If the hash is found to
  be incorrect, WIL is disabled automatically, the computer reboots, and
  the user must authenticate in preboot.
• Max Failed Windows Logon Attempts
  When this feature is enabled, WIL is disabled automatically after the
  specified number of failed logon attempts; the computer will then
  reboot and the user must authenticate in preboot.
Note - The Max Failed Windows Logon Attempts feature is not
supported in Windows Vista.
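The three checks above as one decision function, an added example and not Pointsec PC code. The guide states the rules but not the implementation, so the probe addresses, ping results, hardware identifiers and the SHA-256 construction of the hardware hash are constructed stand-ins; the point is the all-addresses-must-fail semantics of Network Locational Awareness and the fact that any single failing check disables WIL.

```python
"""Decision logic for the WIL security features described above.

Added example, not Pointsec PC code. The guide states the three rules but
not their implementation; the probe addresses, hardware identifiers and
SHA-256 hash construction below are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class WilPolicy:
    probe_addresses: Tuple[str, ...] = ()            # Network Locational Awareness targets
    expected_hardware_hash: Optional[str] = None     # Hardware Hash; None = feature off
    max_failed_logons: Optional[int] = None          # Max Failed Windows Logon Attempts


def hardware_hash(disk_id: str, cpu_id: str) -> str:
    """Binds the drive to the computer: a moved drive or a new CPU changes it."""
    return hashlib.sha256(f"{disk_id}|{cpu_id}".encode()).hexdigest()


def evaluate_wil(policy: WilPolicy, ping_results: Dict[str, bool],
                 disk_id: str, cpu_id: str, failed_logons: int) -> Tuple[bool, List[str]]:
    """Return (wil_stays_enabled, reasons). Any reason disables WIL, after
    which the product reboots into preboot authentication."""
    reasons: List[str] = []
    if policy.probe_addresses:
        # All defined addresses must fail; a single answer keeps WIL enabled.
        if not any(ping_results.get(ip, False) for ip in policy.probe_addresses):
            reasons.append("no defined IP address answered: computer may be off-network")
    if policy.expected_hardware_hash is not None:
        if hardware_hash(disk_id, cpu_id) != policy.expected_hardware_hash:
            reasons.append("hardware hash mismatch: drive moved or hardware changed")
    if policy.max_failed_logons is not None and failed_logons >= policy.max_failed_logons:
        reasons.append(f"{failed_logons} failed Windows logon attempts")
    return (not reasons, reasons)


# Constructed baseline for one computer.
BASE_DISK, BASE_CPU = "DISK-SN-0001", "CPU-ID-ABCD"
POLICY = WilPolicy(probe_addresses=("10.0.0.1", "10.0.0.2"),
                   expected_hardware_hash=hardware_hash(BASE_DISK, BASE_CPU),
                   max_failed_logons=3)


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed boot-time observations and the resulting WIL decision."""
    return {
        "on_network": evaluate_wil(POLICY, {"10.0.0.1": False, "10.0.0.2": True},
                                   BASE_DISK, BASE_CPU, 0),
        "off_network": evaluate_wil(POLICY, {"10.0.0.1": False, "10.0.0.2": False},
                                    BASE_DISK, BASE_CPU, 0),
        "moved_drive": evaluate_wil(POLICY, {"10.0.0.1": True}, BASE_DISK, "CPU-ID-FFFF", 0),
        "failed_logons": evaluate_wil(POLICY, {"10.0.0.1": True}, BASE_DISK, BASE_CPU, 3),
    }


if __name__ == "__main__":
    for name, (enabled, why) in scenarios().items():
        print(f"{name}: WIL {'stays enabled' if enabled else 'disabled'} {why}")
```

Because the hash baseline is captured from the current disk and CPU identifiers, the administrator note above follows directly: a BIOS or hardware change must be preceded by disabling WIL so the new baseline is recorded when WIL is re-enabled.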
User Perspective on WIL
From the user perspective it is important to remember three things:
• If the user removes his WIL-enabled computer from the network, WIL
  will be disabled at the next boot, and the user will have to log on.
• Adding hardware devices to a WIL-enabled computer may be
  considered as tampering with the computer, and WIL will then be
  automatically disabled.
• Starting Windows in safe mode is not possible if Network Locational
  Awareness is enabled.
Administrator Perspective on WIL
From the administrator perspective, the following is worth noting when
working with WIL-enabled computers:
• If you use the Hardware Hash feature, you should disable WIL before
  upgrading BIOS firmware and/or replacing hardware. When enabling
  WIL after the upgrade, the hardware hash will match the new
  configuration.
• If you enable the security features together with WIL, you should set
  up a Pointsec PC user account which the users can log in with if WIL
  is automatically disabled for some reason. An alternative is to display
  an instruction under the “PPBE Failure message” saying that the user
  should call Help Desk if they get the Pointsec PC preboot screen due to
  one of the security features.
Pointsec PC in Multi-language Environments
The following sections explain the Pointsec PC language options.
Language Support
Users can select from a number of supported languages to use in the
Graphical User Interface (GUI). See Appendix E, “Language Packs” for
information on supported languages.
Changing the Language Used
To change the language used in PCMC:
1. Right-click the Pointsec PC icon in the screen tray and select Choose
Language:
Figure 13-4
The language in Pointsec Admin is changed immediately. The language
used in the Pointsec tray program will change to the language you
select the next time the program is restarted.
Support for Multi-language Keyboards
See Appendix F, “Keyboard Layouts” for information on supported
keyboards.
Switching Keyboard Layouts
To switch keyboard layouts:
1. At pre-boot authentication, press left shift + alt.
2. Click the Pointsec PC icon in preboot.
Pointsec PC installs the same keyboard layouts as Windows installs.
Single Sign-On (SSO)
With SSO enabled for a Pointsec PC user account, the user can log on to
Pointsec PC and automatically be authenticated by other access control
systems.
About SSO
After enabling SSO for a Pointsec PC user account on a computer,
Pointsec PC must learn the account’s network credentials. This is done at
first logon by selecting the Enable Single Sign On option on the Pointsec PC
logon screen.
At this logon, the user logs on to the network as usual. Pointsec PC then
stores this information securely and uses it on subsequent logons where
SSO has been enabled. When the option is not selected no credentials are
passed to the network, allowing for the use of a different network account.
It should be noted that when SSO has been turned off, no network
credentials will be recorded or used, and the previous credentials will
continue to be stored. When SSO is then turned back on, those previous
credentials will be used again. After SSO has been turned back on, there
is a Record New Credentials option available on the SSO screen. By
selecting this option, the user can enter new network credentials at the
logon. This can be used for any changes, such as a different domain or
NDS Tree.
Note - When Remote Help is used to authenticate a user account that
uses single sign-on (SSO), the recorded SSO credentials for that user
account are invalidated. This is to prevent a Remote Help administrator
from leveraging SSO to ‘impersonate’ a user.
SSO and Password Changes
Periodically, it will be necessary to change the account’s network
password. Pointsec PC will look for Change Password dialog boxes to record
the changes. When a Change Password dialog box is opened, Pointsec PC
will input the old password into the corresponding field and then record
what is entered into the new password field. At the next reboot, SSO will
work as usual, as the new password has already been stored.
Entrust SSO
After implementing Entrust SSO on a computer, Pointsec PC must learn
the Entrust profile name. This is used to signify the name of the Entrust
account that will be used.
A requirement of the Entrust SSO implementation is that the Pointsec PC
password and the Entrust password be the same.
Once SSO has been implemented, an Enable Single Sign On option is
displayed on the Pointsec PC logon screen. Selecting this option will use
the stored Entrust profile to log on to Entrust. When the option is not
selected, Entrust logon is manual.
It should be noted that when SSO has been turned off, no Entrust
credentials will be recorded or used and the previous credentials will
continue to be stored. When SSO is then turned back on, those previous
credentials will be used again. After SSO has been turned back on, there
is a Record New Credentials option on the SSO screen. By selecting this
option, the user can enter a new Entrust profile at the logon.
Note - The user will also need to request help for Entrust before logging
on. Otherwise, the account will be locked again.
Note - If there is any conflict between the Entrust and Pointsec PC user
password settings, SSO will not work. The Pointsec PC password must
be exactly the same as the Entrust password for Pointsec PC/Entrust
SSO to work.
Entrust Profile Revocation
Entrust SSO will lock a Pointsec PC user account if the corresponding
Entrust profile has been revoked. In this case, when the computer boots,
the profile will be checked before the Windows logon is activated. If the
Entrust user has been revoked the Pointsec PC user will be locked, and the
computer will be automatically rebooted. At this point, the user will not be
able to access the computer without Remote Help.
To ensure that Pointsec PC acts on the revocation, you need to configure
the Active Directory (AD) server as described below. Use the ADSIEdit
extension to the Microsoft Management Console (MMC) (For more
information, see
http://computerperformance.co.uk/w2k3/utilities/adsi_edit.htm).
Once the active directory server has been configured, Pointsec will be
notified of the revocation of Entrust profiles. When Pointsec PC encounters
such a notification of revocation, when the user account authenticates to
Pointsec PC the following occurs:
• The message “Your Pointsec account has been locked due to a
  revoked Entrust profile” is displayed
• Authentication to Windows is denied
• The event is logged.
Configuring the Active Directory Server
To configure the active directory server, follow the three steps described
below:
• “Setting the dsHeuristic Attribute” on page 187
• “Setting up ANONYMOUS LOGON” on page 188
• “Enabling Issue Updated CRLs on the Entrust Server” on page 188
Setting the dsHeuristic Attribute
First, set the dsHeuristic attribute by following these directions:
1. Connect to Configuration.
2. Browse to CN=Configuration → CN=Services → CN=Windows NT →
CN=Directory Service.
3. Select Properties for CN=Directory Service.
4. Set the dsHeuristic attribute to 0000002 (Allow anonymous clients to
perform any operation that is permitted by the access control list
[ACL]). Because this attribute lives in the Configuration partition, the
setting applies to the whole forest, not to a single domain controller.
For more information, see
http://support.microsoft.com/default.aspx?scid=kb;en-us;326690.
Figure 13-5
Setting up ANONYMOUS LOGON
Next, do the following to set up anonymous logon:
1. Connect to Configuration.
2. Browse to CN=Configuration → CN=Services → CN=Public Key Services →
CN=AIA.
3. Select Properties for CN=AIA.
4. Select the Security tab.
5. Add ANONYMOUS LOGON and go to its Advanced properties.
6. Edit Permission Entries, making sure that the following are checked: List
Contents, Read All Properties, Read Permissions.
7. Apply to This object and all child objects.
Figure 13-6
Enabling Issue Updated CRLs on the Entrust Server
Finally, enable Issue Updated CRLs in the Entrust Security Manager
Administration.
Windows Smart Card
Pointsec PC supports SSO for accounts that use Windows smart cards for
authentication. Once enabled for the Pointsec user account, all the user
has to do is enter their smart card PIN when prompted. Pointsec PC stores
the PIN securely and allows the user access to the computer once the user
has been successfully authenticated by Pointsec PC.
Enabling SSO
Single Sign-On (SSO) is a useful tool when users need to remember many
passwords, but it can be a security hole. If a Pointsec PC password is
compromised, SSO will allow access to the network resources associated
with the user account.
Note - SSO should never be enabled for Pointsec PC administrators or
Pointsec PC system administrators due to their domain administration
accounts and/or their high privilege access to domain resources.
Pointsec PC Single Sign-On settings are found under Group Settings and
under Account Settings:
Figure 13-7
To enable SSO:
1. In the Single Sign-On area, select from the following options:
Table 13-1
Enable SSO
  SSO is enabled with Windows. User names and passwords will be stored
  and passed on to the network logon prompt.
  Once the account user has been successfully authenticated by
  Pointsec PC, he/she will not need to be authenticated by Windows.
Entrust SSO
  SSO is enabled with Entrust.
  Pointsec PC saves the path to the Entrust profile used. The password
  used is the Pointsec PC password, and must be the same as the Entrust
  password for Entrust SSO to work.
  Once the account user has been successfully authenticated by
  Pointsec PC, he/she will not need to be authenticated by Entrust.
Smart Card Triggers Windows SSO Logon
  SSO is enabled for accounts that use Windows smart card
  authentication.
  The first time the user logs on, Pointsec PC prompts for the Windows
  smart card PIN and stores it securely. All the account user needs to do
  at the next logon is to be successfully authenticated by Pointsec PC.
2. Close PCMC for the settings to take effect.
The next time the user account logs on, Pointsec PC informs the user
that it will record the user's account name and password for future
authentication. Now, the user only needs to enter his/her Pointsec PC
details when starting up the PC.
Chapter 14: Removing Pointsec PC
You can remove Pointsec PC by:
• Creating and deploying an uninstall profile, which allows for easy removal from
  many computers; see “Uninstall Profiles” on page 191
• Using Add/Remove Programs; see “Windows Add/Remove Programs” on page 194
• Allowing a user to remove Pointsec PC and decrypt their computer using Remote
  Help; see Chapter 12, “Remote Help”.
Uninstall Profiles
The following sections explain how to create and deploy an uninstall profile.
Creating an Uninstall Profile
An uninstall profile enables you to remotely remove Pointsec PC from multiple
machines within your organization without having to visit each machine.
You can use an uninstall profile in a variety of scenarios, for example:
• an employee is no longer with the company
• a machine needs to change its operating system from Windows 98 to Windows
  2000
• an employee is traveling to a country where strong disk encryption is illegal
To create an uninstall profile:
1. Open PCMC and click the Remote button.
2. Click New Profile to launch the profile wizard, click Next and select Set Accounting,
and click Next:
Figure 14-1
3. Select Uninstall, click Next and enter the profile name. Click Next and
then Finish.
4. Enter the user account name and password of the first user account
that is authorized to uninstall Pointsec PC and click OK:
Figure 14-2
5. Enter the user account name and password of the second user account
that is authorized to uninstall Pointsec PC and click OK:
Figure 14-3
The uninstallation profile is created:
Figure 14-4
Configuring Uninstall Profiles
Deploying an Uninstall Profile
Note - If you want to deploy an uninstall profile directly after installing
Pointsec PC, check first that the installation and encryption process is
complete. An uninstall profile can only be deployed when Pointsec PC
is fully installed on the computer.
The logged-on user account on the computer from which you want to
remove Pointsec PC must have read and execute permissions to the
Publish directory.
The logged-on account must also have access to all volumes on the
computer in order to remove Pointsec PC.
Once you have configured the uninstall profile, you are ready to deploy it.
To deploy an uninstall profile:
1. Simply move the uninstall profile from wherever it is stored to the
Publish directory you have specified.
Note - When the PC has finished the decryption process, it will no
longer be protected.
Windows Add/Remove Programs
You can use Windows Add/Remove Programs to remove Pointsec PC.
When Windows Add/Remove is used, one Pointsec PC administrator or
system administrator and one Pointsec PC user (who could also be an
administrator), both with the right to remove Pointsec PC, must be
authenticated before the removal process can start. This ensures that users
cannot remove Pointsec PC.
To remove Pointsec PC using the Windows Add/Remove Program:
1. On the Windows Add/Remove Programs menu, select Pointsec PC and
click Add/Remove. The following dialog box opens:
Figure 14-5
2. Click Yes and the following dialog box opens. Enter the user account
name and password of the first user account that is authorized to
uninstall Pointsec PC and click Next:
Figure 14-6
3. Enter the user account name and password of the second user account
that is authorized to uninstall Pointsec PC:
Figure 14-7
4. Click Next. The following dialog box opens, displaying the volumes
protected by Pointsec PC:
Figure 14-8
5. Select a volume from which you want to remove Pointsec PC and click
the > button to move it to the Volumes to Uninstall window. Repeat this
procedure until the required volumes are in the list for uninstallation.
6. Click Next.
Note - Select all volumes to decrypt. Leaving one volume encrypted
might leave some information inaccessible. Also, if any volumes are to
be left encrypted, the volume containing the operating system must
also remain encrypted.
7. When the message stating that the computer must be restarted for the
process to be completed is displayed, click OK.
When the computer has restarted and logon is successful, background
decryption will start in Windows. When this is completed and the
computer has been restarted, boot protection and Pointsec Admin will
be removed.
Chapter 15: Recovery, Repair and Bootable Media
This chapter discusses recovering information that is encrypted, repairing master boot
records and reviewing hard disk information. It also explains how to boot from media
other than floppy disks.
The Pointsec PC Recovery File
Pointsec PC stores the recovery file locally in the directory C:\Documents and
Settings\All Users\Application Data\Pointsec. By default, all users have full
permissions to this directory. If you experience problems writing or accessing the
recovery file, ensure that the default permissions have not been changed. Pointsec PC
transfers the recovery file from C:\Documents and Settings\All Users\Application
Data\Pointsec to the directory specified in the PCMC under Local → Edit Settings →
Pointsec PC → System Settings → Install → Set Recovery Path.
If the Recovery File Path is not Found
If no valid recovery path can be found when Pointsec PC is trying to write to the
recovery file, the following error message will be displayed:
“The path to the recovery file is not accessible. This is OK if you are working off line
and it will reset when connected to your regular network. Otherwise, please contact
your administrator or technical support for more information.”
If you receive this message, encryption will not start until Pointsec PC has
ascertained that it will be possible to carry out a recovery later. Until then,
the PC will be left unprotected.
Recovery and the Pointsec PC Version on the Client
In most cases, the administrator (or other user account performing
recovery) has the same version of Pointsec PC as the version installed on
the client to be recovered. When this is the case, recovery can be
performed via two methods, described below.
Otherwise, when creating recovery media, for example when performing
‘stand-alone’ recovery, ensure that you use the Volume Recovery Utility for
the version of Pointsec PC that is installed on the client you want to
recover. All versions of the utility are available in the 1_Pointsec for
PC\Tools\Reco_img directory on the installation CD-ROM. In this directory
you will find a folder for each release; each folder contains the correct
utility and files for creation of recovery media for that release.
Recovery via the Start menu
To perform recovery via the Start menu:
1. From the Start menu, select Pointsec.
2. Select Pointsec PC and then Create Recovery Disk.
Recovery from the PCMC
See “Creating a Recovery Disk from the PCMC” on page 199 for details.
Note - In Vista, you will not be able to open the recovery file, from
which you create recovery media, if the Recovery Path in the configuration
set is specified as a mapped network drive and you are trying to create
the media from the PCMC. Specify the Recovery Path in UNC format:
\\<server>\<share>\.... Alternatively, execute Create Recovery Media
from the Start menu.
Creating a Recovery Disk from the PCMC
Using the Recovery Utility, you can create a recovery disk containing
recovery, review and repair options on a floppy disk or removable media.
Note - The removable media option is only available if the Recovery
Utility detects that supported removable media is available on the
system.
Note - If you must perform a forced removal of Pointsec PC before
encryption has started, create a generic recovery floppy disk by
executing reco_img.exe, which is in the Tools directory.
To create a recovery disk:
1. On the Pointsec PC system administrator’s workstation, click Remote.
2. Under Recovery, click Create Recovery Media:
Figure 15-1
The Recovery wizard opens:
Figure 15-2
3. Choose either Find recovery file via a configuration set or Browse file system
for recovery file. In the example below we select the former:
Figure 15-3
4. Select the set that contains the recovery file from Available Configuration
Sets, and click Next:
Figure 15-4
5. Select the recovery file from Available Recovery Files, and click Next:
Figure 15-5
6. Click Finish to launch the recovery tool for the recovery file displayed in
the Finish Recovery Wizard:
Figure 15-6
Note - Whatever medium you choose for the recovery disk, it must be
properly formatted. Any information saved on the medium will be
destroyed.
It is also possible to use a recovery disk, from a floppy or removable
media, to create a CD-ROM containing many recovery and repair
options. For details, see “Creating a Recovery CD-ROM” on page 201.
Creating a Recovery CD-ROM
If a computer can only boot from a CD-ROM, you can write its recovery
disk to a CD-ROM using standard CD burning software.
Note - When running the recovery program any changes you make to
settings, for example language and keyboard settings, will not be saved
on the CD-ROM.
To create a recovery CD-ROM:
1. For the workstation that needs recovery or repair, create a recovery disk
on a floppy disk or removable media. See “Creating a Recovery Disk
from the PCMC” on page 199 for instructions.
2. Using CD burning software, create a bootable CD-ROM based on the
recovery disk. Refer to your CD burning software’s documentation for
information on creating a bootable CD-ROM.
3. Ensure that the workstation is configured to boot from the CD drive.
Insert the CD-ROM and reboot the workstation to access the recovery
and repair information on the CD-ROM.
Note - CD-ROMs containing recovery information must be handled
securely. Only create them when required and ensure that they are
securely destroyed when no longer needed.
Recovering Information
Occasionally you might need to recover information that is stored
encrypted. This requires authentication similar to that required in normal
preboot.
Note - When using a USB device to store the recovery disk, the USB
device may be recognized as the first physical device. If this happens,
the recovery program will consider the device to be the first hard disk
and display the encrypted volumes (in the PVR file) as non-encrypted.
To work around this, use option 8 in the Recovery menu to choose the
correct physical device.
Note - Floppy disks and other removable media containing recovery
information must be handled securely. Only create them when required
and ensure that they are securely destroyed when no longer needed.
Using Slave Drive Functionality to Recover Information
There are circumstances under which you need to access information on
the hard disk of a Pointsec PC-protected machine and do not want to
access this information by performing a recovery, for example if you need
to access a disk for forensic reasons or because a failure of the operating
system makes it impossible to retrieve data on a disk. In such cases you
can use Pointsec PC’s slave drive functionality.
A slave drive is a hard drive taken from one machine and installed (with
the jumpers correctly set) on another machine, the master machine.
The slave drive functionality enables you to take a hard drive from a
Pointsec PC-protected machine and, on another Pointsec PC-protected
machine, unlock it in preboot and then access the information on that disk
in Windows.
Slave drive functionality requires that both the slave drive and the master
machine have been encrypted with the same algorithm.
The machine from which the hard drive is taken must have the Allow the
Hard Drive To Be Slaved setting set to Yes, and the master machine must
have the Allow Slave Hard Drive setting set to Yes. These settings can be
seen in the following screen image:
Figure 15-7
Accessing a Slave Drive
The following is a typical example of how to access a slave drive:
1. As administrator, attach to your computer (now the master computer)
an encrypted drive from a client that allows slaving. Before
authenticating, be sure that the BIOS has located the slave drive. If it
has not, you will not be able to continue.
2. Start the master computer with the attached slave drive and complete
the Pointsec PC preboot authentication.
Immediately after the successful preboot authentication, a slaving
authentication window is displayed. The authentication window and its
background are in grayscale to distinguish it from the other
authentication windows. The slave drive authentication uses the user
account name and fixed password, dynamic token or smart card
required by the slave drive. The slave drive authentication window is
displayed for approximately 30 seconds, after which it disappears if no
action has been taken. After each action, for example, a keystroke, the
timer is reset and starts counting down again.
Note - Press Esc at any time to exit authentication.
3. After successful logon to the slave drive, proceed or cancel. The logon
to the slave drive is logged on the master machine.
If you do not cancel, Windows starts and the drive is mounted as a
Windows drive. It can now be accessed in Windows.
Authenticating
Authentication with fixed passwords and dynamic tokens is supported.
Authentication with smart cards is also supported, but the master machine
must contain the smart card drivers required to authenticate the slave
drive.
Compatibility of Drives
Because of differences in the way different BIOSs handle disks,
Pointsec PC slave-drive functionality currently supports only slave drives of
the same drive type as that of the master machine (IDE, SATA or SCSI).
Slave Drive Integrity
Settings and user accounts, etc., on the slave drive cannot be changed
locally. Changes to settings and user accounts on the local machine via
profiles will not affect the slave drive.
Wake-on-LAN
Wake-on-LAN is supported on the master machine, but you will not be able
to access the slave drive via Wake-on-LAN.
Windows Integrated Logon
When a slave drive is connected to a master machine, authentication on
the master machine is required even though Windows Integrated Logon is
enabled in the Pointsec PC settings for this machine. Authentication on
the slave drive is always required. If the slave drive is removed from the
master machine and Windows Integrated Logon is enabled on that
machine, Windows Integrated Logon will again be active.
Remote Help
One-time Logon
One-time logon is supported on both the master machine and the slave
drive, but the user account and password of both the slave drive user and
the helper must be on the slave drive for one-time logon to work.
Remote Password Change
Remote password change is supported on the master machine but not on
the slave drive.
Recovery
The slave drive must be removed before performing recovery on the master
machine.
Hibernation
Hibernation is supported on the master machine, but you must
authenticate on the slave drive. The slave drive may not be attached to a
hibernated machine. If a slave drive is to be connected to a master
machine, the master machine must be shut down instead of hibernated.
Uninstalling
Do not uninstall Pointsec PC from a master machine; remove the slave
drive before uninstalling.
Booting from Alternative Media
Using Pointsec PC’s alternative boot media menu, you can boot from
media other than floppy disks. This is useful if, for example, the PC you
are working on does not have a floppy disk drive.
Accessing the Alternative Boot Media Menu
The options displayed in the alternative boot menu depend on what the
BIOS of the machine supports and the hardware that is currently installed.
Therefore, the fact that an option is listed does not mean it is supported
by Pointsec PC.
To access the alternative boot media menu:
1. When the PC reboots and the User Identification dialog box is displayed,
press CTRL + F10.
2. Enter your user account name and password, and press Enter.
Pointsec PC displays the Alternative Boot Menu. Depending on the
PC’s BIOS and hardware some or all of the following options, or other
options, are displayed:
Table 15-1  Examples of Alternative Boot Menu options

Number  Option              Boot using:
0       Floppy              Standard floppy. This option is always displayed,
                            even if no floppy disk drive is available.
1       Harddrive           Integrated Drive Electronics (IDE) hard disk – not
                            SCSI.
2       CD/DVD-ROM          CD/DVD-ROM.
3       [network adaptor]   Network adaptor, which can launch the Preboot
                            Execution Environment (PXE). This enables the
                            computer to boot via a network resource without
                            requiring an installed operating system.
4       BIOS IPL devices    Initial Program Load (IPL) device. This can be
                            virtually any device that has the ability to load
                            and execute an operating system. This includes
                            floppy drives, hard drives and CD-ROM drives.
5       Windows PE          Microsoft Windows Preinstallation Environment (PE).
                            This option is always displayed last, and it is
                            displayed even if Windows PE is not available.
3. Enter the option number of the media you want to boot from and press
Enter. Pointsec PC boots using the media you have selected.
Appendix A
Being Authenticated by Pointsec PC
This appendix discusses how end-users use fixed passwords, dynamic
tokens and smart cards/USB tokens to authenticate themselves in order to
access their Pointsec PC-protected computer.
Note - Pointsec PC administrators should distribute this information, as
deemed appropriate, to end-users before users access their
Pointsec PC-protected computers for the first time.
About Authentication
Being authenticated means being verified by Pointsec PC as someone who
is authorized to use a specific computer. When you switch on or restart a
Pointsec PC-protected computer, the User Identification dialog box opens:
Figure A-1
Here you must enter a valid username and password. Pointsec PC verifies
that you are authorized to access the computer and allows the computer to
start.
Navigating
You can use a mouse to navigate in the Pointsec PC user identification
boxes and select options.
You can also move around in the dialog boxes by pressing TAB and ENTER,
and you can select options using the space bar.
Ensuring that your Computer has not been Tampered with
Before authenticating yourself, you should always press CTRL+ALT+DEL to
restart your computer. This guarantees that your computer is tamper-free
and that your username and password cannot be hijacked.
Being Authenticated for the First Time
The following sections explain how to access a Pointsec PC-protected
computer as a new user.
The first time Pointsec PC authenticates you, you must use a temporary
username and password. Once you have successfully entered the name and
password, Pointsec PC prompts you to change them to the username and
password you will use in the future.
Using a Fixed Password
A fixed password is a private string of characters, known only to you and
Pointsec PC, which you use each time you want to access the computer.
Note - Your Pointsec PC administrator will tell you which username and
password to use the first time you access the Pointsec PC-protected
computer.
To authenticate yourself using a fixed password:
1. Start your Pointsec PC-protected computer. The User Identification
dialog box opens:
Figure A-2
2. To ensure that your computer has not been tampered with, press
CTRL+ALT+DEL. Your computer restarts and Pointsec PC re-displays the
User Identification dialog box.
3. In the Username field, enter the username you received from your
administrator and press the TAB key to move to the Password field:
Figure A-3
4. Enter the password you received from your administrator and click OK.
Pointsec PC confirms that you have entered a valid username and
password:
Figure A-4
5. Click OK to close the message box. The following dialog box opens:
Figure A-5
6. Enter your username and click OK. The following dialog box opens:
Figure A-6
7. Enter and confirm the password you want to use and click OK.
Pointsec PC confirms that you have successfully accessed the
computer for the first time using your Pointsec credentials:
Figure A-7
8. Click Continue to close the dialog box. Pointsec PC now allows Windows
to start.
Using a Dynamic Token
A dynamic token is a password you generate using a password token every
time you want to be authenticated by Pointsec PC.
Note - Your Pointsec PC administrator will provide you with a dynamic
token, the information you need to use it, and a username.
To authenticate yourself using a dynamic token:
1. Start your Pointsec PC-protected computer. The User Identification
dialog box opens:
Figure A-8
2. To ensure that your computer has not been tampered with, press
CTRL+ALT+DEL. Your computer restarts and Pointsec PC re-displays the
User Identification dialog box.
3. In the Username field, enter the username you received from your
administrator and press TAB.
Pointsec PC recognizes that you will be using a dynamic token to
authenticate yourself and displays the following dialog box:
Figure A-9
4. In the dynamic token, enter the Pointsec PC challenge to generate a
response. Enter the response in the Response field and click OK.
Pointsec PC confirms that you have successfully accessed the
computer for the first time using your Pointsec credentials:
Figure A-10
5. Click Continue to close the dialog box. Pointsec PC now allows your
computer to start.
Using a Smart Card/USB Token
Smart cards and USB tokens store passwords. To be authenticated by
Pointsec PC, you must connect the card or token to the computer and
enter a valid card or token PIN.
Note - Your Pointsec PC administrator will supply you with your smart
card/USB token, the information you need to use it and a temporary
username and password to use the first time you access the
Pointsec PC-protected computer.
Ensure that your smart card/USB token is connected to your computer
before you start to authenticate yourself.
To authenticate yourself using a smart card/USB token:
1. Start your Pointsec PC-protected computer. The User Identification
dialog box opens:
Figure A-11
2. To ensure that your computer has not been tampered with, press
CTRL+ALT+DEL. Your computer restarts and Pointsec PC re-displays the
User Identification dialog box.
3. In the User account name field, enter the temporary user account name
you received from your administrator and press the TAB key to move to
the Password field:
Figure A-12
4. Enter the password you received from your administrator and click OK.
Pointsec PC confirms that you have entered a valid user account name
and password:
Figure A-13
5. Click OK to close the message box. The following dialog box opens:
Figure A-14
6. Enter your new user account name and click OK.
7. Pointsec PC recognizes that you have a user account that uses a smart
card for authentication. It confirms that this is the first time you are
logging on with the new user account name. The following dialog box is
displayed:
Figure A-15
8. Click Continue. The following dialog box is displayed:
Figure A-16
9. Select the certificate you want to use and click OK. Pointsec PC
confirms your selection of a certificate:
Figure A-17
10. Click OK. The following dialog box is displayed:
Figure A-18
11. Enter your PIN and click OK.
Figure A-19
Note - Regardless of the keyboard layout used, we recommend that you
use smart card PINs that are comprised only of ASCII characters:
!"#$%&'()*+,-./ 0123456789:;<=>?@
ABCDEFGHIJKLMNOPQRSTUVWXYZ
[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
The space character is also an ASCII character.
12. Pointsec PC communicates with the smart card and performs
authentication:
Figure A-20
13. Click OK.
Synchronizing Passwords
If your Pointsec PC password is synchronized with your Windows password,
you can use your Windows password to authenticate yourself to
Pointsec PC.
To synchronize passwords:
1. Authenticate yourself as usual to Pointsec PC and Windows. The
following dialog box opens:
Figure A-21
2. Enter your Pointsec PC password and click OK. The following dialog box
opens:
Figure A-22
3. Click OK. From now on, use your Windows password when
authenticating yourself to Pointsec PC.
Note - Whenever you change your Pointsec PC password or your
Windows password, Pointsec PC automatically synchronizes the
passwords again.
What if I forget my password?
If you forget your password, you can use Pointsec PC's Remote Password
Change option.
To change your password:
1. Start your Pointsec PC-protected computer. The User Identification
dialog box opens:
Figure A-23
2. Enter your username and select Remote Help. The following dialog box
opens:
Figure A-24
3. Call your Pointsec PC administrator or helpdesk to guide you through
the password change process.
What if I don't have access to my token/smart card?
If you do not have access to your dynamic token or smart card, you can
use Pointsec PC's One-time logon option.
To use the One-time logon option:
1. Start your Pointsec PC-protected computer. The User Identification
dialog box opens:
Figure A-25
2. Enter your username and select Remote Help. The following dialog box
opens:
Figure A-26
3. Call your Pointsec PC administrator or helpdesk to guide you through
the one-time logon process.
Pointsec PC Single Sign-on (SSO)
SSO automatically logs you onto Windows once you have been
authenticated by Pointsec PC.
Note - Your Pointsec PC administrator decides if you will have access to
SSO.
To enable SSO:
1. Authenticate yourself as usual, for example:
Figure A-27
Tip - If you do not want to use SSO, deselect the SSO Active option.
2. Click OK.
Appendix B
Status Information When Exported to File
The information reflecting the status of an installation can be exported to
a file. The fields in such a file whose meanings might not be clear are
described in the table below. A sample status export file is also listed
below, see “Sample Export Status File” on page 222.
Table B-1

Item                 Explanation
Autologon            0 = Windows Integrated Logon is not enabled.
                     1 = Windows Integrated Logon is enabled.
Disk Number          A zero-based index of the hard drives on this computer.
Volume Number        A zero-based index of the volumes on this computer.
Source Algorithm     The algorithm that is currently in use. It can be one of
                     the following values:
                     • AES
                     • 3DES
                     • Blowfish 56/256 bits
                     • CAST
                     • None
                     • Invalid Key
Destination          If this algorithm is different from the source algorithm,
Algorithm            the driver is currently encrypting/decrypting in the
                     background. It can be one of the following values:
                     • AES
                     • 3DES
                     • Blowfish 56/256 bits
                     • CAST
                     • None
                     • Invalid Key
Volume State         Indicates the state of the volume or the encryption action
                     currently being carried out. It can have one of the
                     following values:
                     • 0 = Unencrypted
                     • 1 = Encrypting
                     • 2 = Decrypting
                     • 3 = Encrypted
                     • 4 = Reencrypting
                     • 255 = Missing
Current State Value  Indicates the current state of the volume encryption; it
                     can have one of the following values:
                     • 0-100 = % completed
                     • 101 = Internal error
                     • 102 = Internal error
                     • 255 = Completed
Sample Export Status File
Status
-----
Misc
---
System ID:b3b393261b4906bac15c29077ad1793c
Version:6.2.0
Driver:5.0 sr1.1
Update Password:0
Wake On LAN:0
Autologon:0
User:ADMIN
Management Console User:
Config
-----
Last Local Configuration Change:
Last Profile Configuration Change:
Recovery
-------
Last Recovery File Update:2007-05-30 12:32:13+02:00
Last Recovery File Delivery:2007-05-30 12:32:13+02:00
Logfile
------
Last Log File Update:2007-05-30 12:32:13+02:00
Last Log File Delivery:2007-05-30 12:32:13+02:00
Encryption
---------
Disk Number:0
Volume Number:0
Source Algorithm:AES
Destination Algorithm:AES
Volume State:3
Current State Value:255
Disk Number:1
Volume Number:1
Source Algorithm:AES
Destination Algorithm:AES
Volume State:3
Current State Value:255
Disk Number:1
Volume Number:2
Source Algorithm:AES
Destination Algorithm:AES
Volume State:3
Current State Value:255
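The following added example (not part of the Pointsec PC product or this guide) parses an export in the format shown above and applies the Table B-1 code tables to flag volumes that are not fully encrypted, report an internal error, or are not heading for the expected algorithm. The export it embeds is constructed for the example, with a placeholder System ID, so that one volume is still encrypting and one reports an internal error.

```python
"""Check a Pointsec PC status export (Appendix B format) for volumes whose
protection is incomplete. Added example, not Pointsec PC code; the embedded
export is constructed for the example and its System ID is a placeholder."""

# Volume State codes from Table B-1.
VOLUME_STATE = {
    0: "Unencrypted",
    1: "Encrypting",
    2: "Decrypting",
    3: "Encrypted",
    4: "Reencrypting",
    255: "Missing",
}

# Constructed sample: volume 0 is fully encrypted, volume 1 is still being
# encrypted (None -> AES, 42% done) and volume 2 reports an internal error.
SAMPLE_EXPORT = """\
Status
------
Misc
----
System ID:00000000000000000000000000000000
Version:6.2.0
Driver:5.0 sr1.1
Autologon:1
User:ADMIN
Management Console User:
Encryption
----------
Disk Number:0
Volume Number:0
Source Algorithm:AES
Destination Algorithm:AES
Volume State:3
Current State Value:255
Disk Number:1
Volume Number:1
Source Algorithm:None
Destination Algorithm:AES
Volume State:1
Current State Value:42
Disk Number:1
Volume Number:2
Source Algorithm:AES
Destination Algorithm:AES
Volume State:3
Current State Value:101
"""


def describe_current_state(value):
    """Decode the Current State Value field (Table B-1)."""
    if 0 <= value <= 100:
        return f"{value}% completed"
    if value in (101, 102):
        return "Internal error"
    if value == 255:
        return "Completed"
    return f"Unknown ({value})"


def parse_status_export(text):
    """Split an export into (misc, volumes): misc holds the scalar Key:Value
    fields, volumes has one dict per 'Disk Number' ... 'Current State Value'
    group. Section names and dashed underlines carry no data and are skipped."""
    misc, volumes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.lstrip("-")            # tolerate an underline fused onto a line
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Disk Number":          # each disk/volume group starts here
            current = {}
            volumes.append(current)
        if current is not None:
            current[key] = value
        else:
            misc[key] = value
    return misc, volumes


def find_issues(misc, volumes, expected_algorithm="AES"):
    """Return the findings an administrator reviewing the export would act on."""
    issues = []
    if misc.get("Autologon") == "1":
        issues.append("Windows Integrated Logon is enabled (Autologon=1)")
    for vol in volumes:
        ident = f"disk {vol['Disk Number']} volume {vol['Volume Number']}"
        state = VOLUME_STATE.get(int(vol["Volume State"]), "Unknown")
        progress = describe_current_state(int(vol["Current State Value"]))
        src, dst = vol["Source Algorithm"], vol["Destination Algorithm"]
        if state != "Encrypted":
            issues.append(f"{ident}: {state} ({progress})")
        if progress == "Internal error":
            issues.append(f"{ident}: driver reports an internal error")
        # While a transition runs the source may differ; the destination
        # (and, once Encrypted, the source too) must be the expected algorithm.
        if dst != expected_algorithm or (state == "Encrypted" and src != dst):
            issues.append(f"{ident}: algorithm {src} -> {dst}, expected {expected_algorithm}")
    return issues
```

Running `find_issues(*parse_status_export(SAMPLE_EXPORT))` on the embedded sample returns three findings: the Autologon setting, the volume still encrypting and the volume with the internal error.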
Appendix C
Pointsec PC Permissions
This appendix describes the permissions Pointsec PC requires.
Permissions Overview
Table C-1  Permissions

Directory/Application    Admin  Install dir          Registry  Recovery dir    Profile dir        \System32       Update dir
Install                  Yes    -                    -         -               -                  -               -
Remove                   Yes    -                    -         -               -                  -               -
Uninstall profile        No     R,L,X,D,M,C,W        R         -               (R,L,D,M,C,W)¹     -               -
PCMC                     No     R,L,X                R         -               -                  -               -
Create recovery disk(s)  No     R,L,X                -         -               -                  -               -
Tray (Px2)               No     R,L,X,(D,M,C,W)²     F³        -               -                  -               -
Recovery                 No     R,L,X,D,M,C,W        R         R,L,X,D,M,C,W   -                  -               -
Central log              No     R,L,X,D,M,C,W        R         R,L,X,D,M,C,W   -                  -               -
PCMCUtil                 No     -                    R         -               R,L,(D,M,C,W)⁴     -               -
PS Control               No     -                    -         -               -                  R,L,X,D,M,C,W   -

R=Read, W=Write, L=List, X=Execute, M=Modify, D=Delete, C=Create.
A dash (-) means Not Applicable.
¹ Required to publish profiles.
² Required for Profile.dat.
³ Full access is required because the language setting for the Pointsec PC
Management Console (PCMC) is stored in the registry.
⁴ D, M, C and W are required for the creation of the Px2 directory.
Install
Install corresponds to performing an installation of Pointsec PC. This
requires that the user be logged in with Administrator permissions.
Remove
Remove corresponds to removing the Pointsec PC application via the
Windows Add/Remove Programs tool. This requires that the user be logged
in with Administrator permissions.
Uninstall Profile
Uninstall profile corresponds to removing the Pointsec PC protection of
volumes. In the Windows environment this process is handled by P95tray.
PCMC
PCMC corresponds to the executable file PointsecForPC. The application
normally does not require any permissions for the Profile directory, however
in order to publish profiles it requires the permissions specified in the
table above.
Create Recovery Disk(s)
Create recovery disk(s) corresponds to the executable file UseRec.
Tray (Px2)
Tray corresponds to the executable P95tray, which uses two other
executables for performing some actions. The required permissions for
these executables are presented in their own chapters.
Tray Recovery
Tray Recovery corresponds to the actions performed by the executable
CreRec. The permissions listed above are required by CreRec for the
C:\Documents and Settings\All Users\Application Data\Pointsec
directory and for the directory specified in the PCMC (under Local → Edit
Settings → Pointsec for PC → System Settings → Install → Set Recovery Path)
because CreRec writes the recovery file to these directories. If these
permissions are not granted, recovery file functionality will not work
properly.
Note that, by default, all users have full permissions for C:\Documents and
Settings\All Users\Application Data\Pointsec. If you experience
problems writing or accessing the recovery file, ensure that the default
permissions have not been changed.
Central Log
Central Log corresponds to the actions performed by the executable
CentralLog. CentralLog requires the permissions shown in the Pointsec install
dir and the Recovery dir since it writes log files to these directories. If these
permissions are not granted, the remote logging and Event viewer will not
receive new log events.
PCMCUtil
PCMCUtil corresponds to the actions performed by the tray using the DLL
PCMCUtil.dll. The DLL requires the permissions shown for the Profile
directory since it writes recovery and log files to that directory.
PS Control
PS Control corresponds to the actions performed by the executable
pscontrol. The executable requires the permissions shown for the Pointsec
install dir and the System32 directory in order to install Windows language
files.
Permissions: With Pointsec PC Service Start
Recommended Users
The table below describes which users are recommended to run
applications and perform specific tasks. X(O) denotes that this is the only
possible solution, and X(P) denotes that it is controlled by P4PC.
Table C-2
Recommended users for Service Start
User/Application
Administrator
Install
X(O)
Remove
X(O)
X
X
X(P)
Tray
Recovery
X(P)
Central log
X(P)
PS Control
User
X(P)
Uninstall profile
PCMC
Service Account
X
Required Permissions
The table below describes the required permissions for the recommended
setup above. Note that the Service account must be a member of the
Administrator group in order to run Service Start.
Table C-3  Required permissions for Service Start

Application/Directory       Admin            Normal User          Service Account
Computer Admin              X                N                    X
Pointsec Install directory  R,L,X,D,M,C,W    R,L,X,(D,M,C,W)²     R,L,X,D,M,C,W¹
Pointsec Registry           F                F                    F
Recovery directory          R,L,X            R,L,X                R,L,X,D,M,C,W
Profile directory           N                N                    R,L,X
System32                    R,L,X,D,M,C,W    R,L,X                R,L,X
Update directory            N                N                    R,L,X,C

¹ These permissions are required in order for Recovery and Log files to be
handled correctly (Profile.dat and possibly more files).
² Full control is required for updating the Language setting in the registry.
Permissions: Without Pointsec PC Service Start
If Pointsec Service Start is not used, the normal user requires the same
access permissions the Service account has (apart from being a member of
the Administrator group). In this case, all applications normally run via the
service are executed by the normal user.
Permissions: Remote Desktop
The permissions needed by Remote Desktop users on a
Pointsec PC-installed machine are those required by a locally logged-on
user: full permissions for Program Files → Pointsec and Pointsec PC registry
keys.
Windows User Account Registry Permissions
To install, upgrade, change language, and import profiles on a Windows
PC, a user account needs the following registry permissions: Query value,
Set value, Create subkey, Enumerate subkey, Notify, Create link, and Read
control.
In order to uninstall on a Windows PC, a user account needs the above
registry permissions plus Delete.
Appendix D
Language Support
This appendix describes the language support provided in Pointsec PC.
Languages in Pointsec PC are divided into the following two groups:
• Tier 1 languages:
English (UK and US), French, German, Japanese, Italian, and
Spanish.
• Tier 2 languages:
Chinese Simplified, Chinese Traditional, Czech, Danish, Dutch,
Estonian, Finnish, French Canadian, Greek, Hungarian, Icelandic,
Italian, Korean, Latvian, Lithuanian, Norwegian, Polish, Portuguese
(Brazilian), Portuguese (Iberian), Slovakian, Swedish, and Thai.
The two groups have different levels of support in Pointsec PC.
Support for Tier 1 Languages
Tier 1 languages are supported in the:
• Pointsec PC Management Console (PCMC)
• Windows environment (the logon dialog and the Pointsec PC tray
application)
• Pointsec PC Preboot Environment (PPBE).
The language must be installed and specified in the PCMC (System
Settings → Install → Select Language) or selected in the tray.
Support for Tier 2 Languages
Tier 2 languages are supported only in the:
• Windows environment (the logon dialog and the Pointsec PC tray
application)
• Pointsec PC Preboot Environment (PPBE).
They are not supported in the Pointsec PC Management Console
(PCMC).
The language must be installed and specified in the PCMC (System
Settings → Install → Select Language) or selected in the tray.
Which Language Is Displayed in the PCMC When Using a Tier 2
Language?
When using a tier 2 language, the language displayed in the PCMC is US
English, with the following exception: if French (Canadian) is used, French
is displayed in the PCMC.
Appendix E
Language Packs
The language packs listed in this appendix are delivered with Pointsec PC.
The default language pack is compliant with legacy releases of
Pointsec for PC. Language packs can be installed either before or after
installation.
For Language Pack 4 - Asia and Pacific (APAC) to function correctly, the
required Windows language support must be installed. Other languages, for
example Greek, can also require the installation of Windows language
support, depending on which version of Windows is installed.
Installing Language Packs
Language packs other than the default pack can be installed either before
or after the installation of Pointsec PC.
Before Installation of Pointsec PC
To install language packs before installing Pointsec PC:
1. Open the Language Pack folder.
2. Copy the LANGUAGE.LNG and the Plang32.lng file for the language
pack(s) you want to the directory that contains the Pointsec for
PC.msi file.
3. Proceed with the Pointsec PC installation.
After Installation of Pointsec PC
The PS Control command line utility is used for installing language packs
other than the default pack after the installation of Pointsec PC. The PS
Control program, pscontrol.exe, is found in the Pointsec PC folder, which
is located in the Pointsec folder under Program Files. For more information
on the PS Control program and details on using it to install language
packs, see Appendix G, “PS Control Command Line Utility”.
Language Packs
The tables below list the language packs delivered with Pointsec PC.
Legacy Language Pack (Default)
Table E-1 Legacy language pack
Languages in the Legacy (Default) Language Pack:
English - US
English - UK
Swedish
German
Spanish
French
Japanese
Slovak
2 - Americas
Table E-2 Americas language pack
Languages in Language Pack 2 - Americas:
English - US
English - UK
Canadian French
Spanish
Brazilian Portuguese
Iberian Portuguese
Dutch
3 - Scandinavian and Baltic
Table E-3 Scandinavian and Baltic language pack
Languages in Language Pack 3 - Scandinavia and Baltic:
English - US
Swedish
Finnish
Norwegian
Danish
Icelandic
Estonian
Latvian
Lithuanian
4 - Asia and Pacific (APAC)
Note that the relevant APAC language resources must be available in
Windows for an APAC language to function correctly in the Management
Console.
Table E-4 Asia and Pacific (APAC) language pack
Languages in Language Pack 4 - Asia and Pacific (APAC):
English - US
English - UK
Japanese
Simplified Chinese
Traditional Chinese
Korean
Thai
5 - Europe 1
Table E-5 Europe 1 language pack
Languages in Language Pack 5 - Europe 1:
Languages in Language Pack 5 - Europe 1
English - US
English - UK
German
French
Spanish
Italian
Greek
Dutch
Iberian Portuguese
6 - Europe 2
Table E-6 Europe 2 language pack
Languages in Language Pack 6 - Europe 2:
English - US
English - UK
Czech
Hungarian
Polish
Slovak
German
7 - All
Table E-7 All language pack
Languages in Language Pack 7 - All:
All languages in the above packs
Appendix F
Keyboard Layouts
This appendix presents the keyboard layouts supported by Pointsec PC.
Supported Keyboard Layouts
Pointsec PC supports the following keyboard layouts:
Table F-1 Supported keyboard layouts

Keyboard Layout                                          Locale Code
English (Canada)                                         0x1009
English (Ireland)                                        0x1809
English (United Kingdom)                                 0x0809
English (United States)                                  0x0409
French (Belgium)                                         0x080c
Danish (Denmark)                                         0x0406
Dutch (Belgium)                                          0x0813
Dutch (Netherlands)                                      0x0413
Estonian (Estonia)                                       0x0425
Finnish (Finland)                                        0x040b
French (France)                                          0x040c
French (Switzerland)                                     0x100c
German (Germany)                                         0x0407
German (Switzerland)                                     0x0807
Greek (Greece)                                           0x0408
Icelandic (Iceland)                                      0x040f
Italian (Italy)                                          0x0410
Japanese (Japan) (only Latin letters and symbols
  are supported)                                         0x0411
Latvian (Latvia)                                         0x0426
Lithuanian (Lithuania)                                   0x0427
Norwegian (Bokmål) (Norway)                              0x0414
Portuguese (Brazil)                                      0x0416
Portuguese (Portugal)                                    0x0816
Slovak (Slovakia)                                        0x041b
Spanish (Spain)                                          0x040a
Swedish (Sweden)                                         0x041d
Note - The keyboard layouts available in Windows can also be selected
in the Pointsec PC preboot environment by pressing ALT+Shift.
Appendix G
PS Control Command Line Utility
The PS Control command line utility is meant for administrators. An
administrator uses the utility to develop a script (for example, a .bat file)
that carries out certain tasks on a machine. The script can also be
deployed to carry out tasks on remote machines when users log on.
The PS Control command line utility can be used to manage drivers related
to smart cards, export the status information of a machine and install
language packs.
The PS Control program file, pscontrol.exe, is found in the Pointsec PC
folder, which is located in the Pointsec folder under Program Files.
Using the PS Control Utility
The PS Control utility is command based. Each command carries out only
one specific task, and only one command can be executed per call. The
format of the command is as follows:
pscontrol [option] <command>
where option and command can be any of those in the respective table
below.
Options
PS Control offers the following options:
Table G-1 PS Control utility options

Option   Description
-l       Write a log to <filename>.
-v       Be verbose.
Commands
The following commands can be executed using PS Control:
Table G-2 PS Control utility commands

install-driver <filename>
    Installs the driver whose filename is specified in the command. The
    driver must be registered in the Pointsec PC registry before it can be
    installed.
remove-driver <filename>
    Removes the driver whose filename is specified in the command. The
    driver must be unregistered before it can be removed.
list-drivers
    Displays a list of the drivers currently installed on this machine.
register-prd <filename>
    Registers the smart card reader driver whose .inf file is specified as
    the filename in the command. The driver must be registered in the
    Pointsec PC registry before it can be installed.
register-ptd <filename>
    Registers the smart card driver whose .inf file is specified as the
    filename in the command. The driver must be registered in the Pointsec
    PC registry before it can be installed.
unregister-prd <filename>
    Unregisters the smart card reader driver whose .inf file is specified
    as the filename in the command.
unregister-ptd <filename>
    Unregisters the smart card driver whose .inf file is specified as the
    filename in the command.
extract-prd <filename>
    Extracts the contents of the smart card reader driver registry and
    writes this information to the filename specified in the command.
extract-ptd <filename>
    Extracts the contents of the smart card driver registry and writes
    this information to the filename specified in the command.
install-pb-language <filename>
    Installs the preboot language file (LANGUAGE.LNG) whose filename is
    specified in the command.
install-win-language <filename>
    Installs the Windows language file (Plang32.lng) whose filename is
    specified in the command.
export-status <filename>
    Exports the status of the machine to <filename>. The file is in XML
    format.
Error Codes
The error codes in the table below are returned by the PS Control utility so
a script can determine whether it has completed successfully.
Table G-3 PS Control utility error codes

Code  Description
0     Operation successful.
1     An incorrect argument was specified in the pscontrol command.
2     Incorrect filename specified. Issued if the file cannot be opened,
      if the file does not exist in the registry (when installing a
      driver), or if the file format is incorrect.
3     A Pointsec PC installation cannot be found on this machine.
4     The operation terminated unexpectedly. This can happen when a
      read/write to the Pointsec PC system area fails, which indicates an
      error in the local installation of Pointsec PC or a corrupt local
      installation.
Examples of Using the PS Control Utility
Registering Drivers
C:\Program Files\Pointsec\Pointsec for PC>pscontrol -v register-ptd D:\Modules\ptd.inf
Connected to Pointsec 6.0.0 (2005-12-14 19:21:55 Build 1018).
Replacing section "RSA SecureID 800".
Replacing section "RSA Smart Card 5200".
Replacing section "RSA Smart Card 6100(eGate)".
Replacing section "Schlumberger Cyberflex e-Gate".
Replacing section "Schlumberger Cyberflex e-Gate 32K".
Replacing section "Schlumberger Cyberflex 32K".
Replacing section "Schlumberger Cyberflex 8K".
Replacing section "Aladdin eToken".
Installing a Driver
C:\Program Files\Pointsec\Pointsec for PC>pscontrol -v install-driver D:\Modules\msc_p11.bin
Connected to Pointsec 6.0.0 (2005-12-14 19:21:55 Build 1018).
Writing 285274 bytes...
Exporting Status Information
C:\Program Files\Pointsec\Pointsec for PC>pscontrol.exe export-status mystatus.xml
Executing query – STATUS
Creating output status file as 'mystatus.xml'
SUCCESS: Export complete
Smart Cards, Smart Card Readers and their Drivers
Pointsec PC 6.x supports authentication using smart cards. To authenticate
a user via a smart card, Pointsec PC must be able to communicate with
both the smart card and the smart card reader. This requires one driver for
communicating with the card and another driver for communicating with
the card reader. Note that smart cards that function as a combined card
and card reader unit (for example, the RSA SecureID 800) still require two
drivers, one for the card and one for the reader. Note also that some
drivers support more than one smart card or smart card reader.
Because smart cards from different manufacturers, and even different
models of smart cards from the same manufacturer, communicate
differently, Pointsec PC provides a variety of drivers. Pointsec PC
maintains a registry of the supported smart cards and smart card readers
(there are smart cards on the market that Pointsec PC does not support,
and no drivers for these smart cards are provided).
You use the PS Control command line utility to register smart cards and
smart card readers in the Pointsec PC registry and to unregister smart
cards and smart card readers in that registry. The utility also enables you
to install drivers on the Pointsec PC system after they have been
registered. Note that a driver must be registered before it can be installed.
This enables you to use smart cards and smart card readers that are
supported after the release of Pointsec PC.
Managing Smart Cards, Smart Card Readers and Drivers
Drivers supported by Pointsec PC at the time of delivery are provided on
the Pointsec PC CD. The drivers required to communicate with the smart
cards and smart card readers your enterprise uses must be installed on the
machines that will use this smart card authentication. The installation is
usually done by a script that executes PS Control commands.
Similarly, you can also remove a driver or unregister a driver via a script, as
well as list all the currently installed drivers, using PS Control.
Registering a Driver
To register a driver you must have an .inf file, which is usually delivered
together with the driver. The .inf file contains information about the driver
or drivers, for example identifying the driver or drivers and the hardware it
or they communicate with.
Note - The drivers on the Pointsec PC installation CD have already been
registered. Registration is required only for drivers that have not been
released together with the Pointsec PC package.
See “Registering Drivers” on page 241 for an example of using the PS
Control utility to register a driver.
Installing a Driver
See “Installing a Driver” on page 241 for an example of using the PS
Control utility to install a driver.
Removing a Driver
Use the remove-driver command to remove an installed driver (see
Table G-2). The driver must be unregistered, with unregister-prd or
unregister-ptd, before it can be removed.
Exporting a Machine’s Status Information
The PS Control utility can be used to export status information about a
specific machine. The information is exported in an XML file, which can
be input to a program that processes the status information.
See the following table for a description of tags in an export status file,
and see “Exporting Status Information” on page 242 for an example of
using the PS Control utility to export status information.
Export Status File
Description of Tags
The following table contains a description of the most significant tags in
the Export Status file. See “Sample Export Status File” on page 246 for
an example of the file.

Table G-4 Significant tags in the Export Status file

VERSION
    The version of Pointsec PC currently installed on the machine.
UPDPWD
    Specifies whether the update validation password has been set.
    0 = No, 1 = Yes.
WAKEONLAN
    Specifies whether Wake-on-LAN is enabled. 0 = No, 1 = Yes.
AUTOLOGON
    Specifies whether Windows Integrated Logon is enabled. 0 = No, 1 = Yes.
USER
    User account name of the user account currently logged on to this
    machine. This information is Base64 encoded.
LOCAL
    Date, time, and user account name of the user account that last updated
    the configuration of Pointsec PC on this machine, in the format
    yyyy-mm-dd hh:mm:ss - USERACCOUNTNAME (in the sample file the time also
    carries a UTC offset, for example 14:54:10+02:00). This information is
    Base64 encoded.
PROFILE
    User account name of the person who created or edited the profile that
    last updated this machine. This information is Base64 encoded.
RECOVERY/UPDATE
    Date and time when recovery information was last updated. This
    information is Base64 encoded.
RECOVERY/DELIVERY
    Date and time when recovery information was last sent to the directory
    defined in the specified recovery path. This information is Base64
    encoded.
LOGFILE/UPDATE
    Date and time when log information was last updated. This information
    is Base64 encoded.
LOGFILE/DELIVERY
    Date and time when log information was last sent to the directory
    defined in the specified log path. This information is Base64 encoded.
DISKNR
    Number of the hard disk drive. Numbering begins with zero.
VOLNR
    Volume number on the hard disk. Numbering begins with zero.
ALGO1
    Current algorithm in use. The tag can have one of the following values:
    • AES
    • 3DES
    • Blowfish 56/256 bits
    • CAST
    • None
    • Invalid Key
    See also the description of ALGO2, below.
ALGO2
    The target algorithm. During encryption, this is the algorithm being
    used to encrypt the volume. During decryption, the value is None. When
    encryption is completed, the values of ALGO1 and ALGO2 are identical.
    The tag can have the same values as ALGO1: AES, 3DES, Blowfish 56/256
    bits, CAST, None, Invalid Key.
STATE
    State of encryption of this volume (VOLNR) on the disk. Can be one of
    the following values:
    • 0 = Clear
    • 1 = Encrypting
    • 2 = Decrypting
    • 3 = Encrypted
    • 4 = Re-encrypting
    • 255 = Missing
VALUE
    Can have one of the following values:
    • 0-100 = % of encryption completed
    • 101 = Internal error
    • 102 = Internal error
    • 255 = Encryption completed
    Note that 255 can also mean “processing completed” when both ALGO1
    and ALGO2 are None, as there has been no encryption and this fact has
    been registered.
Sample Export Status File
The following is an example of an export status file:
<?xml version="1.0" encoding="UTF-8"?>
<RETURN>
<STATUS>
<MISC>
<VERSION>6.1.3 (2006-11-06 09:17:12 Build 1113)</VERSION>
<DRIVER>5.0 sr1.1</DRIVER>
<UPDPWD>1</UPDPWD>
<WAKEONLAN>0</WAKEONLAN>
<AUTOLOGON>0</AUTOLOGON>
<USER>QURNSU4=</USER>
<MCUSER/>
</MISC>
<CONFIG>
<LOCAL>MjAwNi0xMS0xNiAxNDo1NDoxMCswMjowMCAtIFN5c3RlbVxBRE1JTg==</LOCAL>
<PROFILE>MjAwNi0xMS0xNiAxNDo...DXFdPUktcdXBkLnVwcA==</PROFILE>
</CONFIG>
<RECOVERY>
<UPDATE>MjAwNi0xMS0xNiAxNDo1NTozNg==</UPDATE>
<DELIVERY>MjAwNi0xMS0xNiAxNDo1NTozNg==</DELIVERY>
</RECOVERY>
<LOGFILE>
<UPDATE>MjAwNi0xMS0xNiAxNDo1NTozNg==</UPDATE>
<DELIVERY>MjAwNi0xMS0xNiAxNDo1NTozNg==</DELIVERY>
</LOGFILE>
<ENCRYPTION>
<VOL>
<DISKNR>0</DISKNR>
<VOLNR>0</VOLNR>
<ALGO1>AES</ALGO1>
<ALGO2>AES</ALGO2>
<STATE>3</STATE>
<VALUE>255</VALUE>
</VOL>
<VOL>
<DISKNR>0</DISKNR>
<VOLNR>1</VOLNR>
<ALGO1>None</ALGO1>
<ALGO2>AES</ALGO2>
<STATE>1</STATE>
<VALUE>36</VALUE>
</VOL>
<VOL>
<DISKNR>0</DISKNR>
<VOLNR>2</VOLNR>
<ALGO1>None</ALGO1>
<ALGO2>None</ALGO2>
<STATE>0</STATE>
<VALUE>255</VALUE>
</VOL>
</ENCRYPTION>
</STATUS>
</RETURN>
Installing Language Packs
The PS Control utility can also be used to install language packs. Both the
preboot language file and the Windows language file must be installed for
each pack.
Take special care to use the command that corresponds to the respective
file: install-pb-language for the preboot language file and
install-win-language for the Windows language file.
To install a language pack:
1. Issue an install-pb-language command in pscontrol.exe, specifying the
file name of the preboot language file (LANGUAGE.LNG) for the language
pack you want to install. If this file is not in the same folder as the
pscontrol.exe program, the entire directory path to the file must be
specified.
2. Issue an install-win-language command in pscontrol.exe, specifying the
file name of the Windows language file (Plang32.lng) for the language
pack you want to install. If this file is not in the same folder as the
pscontrol.exe program, the entire directory path to the file must be
specified.
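The procedure above is normally scripted (this appendix mentions a .bat file as the usual vehicle). The following Python script is added here as an example and is not part of the Pointsec PC package: it runs the two pscontrol commands for each pack in the required order, preboot file first, and stops at the first non-zero exit code, which it maps to Table G-3 so the failing file is reported rather than silently skipped. The pack folder paths and the fake pscontrol stand-in used for offline testing are constructed; pscontrol.exe is assumed at the location given at the start of this appendix.

```python
"""Install Pointsec PC language packs from a script, checking the exit code
of every pscontrol.exe call against Table G-3.

Added example, not part of the Pointsec PC package. The pack folder names
are constructed; pscontrol.exe is assumed at the location Appendix G gives.
"""
import subprocess

PSCONTROL = r"C:\Program Files\Pointsec\Pointsec for PC\pscontrol.exe"

# Exit codes from Table G-3.
ERROR_CODES = {
    0: "Operation successful",
    1: "Incorrect argument",
    2: "Incorrect filename (cannot be opened, not in the registry, or bad format)",
    3: "No Pointsec PC installation found on this machine",
    4: "Operation terminated unexpectedly (Pointsec PC system area read/write failed)",
}

# Each pack needs both files, each installed with its matching command.
PACK_FILES = (("install-pb-language", "LANGUAGE.LNG"),
              ("install-win-language", "Plang32.lng"))


def run_pscontrol(args, runner=None):
    """Run one pscontrol command (verbose) and return its exit code.

    `runner` lets a test supply a stand-in for pscontrol.exe; when it is
    None the real executable is started with subprocess.
    """
    cmd = [PSCONTROL, "-v"] + list(args)
    if runner is None:
        return subprocess.run(cmd).returncode
    return runner(cmd)


def install_language_packs(pack_dirs, runner=None):
    """Install every pack in pack_dirs, preboot file first, then Windows file.

    Stops at the first non-zero exit code so a half-installed pack is
    reported instead of being skipped. Returns (installed_dirs, error),
    where error is None on success.
    """
    installed = []
    for pack_dir in pack_dirs:
        for command, filename in PACK_FILES:
            # Full path: the .lng files are not in the pscontrol.exe folder.
            path = pack_dir.rstrip("\\") + "\\" + filename
            code = run_pscontrol([command, path], runner)
            if code != 0:
                reason = ERROR_CODES.get(code, "unknown exit code")
                return installed, "%s %s failed with exit code %d: %s" % (
                    command, path, code, reason)
        installed.append(pack_dir)
    return installed, None


def fake_pscontrol_factory(failing_path, code):
    """Constructed stand-in for pscontrol.exe: succeeds except for one file."""
    def runner(cmd):
        return code if cmd[-1] == failing_path else 0
    return runner


if __name__ == "__main__":
    packs = [r"D:\Language Packs\3 - Scandinavian and Baltic",
             r"D:\Language Packs\6 - Europe 2"]          # constructed paths
    done, err = install_language_packs(packs)
    print("installed:", done)
    print("error:", err)
```

Run it on a machine with Pointsec PC installed and the language pack folders copied locally; on any other machine the subprocess call fails before pscontrol is reached, which is the exit-code-3 situation the table describes when the executable is present but Pointsec PC is not.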
Appendix H
The pslogexp.exe Log Export Utility
The pslogexp.exe utility is meant for administrators; Read and Execute
permissions are required to run it. This utility must be executed on a
machine running Pointsec for PC 6.1.x or later.
An administrator can use pslogexp.exe to export the local log or the logfile
to console or to redirect the data to a file. Available formats are CSV
(Comma Separated Values), TSV (Tab Separated Values) or XML.
The utility can be used in a script.
pslogexp.exe Utility Syntax and Commands
The syntax and commands for pslogexp.exe are described in this section.
Syntax
The syntax for using pslogexp.exe is as follows:
pslogexp.exe [/?] [commands] [filename]
Description:
Export the log file or local log to console
in the specified format.
Use '>' to redirect to file.
Commands
The following commands are available:
Table H-1 pslogexp.exe commands

On the command line each command is prefixed with a slash, as in the
examples below (for example /tsv).

csv     Export the log data as comma separated values (default).
tsv     Export the log data as tab separated values.
xml     Export the log data in XML format.
local   Export the local machine’s log data.
heads   Include headings in the exported log data. The following headings
        are included: Version, Type, Level, Category, Event ID, Source ID,
        Date and Time, Host, Heading, Body, Caller, Target, Param3, Param4.
        Headings are available only in CSV and TSV data.
?       Help for the pslogexp.exe utility.
The following table contains information on filenames:
Table H-2 Filename information

filename
    On a local machine, the filename is logfile.log, where logfile is the
    computer name of the local machine, for example MYCOMPUTER.log.
    On a remote machine, the filename is the full path name of the file to
    which you will export the log, for example \\Share\COMPUTER02.log.
Examples of Using the pslogexp.exe Utility
Exporting the Local Log
Below is an example of exporting the local log database to a file:
pslogexp.exe /tsv /heads /local >local.tsv
pslogexp.exe /xml /local >local.xml
Note the use of > to redirect the data to the file local.tsv.
Exporting the (remote) logfile
Below is an example of exporting the log files to a file:
pslogexp.exe /tsv /heads "MYCOMPUTER.log" >logfile.tsv
pslogexp.exe /xml "\\Share\COMPUTER02.log" >logfile.xml
pslogexp.exe /xml "c:\logs\MYLOG.log" >logfile.xml
Note the use of > to redirect the data to the file logfile.tsv.
Correct Display of National Characters in
Exported Files
To ensure the correct display of national characters in the exported logs,
display the CSV or TSV file in Excel after specifying the following settings
(in Excel):
1. In the File drop down menu, select Open.
2. Select the exported CSV or TSV formatted log file and click Open.
3. When the text import guide is displayed, select the Origin:
65001: Unicode (UTF-8)
4. Click OK.
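The Excel procedure above works because the exported file is UTF-8; any consumer that reads it in a legacy code page produces mojibake. The following Python module is added here as an example and is not part of pslogexp.exe: it reads an export produced with /tsv /heads, as in the examples in this appendix, decodes it as UTF-8 (tolerating a byte order mark), returns one record per event keyed by the Table H-1 headings, and shows what the same bytes look like when decoded as Windows-1252. The column headings are those of Table H-1; the event rows themselves are constructed and do not reproduce real Pointsec PC log content.

```python
"""Read a pslogexp.exe export (/tsv /heads) as UTF-8 and summarise it.

Added example, not part of pslogexp.exe. The column headings are those of
Table H-1; the event rows are constructed and do not reproduce real
Pointsec PC log content.
"""
import csv
import io
from collections import Counter

HEADINGS = ["Version", "Type", "Level", "Category", "Event ID", "Source ID",
            "Date and Time", "Host", "Heading", "Body", "Caller", "Target",
            "Param3", "Param4"]

# Constructed events; the Caller field contains a national character.
SAMPLE_EVENTS = [
    ["1", "Event", "Info", "Logon", "1001", "10", "2007-07-02 08:14:03",
     "MYCOMPUTER", "Preboot logon", "User logged on", "jörgen", "", "", ""],
    ["1", "Event", "Warning", "Logon", "1002", "10", "2007-07-02 08:15:40",
     "MYCOMPUTER", "Preboot logon failed", "Wrong password", "jörgen", "", "", ""],
    ["1", "Event", "Info", "Encryption", "2001", "20", "2007-07-02 09:02:11",
     "COMPUTER02", "Volume encrypted", "Disk 0 volume 1: AES", "System\\ADMIN",
     "", "", ""],
]


def build_sample_export(events):
    """Bytes shaped like `pslogexp.exe /tsv /heads /local >local.tsv`:
    a heading row, then one tab-separated row per event, UTF-8 encoded."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\r\n")
    writer.writerow(HEADINGS)
    writer.writerows(events)
    return buf.getvalue().encode("utf-8")


SAMPLE_EXPORT = build_sample_export(SAMPLE_EVENTS)


def parse_export(data, delimiter="\t"):
    """Decode the export as UTF-8 (a BOM, if present, is dropped) and return
    one dict per event keyed by the heading row. Pass delimiter="," for a
    CSV export made with /csv /heads."""
    text = data.decode("utf-8-sig")
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))


def count_by(rows, column):
    """Count events per distinct value of a column, e.g. Level or Host."""
    return Counter(row[column] for row in rows)


def mojibake_preview(data):
    """The same bytes read as Windows-1252: this is what a spreadsheet shows
    when the UTF-8 origin is not selected ('ö' becomes 'Ã¶')."""
    return data.decode("cp1252")


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(count_by(rows, "Level"))
    print("utf-8:", rows[0]["Caller"], "| cp1252:",
          mojibake_preview(SAMPLE_EXPORT).split("\r\n")[1].split("\t")[10])
```

To use it on a real export, replace SAMPLE_EXPORT with the bytes of the file written by pslogexp.exe, for example `parse_export(open("local.tsv", "rb").read())`.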
Appendix I
Pointsec PC and IBM RRU
This appendix contains the information you will need for accessing the
IBM Rapid Restore Ultra (RRU) on a system with Pointsec PC installed.
Installing the InstallRRU.msi Package
Before you can access RRU functionality on a system with Pointsec PC
installed, you need to install the InstallRRU.msi package.
Note - Before you install the InstallRRU.msi add-on package, ensure that
you have installed ISScript.msi Version 11 on the computer. Otherwise,
InstallRRU.msi will not work correctly.
To install the InstallRRU.msi package:
1. Locate the InstallRRU.msi add-on package in the 1_Pointsec for
PC\Tools\WinPE directory on your Pointsec PC CD.
2. Install the package.
Accessing RRU Functionality on a Pointsec PC Machine
After installing the InstallRRU.msi add-on package, you can access RRU
functionality.
To restore a backup via RRU, do not access RRU through Windows but
instead as described in the procedure below.
To access RRU functionality for restoring a backup:
1. Log on to the Pointsec PC preboot environment.
2. Immediately after you have logged on to Pointsec PC and before
Windows starts to load, press F11. This will boot the machine into the
RRU partition.
3. Select the backup you want to restore in RRU and continue.
Using
When using RRU on a Pointsec PC machine, never attempt to restore to an
RRU image taken prior to the installation of Pointsec PC.
Appendix J
Pointsec PC Common Criteria Configuration
Common Criteria (CC) defines a broad, flexible set of requirements for
security products, focusing on development best practices and assurances
that advertised features have been implemented securely. With a CC EAL4
validated product, you are assured that the product is designed according
to strict security engineering standards and quality control.
The CC is a set of functional and assurance IT security requirements that
were developed to provide a common baseline against which IT products
and systems could be tested and evaluated. The results of these
comprehensive security tests are compiled to produce a composite security
score or evaluation level for any given security product. The CC evaluation
methodology can be used for both hardware and software security
products.
Initially supported by the United States, United Kingdom, Germany,
France, Canada and the Netherlands, the CC has since been recognized by
many other countries. Evaluations consider not only the product itself, but
the intended environment for use and the policies and procedures that will
be enforced. The CC has also been codified as ISO standard 15408.
Pointsec Mobile Technologies provides world-class security software for the
protection of personal computers, smart phones and PDAs. A commitment
to achieve CC EAL4 validation is part of the ongoing process of providing
the highest quality security products to our most important security
partners, our customers.
In This Appendix
Common Criteria EAL4 Configuration Requirements
page 256
Common Criteria EAL4 Configuration Requirements
The validation of Pointsec PC is done in a specific secure configuration. To
use Pointsec PC as a validated product, this configuration must be used on
the installed computer. To properly implement a CC EAL4 validated
configuration of Pointsec PC, specific settings must be configured in the
profile that will be deployed.
Cryptographic Algorithms and Key Sizes
The algorithms and key sizes allowed in a CC configuration are:
• 3DES 168-bit
• AES 256-bit
All Partitions Encrypted, Boot Protection Enabled
To ensure that the system is secure, all partitions must be encrypted
and preboot protection must be enabled.
In an Installation Profile
Use the Select Volume Protection setting under System Settings/Install to:
• specify the algorithm to be used
• select Encryption for all the volumes, and
• select Preboot Auth. (preboot authentication) for all volumes.
In a Master Installation
Select Boot protection and Encryption, then choose the required
algorithm in the Protect volumes InstallShield Wizard window.
No Delete Access to the Pointsec File Share
Users of Pointsec PC-protected computers may have only RX
permissions to the Pointsec share. This is accomplished by setting up
a Pointsec Service Start Account in the Pointsec PC profile deployed
on computers. See Chapter 10, “Using a Service Start Account” for
instructions.
Wake on LAN
The setting Enable Wake on LAN must be disabled. This setting is found
under System Settings → Wake on LAN. Wake-on-LAN is a feature in many
computers today whereby the computer can be automatically started when it
receives a specific signal from the network. The administrator can then
perform maintenance on the computer without having to visit its physical
location.
Windows Integrated Logon
The setting Windows Integrated Logon must be disabled. This setting is
found under System Settings → Windows Integrated Logon. Windows Integrated
Logon enables the user to bypass preboot authentication at startup.
User Level Privileges
The user account authority level must not have any administrative
privileges, and must not have more than the privileges View Logs and
Uninstall. These settings are located under System → Group Settings →
Permissions for groups and under System → Account Settings →
Permissions for user accounts.
The View Logs privilege is only necessary if normal users are allowed to
view the logs of the system in question. The Uninstall setting will allow
a user to uninstall the Pointsec PC software from the computer if, and
only if, the uninstallation is performed together with an administrator
(or another user) who has Uninstall authority.
Local Administration Disabled
The local administration program must be disabled on all clients, that
is, on all machines not used for administration tasks such as creating
profiles, updating profiles and providing remote help. The setting
Management Console Logon must be disabled on all clients. These settings
are located under System → Group Settings → Permissions for groups and
under System → Account Settings → Permissions for user accounts.
Administration and Configuration via Profiles
All administration and configuration of client installations must be
performed via profiles. The only local administration allowed is the first
initial administration of an administration installation that is used to
create an initial installation profile to be used to install the clients. All
updates and new installation profiles for both clients and
administration are then maintained via profiles, created on an
administration installation.
Software Upgrade between Common Criteria Versions Only
Only upgrading between CC-certified versions of Pointsec PC is allowed.
Password Requirements
If fixed passwords are used for authentication, they should match the
strength requirements of the information they are protecting. The
required configuration is:
• Minimum length of 8 characters
• Numbers and letters
• Both uppercase and lowercase letters
• No more than two consecutive identical characters
The following configuration is recommended, but not required:
• Disallow 6 previous passwords
• Expiration of 90 days
These recommendations do not apply to users using dynamic tokens or
smart cards for authentication.
Password Synchronization Requirements
Password synchronization must be inactivated in a CC-validated
environment.
Maximum Failed Logons before Reboot
The value of Max Failed Logons Before Reboot must be set to three or
fewer in a CC-validated environment.
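Several of the requirements above are visible in the export status file that pscontrol export-status writes (Appendix G, Table G-4): WAKEONLAN and AUTOLOGON must both be 0, and every volume must have STATE 3 (Encrypted) with ALGO1 equal to AES or 3DES. The following Python module is added here as an example and is not part of Pointsec PC: it parses an export status file, decodes the Base64 tags, prints per-volume progress using the STATE and VALUE semantics of Table G-4, and lists the requirements from this appendix that the file shows violated. Its embedded XML is constructed after the sample export status file in Appendix G (the PROFILE value is a placeholder, since the page shows the real one truncated). Key sizes, password policy, permissions and the other profile settings are not in the status file and still have to be verified in the PCMC.

```python
"""Parse a `pscontrol export-status` XML file (Table G-4) and report which
Common Criteria configuration requirements of Appendix J it shows violated.

Added example, not part of Pointsec PC. SAMPLE_STATUS is constructed after
the sample export status file in Appendix G; its PROFILE value is a
constructed placeholder because the page shows the real one truncated.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

STATE_NAMES = {0: "Clear", 1: "Encrypting", 2: "Decrypting",
               3: "Encrypted", 4: "Re-encrypting", 255: "Missing"}
CC_ALGORITHMS = {"AES", "3DES"}  # Appendix J; key size is not in the file
PLAIN_TAGS = ("MISC/VERSION", "MISC/DRIVER", "MISC/UPDPWD",
              "MISC/WAKEONLAN", "MISC/AUTOLOGON")
B64_TAGS = ("MISC/USER", "CONFIG/LOCAL", "CONFIG/PROFILE",   # Table G-4:
            "RECOVERY/UPDATE", "RECOVERY/DELIVERY",          # Base64 text
            "LOGFILE/UPDATE", "LOGFILE/DELIVERY")

SAMPLE_STATUS = """<?xml version="1.0" encoding="UTF-8"?>
<RETURN><STATUS>
<MISC><VERSION>6.1.3 (2006-11-06 09:17:12 Build 1113)</VERSION>
<DRIVER>5.0 sr1.1</DRIVER><UPDPWD>1</UPDPWD><WAKEONLAN>0</WAKEONLAN>
<AUTOLOGON>0</AUTOLOGON><USER>QURNSU4=</USER><MCUSER/></MISC>
<CONFIG><LOCAL>MjAwNi0xMS0xNiAxNDo1NDoxMCswMjowMCAtIFN5c3RlbVxBRE1JTg==</LOCAL>
<PROFILE>QURNSU4=</PROFILE></CONFIG>
<RECOVERY><UPDATE>MjAwNi0xMS0xNiAxNDo1NTozNg==</UPDATE>
<DELIVERY>MjAwNi0xMS0xNiAxNDo1NTozNg==</DELIVERY></RECOVERY>
<LOGFILE><UPDATE>MjAwNi0xMS0xNiAxNDo1NTozNg==</UPDATE>
<DELIVERY>MjAwNi0xMS0xNiAxNDo1NTozNg==</DELIVERY></LOGFILE>
<ENCRYPTION>
<VOL><DISKNR>0</DISKNR><VOLNR>0</VOLNR><ALGO1>AES</ALGO1><ALGO2>AES</ALGO2>
<STATE>3</STATE><VALUE>255</VALUE></VOL>
<VOL><DISKNR>0</DISKNR><VOLNR>1</VOLNR><ALGO1>None</ALGO1><ALGO2>AES</ALGO2>
<STATE>1</STATE><VALUE>36</VALUE></VOL>
<VOL><DISKNR>0</DISKNR><VOLNR>2</VOLNR><ALGO1>None</ALGO1><ALGO2>None</ALGO2>
<STATE>0</STATE><VALUE>255</VALUE></VOL>
</ENCRYPTION></STATUS></RETURN>
"""


def decode_b64(value):
    """Decode a Base64 tag; a truncated or corrupt value is flagged, not fatal."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "<undecodable:%s>" % value


def parse_status(xml_text):
    """Return the significant tags as a dict plus a list of volume dicts."""
    status = ET.fromstring(xml_text.encode("utf-8")).find("STATUS")
    info = {path: status.findtext(path, default="") for path in PLAIN_TAGS}
    for path in B64_TAGS:
        info[path] = decode_b64(status.findtext(path, default=""))
    info["volumes"] = [
        {"disk": int(vol.findtext("DISKNR")), "vol": int(vol.findtext("VOLNR")),
         "algo1": vol.findtext("ALGO1"), "algo2": vol.findtext("ALGO2"),
         "state": int(vol.findtext("STATE")), "value": int(vol.findtext("VALUE"))}
        for vol in status.iterfind("ENCRYPTION/VOL")]
    return info


def describe_volume(v):
    """One line per volume using the STATE and VALUE semantics of Table G-4."""
    state = STATE_NAMES.get(v["state"], "Unknown(%d)" % v["state"])
    if v["value"] <= 100:
        progress = "%d%% done" % v["value"]
    elif v["value"] == 255:
        progress = "completed"
    else:
        progress = "internal error %d" % v["value"]   # 101 and 102
    return "disk %d vol %d: %s, %s -> %s, %s" % (
        v["disk"], v["vol"], state, v["algo1"], v["algo2"], progress)


def cc_findings(info):
    """Appendix J checks visible in the status file: Wake on LAN off,
    Windows Integrated Logon off, every volume Encrypted with AES or 3DES."""
    findings = []
    if info["MISC/WAKEONLAN"] != "0":
        findings.append("Wake on LAN is enabled")
    if info["MISC/AUTOLOGON"] != "0":
        findings.append("Windows Integrated Logon is enabled")
    for v in info["volumes"]:
        if v["state"] != 3 or v["algo1"] not in CC_ALGORITHMS:
            findings.append("not CC-compliant: " + describe_volume(v))
    return findings


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print("Version:", status["MISC/VERSION"],
          "| last config update:", status["CONFIG/LOCAL"])
    for finding in cc_findings(status) or ["all visible CC checks pass"]:
        print(finding)
```

For the constructed sample the checker reports two volumes: volume 1 is still encrypting (36 %) and volume 2 is clear, so the machine is not yet in the CC configuration even though the Wake on LAN and Windows Integrated Logon settings are correct. To check a real machine, pass the contents of the file written by pscontrol export-status to parse_status.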
Appendix K
Importing Encryption Keys
In Pointsec PC, partition keys (used for encryption of volumes) and the
material used for protecting them are normally generated using an internal
random number generator. However, externally generated keys (random
data) can also be imported for use as partition keys and data used to
protect partition keys.
This appendix includes an explanation of the key import directory structure
and the settings that must be specified in the precheck.txt file. It also
describes end-user interactions related to key import that might be
required during Pointsec PC installation.
Preparing to Use Imported Encryption Keys
Key Import Directory Structure
The system administrator must prepare a key import directory structure
that contains the keys that will be imported, among other things. This
directory must have the following structure:
• Keys folder
  Contains the keys. The keys must be stored in PKIF format. The files
  must have a filename with the format KEYnnnn.DAT, where the first key
  file is KEY0001.DAT, the second is KEY0002.DAT, and so on.
• FLOPKEY.DAT file
  A transport key used to ensure the integrity of the key files.
• Optional PWD.DAT file
  Contains the password that has been used to protect the key files. If
  this password is provided in a PWD.DAT file in this directory structure,
  it does not have to be entered by the user. If it is not provided in a
  PWD.DAT file, the user is prompted to enter the password when it is time
  for the system to use the key file to encrypt a partition.
precheck.txt File
precheck.txt contains settings for the Pointsec PC installation, including
two settings that are relevant to importing keys. The precheck.txt file is
located in the same folder as the Pointsec PC.msi file.
The settings relevant to key import are described below - for a full
description of the precheck.txt file, see the Pointsec PC Installation
Guide.
precheck.txt Settings for Encryption Key Import
The following table describes the settings relevant to encryption key import
that you can configure in precheck.txt:
Table K-1 precheck.txt key import settings

KeyImportDirectory=
    Path to the key import directory. Specifying a path for this setting
    activates encryption key import; if no path is supplied, key import is
    not activated. Best practice is to specify the path in UNC format:
    \\<server>\<share>\....
KeyImportMethod=
    Specifies how the imported random data is processed when used to make
    keys:
    • Combine (default): partition keys are generated by combining the
      imported random data with random data generated by Pointsec PC. Data
      used to protect partition keys is generated by combining partition
      keys with random data generated by Pointsec PC.
    • Direct: the imported random data is used ‘as is’ as a partition key.
      Data used to protect partition keys is generated by combining
      partition keys with random data generated by Pointsec PC. The key
      import directory’s PWD.DAT file cannot be used with this method.
Administrator Checklist for Importing Encryption Keys
The following list consists of administrator actions related to importing
encryption keys, focusing on tasks the administrator will want to ensure
have been completed before implementing the import of encryption keys:
• Be familiar with the tool used to generate random data to be used for
  encryption keys.
• Ensure that the password used to protect the key files is provided. The
  password must consist of uppercase ASCII characters, and can be from 0
  to 31 characters long. The length 0 corresponds to an empty password.
• If the password protecting the key files is to be provided automatically
  during installation, ensure that the password is stored in a PWD.DAT
  file and that this file is stored correctly in the key import directory.
  Note that an empty password can be provided in the same way (empty
  PWD.DAT file).
• Calculate the number of key files required for each installation (the
  number of volumes that will be encrypted + the number of smart card user
  accounts that will be added during installation).
• Specify the required precheck.txt settings to enable encryption key
  import.
• Ensure that the KeyImportDirectory setting correctly specifies the path
  to the key import directory.
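As an added example (not a Check Point tool and not code from this guide), the following Python script applies the Table K-1 rules and the checklist above to a constructed precheck.txt and PWD.DAT before a deployment. The key=value layout of precheck.txt, PWD.DAT holding the password as plain text with an optional trailing line break, and the reading of "uppercase ASCII" as ASCII with no lowercase letters are assumptions.

```python
"""Pre-deployment checks for Pointsec PC encryption key import (hypothetical
validator written for this guide; not a Check Point tool)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample precheck.txt content, not taken from a real deployment.
SAMPLE_PRECHECK = """\
; key import section of precheck.txt
KeyImportDirectory=\\\\fileserver01\\pointsec-keys\\site-a
KeyImportMethod=Direct
"""

# \\<server>\<share>\... as the guide recommends.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+(\\.*)?$")
VALID_METHODS = {"combine", "direct"}
MAX_PASSWORD_LEN = 31


@dataclass
class ImportPlan:
    volumes: int                  # volumes that will be encrypted
    smart_card_accounts: int      # smart card accounts added during installation
    pwd_dat: Optional[bytes]      # raw PWD.DAT content, or None if no file is used


@dataclass
class Report:
    findings: list[str] = field(default_factory=list)   # blocking problems
    notes: list[str] = field(default_factory=list)      # informational
    key_import_enabled: bool = False
    method: str = "Combine"
    key_files_required: int = 0


def parse_precheck(text: str) -> dict[str, str]:
    """Parse key=value lines (assumed format; ';' and '#' lines treated as comments)."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def password_problems(pw: str) -> list[str]:
    """Guide rules: uppercase ASCII characters, 0 to 31 characters long.
    'Uppercase ASCII' is interpreted here as ASCII only with no lowercase letters."""
    problems = []
    if len(pw) > MAX_PASSWORD_LEN:
        problems.append(f"PWD.DAT password is {len(pw)} characters; maximum is 31")
    if not pw.isascii():
        problems.append("PWD.DAT password contains non-ASCII characters")
    if any(c.islower() for c in pw):
        problems.append("PWD.DAT password contains lowercase characters")
    return problems


def check_key_import(precheck_text: str, plan: ImportPlan) -> Report:
    """Run the administrator checklist against a precheck.txt and a PWD.DAT."""
    report = Report()
    settings = parse_precheck(precheck_text)

    directory = settings.get("keyimportdirectory", "")
    if not directory:
        report.notes.append("KeyImportDirectory not set: key import is not activated")
        return report
    report.key_import_enabled = True
    if not UNC_PATH.match(directory):
        report.findings.append(f"KeyImportDirectory '{directory}' is not a UNC path")

    method = settings.get("keyimportmethod", "Combine")
    if method.lower() not in VALID_METHODS:
        report.findings.append(f"KeyImportMethod '{method}' is neither Combine nor Direct")
    else:
        report.method = method.capitalize()

    # One key file per encrypted volume plus one per smart card account added at install.
    report.key_files_required = plan.volumes + plan.smart_card_accounts

    if plan.pwd_dat is None:
        report.notes.append("No PWD.DAT: the end user will be prompted for the key file "
                            "password (five attempts) during installation and first preboot")
    else:
        if report.method == "Direct":
            report.findings.append("PWD.DAT cannot be used with KeyImportMethod=Direct")
        # Assumption: PWD.DAT holds the password as text; a trailing line break is ignored.
        password = plan.pwd_dat.decode("latin-1").rstrip("\r\n")
        report.findings.extend(password_problems(password))
    return report


if __name__ == "__main__":
    plan = ImportPlan(volumes=2, smart_card_accounts=1, pwd_dat=b"SITEAKEYS\r\n")
    result = check_key_import(SAMPLE_PRECHECK, plan)
    print(f"key files required: {result.key_files_required}")
    for line in result.findings:
        print("FINDING:", line)
    for line in result.notes:
        print("NOTE:", line)
```

Run against the constructed sample, the script reports three key files required and flags the Direct plus PWD.DAT conflict from Table K-1.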
End-user Interaction During Installation
The following list explains the end-user interaction required if a password
used to protect the key files is not provided in a PWD.DAT file in the key
import directory.
• If smart card user accounts are being added during installation, the end
  user must enter a password to unlock the key file. Five attempts are
  allowed.
• The first time the Pointsec PC preboot environment starts, the end user
  will be prompted to supply the password required to unlock the key
  files. The end user has five attempts in which to supply the correct
  password. If the password authentication fails, a dialog informs the
  user that the authentication has failed, that the computer is
  unprotected, and that Pointsec PC must be uninstalled manually via
  Add/Remove Programs.
• If a PWD.DAT file is used during installation, error information might
  be displayed to the end user. End users should contact the administrator
  if they are unsure about how they should respond to this information.
Appendix L
Glossary

Numeric

2-factor authentication
The password to a token, used together with the token. In other words:
2-factor authentication is something you know, used together with
something you have. Access is granted only when you use the two together.

A

Access control
The process of preventing unauthorized access to computers, programs,
processes, or systems. Pointsec for PC access control includes preventing
logged-on users from accessing files, devices, etc. for which they have no
authorization.

AES (Advanced Encryption Standard)
A method of encryption selected by NIST as a replacement for DES and 3DES.
AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides
high security with fast performance across multiple platforms.

Algorithm
In Pointsec products, an algorithm is a mathematical procedure that
manipulates data to encrypt and decrypt it.

Authentication
The process of verifying identity or authorization. Pointsec for PC
provides boot protection by enforcing authentication in Pre-Boot
Authentication before the Windows operating system starts.

C

Cipher
A cryptographic algorithm.

Ciphertext
Encrypted data.

Cryptography
The study and use of methods designed to make information unintelligible.

D

DES (Data Encryption Standard)
A widely used method of data encryption.

Dynamic token
A device which generates one-time passwords based on a challenge/response
procedure.

E

Encryption
The transformation of plaintext into a less readable form (called
ciphertext) through a mathematical process. A ciphertext may be read by
anyone who has the key to decrypt it (undo the encryption).

F

FIPS
Federal Information Processing Standards. See NIST.

K

Key
A string of bits used with an algorithm to encrypt and decrypt data. Given
an algorithm, the key determines the mapping of the plaintext to
ciphertext.

Key file
In Pointsec for PC, encryption keys are stored in a key file. The keys are
themselves strongly encrypted, i.e. you must enter a password to access
the key file, but you do not then need to enter each key as it is used.

Key space
The name given to the range of possible values for a key. The key space is
the number of bits needed to count every distinct key. The longer the key
length (in bits), the greater the key space.

L

Lockout
A method to stop an unauthorized attempt to gain access to the computer.
For example, a three-try limit when entering a password: after three
attempts, the system locks out the user.

N

NIST (National Institute of Standards and Technology)
The institute produces security and cryptography related standards and
publishes them as FIPS documents.

P

Password
A protected/private string of characters, known only to the authorized
user(s) and the system, used to authenticate a user as authorized to
access a computer or data.

Plaintext
Data that has not been encrypted, or ciphertext that has been decrypted.

S

Security Policy
A system of password policies, account lockout policies, logging policies,
administrator and user rights and other policies designed to protect your
system.

Single Sign-on (SSO)
The ability to log on to multiple computers or servers in a single action
by entering a single password.

Smart card
A device which contains the credentials for authentication to any device
that is smart card-enabled.

Strong encryption
A term given to describe a cryptographic system that uses a key so long
that, in practice, it becomes impossible to break the system within a
meaningful time frame.

T

Triple DES (3-DES) Encryption
A method of data encryption which uses three encryption keys and runs DES
three times. Triple-DES is substantially stronger than DES.

U

User name / user ID
A unique name by which each user is known to the system.
THIRD PARTY TRADEMARKS AND COPYRIGHTS
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service
names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1
and SecuRemote incorporate certificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996
Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is
preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote
products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty.
Copyright © Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that
the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN
NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT
OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the
OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly
and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising
from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and
redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an
acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute
it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at
your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have
received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA.
The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001,
2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files
(the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute,
sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The
above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS
IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR
ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of
the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions
copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National
Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999,
2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999,
2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating
to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information.
Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and
modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your
productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible
documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to
implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code
does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior
contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of
the License at http://www.apache.org/licenses/LICENSE-2.0
The curl license
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>.All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT
SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in
this Software without prior written authorization of the copyright holder.
The PHP License, version 3.0
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/
or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission,
please contact [email protected].
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from
[email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number.
Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You
may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the
PHP Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP, freely available from <http://www.php.net/>".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at
[email protected].
For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at
<http://www.zend.com>.
This product includes software written by Tim Hudson ([email protected]).
Copyright (c) 2003, Itai Tzur <[email protected]>
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific
prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this
permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.
Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded,
displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise,
without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices
contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of
NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity,
and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination,
any downloaded and printed materials must be immediately destroyed.
Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of
NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners.
Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in
the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any
way, including in advertising or publicity pertaining to distribution of, or access to, materials in
this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such
a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.
U.S. Government Restricted Rights
The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government
("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce,
release, perform, display or disclose are
restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at
DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14,
Alternative III (Jun 87) and paragraph (c)(2) of the Commercial
Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).
Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator.
The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government
is subject to restrictions as set forth in applicable laws and regulations.
Warranty Disclaimer
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST
EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF
MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR
RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES,
INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS
DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR
USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU
ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES,
SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.
Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.
BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))
Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release
PCRE LICENCE
PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release
5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is
distributed under the same terms as the software itself.
Written by: Philip Hazel <[email protected]>
University of Cambridge Computing Service, Cambridge, England. Phone:
+44 1223 334714.
Copyright (c) 1997-2004 University of Cambridge All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.
Index

A
Access to Local setting 54
Access to Remote setting 54
Account Settings 45
accounts 71
  delete 130
  edit 130
  group 71
  service 127
administering 259
administration
  levels 9
administrators 10
algorithms 256
Allow 20
Allow a Slave Hard Drive 20
Allow Consecutive, Identical Characters
  default and effective value 74
Allow Consecutive, Identical Characters setting 30, 49
Allow Embedded Space Characters
  default and effective value 74
Allow Embedded Space Characters setting 30, 50
Allow Hard Drive To Be Slaved setting 20
Allow Hibernation and Crash Dumps setting 27
Allow Leading or Trailing Space Characters
  default and effective value 74
Allow Leading or Trailing Space Characters setting 30, 50
Allow Logon to Hibernated System
  default and effective value 76
Allow Logon to Hibernated System setting 56
Allow Password of Adjoining Characters
  default and effective value 74
Allow Password of Adjoining Characters setting 30, 50
Allow Special Characters
  default and effective value 74
Allow Special Characters setting 30, 49
Allow Windows Logon setting 31
Allow Windows Screen Saver setting 29
asdf 43
Attempts Before Temporary Lockout
  default and effective value 75
authenticating 207
  dynamic token 211
  first time 208
  fixed password 209
  smart card/USB token 212
Authentication Settings-Fixed Password 48
Authentication Settings-Smart Card
  Windows Smart Card Insertion/Removal Handling 52
automatic reboot 147
B
background image 145
  preboot 145
banner 145
  preboot 145
Banner.jpg 146
boot protection 5
bootable
  CD-ROM 201
  media menu 205
Bypass PPBE WIL Message setting 34
C
Case Sensitivity setting 30, 49
central log 170
certificate
  smart card 87
Change Credentials in the Pointsec for PC tray
  default and effective value 76
Change Credentials in the Pointsec for PC Tray setting 56
Change Password
  default and effective value 75
Change Password setting 55
Change Permissions
  default and effective value 75
Change Permissions setting 54
Change Privileged Permissions
  default and effective value 75
Change Privileged Permissions setting 54
Change Single Sign-On
  default and effective value 75
Change Single Sign-on setting 55
Change to Dynamic Token
  default and effective value 76
Change to Dynamic Token setting 56
Change to Fixed Password
  default and effective value 76
Change to Fixed Password setting 56
Change to Smart Card
  default and effective value 76
Change to Smart Card setting 56
Common Criteria
  configuration recommendations 258
  configuration requirements 256
  max failed logons before reboot 258
  password synchronization 258
configuring system settings
  system settings
    configuring 17
contact information 3
Create Groups
  default and effective value 75
Create Groups setting 54
Create Profiles
  default and effective value 75
Create Recovery Media
  default and effective value 76
Create Recovery Media setting 56
Create User Accounts
  default and effective value 75
Create User Accounts setting 54
creating
  update profiles 129, 164
D
default
Allow Consecutive, Identical
Characters 74
Allow Embedded Space
Characters 74
Allow Leading or Trailing
Space Characters 74
271
Allow Logon to Hibernated
System 76
Allow Password of Adjoining
Characters 74
Allow Special Characters 74
Attempts Before Temporary
Lockout 75
Change Credentials in the
Pointsec for PC tray 76
Change Password 75
Change Permissions 75
Change Privileged
Permissions 75
Change Single Sign-On 75
Change to Dynamic Token 76
Change to Fixed Password 76
Change to Smart Card 76
Create Groups 75
Create Profiles 75
Create Recovery Media 76
Create User Accounts 75
Edit System Settings 75
Enable Case Sensitivity 74
Enable SSO 76
Management Console Logon 76
Password History 75
Provide ’One-Time Logon’ 76
Provide ’Reset Password’ 76
Receive ’One-Time Logon’ 76
Receive ’Reset Password’ 76
Remote Help 75
Remove Groups 75
Remove Profiles 75
Remove User Accounts 75
Require Letters and
Integers 74
Require Upper and Lower
Case 74
Response Format 76
Set Logon Limit 75
Set Max Failed Logons 75
Set Maximum Age 75
Set Minimum Length 75
Smart Card insertion triggers
Windows SSO logon 76
Synchronization Mode 76
Temporary Lockout Time 75
Uninstall 75
Use Entrust for SSO 76
View Logs 75
defaults
Logon Settings 75
Password Settings 74
Password Synchronization
Settings 76
Permissions Settings 75
Privileged Permissions
Settings 75
Remote Help Settings 76
Single Sign-On Settings 76
deploying Pointsec for PC 107
Desktop.jpg 146
Display Enable WIL Switch
setting 33
drivers
smart card 121
dynamic token 211
Challenge Format 83
Challenge Length 83
importing values 83
Response Format 83
Response Length 83
dynamic token authentication
new user account 81
Dynamic Token Key 83
Dynamic Token Serial Number 81,
83
E
Edit System Settings
default and effective value 75
Edit System Settings setting 54
effective values
settings 74
Enable Case Sensitivity
default and effective value 74
Enable Export of Status to File
setting 23
Enable Hardware Hash setting 34
Enable Low Graphics Mode
setting 20
Enable Mouse in Preboot
setting 20
Enable Network Locational
Awareness setting 33
Enable PCMCIA setting 20
Enable Remote Help setting 28
Enable Serial setting 20
Enable SSO
default and effective value 76
Enable SSO setting 58
Enable Wake on LAN setting 31
encryption
algorithms 256
file and full disk 5
Entrust SSO setting 58
error message
recovery file path not
accessible 197
Expiration Date
setting 47
Expiration Date setting 73
exporting logs with
pslogexp.exe 249
extend authority 14
F
fixed password 209
security standards for 51
Fixed Password settings 49
force change of password at next
logon 81
G
graphic images displayed in
preboot 145
group
adding user account to 77
new 72
Group Settings 45, 73
Authentication Settings-Fixed
Password 48
Logon 47
group settings 43
GUID Setting 46
GUID setting 46
H
hibernation 27
I
IBM Rapid Restore Ultra 253
install profile
silent 108
install profiles
deploying 108, 124
interactive install 103
silent install 102
Install settings 21
installation profile
creating 113
installation profiles 101
creating 108
deploying 108
smart card drivers 121
K
keyboard layouts 184
supported 237
switching 184
L
language files
Windows 227
language packages 233
default 234
language packs
installing 247
language support 231
languages 183
changing 183
installing using PS
Control 248
keyboard layouts 184
Select Language setting 22
languages supported 7
local log 145, 165
Local Settings 43
Authentication Settings-Smart
Card Windows Smart Card
Insertion/Removal
Handling 52
Log 23
Log Password setting 23
Log Path 24
logging 145, 165
central 170
local 145, 165
Logon Authorized setting 46
Logon Settings 47
defaults and effective
values 75
Logon Verification setting 26
logs
exporting with
pslogexp.exe 249
M
Management Console Logon
default and effective value 76
Management Console Logon
setting 56
managing Pointsec PC 6
manual reboot 147
Minimum Group Authority Level
Required setting 20, 21, 26,
28, 29, 30, 31, 33
Msiexec.exe 147
N
new account wizard 77
normal user account
user account
normal 79
O
oemvar 146
one-time logon 173, 218
Organization setting 21
P
password
forgotten 217
password authentication
new user account 80, 81
Password History
default and effective value 75
Password History setting 50
Password Settings
defaults and effective
values 74
Password Synchronization Settings
defaults and effective
values 76
Password Synchronization
settings 59
passwords
synchronizing 177
PC security overview 3
PCMC 9
Local Installation 14
overview 13
Remote Help 14
Remote Installation 14
permission settings 11
Permissions
Remote Help 12
permissions
required by Remote
Desktop 228
Permissions (settings) 12
Permissions Settings
defaults and effective
values 75
Permissions settings 54
Pointsec for PC
add/remove 194
administering 9, 89
recovery 197
removing 133, 191
updating settings 107
updating software 107
utilities 177
Pointsec for PC Management
Console, see PCMC
Pointsec PC
environment requirements 6
Pointsec Service Start service 127
preboot
background image 145
banner 145
graphic images 145
screen saver image 145
precheck.txt file 121
Privileged Permissions
(settings) 11
Privileged Permissions Settings
defaults and effective
values 75
Privileged Permissions settings 53
Product 21
Product Owner setting 21
Product Serial Number setting 22
profiles 61, 101, 149
graphical overview 105
group information 104
installation
interactive 103
silent 102
publish directory 105
recommendations 105
sets 106
storage directory 105
system information 103
System Settings 118
uninstall 103, 108
update 103
update directory 105
user information 104
Provide ’One-Time Logon’
setting 57, 172
Provide ’One-Time Logon’
default and effective value 76
Provide ’Remote Password Change’
setting 57, 172
Provide ’Reset Password’
default and effective value 76
PS Control command line
utility 239
commands 240
error codes 241
examples 241
exporting status
information 243
installing language packs 247
options 240
smart cards, smart card
readers, drivers 242
pscontrol.exe 239
pslogexp.exe utility 249
publish directory for profiles 105
publish path 107
R
Rapid Restore Ultra (RRU) 253
reboot
manual 147
reboot, automatic 147
Receive ’One-Time Logon’
default and effective value 76
Receive ’One-Time Logon’
setting 58, 172
Receive ’Remote Password Change’
setting 58, 172
Receive ’Reset Password’
default and effective value 76
recovering information from a slave
drive 202
recovery 197
CD-ROM 201
floppy disk 199
removable media 199
recovery and decryption 202
recovery directory 105
recovery disk 197
creating 199
recovery files
path
not accessible 197
Remote Desktop 228, 229
Remote Help 14, 171
default and effective value 75
one-time login 173
permissions 12
providing 173
remote password change 172
types 172
verifying users 173
Remote Help Settings
defaults and effective
values 76
Remote Help settings 56
remote password change 172, 217
remove
Windows add/remove 194
Remove Groups
default and effective value 75
Remove Groups setting 54
Remove Profiles
default and effective value 75
Remove Profiles setting 54
Remove User Accounts
default and effective value 75
Remove User Accounts setting 54
removing Pointsec for PC 108
Require Letters and Digits
setting 30
Require Letters and Integers
default and effective value 74
Require Letters and Integers
setting 49
Require Upper and Lower Case
default and effective value 74
Require Upper and Lower Case
setting 30
requirements
Pointsec for PC environment 6
Response Format
default and effective value 76
Response Format setting 58, 172
S
screen saver 145
screen saver image
preboot 145
Screen Saver Timeout setting 47,
73
Scrsvr.jpg 146
security standards for fixed
passwords 51
Select Language setting 22
service user account 79
set
creating 91, 108
Set Expiration Date (WOL)
setting 31
Set Failed Attempts Before
Temporary Lockout setting 48
Set Group Authority Level
setting 47
Set Log Path setting 24
Set Logon Limit
default and effective value 75
Set Logon Limit setting 48
Set Max Failed Logon setting 47
Set Max Failed Logons
default and effective value 75
Set Max Failed Logons Before
Reboot setting 26
Set Max Failed Windows Logon
Attempts setting 33
Set Max Number of Logons Allowed
(WOL) setting 31
Set Maximum Age
default and effective value 75
Set Maximum Age setting 50
Set Minimum Age setting 50
Set Minimum Length
default and effective value 75
Set Minimum Length setting 30,
50
Set Network Locations setting 33
Set PKCS#11 dll Path setting 25
Set PPBE Failure WIL Message
setting 33
Set Profile Path setting 24
Set Profile Validation Password
setting 23
Set Recovery Path setting 24
Set Screen Saver Text setting 29
Set Start Delay (WOL) setting 31
Set Upgrade Path setting 24
Set WIL User Screen Saver Timeout
setting 34
sets 106
setting
Access to Local 54
Access to Remote 54
Allow Consecutive, Identical
Characters 30, 49
Allow Embedded Space
Characters 30, 50
Allow Hard Drive To Be
Slaved 20
Allow Hibernation and Crash
Dumps 27
Allow Leading or Trailing
Space Characters 30, 50
Allow Logon to Hibernated
System 56
Allow Password of Adjoining
Characters 30, 50
Allow Special Characters 30,
49
Allow Windows Logon 31
Allow Windows Screen
Saver 29
Bypass PPBE WIL
Message 34
Case Sensitivity 30, 49
Change Credentials in the
Pointsec for PC Tray 56
Change Password 55
Change Permissions 54
Change Privileged
Permissions 54
Change Single Sign-on 55
Change to Dynamic Token 56
Change to Fixed Password 56
Change to Smart Card 56
Create Groups 54
Create Profiles 54
Create Recovery Media 56
Create User Accounts 54
default values 74
Display Enable WIL Switch 33
Edit System Settings 54
Enable Export of Status to
File 23
Enable Hardware Hash 34
Enable Low Graphics
Mode 20
Enable Mouse in Preboot 20
Enable Network Locational
Awareness 33
Enable PCMCIA 20
Enable Remote Help 28
Enable Serial 20
Enable SSO 58
Enable Wake on LAN 31
Entrust SSO 58
Expiration Date 47, 73
Fixed Password 49
GUID 46
Log Password 23
Logon Authorized 46, 73
Logon Verification 26
Management Console
Logon 56
Minimum Group Authority
Level Required 20, 21, 26,
28, 29, 30, 31, 33
Organization 21
Password History 50
Product Owner 21
Product Serial Number 22
Provide ’One-Time Logon’ 57,
172
Provide ’Remote Password
Change’ 57, 172
Receive ’One-Time Logon’ 58,
172
Receive ’Remote Password
Change’ 58, 172
Remove Groups 54
Remove Profiles 54
Remove User Accounts 54
Require Letters and Digits 30
Require Letters and
Integers 49
Require Upper and Lower
Case 30, 50
Response Format 58, 172
Screen Saver Timeout 47, 73
Select Language 22
Set Expiration Date (WOL) 31
Set Failed Attempts Before
Temporary Lockout 48
Set Group Authority Level 47
Set Log Path 24
Set Logon Limit 48
Set Max Failed Logons 47
Set Max Failed Logons Before
Reboot 26
Set Max Failed Windows Logon
Attempts 33
Set Max Number of Logons
Allowed (WOL) 31
Set Maximum Age 50
Set Minimum Age 50
Set Minimum Length 30, 50
Set Network Locations 33
Set PKCS#11 dll Path 25
Set PPBE Failure WIL
Message 33
Set Profile Path 24
Set Profile Validation
Password 23
Set Recovery Path 24
Set Screen Saver Text 29
Set Start Delay (WOL) 31
Set Upgrade Path 24
Set WIL User Screen Saver
Timeout 34
Skip Management Console
Logon 26
Smart Card Triggers Windows
SSO Logon 58
Synchronize Windows
Passwords to Preboot 60
Temporary Lockout Time 48
Uninstall 55
USB 20
Use 20-Character
Challenge 28
View Logs 55
Windows Complexity
Requirements 49
Windows Integrated Logon 33
settings 43
default values 74
effective values 74
group 43
Install 21
Logon 47
Password Synchronization 59
Permissions 54
Privileged Permissions 53
Remote Help 56
Single Sign-On 58
user account 43
Single Sign-On settings 58
Single Sign-On Settings
defaults and effective
values 76
Skip Management Console Logon
setting 26
slave drives 202
smart card
lost 218
registering with PS
Control 242
unregistering with PS
Control 242
smart card authentication
new user account 86
smart card certificate 87
smart card driver
installing with PS Control 242
registering with PS
Control 242
unregistering with PS
Control 242
smart card drivers
in installation profiles 121
Smart Card insertion triggers
Windows SSO logon
default and effective value 76
Smart Card Triggers Windows SSO
Logon setting 58
smart card/USB token 212
SSO 185, 219
about 185
changing passwords 185
enabling 189
Entrust 185
Windows smart card 189
Synchronize Windows Passwords
to Preboot setting 60
status Information 243
storage directory for profiles 105
storage path 93, 106, 109
Synchronization Mode
default and effective value 76
synchronizing users 130
system administrator 9
system settings 17, 43
accessing 17, 43
T
Temporary Lockout Time
default and effective value 75
Temporary Lockout Time setting 48
temporary user account 79
troubleshooting 221, 225, 231,
233, 237, 239, 249, 253, 255
type
user account 79
U
Uninstall 75
default and effective value 75
uninstall profiles 101, 103, 191
creating 191
deploying 193
Uninstall setting 55
update directory for profiles 105
update profiles 101, 103, 129,
164
creating 130
deploying 130
updating Pointsec for PC
software 107
upgrade log 147
USB setting 20
USB token
lost 218
Use 20-Character Challenge
setting 28
Use Entrust for SSO
default and effective value 76
user account
adding to group 77
authentication method 79, 80
Dynamic Token Key 83
Dynamic Token Serial
Number 81, 83
force change of password at
next logon 81
service 79
temporary 79
type of 79
user account name 78
user account name
user account 78
user account settings 43
user accounts 13
smart card 121
synchronizing 130
utilities
language support 183
SSO 185
V
View Logs
default and effective value 75
View Logs setting 55
W
Wake on LAN (WOL)
example 181
setting-up 180
Windows
language files 227
Windows Complexity Requirements
setting 49
Windows Integrated Logon
setting 33