Pointsec Administration Guide

Pointsec Administration Guide

V1.0

May 22, 2008

OAAIS Enterprise Information Security

http://security.ucsf.edu

Pointsec Administrators Guide 2

Table of Contents

INSTALLATION PROCEDURES ................................................................................. 3

SUPPORTED PLATFORMS .................................................................................................. 3

Operating System Requirements/Limitations.............................................................. 3

PRE-INSTALLATION CHECKLIST....................................................................................... 5

Minimum Requirements Checklist .............................................................................. 5

System Preparedness Checklist................................................................................... 5

INSTALLATION INSTRUCTIONS ......................................................................................... 6

Verify Pointsec Installation......................................................................................... 8

End User experience with Pointsec .......................................................................... 10

RECOVERY PROCEDURES ....................................................................................... 11

BOOTABLE RECOVERY DISK.......................................................................................... 11

Creating a Recovery Disk ......................................................................................... 11

Booting from recovery disks ..................................................................................... 12

Pre-boot Customization screen................................................................................. 12

USING SLAVE DRIVE FUNCTIONALITY ........................................................................... 13

Compatibility of Drives............................................................................................. 13

Accessing a Slave Drive............................................................................................ 13

REMOTE PASSWORD RESETS.......................................................................................... 14


Installation Procedures

Supported Platforms

Pointsec PC is supported when installed on an x86-compatible computer with:

o Microsoft Windows Vista Enterprise, Business or Ultimate editions (32-bit).

o Microsoft Windows XP Tablet PC Edition.

o Microsoft Windows 2000 Professional SP4 UR1.

o Microsoft Windows XP Professional (SP1 or SP2, SP2 is recommended).

Pointsec PC is NOT supported when installed on a computer with:

o Microsoft Windows XP Home (all variants and SPs).

o Microsoft Windows Media Center Edition (all variants and SPs).

Operating System Requirements/Limitations

Stripe/Volume Sets

Pointsec PC should not be installed on partitions that are part of stripe or volume sets.

RAID

Pointsec PC should not be installed on machines with software or hardware RAID.

Compressed Root Directory

Pointsec PC cannot be installed if the root-directory (or root directories) is/are

compressed. The root directory must be decompressed before Pointsec PC is installed.

However, subdirectories of the root directory may be compressed.

Windows User Account requirements for Install and Uninstall

In order to install or uninstall Pointsec PC, the user account executing the action (either

directly, through "Run As…", or as a service) must be authorized to perform installations,

this usually means having Administrator permissions.

Windows User Account Registry Permission Requirements

In order to install, upgrade, change language and import profiles on a Windows XP PC, a

user account needs the following registry permissions: Query value, Set value, Create

subkey, Enumerate subkey, Notify, Create link, and Read control.

In order to remove on a Windows 2000 PC, a user account needs the above registry

permissions plus Delete.


Memory and Disk Space Requirements

The current memory and disk space requirements are:

Operating System Memory Disk Space

Windows Vista 512 MB RAM 100 MB, of which 2 MB

must be contiguous, free

space.

Windows XP 128 MB RAM 100 MB, of which 2 MB


space.

Windows 2000 64 MB RAM 100 MB, of which 2 MB


space.

Windows XP Tablet Edition 128 MB RAM 100 MB, of which 2 MB


space.

Note: The disk encryption process does not require extra space on the hard disk.

Fragmented Disks

2 MBS of contiguous disk space is required for Pointsec PC installation. If this amount of

continuous space is not available, the installation will fail.


Pre-Installation Checklist

Minimum Requirements Checklist

o Pointsec will be installed on a machine with one of the following 32 bit operating

systems:

o Microsoft Windows Vista Enterprise, Business or Ultimate editions (32-

bit).

o Microsoft Windows XP Tablet PC Edition.

o Microsoft Windows 2000 Professional SP4 UR1.

o Microsoft Windows XP Professional (SP1 or SP2, SP2 is recommended).

o 512 MB of RAM, 200 MB of hard drive space (2MB must be contiguous).

o Hard drive is less then 80% full.

o System does not have any of the following:

o Stripe/Volume sets

o Dynamic/Hidden Volumes

o Dual Boot operating systems

System Preparedness Checklist

o Machine is a member of the UCSF Active Directory Domain (CAMPUS, SOM,

UCSFMC)

o Account used to install Pointsec will be an active directory account with local

administrative privileges. (CAMPUS, SOM, UCSFMC)

o A full backup has been made of this machine

o Check Disk with repair enabled has been run on this machine

o BIOS anti-virus has been disabled

o This machine does not have any disk encryption software already installed.

o NOTE: Pointsec will need to be uninstalled before performing a major

software upgrade or re-partitioning the hard drive.


Installation Instructions

1. Run the ”Pointsec for PC (DEPARTMENT NAME).msi” installer from the media

provided. After a few seconds the program will prompt you to reboot.

2. On rebooting Pointsec installs code in the boot partition and reboots again, you

will now be prompted to enter a Pointsec login.

3. Login to Pointsec with your temporary user name and password. Click enable

WIL then click ok.

4. After logging in with your temporary user account, Pointsec will walk you

through creating your own login and password. The password must be 8

characters long. It is highly recommended to make this login the same as the

windows login name.



Verify Pointsec Installation

In the system tray locate the blue p icon and right click on it. Select Information

from the popup window

2. Once the information windows opens click on Volumes button. This screen will

list all volumes protected by Pointsec and at what percentage they are encrypted.

When the drive has been encrypted 100% Pointsec will list the hard drive as

encrypted.

Encryption in progress


Encryption completed


End User experience with Pointsec

End user experience will vary depending on the customizations of the Pointsec install.

A default installation of Pointsec will have Windows Integrated Logon (WIL) enabled;

this will bypass the pre-boot login screen and boot directly to the Windows logon screen.

If a user forgets their password a predetermined number of times WIL will automatically

become disabled and reboot their computer to the pre-boot login screen.

Pointsec Pre-boot login screen will appear for the following conditions:

Windows Integrated Logon (WIL) option is not enabled

Single Sign-On (SSO) is enabled

End Users with the default installation of Pointsec will only see the icon after

windows loads. The Pointsec taskbar program allows you to view information about the

Pointsec install, encryption algorithm used and progress of encryption.


Recovery Procedures Pointsec has two methods to recover data from an encrypted system, bootable recovery

disk and connecting the encrypted hard disk to another machine (Slave Drive). Only

Computer Support Coordinators (CSC) and OAAIS Enterprise Information Security

(EIS) can perform recovery tasks.

In order to perform the following tasks, you must have Pointsec installed on your

machine or access to a machine that has Pointsec installed. Pointsec Management

Console requires Microsoft .net 2.0 later.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-

8edd-aab15c5e04f5&displaylang=en

Bootable Recovery Disk

A common scenario in which recovery is required is when something fails in a computer

that is protected by Pointsec PC, and you are unable to start windows properly. To

Remedy this problem, the administrator creates a bootable media on another computer,

using the recovery file of the failed computer. The administrator, or whoever is

performing the recovery, then uses the bootable media to recover the faulty computer.

The bootable media performs the following tasks:

o Enables the administrator to recover data on the faulty computer.

o Decrypts the faulty computer’s encrypted volumes.

o Removes the pre-boot authentication from the faulty computer.

o Gives direct access to Windows on the faulty computer once decryption has

completed successfully.

Pointsec PC stores the recovery file in two locations, locally in the directory C:\Documents and Settings\All Users\Application

Data\Pointsec\Pointsec for PC and on the Pointsec file server.

Note: Recovery can only be performed if you have the appropriate Pointsec

administrator access on the machine that has Pointsec installed.

Creating a Recovery Disk

1. Insert a USB memory stick or floppy disk into your computer.

o Note: Pointsec will erase the contents of the disk.

2. Open Pointsec Management Console - Start Menu-> All Programs-> Check Point

-> Pointsec PC-> Management Console

3. Login to the Pointsec Management Console with your username and password

and select Remote from the left column. Click on Create recovery media.

4. The recovery wizard will open, and follow the on screen prompts to select the

machine’s recovery file.

5. After the recovery file is chosen Pointsec will prompt for administrator

authentication, enter in both administrator accounts in to the screen prompts.

6. Once authentication is complete select which device the recovery disk will be

created on.


Booting from recovery disks

Pointsec provides an alternative boot menu so you can easily change boot devices

without the need to make these changes in the BIOS. To activate the alternative boot

menu follow these instructions:

1. At the Pointsec pre-boot login screen, press CTRL + F10

2. Enter your user account name and password, and press enter.

Pre-boot Customization screen

The pre-boot customization screen allows you to turn off Windows Integrated Login

(WIL) without booting into windows and changing this setting from within windows. To

access the pre-boot customization screen press both shift keys at boot.


Using Slave Drive Functionality

There are circumstances under which you need to access information on the hard disk of

a Pointsec PC-protected machine and do not want to access this information by

performing a recovery, for example if you need to access a disk for forensic reasons or

because a failure of the operating system makes it impossible to retrieve data on a disk. In

such cases you can use Pointsec PC’s slave drive functionality.

A slave drive is a hard drive taken from one machine and installed (with the jumpers

correctly set) on another machine, the master machine.

The slave drive functionality enables you to take a hard drive from a Pointsec PC-

protected machine and, on another Pointsec PC-protected machine, unlock it in pre-boot

and then access the information on that disk in Windows.

Slave drive functionality requires that both the slave drive and the master machine have

been encrypted with the same algorithm.

Compatibility of Drives

Because of differences in the way different BIOSs handle disks, Pointsec PC slave-drive

functionality currently supports only slave drives of the same drive type as that of the

master machine (IDE, SATA, or SCSI).

Accessing a Slave Drive

The following is a typical example of how to access a slave drive:

1. As administrator, attach to your computer (now the master computer) an

encrypted drive from a client that allows slaving. Before authenticating, be sure

that the BIOS has located the slave drive. If it has not, you will not be able to

continue.

2. Start the master computer with the attached slave drive and complete the Pointsec

PC pre-boot authentication.

o Immediately after the successful pre-boot authentication, a slaving

authentication window is displayed. The authentication window and its

background are in grayscale to distinguish it from the other authentication

windows. The slave drive authentication uses the user account name and

fixed password, dynamic token, or smart card required by the slave drive.

The slave drive authentication window is displayed for approximately 30

seconds, after which it disappears if no action has been taken. After each

action, for example, a keystroke, the timer is reset and starts counting

down again.

3. After successful logon to the slave drive, proceed or cancel. The logon to the

slave drive is logged on the master machine. If you do not cancel, Windows starts

and the drive is mounted as a Windows drive.


Remote Password Resets

Verify the identity of the user before providing remote password assistance.

1. Open Pointsec Management Console - Start Menu-> All Programs-> Check Point

-> Pointsec PC-> Management Console

2. Login to the Pointsec Management Console with your username and password

and select Remote Help from the left column.

3. Click on remote password change radio button.

4. Instruct the end user to enter in their login name and select the remote help button

from the login screen.

Pre-boot login screen on end user machine


End user machine remote help logon


6. After the end user enters in response one, instruct them to click or tab to the

response two field. This will generate the challenge key. Have the end user read

the challenge number displayed on the screen to you and enter it into the

“Challenge from end user” field.

End user machine challenge key


In the Pointsec Management console enter in your Pointsec account password and

click on the generate button.

Management console remote help screen – Response Two


8. Read “Response Two” to the end user and have them click on ok button. This will

prompt them to reset their Pointsec password.

End user machine password reset screen

End user machine successful login screen