Pointsec PC release 6.2 Quick Start Guide Revision A June 2007

Pointsec_PC_Quick_Start.book Page 1 Monday, June 11, 2007 11:48 AM

© 2003-2007 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003-2007 Check Point Software Technologies Ltd. All rights reserved.

Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 149.

Contents

Chapter 1 Introduction

Welcome
Overview
Definitions of Terms
Before You Begin
    Hardware Requirements
    Software Requirements
    Server Share
Related Documentation
Feedback

Chapter 2 Master Installation

Before You Begin
Performing the Master Installation
After Installing

Chapter 3 Pointsec PC Management Console - an Overview

Overview
Starting PCMC
Local Pointsec PC Settings
    Accessing Local Settings
    Editing Local Settings
    Overview of Local Settings

Chapter 4 Creating a Pointsec PC Profile

Overview
Creating an Update Validation Password
Creating a Configuration Set
Creating a Profile
    Creating a New Profile
    Configuring the New Profile
    Adding a Group to the New Profile
    Creating a User Account
    Adding User Accounts to the Group
    Configure the Temporary User

Chapter 5 Deploy Pointsec PC to Your Clients

Overview
Deploy Pointsec PC to a Client
    Utilize Logon Scripts
    Results of Script Execution

Chapter 6 FAQ

Index

Chapter 1 Introduction

In This Chapter

Welcome
Overview
Definitions of Terms
Before You Begin
Related Documentation
Feedback

Welcome

Thank you for choosing Pointsec PC. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up to date and secure solutions available today.

Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.

For additional information on Pointsec PC and other Check Point products, please visit http://www.checkpoint.com or call Check Point at 1(800) 829-8391. For additional technical information, refer to: http://support.checkpoint.com.

Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.

Overview

Pointsec PC is a centrally managed, full disk encryption product that can encrypt data, operating systems and temporary files without relying on user interaction. Pointsec PC performs the encryption transparently to the user, who never needs to bother about what to encrypt and when.

Because Pointsec PC is centrally managed, a Pointsec system administrator can deploy, update, and upgrade settings, accounts and software from a central location.

Figure 1-1 illustrates the difference between file based encryption and full disk encryption.

Figure 1-1 Full Disk vs. File Based Encryption

Definitions of Terms

In this document, the following basic terms are used:

Table 1-1 Basic terms used in this document

Term: Explanation

Client: The user’s computer where you deploy Pointsec PC after creating an installation profile.

Interactive Installation: Information about the installation is displayed for the user during the installation process.

Master installation: The administrator performs the initial installation. This installation includes installing Pointsec PC Management Console, the tool used for creating and configuring an installation profile, and for deploying that profile onto users’ workstations in order to install Pointsec PC.

Live installation: The installation on users’ workstations.

Locked out: A user becomes locked out from a Pointsec PC-protected computer if he or she has entered the wrong password too many times. To re-gain access to the information on the computer, the user must get help from a Remote Help administrator.

Profile: To allow you to centrally manage Pointsec PC on users’ computers (so-called clients), the system uses install, update and uninstall profiles. This concept allows you to install, update and uninstall Pointsec PC from a central location.

Silent Installation: No information about the installation is displayed for the user during the installation process.

Before You Begin

Before installing Pointsec PC (that is, the master and live installations), verify that a server share has been prepared and that the required software and hardware have been installed as described in the following three sections.

Hardware Requirements

The minimum hardware requirements for installing Pointsec PC are as follows:

• Microsoft Windows XP Professional or Microsoft Windows 2000 Professional

• 128 MB of RAM

• 100 MB of free disk space

• Microsoft .NET Framework 2.0 or later is required in order to run the Pointsec PC Management Console

Note - Systems that will not be used for system administrative purposes do not need .NET Framework

• Root directory may not be compressed

• RAID is not supported

• Drives that are to be protected by Pointsec PC must be assigned a permanent drive letter and must not be hidden.

Note - For additional details on system requirements please see the Pointsec PC 6.2 Release Notes.

Software Requirements

GINA

A Pointsec-specific GINA is installed during the Pointsec PC installation. The Pointsec-specific GINA replaces the system’s existing GINA. Once this is done, Pointsec PC will chain the GINA that was replaced.

Although interoperability issues are rare, it is considered best practice to review your system for additional software that utilizes the GINA component.

Note - To configure Pointsec to not add the Pointsec GINA, please see the Pointsec PC Installation Guide.

At the time of writing, general information on GINAs is available at http://www.webopedia.com/term/g/gina.html.

Boot Record

During the Pointsec PC installation, the client’s boot record is replaced.

Verify whether or not your system contains additional software that inserts a boot record.

Server Share

Before installing, it is very important that you prepare a secure server share to be used for storing the Pointsec PC recovery file. The recovery file is needed to restore encrypted information if the user account becomes locked out.

Note - Since anything you store on the local hard disk will be encrypted, you must NOT store the recovery file on the local hard disk.
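The rule in the note above, which the installer's Recovery File Search Path step repeats, can be checked on a planned path before the installer is run. The following Python check is an added example, not part of the Check Point guide or product; the function name is hypothetical, and the host name WKS-0042, the server fs01.corp.example and the share name are constructed sample values.

```python
"""Pre-install check of a planned recovery-file location (added example).

Pure string analysis: nothing is read from the network or the registry,
so the check can be run on any machine before the installer is started.
"""

# Host names that always point back at the machine itself.
# "." covers the \\.\C:\ device form of a local path.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "."}


def _normalize(path):
    """Use backslashes and drop the Win32 extended-length prefixes,
    so that \\\\?\\C:\\... cannot disguise a local path as a UNC path."""
    p = path.strip().replace("/", "\\")
    if p.upper().startswith("\\\\?\\UNC\\"):
        return "\\\\" + p[8:]
    if p.startswith("\\\\?\\"):
        return p[4:]
    return p


def check_recovery_path(path, local_hostname, protected_drives):
    """Return (verdict, reason); verdict is 'ok', 'review' or 'reject'.

    path             -- planned recovery-file directory
    local_hostname   -- name of the computer being installed
    protected_drives -- drive letters that will be encrypted, e.g. ["C:"]
    """
    p = _normalize(path)
    me = local_hostname.lower()
    protected = {d.rstrip(":\\").upper() for d in protected_drives}

    if p.startswith("\\\\"):
        parts = p[2:].split("\\")
        host = parts[0].lower()
        share = parts[1] if len(parts) > 1 else ""
        if not host or not share:
            return ("reject", "UNC path must name both a server and a share")
        # A share on this very computer is still the local hard disk.
        if host in LOOPBACK_HOSTS or host == me or host.split(".")[0] == me:
            return ("reject", "UNC path loops back to this computer's own disk")
        return ("ok", "remote server share")

    if len(p) >= 2 and p[0].isalpha() and p[1] == ":":
        letter = p[0].upper()
        if letter in protected:
            return ("reject", "volume %s: is selected for encryption" % letter)
        # Mapped drive letters belong to a user's logon session, while the
        # guide assumes the local system account reaches the path, so a
        # drive letter cannot be trusted to mean the server share.
        return ("review", "drive %s: may be local; give the UNC path" % letter)

    return ("reject", "not an absolute path; location is ambiguous")


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    samples = [
        r"\\fs01.corp.example\pointsec-recovery$\WKS-0042",
        r"C:\Recovery",
        r"\\localhost\C$\Recovery",
        r"\\?\C:\Recovery",
        r"Z:\Recovery",
    ]
    for s in samples:
        print("%-50s %s" % (s, check_recovery_path(s, "WKS-0042", ["C:"])))
```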

Related Documentation

In addition to this Quick Start Guide, the following documentation is supplied together with the Pointsec for PC software:

Table 1-2 Pointsec PC documentation

Title: This document contains ...

Pointsec PC Installation Guide: Information relevant when installing the master installation of Pointsec PC.

Pointsec PC Administrator’s Guide: Information relevant when creating and configuring an installation profile, and when installing Pointsec PC on users’ workstations (=live installations).

Pointsec PC Release Notes:

• System requirements

• Current information about the product, such as:

    • new features and functions in the current release

    • problems that have been fixed since the previous release, and

    • any known issues about the current release.

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please contact your technical sales contact if you have comments on this guide.

Chapter 2 Master Installation

The master installation is the initial Pointsec PC installation process. It includes Pointsec PC Management Console, the tool used for creating and configuring an installation profile, and deploying Pointsec PC on users’ workstations.

During the master installation, you create two user accounts. These accounts are needed to authenticate to Pointsec PC after the installation; otherwise, the system will be unable to boot.

Before You Begin

Before you begin to perform the master installation, make sure you have the Pointsec PC license number available.

Performing the Master Installation

To install the Pointsec PC master installation:

1. Run the Pointsec for PC.msi file.

The Pointsec for PC.msi file is available on the installation media in the following location:

\Pointsec_PC_EW_Ed_6.2.0\1_Pointsec for PC\

The License Agreement window opens:

Figure 2-1 License Agreement

2. Read the license agreement and click Accept to continue or Cancel to abort the installation.

If you click Accept, the Read me text window opens:

Figure 2-2 Readme Text

3. Select whether or not you would like to view the README.txt and click Next to continue.

If you selected not to view the README.txt file, the following Welcome window opens with a brief explanation on what to expect during the installation:

Figure 2-3 Welcome Window

4. Read the text in the window and click Next to continue.

The following dialog opens:

Figure 2-4 Identification Information

5. Add the following info:

a. Name:

i. Your name

b. Company:

i. Your company’s name

c. One of the following:

i. Serial Number

Write your license number as stated on your license card.

ii. Check Point license

Click Insert to browse for the Check Point license file (*.lic) to use.

Note - The information entered in this dialog can be changed when you prepare the installation profile to be deployed on users’ workstations during the live installation. If you get the "Invalid entry, Please correct and resubmit" message, the license key or Check Point license is not valid.

6. Click Next to continue.

Next, you will add user accounts:

Figure 2-5 Add a User Account

7. Create the first two master installation user accounts.

The user accounts created in the following steps are required to authenticate to Pointsec PC before booting the system. Without authentication, the system will not boot.

a. In the User account name field, type ADMIN1.

b. Under Authentication method, make sure Password is selected.

c. In the Password and Confirm password fields, type Password1.

d. Click Next to continue.

e. The Add a user account dialog opens again.

f. In the User account name field type ADMIN2.

g. Under Authentication method, make sure Password is selected.

h. In the Password and Confirm password fields, type Password2.

i. Click Next to continue.

The Select Drivers window opens:

Figure 2-6 Select Drivers

Note - This dialog is relevant only if you have selected smart card as the authentication method for the user accounts you just created. In this Quick Start Guide, the use of smart cards is not described. Please see the Pointsec PC Installation Guide for more information.

8. Do not select anything here. Just click Next to continue.

The Protect Volumes window opens:

Figure 2-7 Protect Volumes

9. Clear the Encryption checkbox for each volume in the list that appears.

Note - Mounted volumes will not appear in the Volume list. Pointsec PC does not support mounted volumes. To protect a mounted volume, permanently assign a drive letter and restart the installation process.

10. Click Next to continue.

The Recovery File Search Path dialog opens:

Figure 2-8 Recovery File Search Path

11. In the fields provided, set the location of your recovery and log files.

Note - Do not store the recovery file on a local hard drive that is selected for encryption.

12. Click Next to continue.

The Access to Network Paths dialog opens:

Figure 2-9 Access to Network Paths

Access to network paths - If a specific Windows user account has to be used to access the previously configured paths it can be configured here.

In this guide we assume that the local system account (which is set by default) has access to the configured paths.

13. Click Next to continue.

The Ready to Install window opens:

Figure 2-10 Ready to Install

14. Click Next to begin the Pointsec PC installation.

The Installing Pointsec window opens:

Figure 2-11 Installing Pointsec PC

When the installation is complete, the InstallShield Wizard Completed window opens:

Figure 2-12 InstallShield Wizard Completed

15. Click Finish. The Pointsec PC Installer Information window opens:

Figure 2-13 Pointsec PC Installer Information

16. Click Yes to reboot the system now.

During the reboot process, Pointsec PC is activated and performs the second part of the master installation. As part of the reboot process, you will be prompted to enter the user account name and password.

The User Account Information dialog opens:

Figure 2-14 User Account Identification

17. In the User account name field, enter ADMIN1. In the Password field, enter Password. Click OK to continue.

The Confirmation window opens:

Figure 2-15 Confirmation Window

The Confirmation window displays the date and time of your last successful logon.

18. Press Continue or wait for the window to automatically disappear.

At this point, the operating system will reboot.

After Installing

Once the operating system is up and running, the following Pointsec PC icon will be displayed in the task bar:

Figure 2-16 Pointsec PC Icon

Note - During this master installation process, encryption was not selected and therefore it will not be initiated.

Now that you have performed the initial master installation of Pointsec PC, you will need to become acquainted with Pointsec PC Management Console, PCMC, the administration tool used for managing Pointsec PC installation profiles and deployment onto users’ workstations. See “Pointsec PC Management Console - an Overview” on page 27 for an overview of this tool.

Chapter 3 Pointsec PC Management Console - an Overview

In This Chapter

Overview
Starting PCMC
Local Pointsec PC Settings
Accessing Local Settings
Editing Local Settings
Overview of Local Settings

Overview

This chapter presents an overview of the Pointsec administration tool, Pointsec PC Management Console, or PCMC in short. PCMC is used for managing Pointsec PC installation profiles and deployment onto users’ workstations.

If you need a more detailed description of how to use PCMC and its settings, please see the Pointsec PC Administrator’s Guide.

The accounts used in this overview were specified in Chapter 2, “Master Installation”.

Note - Do not change any of the Pointsec PC settings while working through this chapter. Pointsec PC is highly configurable; selecting an unintended setting may lock you out of the system.

Starting PCMC

This section provides step-by-step instructions on how to open and run Pointsec PC.

To run Pointsec PC:

1. Start the Pointsec PC Management Console (PCMC) by selecting Start → All Programs.

2. In the list that appears, select Pointsec → Pointsec PC → Management Console.

The Management Console Authentication window opens:

Figure 3-1 Management Console Authentication

3. Enter the following:

Table 3-1 Authenticating to PCMC

In the field: Enter the following ...

User account name: ADMIN1

Password: Password1

Note - The account you use to authenticate is one of the accounts you created during the master installation. See chapter 2, “Master Installation” on page 11.

4. Click OK to start PCMC.

The following window opens:

Figure 3-2 PCMC GUI

5. Navigate among the three different sections using the folder tree on the left side of the window or using the large icons under the Pointsec PC section of the window.

These are the three sections of PCMC:

• Local enables you to edit settings for the PC where PCMC is installed.

• Remote enables you to create and manage deployment profiles for your client PCs.

• Remote Help enables you to remotely reset user account passwords.

In this chapter, only Local settings will be described. For information on

• Remote settings, see chapter 4, “Creating a Pointsec PC Profile” on page 71

• Remote Help settings, see chapter 5, “Deploy Pointsec PC to Your Clients” on page 107.

Local Pointsec PC Settings

In This Section

Accessing Local Settings
Editing Local Settings
Overview of Local Settings
System Settings
Groups

This section contains a brief overview of the features in the Local Pointsec PC section. A full description of the settings is beyond the scope of this Quick Start guide, but can be found in the Pointsec PC Administrator’s Guide accompanying the product.

The Local settings apply to the computer where you performed the master installation, including PCMC.

Accessing Local Settings

To access the Local settings:

1. Click the Local folder (see Figure 3-2).

The following window opens:


Figure 3-3 Local Settings Overview

The Local window contains the following sections:

• Actions

  • Edit Settings enables you to edit the Pointsec PC settings for the local PC.

  • Print Settings enables you to print the active Pointsec PC settings on the local PC.

  • Export Settings to CSV File exports the active Pointsec PC settings to a CSV file.

  • View Local Log Database enables you to view the Pointsec PC logs generated by the local PC.

  • Export Local Log Database enables you to export the Pointsec PC logs generated by the local PC.

• Status displays general status information regarding Pointsec PC on your local PC.

• Encryption displays the encryption status for your local PC.

Note - Encryption is not enabled in this example since it was not selected during installation.

Editing Local Settings

To edit local Pointsec PC settings:

1. Click Edit Settings to access this feature of Pointsec PC.

The following window opens:

Figure 3-4 Edit Settings

The Local settings contain the following levels:

• System Settings - the global settings for Pointsec PC. If a setting is not enabled on this level, it will not be available on the group level. See System Settings page 35 for information on the individual settings.


• Groups - decides what settings will be available for individual user accounts. See Groups page 52 for information on the individual settings.

2. To edit a setting, double-click the setting. The available options for the setting are displayed, and you can set the appropriate option.

Overview of Local Settings

System Settings

This section describes the System Settings.

System Settings is divided into the following eight categories:

• Hardware Devices

• Install

• Logon

• Remote Help

• Screen Saver

• System Passwords Policy

• Wake on LAN

• Windows Integrated Logon

Hardware Devices

Hardware Devices contains settings for computer hardware used together with Pointsec PC. Most of the settings apply to the preboot environment, but this folder also contains the settings for hard drive slaving.

If you are not going to use smart cards in preboot, do not change the Hardware Devices settings default values.


Note - If you want to use smart cards in preboot, you will need to prepare in a number of ways. Please see the Pointsec PC Administrator’s Guide for additional information.

To see the Hardware Devices settings:

1. Select System Settings → Hardware Devices. The following settings are displayed:

Figure 3-5 Hardware Devices Settings

The following table explains each of the Hardware Devices settings:

Table 3-2 Hardware Devices Settings

Setting | Description

Required Group Authority Level | The required authority level a user account must have in order to change settings within this folder.

Enable PCMCIA | Set this setting to Yes to enable the use of PCMCIA smart cards during Pointsec PC preboot.

Enable Serial | Set this setting to Yes to enable the use of serial port connected smart cards during Pointsec PC preboot.

Enable USB | Set this setting to Yes to enable the use of USB port connected smart cards during Pointsec PC preboot.

Mouse in Preboot | Set this setting to Yes to enable the use of a mouse during Pointsec PC preboot.

Low Graphics Mode | Set this setting to Yes to enable the use of low graphics during Pointsec PC preboot.

Allow a Slave Hard Drive | If enabled, the PC will allow a secondary encrypted slave hard drive to be connected.

Allow Hard Drive to Be Slaved | Should it be possible to connect this hard drive as a slave drive on another system? If this is set to No, the drive cannot be slaved. The No value on "Allow a Slave Drive" will override the Yes value on "Allow Hard Drive to Be Slaved". It will still be possible to connect a non-encrypted hard drive to the system as a slave; the settings above concern only Pointsec PC protected drives.

Note - The Mouse in Preboot and Low Graphics Mode settings are not associated with the use of smart cards. They are preboot generic settings.

Install

Install contains settings relevant to the installation sequence.

To see the Install settings window:


1. Select System Settings → Install. The following settings are displayed:

Figure 3-6 Install Settings

The following table explains the Install settings:

Table 3-3 Install Settings

Setting | Description

Required Group Authority Level | The required authority level a user account must have in order to change settings within this folder.

Organization | The company name specified during the installation.

Product Owner | The product owner specified during the installation.

Select Language | Language used by Pointsec PC in the preboot environment, the tray application and PCMC.

Product Serial Number | Your serial number or license file.

Set Update Validation Password | This password is required in order to enable remote profile management. The validation password is the shared key between a client and a profile. If a profile carries a different key than the one set on the client, the profile is rejected and its settings are not applied. A profile inherits its password from the system on which the profile is created.

Log Password | The log password prevents unauthorized access to log files. If a user wants to view a log and the local log password does not match the log password used when the log was created, the user is prompted for that log's password.

Enable Status Export to File | When enabled, status information on the local installation is exported to a text file. (The text file is exported to the Log Path.)

Set Upgrade Path | Path where Pointsec PC will look for software upgrades. Legacy setting not used in all version 6 environments.

Set Update Profile Path | Path where Pointsec PC will look for configuration changes (configuration update profiles, i.e., new accounts, changed settings).

Set Recovery Path | Path Pointsec PC will use to write computer unique recovery files. Note - Never store the recovery file on your local drive.

Set Central Log Path | Path where Pointsec PC writes computer unique log files.

Set PKCS#11 dll Path | If smart cards are used and you want Pointsec PC to allow differentiation between different smart cards with the same certification, the PKCS#11 path has to be defined. The PKCS#11 dll file should be included with your smart card drivers.

Pointsec Service Start Account Username | If a specific Windows account should be used for writing recovery, log and status files, that account name can be specified here.

Pointsec Service Start Account Password | If a specific Windows account should be used for writing recovery, log and status files, that account password can be specified here.

Logon

Logon contains settings that control how Pointsec PC behaves during the preboot logon.

To see the Logon settings:

1. Select System Settings → Logon. The following window appears:

Figure 3-7 Logon Settings

The following table explains each of the Logon settings:

Table 3-4 Logon Settings

Setting | Description

Required Group Authority Level | The required authority level a user account must have in order to change settings within this folder.

Set Logon Verification Time | The logon verification window can be displayed after the user account successfully authenticates to Pointsec PC. The window contains information on the last logon date and time. In this field, you either
  • set the number of seconds that the logon verification window is displayed to the user, or
  • disable the display of the logon verification.

Set Max Failed Logons Before Reboot | Here you specify how many failed logon attempts can be made before the system requires a reboot. This system feature/setting is in place to stop (automated) malicious attempts to gain access to the system. Note - This feature is not associated with the number of allowed failed logon attempts a user can make before being locked out from the system.

Skip Management Console Logon | When logging on to the PCMC, should the user account's credentials from Pointsec PC automatically be re-used, or should an additional logon be required? Remember! If automatic logon is selected, you might have to restart your computer and log on again in the Pointsec PC preboot environment in order to reach the PCMC.

Allow Hibernation | Should it be possible to hibernate this PC? Hibernation will still have to be enabled in the operating system (power options).

Remote Help

Remote Help is the feature that lets administrators remotely help users to log in. Some Remote Help settings can be configured here at the system level.

Figure 3-8

The following table explains each of the Remote Help settings:

Table 3-5 Remote Help Settings

Setting | Description

Required Group Authority Level | The required authority level a user account must have in order to change settings within this folder.

Enable Remote Help | If set to No, the Pointsec PC installation won't allow users to authenticate by using Remote Help at all.

Use 20-Character Challenge | If a 20-character challenge is used, the user will have a 20-character challenge to present to their helper instead of the default 10-character challenge.

Screen Saver

In order to provide further security, Pointsec PC can handle screen saver settings on computers with Pointsec PC installed. Pointsec PC also has its own screensaver bundled.

Figure 3-9

The following table explains each of the Screen Saver settings:

Table 3-6 Screen Saver Settings

Setting | Description

Required Group Authority Level | The required authority level a user account must have in order to change settings within this folder.

Set Screen Saver Text | The text to be shown when the Pointsec PC screensaver is displayed.

Allow Windows Screen Saver | If this is set to No, users won't be able to use any screensaver other than the Pointsec PC screensaver.

System Passwords Policy

These settings govern the requirements for fixed passwords used within the system (except for user account password requirements, which are set in the group or user account settings).

In Pointsec PC 6.2, the system passwords policy is used when setting a new update validation password, log password, and setting a profile password.

Figure 3-10

The following table explains each of the System Passwords Policy settings:

Table 3-7 System Password Policy Settings

Setting | Description

Required Group Authority Level | The required authority level a user account must have in order to change settings within this folder.

Windows complexity requirements | Passwords must meet the Windows complexity requirements, which are:
  • The password must be at least 6 characters long. (Even if the minimum length setting is set to 4 or 5.)
  • The password can't contain the user account name (regardless of upper/lowercase).
  • The password must contain letters from three out of the following four groups:
      • Uppercase characters: ABCDEFGHIJKLMNOPQRSTUVWXYZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝ
      • Lowercase characters: abcdefghijklmnopqrstuvwxyzßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýþÿ
      • Base 10 digits: 0123456789
      • Nonalphanumeric characters: !"#$%&'()*+,./:;<=>?@[\]^_`{|}~

Require Letters and Digits | The password must contain both letters and digit(s).

Case Sensitivity | If this setting is set to No, the password will be interpreted as uppercase regardless of how it was entered. This can be useful to avoid users locking themselves out on laptops if NumLock is active but unnoticed. Note - This is a decrease in security when setting the password, since there will be no practical difference between "PasswoRd" and "password"; both will be interpreted and accepted as "PASSWORD".

Allow Special Characters | Should :; ! " # $ % && ' ( ) * + , - . / : < = > ? @ { } be allowed in passwords?

Allow Consecutive, Identical Characters | Should more than two identical characters be allowed in consecutive order in the password?

Require Upper and Lower Case | Should the password be required to contain both upper and lower case characters?

Allow Embedded Space Characters | Should space be allowed in the password?

Allow Leading or Trailing Space Characters | Should the password be allowed to start or end with a space?

Allow Password of Adjoining Characters | Should the password be allowed to consist of characters that are on adjoining keys on the keyboard? This setting should only be used on US Keyboard layout "QWERTY" Keyboards.

Set Minimum Length | How many characters is the minimum required for the password?

Wake on LAN

Wake on LAN contains settings that determine how the Pointsec PC Wake on LAN feature behaves. This feature allows the system to be remotely booted via the network, without halting at the preboot authentication prompt.

To see the Wake on LAN settings:

1. Select System Settings → Wake on LAN. The following window appears:

Figure 3-11 Wake On LAN Settings

The following table explains each of the Wake on LAN settings:

Table 3-8 Wake on LAN Settings

Setting | Description

Required Group Authority Level | The required authority level a user account must have in order to change settings within this folder.

Enable Wake on LAN | Enables the Pointsec PC Wake on LAN feature.

Set Start Delay | Enables you to configure how long the Pointsec PC preboot authentication window displays before Pointsec performs a Wake on LAN logon. The purpose of this delay is to allow a user to log on locally. Note - If a user account logs on during this delay, the Wake on LAN feature will be disabled.

Allow Windows Logon | Set this option to:
  • No if you want the system to be locked when booted, allowing only remote access.
  • Yes if you want it to be possible to log on to Windows when the system has been booted via the Pointsec PC Wake on LAN logon.

Set Expiration Date | Enables you to configure the date on which the Wake on LAN feature will be disabled automatically. After this date, all Wake on LAN settings are discarded.

Set Max Number of Logon Allowed | Set the number of sequential Wake on LAN logons allowed.

Windows Integrated Logon

Enabling Windows Integrated Logon bypasses the Pointsec PC preboot environment and automatically unlocks the disk decryption keys. To provide security for this feature, Pointsec PC allows several configurable checks to be executed during the startup of the computer. If a check fails, the system can be shut down and the user is forced to authenticate in Pointsec PC preboot.

Figure 3-12

The following table explains each of the Windows Integrated Logon settings:

Table 3-9 Windows Integrated Logon Settings

Setting | Description

Required Group Authority Level | The required authority level a user account must have in order to change settings within this folder.

Windows Integrated Logon | Enable or disable the bypass of the preboot authentication. If enabled, the disk decryption keys will automatically be unlocked and Windows will load.

Set PPBE Failure WIL Message | If Pointsec PC has detected a Windows Integrated Logon security issue according to its configuration, it will reboot the PC, and when it starts again the user account will be forced to authenticate in the Pointsec PC preboot environment. This message is presented to the user immediately after the preboot environment is loaded.

Enable Network Locational Awareness | If enabled, Pointsec PC will, at startup, see if a pre-defined set of network locations can be found in the currently connected network. If not, the computer will be restarted in the Pointsec PC preboot environment.

Set Network Locations | This is where the network locations used for the Network Location Awareness check at startup are specified. Note - If Network Locational Awareness is enabled, you won't be able to save the settings unless at least one network location is defined.

Set Max Failed Windows Logon Attempts | If Windows Integrated Logon is enabled, this number of failed logon attempts defines how many times a user can fail to log on to Windows before the computer restarts and forces the user to authenticate in Pointsec PC preboot.

Display Enable WIL Switch | Defines whether an "Enable WIL" (WIL = Windows Integrated Logon) choice should be shown in Pointsec PC preboot and on the Pointsec PC tray icon menu.

Enable Hardware Hash | Specifies if a unique hash should be generated based on the computer's hardware. If the hash does not match the current hardware when the computer boots, the user will have to enter credentials in preboot.

Bypass PPBE WIL message | If this setting is set to Yes, the message defined in "Set PPBE Failure WIL Message" is shown in preboot; if set to No, the message won't be shown. (Users themselves can also set this in preboot by selecting the check box "Don't show this message again" below the message.)

Set WIL User Screen Saver Timeout | If a user is logged on with Windows Integrated Logon, what should the timeout be for their screensaver, in minutes?

Groups

The settings configured for Groups are the same settings available at the user level. The settings configured here will be inherited by all users within the group.

Note - System settings will override Group settings.

Mainly group settings will be covered in this guide; stricter values can be set on user account level.

To see the entire Groups settings tree, click Group in the Edit Settings window (see Figure 3-4).

The following folder tree opens:

Figure 3-13 Groups Settings

Note - In this figure, the System folder is the name of the group that is created by default when you install Pointsec PC.

Group settings are divided into the following categories:

• Group Settings

• Authentication Settings - Fixed Password

• Authentication Settings - Smart Card

• Authentication Settings - Smart Card - Windows Smart Card Insertion/Removal Handling

• Logon

• Password Synchronization

• Permissions

• Permissions - Remote Help

• Privileged Permissions

• Single Sign-On

The following pages contain tables that explain each of the Group settings categories.


Group Settings

Table 3-10 Group Settings

Setting | Description

Logon Authorized | Select Yes if the users in this group are to be allowed to log on to the PC. If you select No, the system cannot be booted using this account.

Screen Saver Timeout | Here you set how many minutes the user must be inactive before the screen saver is activated.

Expiration Date | Enables you to configure the date after which the group and its users are expired, so that they no longer can authenticate to Pointsec PC. To activate the group and its users, an update profile is required.

Set Group Authority Level | The Group Authority Level is related to what a group is permitted to do. A group with higher group authority level can change settings of a group with a lower group authority level.


Authentication Settings - Fixed Password

Note - If you intend to use the Password Synchronization feature, the password rules must be the same in order for the synchronization to operate properly.

Table 3-11 Fixed Password Settings

Setting | Description

Windows Complexity Requirement | Passwords must meet the Windows complexity requirements, which are:
  • The password must be at least 6 characters long. (Even if the minimum length setting is set to 4 or 5.)
  • The password can't contain the user account name (regardless of upper/lowercase).
  • The password must contain letters from three out of the following four groups:
      • Uppercase characters: ABCDEFGHIJKLMNOPQRSTUVWXYZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝ
      • Lowercase characters: abcdefghijklmnopqrstuvwxyzßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýþÿ
      • Base 10 digits: 0123456789
      • Nonalphanumeric characters: !"#$%&'()*+,./:;<=>?@[\]^_`{|}~

Require Letters and Digits | The password must contain both letters and digits.

Case Sensitivity | If the password is not case sensitive, it will be interpreted as upper case regardless of how it was entered. This is useful since it avoids incidents in which users lock themselves out of their laptops because they did not notice the NumLock was on. However, this causes a decrease in security, since there will be no practical difference between "PasswoRd" and "password". Both will be interpreted and accepted as "PASSWORD".

Allow Special Characters | Enables you to configure whether :; ! " # $ % && ' ( ) * + , - . / : < = > ? @ { } are allowed in the password.

Allow Consecutive Identical Characters | Enables you to configure whether more than two identical characters are allowed in consecutive order in the password.

Require Upper and Lower Case | Enables you to configure whether the password is required to contain both upper and lower case characters.

Allow Embedded Space Characters | Enables you to configure whether embedded space is allowed in the password.

Allow Leading or Trailing Space Characters | Enables you to configure whether the password is allowed to start or end with a space.

Allow Password of Adjoining Characters | Enables you to configure whether the password is allowed to consist of keys that are placed in adjoining places on the keyboard. Note - This setting is used only on US Keyboard layout "QWERTY" Keyboards.

Set Minimum Length | Enables you to configure the minimum number of characters that must be included in the password.

Set Minimum Age | Enables you to configure how many days must pass before the user is allowed to change the password again. This setting is intended to avoid users changing passwords back to an old password after being forced to change the password.

Set Maximum Age | Enables you to configure how many days must pass before the user is prompted to change the password.

Password History | Enables you to configure how many passwords are kept in the history file to stop users from reusing passwords.
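The password rules in Table 3-7 (System Passwords Policy) and Table 3-11 (Fixed Password) can be written out as a checker that reports which settings a candidate password violates. This is an added example, not Pointsec PC code: the Policy field names, the defaults, the reading of "adjoining" as side-by-side keys on one QWERTY row, and the reading of the printed "&&" as a single "&" are assumptions. It also shows how much search space is lost when Case Sensitivity is set to No.

```python
"""Added example (not Pointsec PC code): checks a candidate password against
the rules in Tables 3-7 and 3-11. Field names and defaults are assumptions."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Character groups exactly as printed in the Windows complexity rows.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝ"
LOWER = "abcdefghijklmnopqrstuvwxyzßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýþÿ"
DIGITS = "0123456789"
NONALNUM = "!\"#$%&'()*+,./:;<=>?@[\\]^_`{|}~"
# "Allow Special Characters" list; assumption: the printed "&&" is one "&".
SPECIAL = ":;!\"#$%&'()*+,-./<=>?@{}"
# Assumption: "adjoining" means side by side on one row of a US QWERTY layout.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


@dataclass
class Policy:
    """One field per setting in the tables (names and defaults are hypothetical)."""
    windows_complexity: bool = True
    require_letters_and_digits: bool = True
    case_sensitive: bool = True
    allow_special: bool = True
    allow_consecutive_identical: bool = False
    require_upper_and_lower: bool = False
    allow_embedded_space: bool = False
    allow_leading_trailing_space: bool = False
    allow_adjoining: bool = False
    min_length: int = 8


def _adjacent(a: str, b: str) -> bool:
    return any(a in row and b in row and abs(row.index(a) - row.index(b)) == 1
               for row in QWERTY_ROWS)


def all_adjoining(password: str) -> bool:
    """True when every neighbouring pair of characters is a pair of adjoining keys."""
    low = password.lower()
    return len(low) > 1 and all(_adjacent(a, b) for a, b in zip(low, low[1:]))


def violations(password: str, account: str, policy: Policy) -> list[str]:
    """Return the names of the settings the password violates, in table order."""
    found = []
    if len(password) < policy.min_length:
        found.append("Set Minimum Length")
    if policy.windows_complexity:
        groups = sum(any(c in g for c in password)
                     for g in (UPPER, LOWER, DIGITS, NONALNUM))
        has_name = bool(account) and account.lower() in password.lower()
        # The 6-character floor applies even if min_length is set to 4 or 5.
        if len(password) < 6 or has_name or groups < 3:
            found.append("Windows complexity requirements")
    if policy.require_letters_and_digits and not (
            any(c.isalpha() for c in password) and any(c in DIGITS for c in password)):
        found.append("Require Letters and Digits")
    if not policy.allow_special and any(c in SPECIAL for c in password):
        found.append("Allow Special Characters")
    if not policy.allow_consecutive_identical and re.search(r"(.)\1\1", password):
        found.append("Allow Consecutive Identical Characters")
    if policy.require_upper_and_lower and not (
            any(c.isupper() for c in password) and any(c.islower() for c in password)):
        found.append("Require Upper and Lower Case")
    if not policy.allow_embedded_space and " " in password.strip(" "):
        found.append("Allow Embedded Space Characters")
    if not policy.allow_leading_trailing_space and password != password.strip(" "):
        found.append("Allow Leading or Trailing Space Characters")
    if not policy.allow_adjoining and all_adjoining(password):
        found.append("Allow Password of Adjoining Characters")
    return found


def effective_password(password: str, policy: Policy) -> str:
    """What is compared at logon: uppercased when Case Sensitivity is No."""
    return password if policy.case_sensitive else password.upper()


def bits_lost_without_case(length: int) -> float:
    """Search-space loss in bits for an A-Z/a-z/0-9 password of this length
    when case is ignored (alphabet shrinks from 62 to 36 symbols)."""
    return length * math.log2(62 / 36)


if __name__ == "__main__":
    # Constructed sample passwords and account names.
    for pw, acct in [("Tr4vel-Kit9", "alice"), ("qwertyui", "bob"),
                     ("Alice2007!", "alice"), ("Zaaa4kp9w", "carol")]:
        print(f"{pw!r:14} {violations(pw, acct, Policy()) or 'accepted'}")
    print(f"8 chars, case ignored: {bits_lost_without_case(8):.1f} bits lost")
```
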


Authentication Settings - Smart Card

The settings in this section govern how Pointsec PC acts in association with smart card certificate expiration and revocation dates.

The actions that are available are:

• No Action - Pointsec PC will do nothing.

• Show a notification window - Pointsec PC will display information to the end user.

• Lock the account and shut down the computer - The system will be shut down and the account will be locked.

Table 3-12 Smart Card Settings

Setting Description

Certificate Expiration Warning

Enables you to configure the number of days of warning a user receives before his or her certificate expires.

Certificate Expiration Action

Enables you to configure what Pointsec PC does when the certificate expires.

Certificate Revocation Action

Enables you to configure what Pointsec PC does when the certificate is revoked.

Authentication Settings - Smart Card - Windows Smart Card Insertion/Removal Handling

This section contains configuration settings that enable Pointsec PC to handle the Windows events that occur when a smart card is inserted into or removed from a computer. The current version only supports actions taken when a smart card is removed.

The actions that are available are:

• Do Nothing - Pointsec PC will do nothing.


• Lock the workstation - The workstation will be locked until the user authenticates again.

• Log off the user - The user will be logged off their Windows session.

• Log off and shut down - The user will be logged off and their computer shut down.

• Shut down immediately - Pointsec PC will try and force a shutdown as soon as possible without logging off the user first.

Table 3-13 Pointsec Token Insertion/Removal Handling

Setting Description

Use Pointsec Token Insertion/Removal Handling

Use Pointsec PC to manage smart card removal and reinsertion in Windows. This has to be enabled for the setting(s) below to work.

Choose Action If Smart Card Is Removed

What should Pointsec PC do if a smart card is removed?


Logon

Table 3-14 Logon Settings

Setting Description

Set Max Failed Logons

Here you configure how many failed logon attempts users in the group are allowed to make before the account is locked. When the account is locked, authentication will not be allowed. A Remote Password change is required to unlock the user.

Set Logon Limit

Here you configure how many times users within this group are allowed to log on. Tip! This setting is useful for temporary employees.

Attempts before Temporary Lockout

Here you configure how many failed attempts users in the group are allowed to make before being temporarily locked out. Being temporarily locked out means that a user will not be able to authenticate for a period of X minutes. The lock will automatically release after the time-out set in Temporary Lockout Time.

Temporary Lockout Time

Here you configure how many minutes the temporary lock will be in effect.
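The four logon settings above interact, so the following added example (not Pointsec code) models them as a small state machine and computes how many guesses an account tolerates before it is locked. Assumptions: a successful logon resets both failure counters, a guess takes no time, and the policy values used are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LogonPolicy:
    max_failed_logons: int             # Set Max Failed Logons
    attempts_before_temp_lockout: int  # Attempts before Temporary Lockout
    temp_lockout_minutes: int          # Temporary Lockout Time
    logon_limit: Optional[int] = None  # Set Logon Limit (None = no limit; assumption)


@dataclass
class Account:
    failed_total: int = 0       # counts toward the account lock
    failed_streak: int = 0      # counts toward the next temporary lockout
    logons_used: int = 0        # counts toward the logon limit
    locked: bool = False
    temp_locked_until: int = 0  # minute at which the temporary lock releases


def attempt_logon(policy, acct, now_min, credentials_ok):
    """Apply the policy to one logon attempt and return the outcome as a string."""
    if acct.locked:
        return "locked"                      # only a Remote Password Change unlocks
    if now_min < acct.temp_locked_until:
        return "temp_locked"                 # releases by itself after the time-out
    if policy.logon_limit is not None and acct.logons_used >= policy.logon_limit:
        return "logon_limit_reached"
    if credentials_ok:
        acct.failed_total = acct.failed_streak = 0  # assumption: success resets counters
        acct.logons_used += 1
        return "ok"
    acct.failed_total += 1
    acct.failed_streak += 1
    if acct.failed_total >= policy.max_failed_logons:
        acct.locked = True
        return "locked"
    if acct.failed_streak >= policy.attempts_before_temp_lockout:
        acct.failed_streak = 0
        acct.temp_locked_until = now_min + policy.temp_lockout_minutes
        return "temp_locked"
    return "failed"


def remote_password_change(acct):
    """Model of the helpdesk unlock: clears the lock and the failure counters."""
    acct.locked = False
    acct.failed_total = acct.failed_streak = 0
    acct.temp_locked_until = 0


def guesses_until_locked(policy):
    """Return (guesses, elapsed minutes) for a guesser who retries as soon as allowed."""
    acct, now_min, guesses = Account(), 0, 0
    while not acct.locked:
        result = attempt_logon(policy, acct, now_min, credentials_ok=False)
        guesses += 1
        if result == "temp_locked":
            now_min = acct.temp_locked_until  # wait out the temporary lockout
    return guesses, now_min


if __name__ == "__main__":
    # Constructed policy: lock after 9 failures, 10-minute pause after every 3.
    print(guesses_until_locked(LogonPolicy(9, 3, 10)))
```

The temporary lockout only slows guessing down; the bound on total guesses comes from Set Max Failed Logons alone.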


Password Synchronization

The settings in this section enable you to allow the Pointsec PC password to be synchronized with the Windows password.

Table 3-15 Password Synchronization Settings

Setting Description

Synchronize Windows Password to Preboot

If set to Yes, when you change the password for your Windows user account, your Pointsec PC user account will also be updated to use the same password.

Synchronize Preboot Password to Windows

If set to Yes, when you change the password for your user account for Pointsec PC, your Windows user account will also be updated to use the same password.

Permissions

The settings in this section enable you to configure what the users in the group are allowed to do with regard to the Pointsec PC operative features (for example: view logs, change password, etc.) once Pointsec PC is deployed to their systems.

Table 3-16 Permissions Settings

Setting Description

Change Credentials

Enables you to configure whether the user accounts in the group are allowed to change their credentials. This setting must be reviewed when using the password synchronization feature. If the user account is not allowed to change a password, the password synchronization feature will not work.


Change Single Sign-On

Enables you to configure whether the user accounts in this group are able to temporarily disable single sign-on. This can be useful if a user occasionally logs on to different domains.

View Logs

Enables you to configure whether the user accounts in this group are allowed to view the Pointsec PC logs. Note - Even if this is not allowed, users will still be able to view the Pointsec PC logs from the operating system’s Event viewer if the user is granted permissions in the operating system.

Uninstall

Enables you to configure whether the user accounts in this group are allowed to uninstall Pointsec PC. Note - When uninstalling Pointsec PC from the operating system, authentication by two accounts is required. Best practice is to allow your users to uninstall without allowing them to create recovery media. Combined with the concept of temporary users, this will ensure that two users will not be able to uninstall systems.


Access to Local

Enables you to configure whether the user accounts in this group are allowed to access the PCMC Local Settings. Note - If the user cannot access the local PCMC settings, the user may not be able to exercise other granted permissions since he will not have access to the PCMC GUI.

Access to Remote

Enables you to configure whether the user accounts in this group are allowed to access the PCMC Remote Settings. Note - If the user cannot access the remote PCMC settings, the user may not be able to exercise other granted permissions since he will not have access to the PCMC GUI.

Remote Help

Enables you to configure whether the users in the group are allowed to help another user with a password reset.

Management Console Logon

Enables you to configure whether the user is allowed to open the PCMC. Note - If users cannot open the PCMC they will not have access to additional granted permissions.

Create Recovery Media

Enables you to configure whether the user accounts in this group are allowed to participate in creating recovery media. To do this, two authentications are required. We recommend that you reserve this setting for system administrators.


Allow Logon to Hibernated System

If this permission is granted, the user will be able to resume a PC that was hibernated by another user. Note - The user must be able to authenticate to Windows. As a result, the hibernated content will be discarded.

Change to Fixed Password

Enables you to configure whether the user accounts in this group are able to change the authentication method from Smart Card or Dynamic Token to Fixed Password.

Change to Dynamic Token

Enables you to configure whether the user accounts in this group can change the authentication method from Dynamic Token to Smart Card or Fixed Password.

Change to Smart Card

Enables you to configure whether the user accounts in this group can change the authentication method from Smart Card to Dynamic Token or Fixed Password.

Change Credentials from Pointsec PC tray

If this is allowed, the user accounts in this group will be able to change the password via the Pointsec PC tray application. As a result, the user will also be able to change the authentication method via the tray. Note - Please consider the risk of spyware before granting this permission. We recommend that the password is changed via the Pointsec PC preboot authentication.


Permissions - Remote Help

The settings in this section enable you to specify the Remote Help detail settings on a more granular level.

Remote Help is a collective name for the following two different types of authentication assistance:

• Remote Password Change - Forces users to change their password and subsequently grants them access to the system.

This is the most common authentication assistance method.

• One-time Login - Grants users access to the system without forcing a password change.

This type of authentication can be used when a smart card user is granted one-time access to the system without a smart card (for example, in an "I forgot my card at home" scenario).

Note - There are system settings that govern Remote Help on a system level.

Table 3-17 Remote Help Settings

Setting Description

Provide "Remote Password Change"

Enables you to configure whether the user account can help other users to reset their password.

Provide "One-Time Logon"

Enables you to configure whether the user account can grant other users one-time login.

Receive "Remote Password Change"

Enables you to configure whether the user account can get assistance when resetting the password.

Receive "One-Time Logon"

Enables you to configure whether the user account can be granted a one-time logon.


Response Format

Enables you to configure how the challenge/response is presented (Numeric or Alphanumeric). The default and most commonly used response format is numeric.

Privileged Permissions

The settings in this section enable you to configure administration rights for users in the group (for example, adding/deleting groups, adding/deleting users and editing system settings).

Note - Privileged Permission settings are administrator settings and are not normally granted to end users.

Table 3-18 Privileged Settings

Setting Description

Change Permissions

Enables you to configure whether or not the users in this group will be able to edit the values of the settings under the Permissions sections.

Change Privileged Permissions

Enables you to configure whether or not the users in this group will be able to edit the values of the settings under the Privileged Permissions sections.

Create User Accounts

Enables you to configure whether the users in the group are allowed to create accounts.

Create Groups

Enables you to configure whether the users in the group are allowed to create groups.


Advanced Profile Editing

If this setting is set to Yes it allows you to open and edit profiles created with a previous Pointsec PC version. It also allows the changing of group and user account GUIDs.

Create Profiles

Enables you to configure whether the users in the group are allowed to create Pointsec PC profiles.

Remove User Accounts

Enables you to configure whether the users in the group are allowed to delete user accounts.

Remove Groups

Enables you to configure whether the users in the group are allowed to delete groups. Note - In effect, enabling this setting also enables Remove User Accounts. Deleting a group will also delete all users within the group.

Remove Profiles

Enables you to configure whether the users in the group are allowed to delete Pointsec PC profiles. This setting is in effect only when working inside the Pointsec PC Installations interface. A profile can still be deleted from the operating system.

Edit System Settings

Enables you to configure whether the users in the group are allowed to edit the system settings.


Access to Local

Should the user accounts in the group be able to access the Local Settings in PCMC? Note - If this is not granted, users may not be able to exercise other granted permissions in the Local section of the PCMC GUI because they cannot access them.

Access to Remote

Should the user accounts in this group be able to access the Remote Settings in PCMC? Note - If this is not granted, users may not be able to exercise other granted permissions in the Remote section of the PCMC GUI because they cannot access them.


Single Sign-On

The settings in this section enable you to specify Single Sign-On settings for the group.

Table 3-19 Single Sign-On Settings

Setting Description

Enable SSO

Enables you to configure whether Pointsec PC records the credentials and re-uses them during the next logon to reduce the number of authentications for the user.

Entrust SSO

Enables you to configure whether Pointsec PC will perform single sign-on to Entrust.

Smart Card Triggers Windows SSO Logon

Enables you to configure whether Single Sign-On is automatically activated for user accounts that authenticate with smart cards. If this is enabled, Pointsec PC stores the smart card PIN and re-uses it the next time the user account logs on.


Chapter 4 Creating a Pointsec PC Profile

In This Chapter

Overview

Creating an Update Validation Password

Creating a Configuration Set

Creating a Profile


Overview

As described in “Pointsec PC Management Console - an Overview” on page 27, PCMC consists of a section called Remote. Pointsec PC profiles are created, edited and managed in the Remote section.

To centrally manage your clients, Pointsec PC uses four types of profiles: install profiles, update profiles, upgrade profiles, and uninstall profiles. This concept allows you to install, update, upgrade from Pointsec for PC 4.x/5.x, and uninstall clients, all from a central location.

In this chapter, you will learn how to create a working profile that is ready for client deployment. You can modify the profile after creating it.

Creating a profile can be divided into the following steps:

• Creating an update validation password, see page 73

• Creating a configuration set, see page 74

• Creating a profile, see page 79.

When working through the steps outlined in this chapter, modify the search paths, user account names, password, etc., to personalize the profile to your environment.

Note - Please read and follow the steps in Chapter 2, “Master Installation” prior to working and reading through this chapter. Remember that once the profile is created, the Master Install profile should be removed and subsequently reinstalled using the profile created in this chapter.


Creating an Update Validation Password

To create a profile, you must first set an Update Validation Password.

To use profiles securely, a shared secret is required between your profiles and the clients that you are managing. This shared secret is a password that is set for your clients and your profiles.

The profile will inherit its password from the workstation on which the profile is created.

To create the Update Validation password:

1. Start Pointsec PC Management Console (PCMC) as described in “Starting PCMC” on page 29.

2. Select Local → Edit Settings → Install.

3. Double click Set Update Validation Password and enter the password in the field provided.

The password entered in this step will be used in the profile you create as the shared secret which verifies whether or not a profile can be imported.


Creating a Configuration Set

Before creating the new profile, you must first create a configuration set. Configuration sets make profile management, editing and deployment easier.

To create a configuration set:

1. In PCMC, select Remote. The following window opens:

Figure 4-1 Remote Settings

1. In the New Configuration Set box (see Figure 4-1) click New Set.

The following window opens:


Figure 4-2 New Configuration Set Wizard

2. Click Next to continue.

The following window opens:

Figure 4-3 New Configuration Set Wizard - Name

3. Enter a descriptive name for the configuration set.


Note - You can choose to have Pointsec PC automatically create a directory structure (folders); this is not described in this guide. For more information, see the Pointsec PC Administrator’s Guide.

4. Click Next to continue.

The following window opens:

Figure 4-4 New Configuration Set Wizard - Path Settings

5. Specify a Profile Storage Path, the path to a directory that will hold the profiles while you edit them. The profiles you are working on will be stored in this directory until you publish them. When you've configured a storage path, click Next.

Best practice is to specify all paths in UNC format (written in the form \\<server>\<share>\...).

Note - You must click Add for the path to be included in the set.


6. Specify an Update Profile Path, the path to a directory from which clients will pull update and uninstall profiles. When finished, click Next.

IMPORTANT - Never set your Update Profile Path so it matches the Profile Storage Path. If the same settings are implemented on the clients it will cause them to start importing profiles that you're still working on and that haven't been published. The Profile Storage path is your "personal profiles in progress" storage.

7. Specify an Install Path, the path to a directory containing the Pointsec PC installation package. When finished, click Next.

8. Specify a Central Log Path, a path to a directory into which the clients in the set will copy their log files. When finished, click Next.

9. Specify a Recovery Path, a path to a directory into which the clients in the set will copy their recovery files. When finished, click Next.

10. Specify an Upgrade Path, a path to a directory in which upgrade package files are located and from which clients download these files. When finished, click Next.

11. Create the set by clicking Finish:


Figure 4-5

12. The set is created and you are now returned to the PCMC GUI.

Note that the set configuration is saved when the set is created.

You see the configuration set you created under the Remote branch of the PCMC folder tree, as shown in the following image:

Figure 4-6 Configuration Set

Next, you will create the profile.
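The path rules from the configuration set steps above can be checked before a set is created. The following is an added example, not part of Pointsec PC: it flags non-UNC paths, an Update Profile Path that matches the Profile Storage Path after normalization, and a Recovery Path on an encrypted volume. The server names, the dictionary layout and the drive-letter mapping of encrypted volumes are constructed assumptions.

```python
import ntpath

# The six paths the New Configuration Set Wizard asks for.
PATH_SETTINGS = (
    "Profile Storage Path",
    "Update Profile Path",
    "Install Path",
    "Central Log Path",
    "Recovery Path",
    "Upgrade Path",
)


def normalize(path):
    """Canonical form for comparison: backslashes, lower case, no '..', no trailing slash."""
    return ntpath.normcase(ntpath.normpath(path.strip())).rstrip("\\")


def is_unc(path):
    """True for \\\\<server>\\<share>\\... paths (both server and share present)."""
    drive, _ = ntpath.splitdrive(normalize(path))
    parts = [p for p in drive[2:].split("\\") if p]
    return drive.startswith("\\\\") and len(parts) == 2


def check_configuration_set(paths, encrypted_drives=()):
    """Return a list of (setting, finding) tuples; an empty list means no findings.

    encrypted_drives is an assumption of this example: drive letters such as
    "C:" that correspond to the volumes selected for encryption.
    """
    findings = []
    for setting in PATH_SETTINGS:
        value = paths.get(setting)
        if value and not is_unc(value):
            findings.append((setting, "not-unc"))

    storage = paths.get("Profile Storage Path")
    update = paths.get("Update Profile Path")
    # Clients pull from the Update Profile Path, so it must not be the
    # directory that holds unpublished work in progress.
    if storage and update and normalize(storage) == normalize(update):
        findings.append(("Update Profile Path", "same-as-profile-storage-path"))

    recovery = paths.get("Recovery Path")
    if recovery:
        drive, _ = ntpath.splitdrive(normalize(recovery))
        if drive in {d.lower() for d in encrypted_drives}:
            findings.append(("Recovery Path", "on-encrypted-volume"))
    return findings


# Constructed sample input: FS01 and the share names are placeholders.
GOOD_SET = {
    "Profile Storage Path": r"\\FS01\Pointsec\Work",
    "Update Profile Path": r"\\FS01\Pointsec\Publish",
    "Install Path": r"\\FS01\Pointsec\Install",
    "Central Log Path": r"\\FS01\Pointsec\Logs",
    "Recovery Path": r"\\FS01\Pointsec\Recovery",
    "Upgrade Path": r"\\FS01\Pointsec\Upgrade",
}
BAD_SET = dict(
    GOOD_SET,
    **{
        "Profile Storage Path": "\\\\FS01\\Pointsec\\Work\\",
        "Update Profile Path": "//fs01/pointsec/work",  # same directory, written differently
        "Recovery Path": r"C:\Pointsec\Recovery",        # local, on an encrypted volume
    },
)

if __name__ == "__main__":
    for finding in check_configuration_set(BAD_SET, encrypted_drives=("C:",)):
        print(finding)
```

Comparing normalized paths matters because the same directory can be written with different case, slashes or a trailing separator.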


Creating a Profile

In This Section

Creating a New Profile

Configuring the New Profile

Adding a Group to the New Profile

Creating a User Account

Adding User Accounts to the Group

Configure the Temporary User

Creating a New Profile

Once the Update Validation password is set and the configuration set has been created, you can create a Pointsec PC profile.

To create a Pointsec PC profile:

1. Right-click the Profile icon and select New Profile as shown in the following figure:

Figure 4-7 New Profile


The New Profile menu contains the following options:

Table 4-1 New Profile Menu Options

Name Comments

Install Silent

This profile type will install Pointsec PC on the clients silently to the user. The silent nature of this type of profile can be useful when increasing the enforceability of the installation.

Install Interactive

This profile type will allow you to communicate to your users during installation. It can also allow/force some user interaction during the installation. Note - Allowing user interaction decreases the enforceability of the installation, since completion of the installation process is somewhat dependent on the user's interaction.

4.x/5.x Upgrade Silent

This profile type is used to create automatic silent installations of Pointsec PC v6.x on legacy Pointsec for PC v4.x and v5.x installations.

4.x/5.x Upgrade Interactive

This profile type is used to create automatic interactive installations of Pointsec PC v6.x on legacy Pointsec for PC v4.x and v5.x installations.

Update

This profile type enables you to add user accounts, edit settings, etc., from a central location.

Uninstall

Uninstall profiles enable you to use a central location to remove Pointsec PC from users’ computers.

2. Select Install Silent.


The following dialog opens:

Figure 4-8 Name and Protection

3. Enter the name of the profile and its password in the fields provided.

Note - The Profile Protection password is used to protect the profile from unauthorized editing and should not be confused with the Update Validation password.

The following dialog opens:

Figure 4-9


4. Since we are making this profile from scratch we do not want to base the profile on our existing settings or any existing profiles, so leave that check box unchecked. Then click Next and Finish to complete the wizard.

Configuring the New Profile

To create a working standard profile that is able to work in a variety of environments, the profile must be configured. See “Editing Local Settings” on page 34 for more information.

To configure the new profile settings:

1. In the PCMC GUI, select Remote.

2. Select the set containing your profile and then Profiles. Double-click on the profile you want to configure. You will have to enter the profile protection password in order to open it and to be able to edit it.

3. Edit or review the settings as specified in the following sections.

When creating a profile, the Install section contains three settings that were not covered in Chapter 3, “Pointsec PC Management Console - an Overview”:

Table 4-2

Setting Comments

Set Installation Message

Here you can enter text that will be displayed to the end user prior to the installation start. Text will not be displayed if a silent profile is used.


Set Post-Installation Message

Here you can enter text that will be displayed to the end user when the installation is completed and the system is ready to be rebooted. Text will not be displayed if a silent profile is used.

Select Volume Protection

This is where you select which volumes you would like to protect. Again, remember to never store the recovery file on the volume selected for encryption. By default, the first 12 volumes on the first disk are selected for preboot authentication and encryption.

Reviewing Hardware Devices Settings

Select Hardware Devices. Leave the default values as shown in the following table:

Table 4-3 Hardware Devices Settings

Name Comments

Required Group Authority Level 9

PCMCIA No

Serial No

USB No

Mouse in Preboot Yes

Low Graphics Mode No

Allow a Slave Hard Drive No

Allow Hard Drive to be Slaved No


Editing Install Settings

Select Install, and edit the Install settings according to the following table:

Table 4-4 Install Settings

Setting Comments

Required Group Authority Level

9

Organization

Enter the name of your company.

Product Owner

Pointsec Client at

Set Installation Message

-

Set Post-Installation Message

-

Select Language

US English

Product Serial Number

Enter your Pointsec PC license number or choose your Check Point license file.

Set Log Password

Enter a strong password that you'll remember. This password will be used to protect the log files.

Set Update Validation Password

Has already been done, see “Creating an Update Validation Password” on page 73.

Enable export of status to file

No

Set Upgrade Path

-

Set Update Profile Path

Set the path that you want your client to use for downloading configuration updates, for example: \\My_Server\Same_as_the_Update_Profile_Path_set_on_the_clients


Set Recovery Path

Set the path where you want your clients to store recovery files, for example: \\My_Server\Same_as_the_Recovery_Path_set_on_the_clients

Set Central Log Path

Set the path where you want your clients to store log files, for example: \\My_Server\Same_as_the_Log_Path_set_on_the_clients

Set PKCS#11 dll Path

-

Select Volume Protection

Open and check that the following default values are set: Algorithm: AES. Volumes 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 and 11 selected for preboot authentication and encryption.

Pointsec Service Start Account Username

-

Pointsec Service Start Account Password

-


Reviewing Logon Settings

Select Logon. Leave the default values as shown in the following table:

Table 4-5 Logon Settings

Name Comments

Required Group Authority Level 9

Logon Verification Disabled

Set Max Failed Logons Before Reboot 5

Skip Management Console Logon No

Allow Hibernation Yes

Reviewing Remote Help Settings

Select Remote Help. Leave the default settings as shown in the following table:

Table 4-6 Remote Help Settings

Setting Description

Required Group Authority Level 9

Enable Remote Help Yes

Use 20-Character Challenge No


Reviewing Screen Saver Settings

Select Screen Saver. Leave the default settings as shown in the following table:

Table 4-7 Screen Saver Settings

Setting                                         Description
Required Group Authority Level                  9
Set Screen Saver Text                           Enter the text "This computer has been protected by Pointsec PC."
Allow Windows Screen Saver                      Yes

Reviewing System Passwords Policy Settings

Select System Passwords Policy. Leave the default settings as shown in the following table:

Table 4-8 System Passwords Policy Settings

Name                                            Comments
Required Group Authority Level                  9
Windows complexity requirements                 No
Require Letter and Digits                       No
Case Sensitivity                                Yes
Allow Special Characters                        Yes
Allow Consecutive, Identical Letters            No
Require Upper and Lower Case                    No
Allow Embedded Space Characters                 Yes

Table 4-8 System Passwords Policy Settings (continued)

Name                                            Comments
Allow Leading or Trailing Space Characters      No
Allow Password of Adjoining Characters          No
Set Minimum Password Length                     6

Reviewing Wake on LAN Settings

Select Wake on LAN. Leave the default settings as shown in the following table:

Table 4-9 Wake on LAN Settings

Name                                            Comments
Required Group Authority Level                  9
Enable Wake on LAN                              No
Set Start Delay                                 0
Allow Windows Logon                             No
Expiration Date                                 -
Set Max Number of Logon Allowed                 10

Reviewing Windows Integrated Logon Settings

Select Windows Integrated Logon. Leave the default settings as shown in the following table:

Table 4-10 Windows Integrated Logon Settings

Setting                                         Description
Required Group Authority Level                  9
Windows Integrated Logon                        Disabled
Set PPBE Failure WIL Message                    -

Table 4-10 Windows Integrated Logon Settings (continued)

Setting                                         Description
Enable Network Locational Awareness             No
Set Network Locations                           -
Set Max Failed Windows Logon Attempts           10
Display Enable WIL Switch                       No
Enable Hardware Hash                            No
Bypass PPBE WIL message                         No
Set WIL User Screen Saver Timeout               10

This completes the system settings part of your new profile. Next, you will populate the system with groups.

Adding a Group to the New Profile

The group created in this section will be the group that contains the System Administrator users. For this reason, this group will be assigned system administration level permissions.

To add a group to the new profile:

Figure 4-10 Create New Group

1. Right-click the Groups icon and select New Group.

The following dialog opens:

Figure 4-11 New Group Dialog Box

2. In the field provided, enter ‘My System Admins’ as the name for the group and click OK.

Note - Pointsec PC can only be as secure as its configuration. There are several considerations to be made related to group and user account settings. Therefore, you need to review which settings best suit your organization.

For example, in this guide we will not grant permissions to anyone besides members of the system admin group to provide Remote Help. The reason for this is that we have configured the System Administrators as fixed password user accounts who are allowed to receive remote help. If user accounts outside the system administrators group were allowed to provide remote help, they could potentially gain System Administrator access.

Please contact your Sales Engineers for assistance with suggestions for best practices for your organization.

Editing Group Settings

1. Select the group you want to edit, for example My Sys Admins, and then Group Settings.

2. Assign the following permissions/values for the group you just created:

Table 4-11 Group Settings

Setting                                         Assign this value:
Logon Authorized                                Yes
Set Screen Saver Timeout                        10
Set Expiration Date                             -
Set Group Authority Level                       <=9 (Group Authority Level of 9, and allow changing settings of groups with equal authority level)

Editing Fixed Passwords Settings

1. Select Group Settings → Authentication Settings → Fixed Password.

2. Assign the following permissions/values for the group you just created:

Table 4-12 Fixed Password Settings

Setting                                         Assign this value:
Windows complexity requirements                 No
Require Letters and Digits                      No
Case Sensitivity                                Yes
Allow Special Characters                        Yes
Allow Consecutive Identical Characters          No
Require Upper and Lower Case                    No
Allow Embedded Space Characters                 Yes
Allow Leading or Trailing Space Characters      No
Allow Password of Adjoining Characters          No
Set Minimum Length                              6
Set Minimum Age                                 No Minimum age for Password
Set Maximum Age                                 No Maximum age for Password
Password History                                1

Editing Smart Card Settings

1. Select Group Settings → Authentication Settings → Smart Card.

2. Assign the following permissions/values for the group you just created:

Table 4-13 Smart Card Settings

Setting                                         Assign this value:
Certificate Expiration Warning                  15
Certificate Expiration Action                   No action
Certificate Revocation Action                   No action

Editing Windows Smart Card Insertion/Removal Handling

1. Select Group Settings → Authentication Settings → Smart Card → Windows Smart Card Insertion/Removal Handling.

2. Assign the following permissions/values for the group you just created:

Table 4-14 Windows Smart Card Insertion/Removal Handling Settings

Setting                                         Assign this value:
Use Pointsec Token Insertion/Removal Handling   No
Choose Action if Smart Card is Removed          Do nothing

Editing Logon Settings

1. Select Group Settings → Logon.

2. Assign the following permissions/values for the group you just created:

Table 4-15 Logon Settings

Setting                                         Assign this value:
Set Max Failed Logons                           Disabled
Set Logon Limit                                 Disabled
Attempts before Temporary Lockout               Disabled
Temporary Lockout Time                          Disabled

Editing Password Synchronization Settings

1. Select Group Settings → Password Synchronization.

2. Assign the following permissions/values for the group you just created:

Table 4-16 Password Synchronization Settings

Setting                                         Assign this value:
Synchronize Windows Password to Preboot         No
Synchronize Preboot Password to Windows         No

Editing Permissions Settings

1. Select Group Settings → Permissions.

2. Assign the following permissions/values for the group you just created:

Table 4-17 Permissions Settings

Setting                                         Assign this value:
Change Credentials                              Yes
Change Single Sign-On                           Yes
View Logs                                       Yes
Uninstall                                       Yes
Management Console Login                        Yes
Create Recovery Media                           Yes
Allow Logon to Hibernated System                Yes
Change to Fixed Password                        Yes
Change to Dynamic Token                         Yes
Change to Smart Card                            Yes
Change Credentials in the Pointsec PC tray      No

Editing Privileged Permissions Settings

1. Select Group Settings → Privileged Permissions.

2. Assign the following permissions/values for the group you just created:

Table 4-18 Privileged Settings

Setting                                         Assign this value:
Change Permissions                              Yes
Change Privileged Permissions                   Yes
Create User Accounts                            Yes
Create Groups                                   Yes
Advanced Profile Editing                        Yes
Create Profiles                                 Yes
Remove User Accounts                            Yes
Remove Groups                                   Yes
Remove Profiles                                 Yes
Edit System Settings                            Yes
Access to Local                                 Yes
Access to Remote                                Yes

Editing Remote Help Settings

1. Select Group Settings → Permissions → Remote Help.

2. Assign the following permissions/values for the group you just created:

Table 4-19 Remote Help Settings

Setting                                         Assign this value:
Provide "Remote Password Change"                Yes
Provide "One-Time Logon"                        Yes
Receive "Remote Password Change"                Yes
Receive "One-Time Logon"                        Yes
Response Format                                 Numeric

Editing Single Sign-On Settings

1. Select Group Settings → Single Sign-On.

2. Assign the following permissions/values for the group you just created:

Table 4-20 Single Sign-On Settings

Setting                                         Assign this value:
Enable SSO                                      No
Entrust SSO                                     No
Smart Card Triggers Windows SSO Logon           Disabled

This concludes the creation of the System Administrators group. Next, you must create the group that will hold the user accounts.

Creating a User Account

To avoid having to set up a specific user account per workstation, Pointsec PC offers a user account type called temporary user. A temporary user account has the following characteristics:

• A temporary user account is converted into a normal user account when a successful login is completed.

• The temporary user account’s username and password can be communicated to your organization.

• The first time your users are prompted to authenticate themselves to Pointsec PC in the preboot environment, they will use the temporary user account’s username and password. When the user logs on again, she will be prompted to change her username and password to personalize the user account.

To create a temporary user account:

1. Create a new group. See “Adding a Group to the New Profile” on page 90 for additional information.

For example purposes, name the group Local Users.

Normally the default settings can be given to end users. However, since the default values are a compromise between security and usability, some of the values will be changed in the following steps.

2. Select Edit Settings → Groups → Local Users.

3. Select Group Settings.

Edit the settings for the group according to the instructions below; leave all settings not listed with the default value:

Table 4-21 Group Settings

Name                                            Comments
Expiration Date                                 Set an expiration date for this group.

Note - Remember to set the expiration date well within the time frame that you expect your users to activate the temporary user account. If the configured date has passed, logon will not be possible with the temporary account.

4. Select Group Settings → Logon.

For Logon settings, assign the following permissions/values for the group you just created:

Table 4-22 Logon Settings

Name                                            Comments
Set Max Failed Logons                           5

5. Select Group Settings → Authentication Settings → Fixed Password.

For Fixed Password settings, assign the following permissions/values for the group you just created:

Table 4-23 Fixed Password Settings

Name                                            Comments
Set Minimum Age                                 1
Set Maximum Age                                 90
Password History                                5

6. Select Group Settings → Permissions.

For Permissions settings, assign the following permissions/values for the group you just created:

Table 4-24 Permissions Settings

Name                                            Comments
Change Credentials                              Yes
Change Single Sign-On                           Yes
Uninstall                                       Yes

Note - User accounts are allowed to uninstall so that they can run recovery. The Uninstall permission means that users’ credentials will be accepted as one of two required authentications during uninstall. Since the Temporary User feature is already used, the only accounts on the workstation will be the user’s and the System Administrator’s. As a result, a System Administrator must approve the removal of Pointsec PC.

7. Select Group Settings → Permissions → Remote Help.

For Remote Help settings, assign the following permissions/values for the group you just created:

Table 4-25 Remote Help Settings

Name                                            Comments
Receive "Remote Password Change"                Yes
Receive "One-Time Logon"                        Yes

8. Select Group Settings → Single Sign-On.

For Single Sign-On settings, assign the following permissions/values for the group you just created:

Table 4-26 Single Sign-On Settings

Name                                            Comments
Enable SSO                                      Yes

The group and user accounts are complete. The PCMC GUI appears as follows:

Figure 4-12 Pointsec PC GUI

Next, you must add user accounts to your groups.

Adding User Accounts to the Group

To populate the My System Admins group:

1. Select Groups → My System Admins.

Figure 4-13 Add User Account

2. Right-click User Accounts and select Add User Account.

The following dialog opens:

Figure 4-14 User Account Details

3. Enter the following:

• In the User account name field, enter SYSADMIN1.

• In the Type of user account field, select Normal.

• In the Authentication method section, select Password.

Click Next to continue.

The following window appears:

Figure 4-15 Password Details

4. In the Password and Confirm Password fields, enter My1secretpw.

Remember the password requirements that were specified for the My System Admin group. In this dialog you can also force a password change.

Click Next to continue. The summary window appears.

5. Click Finish.

Repeat step 1 through step 5 to add the following two additional user accounts.

Name                                            Password
SYSADMIN2                                       My2secretpw
SYSADMIN3                                       My3secretpw

Next, add the temporary user account.

Configure the Temporary User

To configure the temporary user:

1. Collapse the My System Admins group and expand the Local Users to show the User Account icon.

2. Right-click the User Account icon connected to the Local Users group and choose Add User Account.

The following dialog opens:

Figure 4-16 User Account Details

3. Enter the following:

• In the User account name field enter TEMPUSER.

• In the Type of user account field select Temporary.

• In the Authentication method section select Password.

Click Next to continue. Another dialog box opens.

4. In the Password and Confirm Password fields, enter T3mpPWD.

Remember the password requirements that were specified for the "Local Users" group.

Click Next to continue. A summary dialog opens.

5. Click Finish.

Note - When adding the temporary user account, you do not have the option of forcing a password change in the Password Details dialog (see Figure 4-15). When deploying Pointsec PC with the temporary user account feature, you must manage the user account via the group the user account belongs to, because when the temporary user account is activated to a normal user account, its username and unique identifier change.

Now your profile is ready to be deployed to your client workstations.

Chapter 5

Deploy Pointsec PC to Your Clients

In This Chapter

Overview

Deploy Pointsec PC to a Client

Overview

Deploying Pointsec PC to your clients essentially means that the software will be installed with the configurations set during the creation of the Installation profile (see chapter 4, “Creating a Pointsec PC Profile” on page 71).

To recap: this is what we selected when creating our profile:

• Silent installation profile.

• Specified our "global" system settings.

• Created the groups that should be available on the clients.

• Populated the groups with user accounts.

Now we should prepare and copy the Pointsec PC install package to a central location that our clients can access.

Deploy Pointsec PC to a Client

In This Section

Utilize Logon Scripts

Results of Script Execution

In this section, the Pointsec PC installation package is prepared and copied to a central location to which clients have access.

Note - For example purposes it will be assumed that the share that is used for hosting the installation, recovery, log, and update paths is available and that full permissions are granted to all users in your environment. In addition, we will assume that users are local administrators on their systems. For complete information on permission requirements, see the Pointsec PC Installation Guide and the Pointsec PC Administrator’s Guide.

To deploy Pointsec PC to a client:

1. When you created the Configuration Set (see “Creating a Configuration Set” on page 74), you also created a storage path (see Figure 4-5).

a. Open an Explorer window to the path specified in the Storage Path field.

b. Locate the Silent_Install_Profile.isp file. This file contains your configuration.

2. Browse to the folder 1_Pointsec for PC in the Pointsec PC installation media.

3. Copy the Silent_Install_Profile.isp profile file to the root of 1_Pointsec for PC.

Figure 5-1

4. Copy the 1_Pointsec for PC folder (along with its content) to a server share that your end users can access.

Go through the following checklist to make sure you are ready for the deployment.

Item Check

Profile configuration is done.

You have stored your system administrator credentials in a secure place.

Server shares are set up.

User permissions to server shares have been set up.

Your clients meet the system requirements.

You have done the software inventory on your clients.

You have communicated the credentials for the Temporary User account to your end users.

You have set up a location from which the clients will be deployed.

Your users have the appropriate permissions on their local machines.

Utilize Logon Scripts

Pointsec for PC.msi is the file that starts the Pointsec PC installation; there are various ways to get Pointsec for PC.msi running on the clients. This guide will not go into details on this; the important thing is that you get the command to run on your clients. In this example we will utilize logon scripts.

To run Pointsec for PC.msi on the clients:

1. Add the following command to the logon script that is executed when your users log on:

Msiexec.exe /i "[PATH TO MSI]\Pointsec for PC.msi" REBOOT=R /q

Note: Replace [PATH TO MSI], including the brackets, with the actual path to the MSI file. The /q switch instructs InstallShield to run the installation silently.

Results of Script Execution

Since the Silent Install was selected and the /q switch was used, the user will not see anything during the first phase of the Pointsec PC installation. When the system is rebooted, the following can be seen on the user’s screen:

Figure 5-2 Preboot Environment Preparation

Once the system completes the reboot process, the following preboot authentication dialog opens:

Figure 5-3 Preboot Authentication

1. Authenticate with the Temporary User credentials (see “Creating a User Account” on page 98) and click OK.

The following window opens:

Figure 5-4 Warning to Change Password and Username

2. Click OK to continue.

The following window opens:

Figure 5-5 Change Account Name

3. In the User account name field, enter a new name and click OK.

The following dialog opens:

Figure 5-6 Change Password

4. In the New Password and Confirm your new password fields, enter a new password and click OK.

The first logon is complete and the system boots normally.

Chapter 6

FAQ

This chapter will briefly cover some of the most common Pointsec PC questions.

For additional information see the documentation provided with the product:

• Pointsec PC Installation Guide

• Pointsec PC Administrator’s Guide

• Pointsec PC Release Notes

Question 1:

I want to add a user account and change settings on the PCs on which I have deployed Pointsec. How do I do this?

Answer 1:

The best way to achieve this is to add the user to an update profile and deploy this profile to the system where you want the user account to be added.

To create an update profile:

1. Start PCMC and select Remote.

2. Open the configuration set that you used to create the installation profile.

3. Right-click Profiles, and select New Profile → Update.

4. Give your update profile a meaningful name.

5. Set a Profile protection password (to avoid unauthorized editing).

6. Select Base the new profile on existing settings.

7. Select Base on existing profile.

8. Depending on what you want to achieve with the update profile, select one or more of the options below:

a. Select System Settings if you want to edit and update your clients’ system settings.

b. Select Groups if you want to edit group settings.

c. Select User Accounts if you want to edit specific user accounts within the groups.

9. Browse to the profile that you want to use as a base (normally the last profile you deployed), and click OK.

Tip - If this is your first update profile, use the Installation profile you used to install the clients.

10. Authenticate to the profile that you want to base your settings on.

11. Edit the profile, and click OK.

You now have an update profile that you can deploy to your clients.

IMPORTANT - To avoid unintended changes when creating a profile based on an existing profile, it is important to understand the difference between the actions Remove user account/group and Mark for Removal.

• Remove: Do not include in profile, leave account/group unaffected by profile.

• Mark for Removal: Use profile to remove/delete account/group from client PC.

When you base the update profile on an existing profile and select to include groups and users, select Remove to remove the users/groups that you want to leave unaffected when the profile is deployed.

Question 2:

How do I deploy an update profile to my client PCs?

Answer 2:

There are two methods to deploy an update profile: via PCMC or manually.

Deploying an update profile via PCMC:

Prerequisites: You must have an update profile created with the intended configuration set.

1. Open PCMC.

2. Open the Configuration Set that contains the profile you would like to deploy.

3. In the main window to the right, click Publish Profile.

4. Click Next in the first wizard window.

5. Select the profile that you would like to deploy and click Next.

6. Review the Predefined Publication Path.

a. If this is the same path that you set for your clients to check for update profiles, click Next.

b. If the path is not the same path that you set for your clients to check for update profiles, check the Use a user-specified path checkbox.

7. Either enter or browse to the same path that you set your clients to check for update profiles, and click Next.

8. Review the summary window and click Next.

9. Click Finish in the last wizard window.

The update profile is now available for client download.

Deploying an update profile manually:

Prerequisites: You must have an update profile with the appropriate Profile Validation Password set.

1. Locate the profile in the location that serves as the storage path for your configuration set.

2. Copy the profile to the path you designated for your clients to check for update profiles.

The update profile is available for client download.

Question 3:

I can access my client system directly via my network. Is there a way for me to push an update to my clients?

Answer 3:

Yes, you can deploy a profile by placing it directly on your clients.

Copy the profile you would like to deploy to the client folder: C:\Program Files\Pointsec\Pointsec for PC\Work

The client PC will import the profile automatically within a few moments.

Question 4:

I noticed a file called Precheck.txt in the installation folder. What is this file?

Answer 4:

The Precheck.txt file is a configuration file that Pointsec PC reads when the installation starts that determines how Pointsec PC will be installed. The default settings in this file will work in most environments. Any edits to this file must be made prior to deployment. Note that the file may be read-only.

The Precheck.txt file contains the following entries:

• ShowRecoverMessages=

  • Default is No. This is normally the best option to avoid unwanted messages being displayed to the users.

  • Set to Yes to notify end users when the recovery file is edited unsuccessfully.

• ExtendedLogging=

  • Default is No. Set to Yes to enable the logging of user/group status at each boot.

• UpdateSSO=0

  • Default is 0 (zero). Pointsec PC will add the Pointsec GINA to the system, replacing existing GINAs. If you are experiencing interoperability issues with other software that utilizes GINA, you can set UpdateSSO=4 to instruct Pointsec not to add the Pointsec GINA to the system.

Note - You will lose functionality in Pointsec PC. For example, single sign-on and password synchronization require the Pointsec GINA to be in place in order to operate.
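The following pre-deployment check of the Precheck.txt entries listed above is an added example, not Check Point code. It assumes the file consists of plain Key=Value lines, as the entries are shown here; the sample content and the names `audit_precheck`, `parse_precheck` and `is_read_only` are constructed for illustration.

```python
import os
import stat

# Entries, defaults and values exactly as the guide lists them.
DOCUMENTED = {
    "ShowRecoverMessages": ("No", {"Yes", "No"}),
    "ExtendedLogging": ("No", {"Yes", "No"}),
    "UpdateSSO": ("0", {"0", "4"}),
}

# Constructed sample, not a file shipped with the product.
SAMPLE_PRECHECK = """\
ShowRecoverMessages=
ExtendedLogging=yes
UpdateSSO=4
"""


def parse_precheck(text):
    """Split assumed Key=Value lines into (entries, duplicate_keys)."""
    entries, duplicates = {}, []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        key = key.strip()
        if not sep or not key:
            continue  # blank line or anything that is not Key=Value
        if key in entries:
            duplicates.append(key)
        entries[key] = value.strip()
    return entries, duplicates


def audit_precheck(text, sso_planned=False):
    """Return (severity, key, message) findings for a Precheck.txt body.

    sso_planned: the rollout will enable single sign-on or password
    synchronization, which the guide says need the Pointsec GINA.
    """
    entries, duplicates = parse_precheck(text)
    findings = [("error", key, "entry appears more than once") for key in duplicates]
    for key, (default, allowed) in DOCUMENTED.items():
        value = entries.get(key, "")
        if value == "":
            findings.append(("info", key, "no value set; documented default is " + default))
        elif value not in allowed:
            # Exact match only: whether the installer ignores case is not documented.
            findings.append(("error", key, "value %r is not described in the guide" % value))
        elif key == "UpdateSSO" and value == "4":
            severity = "error" if sso_planned else "warning"
            findings.append((severity, key,
                             "Pointsec GINA will not be added; single sign-on "
                             "and password synchronization will not work"))
        elif value != default:
            findings.append(("info", key, "non-default value " + value))
    for key in entries:
        if key not in DOCUMENTED:
            findings.append(("info", key, "entry not covered by this check"))
    return findings


def is_read_only(path):
    """True when the file's write bit is cleared (the guide notes it may be)."""
    return not os.stat(path).st_mode & stat.S_IWRITE


if __name__ == "__main__":
    for finding in audit_precheck(SAMPLE_PRECHECK, sso_planned=True):
        print("%-7s %-20s %s" % finding)
```

Run the check with sso_planned=True whenever the profiles you plan to deploy enable single sign-on or password synchronization, so that UpdateSSO=4 is reported as an error rather than a warning.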

Question 5:

I want to deploy software during the weekend on my client PCs and will be using Wake on LAN to boot up the systems. I will need to configure Pointsec for Wake on LAN. How do I do this?

Answer 5:

1. Open PCMC and select Remote → <set name> → Profiles, and choose to create a new Update profile.

Figure 6-1

2. Click Next to continue from the welcome page in the wizard.

3. Select a name and password for the profile, then click Next.

The following is an example of the New Profile window:

Figure 6-2 New Profile

4. Choose to base it on an existing profile, and then click Next.

5. Select the profile to base it on from the tree view and make sure to only base it on "System Settings" by unchecking the "Base on: Groups" and "Base on: User Accounts". After making these selections, click Next.

Figure 6-3

6. Enter the profile password for the base profile, then click Next.

7. Click Finish.

8. Select Edit Settings → System Settings → Wake on LAN.

Configure the Wake on LAN settings as shown in the following table:

Table 6-1 Wake on LAN Settings

| Name | Setting | Comments |
|---|---|---|
| Enable Wake on LAN | Yes | Enables the feature. |
| Set Start Delay | 0 | Do not wait for the local user logon and boot directly. |
| Allow Windows Logon | No | Prohibits the local logon to Windows when the system is booted in WOL-mode. |
| Set Expiration Date | Set the date. | Give yourself enough time buffer to complete maintenance. |
| Set Max Number of Logons Allowed | Set the number of reboots your maintenance will require. | Give yourself a buffer by adding a few extra logons. |

9. Save and deploy the profile to your clients.

10. Boot the clients via the NIC.

Pointsec PC will now boot the system. It will allow Windows to start and remote maintenance to be performed.

Note - A local user logon will disable Wake on LAN on the client. Therefore, it is best practice to instruct your users to leave their systems running when they leave. The profile enabling Wake on LAN is then deployed (either to the work folder or to the update profile path). Once the profile is imported, reboot the systems. This will reduce the number of systems that abort the Wake on LAN session.

Question 6:

Is there a way to reduce the number of logons my users must perform?

Answer 6:

You can enable single sign-on in the user accounts via group settings.

To enable single sign-on on the group level:

1. Open PCMC and select Remote → <Set name> → Profiles, and choose to create a new Update profile. Create a new update profile based on a previous profile. See “Configuring the New Profile” on page 82 for additional details.

Figure 6-4

2. Click Next to continue from the welcome page in the wizard.

The following dialog opens:

Figure 6-5

3. Select a name and password for the profile, then click Next.

4. Choose to base it on an existing profile, and then click Next.

5. Select the profile to base it on from the tree view and make sure to only base it on "Groups" by deselecting the "Base on: System Settings" and "Base on: User Accounts". After making these deselections, click Next.

Figure 6-6

6. Enter the profile password for the base profile, then click Next.

7. Click Finish.

8. Expand the group for which you would like to enable Single Sign-On and navigate to the Single Sign-On section.

Figure 6-7

9. Set the values under Single Sign-On as shown in the following table:

Table 6-2 Single Sign-On Settings

| Name | Setting | Comments |
|---|---|---|
| Enable SSO | Yes | Enables the feature |
| Entrust SSO | No | Enables SSO to Entrust/ |
| Smart Card Triggers Windows SSO Logon | Disabled | |

10. Save and deploy the profile to your clients.

When the profile is imported on the clients, single sign-on will be enabled for all users in the group that you edited. Users will now receive the following information prior to the Windows logon the next time they boot the system:

Figure 6-8 Pointsec PC Single Sign-On Information

Once the user clicks OK, the user is logged on normally to Windows. Credentials are now stored and will be used during the next boot, eliminating the need for the user to authenticate to Windows during boot up.

Note -

• Users will still be required to authenticate with their Windows password when the workstation is locked in Windows.

• Entrust SSO will enable single sign-on with the Entrust certificate. This feature requires that the Pointsec PC password exactly matches the Entrust certificate password.

Question 7:

My users tend to forget their passwords. Is there anything that I can do?

Answer 7:

You can enable single sign-on to remove the need for Windows authentication during reboot. To make things even easier, you can enable both single sign-on and password synchronization.

To enable single sign-on to remove the need for Windows authentication:

1. Open the PCMC, navigate to Remote → <Set name> → Profiles, and choose to create a new Update profile. Create a new update profile based on a previous profile. See “Configuring the New Profile” on page 82 for additional details.

Figure 6-9

2. Click Next to continue from the welcome window in the wizard.

3. Select a name and password for the profile, then click Next.

Figure 6-10

4. Choose to base it on an existing profile, and then click Next.

5. Select the profile to base it on from the tree view, and make sure to base it on only "Groups" by deselecting the "Base on: System Settings" and "Base on: User Accounts". After making these deselections, click Next.

Figure 6-11

6. Enter the profile password for the base profile, then click Next.

7. Click Finish.

8. Expand the group for which you would like to enable Password Synchronization.

9. Move to the group’s Password Synchronization section.

Figure 6-12

10. Set "Synchronize Windows Password to Preboot" to Yes.

11. Set "Synchronize Preboot Password to Windows" to Yes.

12. Save and deploy the profile to your clients.

Result: The Pointsec PC user accounts in the group for which you enabled Password Synchronization will see the following window the next time they log on:

Figure 6-13

They enter their Pointsec password and click OK to synchronize the Pointsec PC password with the password used in the Windows authentication.

Figure 6-14

The user has now changed the Pointsec PC password and the new password (the same one as used in Windows) should now be used in Pointsec PC preboot authentication.

Note -

• In order for the password synchronization feature to work, the Pointsec settings that govern the password must allow for the new password (length, complexity, etc.). If the password used in Windows does not comply with the password settings, the synchronization will not be successful.

• The user account will also need to be granted the Pointsec permission to change password.

Question 8:

What can my users do via the Pointsec tray application?

Answer 8:

The Pointsec tray application enables end users to configure the following Pointsec PC features:

• Information - Provides information regarding the encryption status.

• Change credentials - If enabled for the user account, this feature allows the user to change credentials.

• Lock workstation - Enables the Windows lock workstation function.

• Choose Language - Allows users to change the language Pointsec uses. The language change affects both PCMC and Pointsec preboot authentication.

Question 9:

All of my clients were deployed via an installation profile except one that I installed manually (stand-alone) with the same user accounts and passwords. Now I would like to uninstall this system but I cannot get the stand-alone machine to import the uninstallation profile. It imports regular update profiles successfully. What is wrong?

Answer 9:

Always use the installation profile to install new clients in such environments, since each Pointsec PC user account is tied to a unique ID that is used internally.

When you create an uninstall profile, you internally authenticate with the unique IDs created via the installation profile. These IDs are not available on the stand-alone machine.

In order to uninstall this machine remotely you must:

1. Create an update profile that adds two user accounts with permissions to uninstall.

2. Apply the update profile both to the stand-alone machine and to the system that you use to create the uninstall profile.

3. Create a new uninstall profile and use the two new user accounts to authorize the uninstall process.

Question 10:

I created a new profile and configured the settings on the group level. When I adjusted the settings on the user account level, some settings were shown in red and had different values. Why?

Answer 10:

A specified value at the group level is blocking your ability to make changes at the user level. The specified setting instructs PCMC that the specific group level value may not be replaced on the user account level with settings that are less secure.

In order to remove the inheritance:

1. Select the specific Group level.

2. Right-click the Specified Value setting.

3. Select Reset Value.

The specified value is removed and changes on the user account level will be allowed.

Question 11:

Why are some settings sections grayed out on the user account level in PCMC?

Answer 11:

The grayed-out settings indicate that they are not applicable for the current settings. For example, smart card settings are not applicable for a user account that is using a fixed password. If the authentication method is changed to smart card, the settings are made available.

Question 12:

How do I create Pointsec PC recovery media?

Answer 12:

Recovery media is created from the PCMC. Two user accounts with permission to create recovery media are required to perform this procedure.

To create recovery media:

1. Set the PC on which recovery is to be performed to boot on the media of your choice, and then shut it down.

1. On the administrator’s PC, open PCMC and select Remote.

2. Click Create Recovery Media (see Figure 4-1).

3. The wizard starts. Click Next to continue.

4. Select Browse file system for recovery file, and click Next.

5. Browse to the recovery file for the system you would like to recover, and click Next.

The following authentication dialog opens:

Figure 6-15 Authentication Prompt

6. Authenticate as a user allowed to create recovery media.

7. Authenticate using a second user account that is authorized to create recovery media.

You are informed that the recovery file is unlocked.

8. Click OK.

9. Select the media that you would like to use as your recovery media and click OK.

A bootable recovery media is now created.

You can now boot your system and run the recovery file.

Question 13:

How is a recovery performed on a machine?

Answer 13:

To perform recovery on a machine:

Note - There is no reboot button in the recovery application. Therefore, if you boot a system on Pointsec recovery media by mistake, you must remove the media and press Ctrl-Alt-Del.

1. Ensure that your recovery media is set correctly in the system BIOS boot order.

2. Connect the recovery media to the system.

3. Press the Power On button.

The following dialog opens:

Figure 6-16 Authentication

4. Authenticate with user credentials that have permission to uninstall.

5. Click OK.

The following window opens:

Figure 6-17 Recovery File

6. Click Recover All.

The following window opens:

Figure 6-18 Decryption Process

The decryption process begins. The length of the decryption process depends on the size and condition of the hard drive.

Once the disk is decrypted, the following message is displayed:

Figure 6-19 Recovery Message

7. Remove the recovery media and press Ctrl-Alt-Del to reboot the system.

The disk is now decrypted. The Pointsec PC program files and registry components must be removed by uninstalling Pointsec PC via Add/Remove programs in the Control Panel. This must be done before Pointsec PC can be reinstalled.

Question 14:

How does a user change the Pointsec password in the preboot authentication?

Answer 14:

To change the Pointsec password:

1. In the Pointsec logon dialog box, enter the Username and Password.

2. Click Change Password.

3. Enter a new password.

4. Confirm the new password, and click OK.

The password is changed successfully and the system reboots.

Note -

• Users require permission to change their password.

• Users can change their password via the Pointsec PC tray application, if they have the permission to do so.

Question 15:

What are Dynamic Tokens and how are they used with Pointsec PC?

Answer 15:

A Dynamic Token is a hardware device that generates one-time passwords. These passwords can be connected to your Pointsec user account to allow logon with a one-time generated password. Pointsec PC supports the X9.9 standard for Dynamic Tokens.

The following process shows how to add a Dynamic Token to a user account manually via a profile.

Note - If you have a Pointsec PC Dynamic Token, see the documentation provided for additional information.

1. Ensure that you have the Dynamic Token key information.

2. Open PCMC and select Remote.

3. Create a new update profile based on a previous profile. See “Configuring the New Profile” on page 82 for additional details.

4. In the New Profile window (see Figure 6-2), select User Accounts.

5. Ensure that System Settings is not selected.

6. Remove the users who you do not want to be affected by the profile.

7. Right-click the user account for which you would like to change the authentication method and select Name and Authentication.

8. Select Dynamic Token, and click Next.

9. Select Add dynamic token by manually entering values, and click Next.

The following dialog opens:

Figure 6-20 Add Dynamic Token Manually

10. Add the Token information for the token device that you want to connect to the user, and click Next.

11. Click Next in the Summary window that appears.

12. Save and deploy the profile to your clients. See “Deploy Pointsec PC to Your Clients” for additional information.

The user account will now use the Dynamic Authentication method during the Pointsec PC preboot authentication.

Question 16:

What is the end user’s interaction when using the Dynamic Token authentication method?

Answer 16:

The Dynamic Token authentication method presents a challenge to the user and the user must respond to authenticate to the system.

To authenticate via a Dynamic Token:

1. In the Pointsec PC preboot authentication dialog box, enter the user account name.

2. A challenge is displayed.

3. Enter your PIN in the token.

4. Enter the challenge you received in step 2 in the token.

5. A response is displayed in the token.

6. Enter the response in the Pointsec PC preboot authentication, and click OK.

If the response to the challenge is correct, the system will boot.
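The exchange in Answer 16, with both the token and the preboot side, as an added example that is not Pointsec code. X9.9 defines a DES-based MAC; this sketch substitutes HMAC-SHA-256 from the Python standard library, and the digit length, lockout threshold, key, PIN and account name are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = 8        # assumed length of challenge and response
MAX_FAILURES = 3  # assumed lockout threshold


def token_response(key, challenge):
    """Keyed MAC over the challenge, shortened to DIGITS decimal digits.

    HMAC-SHA-256 is substituted here for the DES-based MAC of X9.9.
    """
    digest = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10 ** DIGITS).zfill(DIGITS)


class Token:
    """The user's device: the key never leaves it and the PIN gates its use."""

    def __init__(self, key, pin):
        self._key = key
        self._pin = pin

    def respond(self, pin, challenge):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return token_response(self._key, challenge)


class PrebootVerifier:
    """Preboot side: holds the token key registered for each account."""

    def __init__(self, token_keys):
        self._keys = dict(token_keys)
        self._pending = {}   # account -> outstanding challenge
        self._failures = {}  # account -> consecutive failed responses

    def challenge(self, account):
        # Issued for unknown accounts too, so the prompt does not reveal
        # which account names exist.
        value = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
        self._pending[account] = value
        return value

    def verify(self, account, response):
        # pop() makes every challenge single use, so a captured response
        # cannot be replayed against a later logon.
        challenge = self._pending.pop(account, None)
        key = self._keys.get(account)
        if challenge is None or key is None:
            return False
        if self._failures.get(account, 0) >= MAX_FAILURES:
            return False  # locked until an administrator intervenes
        expected = token_response(key, challenge)
        if hmac.compare_digest(expected.encode(), response.encode()):
            self._failures[account] = 0
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        return False


def demo_exchange():
    key = secrets.token_bytes(16)                 # constructed key shared at enrolment
    token = Token(key, pin="4821")                # constructed PIN
    preboot = PrebootVerifier({"alice": key})     # constructed account name
    challenge = preboot.challenge("alice")        # steps 1-2
    response = token.respond("4821", challenge)   # steps 3-5
    accepted = preboot.verify("alice", response)  # step 6
    replayed = preboot.verify("alice", response)  # no fresh challenge issued
    return accepted, replayed


if __name__ == "__main__":
    print(demo_exchange())
```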

Question 17:

What permissions do I need to set for my organization’s users on the server share?

Answer 17:

The network share should allow the RXWD permission to all users. You can limit the permission on the network share by activating the Pointsec Service Start service. See the documentation provided with the product for additional information.

Question 18:

How do I reset a Pointsec password remotely?

Answer 18:

Use the following Remote Help step-by-step process to reset the Pointsec password remotely. Remote Help requires the participation of both an administrator and a user.

Note - The administrator must grant the user permission at the group and user level to enable the user to reset the Pointsec password remotely.

1. The administrator opens PCMC and selects Remote Help.

2. During Pointsec preboot, the user enters a username and clicks Remote Help.

3. In the following PCMC Remote Help window, the administrator performs these tasks:

Figure 6-21 PCMC Remote Help

a. Select Remote Password Change.

b. Enter an End-User Account Name.

c. In Helper Account Name field, enter the username associated with the account on the user’s system that has permissions to provide Remote Help, and click Generate.

4. The administrator reads the challenge presented in Step 2 to the user.

In this example the number is 6141673450.

Figure 6-22 PCMC Remote Help

5. In Pointsec preboot, the user enters the challenge in the field Response One.

In this example, the number is 6141673450.

Figure 6-23 Challenge Response Sequence

6. In Pointsec preboot, the user reads the Challenge to the administrator.

In this example the number is 2508182273.

7. In PCMC Remote Help, the administrator enters the challenge in the field Challenge from end user.

Figure 6-24 Remote Help

8. In PCMC Remote Help, the administrator performs the following tasks:

a. Enters the password for the account specified as Helper Account

In this example, the account is SYSADMIN1.

b. Clicks the Generate button

c. Reads the output in field Response Two to the user

9. In Pointsec preboot, the user performs the following tasks:

a. Enters Response two from administrator and presses OK

b. Changes password when prompted and presses OK

If the user’s account was locked due to too many failed logon attempts, it is now unlocked and the password is changed.

Question 19:

What are the steps that I must perform to uninstall Pointsec PC from Add/Remove Programs in the Control Panel locally on a system?

Answer 19:

To uninstall Pointsec PC locally:

1. Perform two authentications using user accounts that are permitted to uninstall.

Figure 6-25 Uninstallation

2. Once the authentications are complete, you will be asked to select which volumes you want to uninstall. Normally, you would select all available volumes.

Figure 6-26 Uninstallation

3. Once you select the volumes, click Next.

4. Click Next in the Summary window that appears to start uninstallation.

Pointsec PC will now initiate uninstallation. The process will begin with decryption. Preboot authentication will be enforced until decryption is completed. Pointsec PC Windows components will be uninstalled during the first reboot after decryption is complete.

Question 20:

Can I resize partitions when Pointsec PC is installed?

Answer 20:

Do not resize or move partitions while Pointsec PC is installed. Doing so may lead to permanent loss of data.

Question 21:

It seems practical to set C: as the recovery path for my clients. Is this a bad idea?

Answer 21:

Yes. The recovery file is used to recover your system in case of a system failure. Storing the recovery file on the encrypted disk will prohibit any recovery attempts.

Check Point Software Technologies Ltd.

U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected] Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.


The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001.

Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>. All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson ([email protected]).

Copyright (c) 2003, Itai Tzur <[email protected]>

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.


THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights

The material in document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Disclaimer Warranty

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

Written by: Philip Hazel <[email protected]>

University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.

Copyright (c) 1997-2004 University of Cambridge All rights reserved.


Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Index

A

accessing
  local settings 32
  Remote Help 142
  remote settings 72
adding groups and user accounts 90, 101

B

boot record 7

C

checklist for deployment 110
client 4, 109
configuration set, creating 74
configuring temporary user 104
creating a user account 98

D

definition
  client 4
  GINA 7
  interactive installation 4
  live installation 4
  locked out 4
  master installation 4
  profile 4
  silent installation 5
deployment
  checklist 110
  overview 108
  update profile 116, 118
  using logon scripts 111
  using Wake on LAN 119
documentation
  feedback 9
  related 8
Dynamic Tokens 140, 142

E

editing
  fixed password settings 92
  group settings 91
  install settings 84
  local settings 34
  logon settings 94
  password sync settings 94
  permissions settings 95, 96
  Remote Help settings 97
  single sign-on settings 97
  smart card settings 93


F

fixed password settings 55, 92
frequently asked questions 115

G

GINA, Pointsec-specific 7
group
  adding to new profile 90
  adding user accounts to 101
  settings 52, 54, 91
  troubleshooting 132

H

hardware devices 83

I

information
  other Check Point products 2
  technical 2
installation
  interactive, definition of 4
  master 11
  settings 84
interactive installation, definition of 4

L

live installation, definition of 4
local settings
  accessing 32
  editing 34
  for Pointsec PC 32
  overview 35
locked out, definition of 4
logging on after installation on client 111
logon
  scripts, utilizing for deployment 111
  settings 40, 60, 86, 94

M

master installation 4, 11

O

other settings 86, 87, 88
overview
  creating a profile 72
  deployment 108
  local settings 35
  Pointsec PC Management Console 28

P

partitions, resizing 147


password
  changing 139
  resetting remotely 142
  synchronization 61, 94, 127
PCMC, overview of 28
permissions 61, 95
  for users on server share 142
  privileged 66
  Remote Help 65
Pointsec
  PC Management Console, overview 28
  tray application 131
Precheck.txt file 118
privileged permissions 66, 96
profile
  adding a group to 90
  configuration set, creating 74
  configuring 82
  creating 72, 79
  definition of 4
  types 72
  update validation password 73

Q

questions and answers 115

R

recovery
  creating recovery media 133
  file, storage of 7
  path, do not use C 148
  performing 135
Remote Help
  editing settings 97
  permissions 65
  resetting password remotely with 142
resizing partitions 147

S

server share
  for recovery file 7
  permissions for users on 142
settings
  authentication, fixed password 55
  changing 115
  fixed password 92
  group 52, 91
  hardware devices 83
  local 32
  logon 40, 86, 94
  other 86, 87, 88
  password synch 61, 94
  permissions, editing 95, 96
  Remote Help, editing 97
  single sign-on 69, 97
  smart card 58, 93
  Wake on LAN 47, 88
silent installation, definition of 5
single sign-on
  and password synchronization 127
  enabling 123
  settings 69, 97
smart card settings 58, 93


T

technical info, additional 2
temporary user, configuring 104
terms 4
troubleshooting 132, 133

U

uninstalling Pointsec PC 132, 145
update
  profile 116, 118
  validation password, creating 73
user
  account 115
  adding 101
  creating 98
  level settings, troubleshooting 132
  temporary 104

W

Wake on LAN
  deploying Pointsec PC using 119
  settings 47, 88
