Check Point FDE integration with Digipass Key devices




INTEGRATION GUIDE
Check Point FDE integration with Digipass Key devices
VASCO Data Security

Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Table of Contents

1 Overview
2 Problem Description
3 Solution
4 Technical Concept
   4.1 GENERAL OVERVIEW
   4.2 PROCEDURE
   4.3 PREREQUISITES
5 Setting up Certificate based Digipass Logon
   5.1 CERTIFICATE AUTHORITY
      5.1.1 Issue the right type of certificates
      5.1.1 Security Groups for enrollment Stations and agents
      5.1.1 Specifying the Enrollment Policy
   5.2 ENROLLMENT STATION
   5.3 LOGON SETTINGS
   5.4 ENROLLING USERS
      5.4.1 Requesting Certificates
6 Enabling Certificate based logon for Check Point FDE
   6.1 VASCO DRIVERS
      6.1.1 Copying vasco files to the Check Point installer.
         6.1.1.1 Automatic Install using the Vasco Batch files.
   6.2 INSTALL CHECK POINT FDE WITH CERTIFICATE LOGON
   6.3 Deploying Smart Card Drivers Together with Smart Card User Accounts in Installation Profiles
   6.4 To install smart card drivers at the same time as Full Disk Encryption is installed:
   6.5 Adding and Removing Preboot Drivers with the Preboot Drivers Setting
   6.6 Full Disk Encryption User Accounts

7 Using a Digipass to authenticate.
   7.1 CHECK POINT LOGON
   7.2 LOGIN TO WINDOWS
   7.3 WINDOWS LOGON, OFFLINE USAGE
8 References

Reference guide

ID   Title                    Author   Publisher   Date   ISBN
     PKI Getting Started      Vasco    Vasco
     PKI Installation Guide   Vasco    Vasco
     PKI Manual               Vasco    Vasco

1 Overview

The purpose of this document is to demonstrate how to secure your Windows logon and Check Point Full Disk Encryption with a DIGIPASS supported by DIGIPASS CertiID. This device lets you add a certificate and log on with the right user credentials. On removing the Digipass a controlled action can take place.

2 Problem Description

The basic Check Point FDE and Windows logon requires a static password. We know static passwords are not secure. To use a DIGIPASS Key as the logon device for Check Point login, we need to manually install and change a few things.

3 Solution

By using a Digipass with an internal CA certificate it is possible to log on to your computer in a pre-boot environment and also into Windows. Other functionalities such as email encryption might also be possible.

4 Technical Concept

4.1 GENERAL OVERVIEW

The PKI token functionality provides document signing; strong authentication against PKI-enabled software systems (operating systems, virtual private networks, applications); as well as e-mail, file and disk encryption.

4.2 PROCEDURE

To make a DIGIPASS work with the pre-boot login with Check Point and the interactive login in Windows, there are a few steps that need to be taken.

First of all you have to set up a Certificate Authority. This will be the issuer for the certificates used on a DIGIPASS.

Next we will make sure all the correct user rights are set. We will make a new group that will be responsible for issuing certificates. This will become a powerful group as they can generate certificates for all domain users, including administrators.

Finally, we have to enroll the users to a DIGIPASS and set up the workstations to be able to use it.

4.3 PREREQUISITES

The initial prerequisites for setting up DIGIPASS certificate logon for Windows and Check Point are:

- Active Directory installed on a 2003 or 2008 domain server.
- A Microsoft Certificate Authority (CA) configured with the Enterprise policy module. This may be a root or subordinate CA.
- DIGIPASS CertiID installed on the enrollment machine.
- Users' PCs are equipped with Windows 2000 or higher.

5 Setting up Certificate based Digipass Logon

5.1 CERTIFICATE AUTHORITY

5.1.1 Issue the right type of certificates

Start the Certification Authority Microsoft Management Console (MMC), located in the Administrative Tools folder on the Enterprise CA. Open the Certificate Templates (2003) or Policy Settings (2000) folder, and right-click on this folder. Select New > Certificate Template to Issue.

Figure 1: Issue the right type of certificates (1)

Select, by holding the CTRL key, the following items and click OK:

- Enrollment Agent
- Smartcard Logon
- Smartcard User

Figure 2: Issue the right type of certificates (2)

5.1.1 Security Groups for enrollment Stations and agents

Open Active Directory Users and Computers from the Administrative Tools folder on the Domain Controller. Right-click the Users folder and select New > Group.

Figure 3: Security groups for enrollment station and agents (1)

Fill in a relevant group name (e.g. Enrollment_Group) and click OK.

Figure 4: Security groups for enrollment station and agents (2)

Now add the users to this group who will be able to make certificates for a DIGIPASS.

Caution: Please be aware that these users will become powerful users as they can create a certificate for any user in your domain, including administrators.

Right-click the group you just created and select Properties.

Figure 5: Security groups for enrollment station and agents (3)

On the Members tab, choose the Add button.

Figure 6: Security groups for enrollment station and agents (4)

Select the user you want to add to the group (e.g. Enrollment Agent or Administrator).

Figure 7: Security groups for enrollment station and agents (5)

As you can see below, a computer can also be an Enrollment Agent. You then have to take care of the physical access to this computer. Click OK to finish.

Figure 8: Security groups for enrollment station and agents (6)

5.1.1 Specifying the Enrollment Policy

Certificates issued by the CA are based on certificate templates stored in the Active Directory. The Access Control Lists (ACL) set on these templates determine who (user or computer) can request what (certificates).

Open the Active Directory Sites and Services MMC from the Administrative Tools folder on the Domain Controller. If the Services folder is not visible, choose View > Show Services Node. Open Services > Public Key Services > Certificate Templates, right-click the Enrollment Agent template and select Properties.

Figure 9: Specifying the Enrollment Policy (1)

On the Security tab, click the Add button and add the enrollment group you created before.

Figure 10: Specifying the Enrollment Policy (2)

Once added, give this group Read and Enroll permissions. Click OK to finish.

Figure 11: Specifying the Enrollment Policy (3)

Now do the same steps for the Smartcard Logon and Smartcard User template.
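
Because the template ACLs decide who can enroll, and Enroll on the Enrollment Agent template lets a principal request certificates on behalf of other users, the result of the steps above is worth auditing. The script below is an added example, not part of the VASCO guide. It assumes the ActiveDirectory PowerShell module, the default template names EnrollmentAgent, SmartcardLogon and SmartcardUser, and the guide's example group name Enrollment_Group.

```powershell
# Added example, not part of the VASCO guide.
# Assumptions: ActiveDirectory module (RSAT) is installed; the templates keep
# their default CNs; 'Enrollment_Group' is the guide's example group name.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$Templates       = 'EnrollmentAgent', 'SmartcardLogon', 'SmartcardUser'
$EnrollmentGroup = 'Enrollment_Group'

function Get-TemplateEnrollAce {
    param([Parameter(Mandatory)][string[]]$TemplateName)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($name in $TemplateName) {
        $acl = Get-Acl -Path "AD:\CN=$name,$base"
        foreach ($ace in $acl.Access) {
            # Enroll is granted by an Allow ACE that carries ExtendedRight and is
            # scoped to the Enroll GUID or to all extended rights (empty GUID).
            $allow    = $ace.AccessControlType -eq 'Allow'
            $extRight = $ace.ActiveDirectoryRights.HasFlag($extended)
            $scoped   = $ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq [guid]::Empty
            if ($allow -and $extRight -and $scoped) {
                [pscustomobject]@{
                    Template  = $name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$aces = Get-TemplateEnrollAce -TemplateName $Templates

# 1) Everyone who can enroll on each of the three templates.
$aces | Sort-Object Template, Principal | Format-Table -AutoSize | Out-Host

# 2) Principals other than the enrollment group that can obtain an Enrollment
#    Agent certificate. Review each entry against who is meant to issue tokens.
$aces |
    Where-Object { $_.Template -eq 'EnrollmentAgent' -and $_.Principal -notlike "*\$EnrollmentGroup" } |
    Format-Table Principal, Rights, Inherited -AutoSize | Out-Host

# 3) Effective membership of the enrollment group, nested groups included.
Get-ADGroupMember -Identity $EnrollmentGroup -Recursive |
    Format-Table Name, SamAccountName, objectClass -AutoSize | Out-Host
```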

5.2 ENROLLMENT STATION

To set up your enrollment station you may need to install the DIGIPASS drivers and also DIGIPASS CertiID. Both can be found on the installation CD. Please refer to the PKI Installation guide included with CertiID.

Log in on the enrollment station (from any domain computer) with the enrollment agent user. Click Start > Run and enter mmc. Choose File > Add/Remove Snap-in.

Figure 12: Enrollment Station (1)

Click the Add button.

Figure 13: Enrollment Station (2)

Select Certificates and click the Add button.

Figure 14: Enrollment Station (3)

Choose My user account and press Finish.

Figure 15: Enrollment Station (4)

Afterwards click the Close button of the Add Standalone Snap-in window.

Click OK to go to the main console window.

Figure 16: Enrollment Station (5)

At the main console window, right-click the Personal folder and select All Tasks > Request New Certificate.

Figure 17: Enrollment Station (6)

Click Next in the first window of the Certificate Request Wizard.

Figure 18: Enrollment Station (7)

Choose the Enrollment Agent certificate, check the Advanced checkbox and click Next.

Figure 19: Enrollment Station (8)

Choose the Microsoft Enhanced Cryptographic Provider and a key length of 1024 bit. Click Next.

Figure 20: Enrollment Station (9)

Verify the settings and click Next.

Figure 21: Enrollment Station (10)

Type in a Friendly name and type a meaningful description. Click Next.

Figure 22: Enrollment Station (11)

Review all the settings and click Finish if everything is OK.

Figure 23: Enrollment Station (12)
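
The Enrollment Agent certificate created in this section signs requests for other users' certificates, so its key size and lifetime deserve a check once it is in the Personal store; a 1024-bit RSA key is below the 2048-bit minimum that current guidance expects. The script below is an added example, not part of the VASCO guide, and the 2048-bit threshold in it is an assumption you can change.

```powershell
# Added example, not part of the VASCO guide. Run as the enrollment agent user
# on the enrollment station; it only reads the certificate store.
$AgentEku   = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent (Enrollment Agent) EKU
$MinRsaBits = 2048                       # assumption: minimum acceptable RSA key size

function Get-EnrollmentAgentCert {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # the "Personal" folder in the MMC

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $AgentEku } |
        ForEach-Object {
            # GetRSAPublicKey returns $null for non-RSA keys.
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
            $bits = if ($rsa) { $rsa.KeySize } else { $null }

            [pscustomobject]@{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                KeyBits       = $bits
                WeakKey       = ($null -ne $bits -and $bits -lt $MinRsaBits)
                Expired       = ($_.NotAfter -lt (Get-Date))
            }
        }
}

$agentCerts = @(Get-EnrollmentAgentCert)
if ($agentCerts.Count -eq 0) {
    Write-Warning 'No Enrollment Agent certificate found in the Personal store.'
} else {
    $agentCerts | Format-List | Out-Host
    # More than one valid agent certificate on a station is worth explaining.
    $usable = @($agentCerts | Where-Object { $_.HasPrivateKey -and -not $_.Expired })
    Write-Host ("Usable Enrollment Agent certificates: {0}" -f $usable.Count)
}
```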

5.3 LOGON SETTINGS

To force a user to log on to the network with a DIGIPASS, you must change the account option as described below.

Open Active Directory Users and Computers on the domain controller. In the Users folder select the desired username. Right-click the username and select Properties.

Figure 24: Logon Settings (1)

In the Account tab, under Account options, select Smart card is required for interactive logon. Click OK to finish.
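
Accounts that received a DIGIPASS but do not have this account option set are easy to miss when the option is applied by hand, one user at a time. The query below is an added example, not part of the VASCO guide; it assumes the ActiveDirectory PowerShell module and a hypothetical group named Digipass_Users that holds the accounts issued a token.

```powershell
# Added example, not part of the VASCO guide.
# Assumptions: ActiveDirectory module installed; 'Digipass_Users' is a
# hypothetical group; the group DN contains no characters that need LDAP
# filter escaping (parentheses, asterisk, backslash).
Import-Module ActiveDirectory

function Get-UserWithoutSmartCardRequired {
    param([Parameter(Mandatory)][string]$GroupName)

    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName

    # userAccountControl flags: 262144 (0x40000) = SMARTCARD_REQUIRED,
    # 2 = ACCOUNTDISABLE. 1.2.840.113556.1.4.803 is the bitwise-AND matching
    # rule; 1.2.840.113556.1.4.1941 follows nested group membership.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=262144))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              "(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"

    # Enabled members of the group for whom the option is NOT set.
    Get-ADUser -LDAPFilter $filter -Properties LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Name, LastLogonDate, PasswordLastSet
}

Get-UserWithoutSmartCardRequired -GroupName 'Digipass_Users' |
    Sort-Object SamAccountName |
    Format-Table -AutoSize | Out-Host
```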

Figure 25: Logon Settings (2)

Note: If this option is not enabled the user will be able to log on either with a DIGIPASS or using interactive password logon.

5.4 ENROLLING USERS

For enrollment of users, you have the choice of two templates:

- Smartcard logon: Logon, SSL
- Smartcard user: Logon, SSL and Secure Email

So the Smartcard user has the extra ability to secure his email transfer with the created certificate.

Note: The following instructions are for Windows XP. If you are using Windows Vista or later refer to Microsoft Article ID: 922706, "How to use Certificate Services Web enrollment pages together with Windows Vista or Windows Server 2008".

5.4.1 Requesting Certificates

Open your browser and go to http://ca-server/certsrv (where CA-Server is the name of the machine where your CA is installed). Click Request a certificate.

Figure 26: Requesting certificates (1)

Click the Advanced certificate request link.

Figure 27: Requesting certificates (2)

Click the "Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station" link.

Figure 28: Requesting certificates (3)

Select the Certificate Template, CA and Cryptographic Service Provider (CSP). The CSP depends on the installation method of DIGIPASS CertiID. If you installed it as a CSP then you will see VASCO CertiID Smart Card Crypto Provider V1.0. If it was installed as a card module (CM) then you will see Microsoft Base Smart Card Crypto Provider. For more information please refer to the CertiID Installation Guide.

Note: The CertiID software is included on the Digipass USB product. If it is not installed contact your Vasco representative.

Defaults:

- CSP: XP/2003 and below
- CM: Vista/2008 and above

If you are logged in as the Enrollment Agent, the right Administrator Signing Certificate should be selected by default. Otherwise, click the Select Certificate button.

In the User To Enroll field, you can select the user you want to create a certificate for. Click the Select User button and a familiar wizard will start.

Figure 29: Requesting certificates (4)

Search for the user you want to create a certificate for and click OK.

Figure 30: Requesting certificates (5)

Now make sure your DIGIPASS is plugged into the USB port and initialised (refer to the PKI user manual for instructions on initialisation), then press the Enroll button.

Figure 31: Requesting certificates (6)

You will be asked for the PIN of the DIGIPASS; enter it and press OK to continue. This can take a while. Do not navigate away from this page as long as the process is busy. Figure 34 shows the PIN box of the CSP method, while Figure 34 shows the PIN box from the Card Module (CM) method.

Figure 32: Requesting certificates (7)

Figure 33: Requesting certificates (8)

When the certificate is saved on a DIGIPASS, you will get a message in the window stating "The smartcard is ready". You now have the possibility to view the recently created certificate. To do so, press the View Certificate button.

Figure 34: Requesting certificates (9)

6 Enabling Certificate based logon for Check Point FDE

6.1 VASCO DRIVERS

In order to use the DIGIPASS logon for Check Point Full Disk Encryption it may be necessary to add the Vasco drivers to the Check Point pre-boot environment. If Check Point already has a reference to the Vasco drivers (Check Point FDE version 7.4 HFA3), section 6.1 can be skipped. Because Check Point runs before Windows is started, the Vasco drivers already installed in Windows will not work.

6.1.1 Copying vasco files to the Check Point installer.

There are two processes that can be used to import the Vasco drivers into release versions before 7.4 HFA3.

6.1.1.1 Automatic Install using the Vasco Batch files.

To install the drivers for DP CertiID tokens:

1) Open a command prompt.
2) Change to the folder containing the command files.
3) Type the following command (<CP_install_path> is the Check Point installation folder, optional):

   Install.bat [<CP_install_path>]

To uninstall the drivers for DP CertiID tokens:

1) Open a command prompt.
2) Change to the folder containing the command files.
3) Type the following command (<CP_install_path> is the Check Point installation folder, optional):

   Uninstall.bat [<CP_install_path>]

'Install.bat' registers and installs the drivers. 'Uninstall.bat' unregisters and uninstalls the drivers.

Both command files search for an installed version of Check Point in the default location. If you have not installed Check Point Endpoint Security in the default program folder, you can specify it via the command line parameter.

6.1.1.1.1 INSTALLING DRIVERS MANUALLY (USING PSCONTROL)

You can install the drivers manually using the 'PS Control Utility' installed with Check Point Endpoint Security.

To install the drivers for DP CertiID tokens manually:

1) Open a command prompt.
2) Change to the folder containing the drivers for DIGIPASS CertiID.
3) Type the following commands (<CP_install_path> is the Check Point installation folder):

   <CP_install_path>\pscontrol -v register-prd vascoprd.inf
   <CP_install_path>\pscontrol -v install-driver prd_ccid.bin
   <CP_install_path>\pscontrol -v register-ptd vascop11.inf
   <CP_install_path>\pscontrol -v install-driver vascop11.bin

You can see if the Vasco drivers are installed in the modules directory:

Figure 35: Vasco Drivers

6.2 INSTALL CHECK POINT FDE WITH CERTIFICATE LOGON

Add a certificate to your DIGIPASS Key 200 as laid out in section 5.4 above.

Then run through the installer for Check Point Full Disk Encryption and accept the relevant license fields. Pass the readme section, run through the wizard and enter the relevant details.

Figure 36: Check Point Install (1)

When it comes to Add a user account, choose an account name and select the certificate that has been registered for that user.

Note: The following is an example only. User accounts are normally added within a configuration set profile after the initial installation. See the Check Point Full Disk Administrators Guide for more information.

Figure 37: Check Point Install (2)

Choose the Vasco Key Drivers, in this case the DP Key 200.

Figure 38: Check Point Install (3)

Choose to Encrypt and enable preboot authentication for all disk volumes.

Figure 39

Continue the rest of the install process with your preferred settings. To complete the installation you will be required to reboot.

6.3 Deploying Smart Card Drivers Together with Smart Card User Accounts in Installation Profiles

When creating smart card user accounts via installation profiles, it is important that the required smart card drivers exist on the machine prior to logon. This is necessary if smart card user accounts are to be able to log on directly at first-time authentication.

6.4 To install smart card drivers at the same time as Full Disk Encryption is installed:

Add the Driver setting to the precheck.txt file. Specify each driver file name if more than one driver is involved, separating the file names with semicolons (no spaces are allowed). Below is an example in which the smart card driver files prd_ccid.bin and vascop11.bin are specified, where prd_ccid.bin is the smart card reader device driver and vascop11.bin is the smart card device driver.

   Drivers=prd_ccid.bin;vascop11.bin

6.5 Adding and Removing Preboot Drivers with the Preboot Drivers Setting

In the FDE Management Console you can also use the Hardware Devices - Preboot Drivers setting to install the following on the configuration of the local machine, or to push them to clients via an Update profile:

- Smart card drivers
- Smart card reader drivers
- HID drivers

6.6 Full Disk Encryption User Accounts

A temporary user account is most commonly used when deploying Full Disk Encryption to client computers. The administrator defines one temporary user account and password, and then deploys it to clients. When a user logs on using the temporary user account and password, he/she is immediately prompted for a new user account name and password, which Full Disk Encryption uses to create a new user account that replaces the temporary user account on that computer.

To create a temporary smart card user, the user account must have the user account setting Change Credentials set to Yes. This setting is located under Group/User Account - Permissions > Change Credentials.

7 Using a Digipass to authenticate.

7.1 CHECK POINT LOGON

Ensure the Digipass is connected to the encrypted PC, and power on the computer. Upon boot you will be presented with a Check Point Endpoint Security login screen; enter your PIN here.

Figure 40: Check Point Logon

You will be given login information about the user account; choose to continue.

Figure 41: Check Point Confirmation

7.2 LOGIN TO WINDOWS

Make sure DIGIPASS CertiID is installed on the client PC. Afterwards, the login screen will look like the one below.

Figure 42: Using The DIGIPASS (1)

After connecting a DIGIPASS to the computer, it will automatically be recognized as a smartcard and you will be asked for your PIN.

Figure 43: Using The DIGIPASS (2)

After you enter the PIN, the computer logs on as the user whose certificate is on the DIGIPASS.

Figure 44: Using The DIGIPASS (3)

7.3 WINDOWS LOGON, OFFLINE USAGE

When a user is disconnected from the network or the domain controller is unreachable due to a failure somewhere along the network path, a user must still be able to log on to his or her computer. With passwords this capability is supported by comparing the hashed password stored by the LSA with a hash of the credential that the user supplied to the GINA during logon. If the hashes are the same then the user can be authenticated to the local machine. In the smart card case, offline logon requires the user's private key to decrypt supplemental credentials originally encrypted using the user's public key.

In order to cache the supplemental credentials on the local PC, you need to correctly set the policy "Number of previous logons to cache (in case domain controller is not available)" on the domain server. Here are the values you can assign to this policy:

- 0: no logons are cached locally. If the domain controller is not available you will not be able to log on to your PC using your domain account.
- n (from 1 to 50): if the domain controller is not available, you can log on locally using the credentials of the latest n (from 1 to 50) domain accounts cached on your machine.

For security reasons, it is advisable to set this policy to 1. Only the user with a DIGIPASS (and obviously the administrator) will be able to log on to his machine when it is disconnected from the network; the administrator should remember to have the user log in again after performing administrative operations on the user's machine.

8 References

- Microsoft Article ID: 257480, Certificate enrollment using smart cards
- Check Point Full Disk Encryption Support Page
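
The cached-logon policy from section 7.3 can be verified on each workstation by reading the value it writes to the registry. The script below is an added example, not part of the VASCO guide. It also reports the Windows smart card removal setting (ScRemoveOption), which the guide does not name; treating it as the "controlled action" on token removal mentioned in the Overview is an assumption.

```powershell
# Added example, not part of the VASCO guide. Run locally on the workstation.
# Both values are REG_SZ strings under the Winlogon key.
$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RemovalActions = @{ 0 = 'No action'; 1 = 'Lock workstation'
                     2 = 'Force logoff'; 3 = 'Disconnect remote session' }

function Read-WinlogonInt {
    param([string]$Name, [int]$Default)

    $item = Get-ItemProperty -Path $WinlogonKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }      # value absent: Windows default applies
    $parsed = 0
    if ([int]::TryParse([string]$item.$Name, [ref]$parsed)) { return $parsed }
    return $null                                  # present but not a number
}

function Test-OfflineLogonPolicy {
    param([int]$MaxCachedLogons = 1)              # value advised in section 7.3

    # Windows caches 10 logons when CachedLogonsCount is not set.
    $cached  = Read-WinlogonInt -Name 'CachedLogonsCount' -Default 10
    # Windows takes no action on card removal when ScRemoveOption is not set.
    $removal = Read-WinlogonInt -Name 'ScRemoveOption' -Default 0

    $cachedNote = if ($null -eq $cached) { 'Unreadable value' }
                  elseif ($cached -eq 0)  { 'Offline domain logon is disabled' }
                  else                    { "Last $cached domain logon(s) usable offline" }

    $removalNote = if ($null -ne $removal -and $RemovalActions.ContainsKey($removal)) {
                       $RemovalActions[$removal]
                   } else { 'Unrecognized value' }

    [pscustomobject]@{
        Setting    = 'Number of previous logons to cache'
        Value      = $cached
        Meaning    = $cachedNote
        MeetsGuide = ($null -ne $cached -and $cached -le $MaxCachedLogons)
    }
    [pscustomobject]@{
        Setting    = 'Smart card removal behavior'
        Value      = $removal
        Meaning    = $removalNote
        MeetsGuide = 'n/a (no value given in the guide)'
    }
}

Test-OfflineLogonPolicy | Format-Table -AutoSize -Wrap | Out-Host
```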