
Pointsec Administration Guide
V1.0
May 22, 2008

OAAIS Enterprise Information Security


http://security.ucsf.edu
Table of Contents
INSTALLATION PROCEDURES ................ 3
  SUPPORTED PLATFORMS ................ 3
    Operating System Requirements/Limitations ................ 3
  PRE-INSTALLATION CHECKLIST ................ 5
    Minimum Requirements Checklist ................ 5
    System Preparedness Checklist ................ 5
  INSTALLATION INSTRUCTIONS ................ 6
    Verify Pointsec Installation ................ 8
    End User experience with Pointsec ................ 10
RECOVERY PROCEDURES ................ 11
  BOOTABLE RECOVERY DISK ................ 11
    Creating a Recovery Disk ................ 11
    Booting from recovery disks ................ 12
    Pre-boot Customization screen ................ 12
  USING SLAVE DRIVE FUNCTIONALITY ................ 13
    Compatibility of Drives ................ 13
    Accessing a Slave Drive ................ 13
  REMOTE PASSWORD RESETS ................ 14

Pointsec 2 Administrators Guide


Installation Procedures
Supported Platforms

Pointsec PC is supported when installed on an x86-compatible computer with:
o Microsoft Windows Vista Enterprise, Business or Ultimate editions (32-bit).
o Microsoft Windows XP Tablet PC Edition.
o Microsoft Windows 2000 Professional SP4 UR1.
o Microsoft Windows XP Professional (SP1 or SP2; SP2 is recommended).

Pointsec PC is NOT supported when installed on a computer with:
o Microsoft Windows XP Home (all variants and SPs).
o Microsoft Windows Media Center Edition (all variants and SPs).

Operating System Requirements/Limitations


Stripe/Volume Sets
Pointsec PC should not be installed on partitions that are part of stripe or volume sets.

RAID
Pointsec PC should not be installed on machines with software or hardware RAID.

Compressed Root Directory


Pointsec PC cannot be installed if the root directory (or root directories) is compressed.
The root directory must be decompressed before Pointsec PC is installed; subdirectories
of the root directory may remain compressed.

Windows User Account requirements for Install and Uninstall


In order to install or uninstall Pointsec PC, the user account executing the action (either
directly, through "Run As...", or as a service) must be authorized to perform installations;
this usually means having Administrator permissions.

Windows User Account Registry Permission Requirements


In order to install, upgrade, change language and import profiles on a Windows XP PC, a
user account needs the following registry permissions: Query value, Set value, Create
subkey, Enumerate subkey, Notify, Create link, and Read control.
In order to uninstall on a Windows 2000 PC, a user account needs the above registry
permissions plus Delete.



Memory and Disk Space Requirements
The current memory and disk space requirements are:

Operating System            Memory        Disk Space
Windows Vista               512 MB RAM    100 MB, of which 2 MB must be contiguous free space
Windows XP                  128 MB RAM    100 MB, of which 2 MB must be contiguous free space
Windows 2000                64 MB RAM     100 MB, of which 2 MB must be contiguous free space
Windows XP Tablet Edition   128 MB RAM    100 MB, of which 2 MB must be contiguous free space

Note: The disk encryption process does not require extra space on the hard disk.

Fragmented Disks
2 MB of contiguous disk space is required for Pointsec PC installation. If this amount of
contiguous space is not available, the installation will fail.



Pre-Installation Checklist

Minimum Requirements Checklist


o Pointsec will be installed on a machine with one of the following 32-bit operating
  systems:
    o Microsoft Windows Vista Enterprise, Business or Ultimate editions (32-bit).
    o Microsoft Windows XP Tablet PC Edition.
    o Microsoft Windows 2000 Professional SP4 UR1.
    o Microsoft Windows XP Professional (SP1 or SP2; SP2 is recommended).
o 512 MB of RAM, 200 MB of hard drive space (2 MB must be contiguous).
o Hard drive is less than 80% full.
o System does not have any of the following:
    o Stripe/Volume sets
    o Dynamic/Hidden Volumes
    o Dual Boot operating systems

System Preparedness Checklist


o Machine is a member of the UCSF Active Directory Domain (CAMPUS, SOM,
  UCSFMC).
o Account used to install Pointsec will be an Active Directory account with local
  administrative privileges (CAMPUS, SOM, UCSFMC).
o A full backup has been made of this machine.
o Check Disk with repair enabled has been run on this machine.
o BIOS anti-virus has been disabled.
o This machine does not have any disk encryption software already installed.
    o NOTE: Pointsec will need to be uninstalled before performing a major
      software upgrade or re-partitioning the hard drive.
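Most of the items in the Supported Platforms, Operating System Requirements, Memory and Disk Space and checklist sections above can be tested before the installer is ever started. The PowerShell script below is an added example written against this guide's requirements; it is not part of the guide or of the Pointsec product. It assumes PowerShell (1.0 or 2.0 era syntax, WMI via Get-WmiObject) is installed on the candidate machine and that it is run from an administrative session. Per-OS memory minimums come from the requirements table; the stricter free-space rule (200 MB free, under 80% full) comes from the checklist. Items that WMI cannot answer reliably (the 2 MB of contiguous space, stripe/volume sets, RAID, dual boot, backups, BIOS settings, other encryption products) are printed for manual confirmation rather than guessed. The data directory tested for an existing install is the recovery-file location the Recovery Procedures section gives for XP/2000.

```powershell
# Pre-installation check for Pointsec PC. Added example, not part of the
# guide or the product. Run from an administrative PowerShell session on the
# candidate machine; uses only Get-WmiObject so it works on 1.0/2.0.

$failures = @()   # automated checks that did not pass
$manual   = @()   # items this script cannot verify and leaves to the administrator

# --- Operating system: must be one of the listed 32-bit editions ------------
$os     = Get-WmiObject Win32_OperatingSystem
$osName = $os.Caption
# Vista captions carry a trademark glyph after "Vista", hence the \S* below.
$supportedPatterns   = @('Windows Vista\S* (Enterprise|Business|Ultimate)',
                         'Windows XP Tablet PC Edition',
                         'Windows XP Professional',
                         'Windows 2000 Professional')
$unsupportedPatterns = @('Windows XP Home', 'Media Center', 'x64')

if ($unsupportedPatterns | Where-Object { $osName -match $_ }) {
    $failures += "Unsupported edition: $osName"
} elseif (-not ($supportedPatterns | Where-Object { $osName -match $_ })) {
    $failures += "Edition is not on the supported list: $osName"
}
# OSArchitecture exists only on Vista and later; XP/2000 yield $null here and
# the XP/2000 editions matched above are 32-bit.
if ($os.OSArchitecture -and $os.OSArchitecture -notmatch '32') {
    $failures += "Not a 32-bit operating system: $($os.OSArchitecture)"
}

# --- Memory: per-OS minimum from the guide's requirements table -------------
$cs       = Get-WmiObject Win32_ComputerSystem
$ramMB    = [math]::Round($cs.TotalPhysicalMemory / 1MB)
$minRamMB = 512                                       # Vista
if ($osName -match 'Windows XP')   { $minRamMB = 128 }
if ($osName -match 'Windows 2000') { $minRamMB = 64 }
# TotalPhysicalMemory reports slightly under the nominal size (BIOS reserve),
# so a 5% margin keeps a 512 MB machine that reports 503 MB from failing.
if ($ramMB -lt ($minRamMB * 0.95)) {
    $failures += "RAM ${ramMB} MB is below the ${minRamMB} MB minimum for this OS"
}

# --- System drive: free space and fill level (checklist: 200 MB, under 80%) --
$sysDrive = $env:SystemDrive                          # e.g. C:
$disk     = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
$freeMB   = [math]::Round($disk.FreeSpace / 1MB)
$pctUsed  = [math]::Round(100 * ($disk.Size - $disk.FreeSpace) / $disk.Size, 1)
if ($freeMB -lt 200) { $failures += "Only ${freeMB} MB free on $sysDrive (200 MB required)" }
if ($pctUsed -ge 80) { $failures += "$sysDrive is ${pctUsed}% full (must be below 80%)" }

# --- Root directory must not be compressed (subdirectories may be) ----------
$rootAttrs = (Get-Item "$sysDrive\").Attributes
if (($rootAttrs -band [IO.FileAttributes]::Compressed) -ne 0) {
    $failures += "Root directory $sysDrive\ is compressed; decompress it before installing"
}

# --- Domain membership (PartOfDomain is absent on Windows 2000: then skipped) -
if ($cs.PartOfDomain -eq $false) {
    $failures += "Machine is not joined to a domain (expected CAMPUS, SOM or UCSFMC)"
}

# --- Existing Pointsec install: the guide's recovery-file directory (XP/2000) -
$pointsecDir = "$env:ALLUSERSPROFILE\Application Data\Pointsec\Pointsec for PC"
if (Test-Path $pointsecDir) {
    $failures += "Pointsec data directory already present: $pointsecDir"
}

# --- Left for the administrator ---------------------------------------------
$manual += "2 MB contiguous free space: run 'defrag $sysDrive -a' and defragment if fragmented"
$manual += "No stripe/volume sets, dynamic or hidden volumes, RAID, or dual boot"
$manual += "Full backup taken, Check Disk with repair run, BIOS anti-virus disabled"
$manual += "No other disk encryption software installed"

Write-Host "Pointsec PC pre-installation check on $env:COMPUTERNAME ($osName)"
if ($failures.Count -eq 0) {
    Write-Host "Automated checks: PASS"
} else {
    Write-Host "Automated checks: FAIL"
    $failures | ForEach-Object { Write-Host "  - $_" }
}
Write-Host "Confirm manually:"
$manual | ForEach-Object { Write-Host "  - $_" }
```

Save it under any name (Test-PointsecPrereqs.ps1 is an assumed name) and run it with powershell -ExecutionPolicy Bypass -File Test-PointsecPrereqs.ps1. Each FAIL line names the item to fix before the .msi is run: decompress the root directory, free or defragment disk space, join the domain, or choose a supported edition.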



Installation Instructions

1. Run the "Pointsec for PC (DEPARTMENT NAME).msi" installer from the media
   provided. After a few seconds the program will prompt you to reboot.
2. On rebooting, Pointsec installs code in the boot partition and reboots again; you
   will then be prompted to enter a Pointsec login.
3. Log in to Pointsec with your temporary user name and password. Click Enable
   WIL, then click OK.
4. After logging in with your temporary user account, Pointsec will walk you
   through creating your own login and password. The password must be 8
   characters long. It is highly recommended to make this login the same as the
   Windows login name.



Verify Pointsec Installation
1. In the system tray, locate the blue "p" icon and right-click it. Select Information
   from the popup window.
2. Once the Information window opens, click the Volumes button. This screen will
   list all volumes protected by Pointsec and the percentage to which each is
   encrypted. When the drive has been encrypted 100%, Pointsec will list the hard
   drive as encrypted.

Encryption in progress


Encryption completed



End User experience with Pointsec
The end user experience will vary depending on the customizations of the Pointsec install.
A default installation of Pointsec has Windows Integrated Logon (WIL) enabled; this
bypasses the pre-boot login screen and boots directly to the Windows logon screen.
If a user enters an incorrect password a predetermined number of times, WIL is
automatically disabled and the computer reboots to the pre-boot login screen.
The Pointsec pre-boot login screen will appear under the following conditions:
o Windows Integrated Logon (WIL) option is not enabled
o Single Sign-On (SSO) is enabled

End users with the default installation of Pointsec will only see the Pointsec icon after
Windows loads. The Pointsec taskbar program allows you to view information about the
Pointsec install, the encryption algorithm used and the progress of encryption.



Recovery Procedures
Pointsec has two methods to recover data from an encrypted system: a bootable recovery
disk, and connecting the encrypted hard disk to another machine (slave drive). Only
Computer Support Coordinators (CSC) and OAAIS Enterprise Information Security
(EIS) can perform recovery tasks.
In order to perform the following tasks, you must have Pointsec installed on your
machine or access to a machine that has Pointsec installed. Pointsec Management
Console requires Microsoft .NET 2.0 or later:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&displaylang=en

Bootable Recovery Disk

A common scenario in which recovery is required is when something fails in a computer
that is protected by Pointsec PC, and you are unable to start Windows properly. To
remedy this problem, the administrator creates bootable media on another computer,
using the recovery file of the failed computer. The administrator, or whoever is
performing the recovery, then uses the bootable media to recover the faulty computer.
The bootable media performs the following tasks:
o Enables the administrator to recover data on the faulty computer.
o Decrypts the faulty computer's encrypted volumes.
o Removes the pre-boot authentication from the faulty computer.
o Gives direct access to Windows on the faulty computer once decryption has
  completed successfully.
Pointsec PC stores the recovery file in two locations: locally in the directory
C:\Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC
and on the Pointsec file server.
Note: Recovery can only be performed if you have the appropriate Pointsec
administrator access on the machine that has Pointsec installed.

Creating a Recovery Disk


1. Insert a USB memory stick or floppy disk into your computer.
    o Note: Pointsec will erase the contents of the disk.
2. Open Pointsec Management Console: Start Menu -> All Programs -> Check Point
   -> Pointsec PC -> Management Console.
3. Log in to the Pointsec Management Console with your username and password
   and select Remote from the left column. Click on Create recovery media.
4. The recovery wizard will open; follow the on-screen prompts to select the
   machine's recovery file.
5. After the recovery file is chosen, Pointsec will prompt for administrator
   authentication; enter both administrator accounts into the screen prompts.
6. Once authentication is complete, select the device on which the recovery disk will be
   created.
Booting from recovery disks
Pointsec provides an alternative boot menu so you can easily change boot devices
without the need to make these changes in the BIOS. To activate the alternative boot
menu, follow these instructions:

1. At the Pointsec pre-boot login screen, press CTRL + F10.
2. Enter your user account name and password, and press Enter.

Pre-boot Customization screen


The pre-boot customization screen allows you to turn off Windows Integrated Logon
(WIL) without booting into Windows and changing this setting from within Windows. To
access the pre-boot customization screen, press both Shift keys at boot.



Using Slave Drive Functionality

There are circumstances under which you need to access information on the hard disk of
a Pointsec PC-protected machine and do not want to access this information by
performing a recovery, for example if you need to access a disk for forensic reasons or
because a failure of the operating system makes it impossible to retrieve data on a disk. In
such cases you can use Pointsec PC’s slave drive functionality.
A slave drive is a hard drive taken from one machine and installed (with the jumpers
correctly set) on another machine, the master machine.
The slave drive functionality enables you to take a hard drive from a Pointsec PC-
protected machine and, on another Pointsec PC-protected machine, unlock it in pre-boot
and then access the information on that disk in Windows.
Slave drive functionality requires that both the slave drive and the master machine have
been encrypted with the same algorithm.

Compatibility of Drives
Because of differences in the way different BIOSs handle disks, Pointsec PC slave-drive
functionality currently supports only slave drives of the same drive type as that of the
master machine (IDE, SATA, or SCSI).

Accessing a Slave Drive


The following is a typical example of how to access a slave drive:

1. As administrator, attach to your computer (now the master computer) an
   encrypted drive from a client that allows slaving. Before authenticating, be sure
   that the BIOS has located the slave drive. If it has not, you will not be able to
   continue.
2. Start the master computer with the attached slave drive and complete the Pointsec
   PC pre-boot authentication.
    o Immediately after the successful pre-boot authentication, a slaving
      authentication window is displayed. The authentication window and its
      background are in grayscale to distinguish it from the other authentication
      windows. The slave drive authentication uses the user account name and
      fixed password, dynamic token, or smart card required by the slave drive.
      The slave drive authentication window is displayed for approximately 30
      seconds, after which it disappears if no action has been taken. After each
      action, for example a keystroke, the timer is reset and starts counting
      down again.
3. After successful logon to the slave drive, proceed or cancel. The logon to the
   slave drive is logged on the master machine. If you do not cancel, Windows starts
   and the drive is mounted as a Windows drive.



Remote Password Resets

Verify the identity of the user before providing remote password assistance.
1. Open Pointsec Management Console: Start Menu -> All Programs -> Check Point
   -> Pointsec PC -> Management Console.
2. Log in to the Pointsec Management Console with your username and password
   and select Remote Help from the left column.
3. Click the Remote password change radio button.
4. Instruct the end user to enter their login name and select the Remote Help button
   from the login screen.

Pre-boot login screen on end user machine

End user machine remote help logon



6. After the end user enters Response One, instruct them to click or tab to the
   Response Two field. This generates the challenge key. Have the end user read
   the challenge number displayed on their screen to you, and enter it into the
   "Challenge from end user" field.
End user machine challenge key



7. In the Pointsec Management Console, enter your Pointsec account password and
   click the Generate button.

Management console remote help screen – Response Two



8. Read "Response Two" to the end user and have them click the OK button. This will
   prompt them to reset their Pointsec password.
End user machine password reset screen

End user machine successful login screen
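The exchange in steps 1 to 8 above is a challenge/response protocol carried over the phone: the console and the end user's machine each hold key material for that user, the machine issues a fresh challenge, and only a console that can compute the matching Response Two unlocks the password reset. The script below is an added example that models the shape of that exchange so the roles of each value can be followed; it is not Pointsec's code, and Pointsec's actual derivation is not described in this guide, so HMAC-SHA256 over a constructed per-user secret stands in for it. The user name, the secret, the digit lengths and the role of Response One (modelled here as a console-issued session value) are all assumptions made for the illustration, and the console password entered in step 7 is only noted, not modelled. Both sides run in the one script so the flow can be read end to end.

```powershell
# Challenge/response remote-help walk-through. Added example: the construction
# (HMAC-SHA256 over a per-user secret) is a stand-in for the product's own,
# which this guide does not describe. Runs on PowerShell 2.0 or later.

function Get-RandomDigits([int]$Count) {
    # Cryptographically random decimal digits. Bytes 250-255 are rejected so
    # that "byte mod 10" is uniform rather than biased toward 0-5.
    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf    = New-Object byte[] 1
    $digits = ''
    while ($digits.Length -lt $Count) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 250) { $digits += ($buf[0] % 10) }
    }
    return $digits
}

function Get-ResponseCode([byte[]]$Secret, [string]$Context, [int]$Digits) {
    # HMAC-SHA256(secret, context) reduced to a fixed number of decimal digits
    # so it can be dictated. Any change to the context (user, session or
    # challenge) produces an unrelated code.
    $hmac  = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Secret)
    $mac   = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Context))
    $value = ([BitConverter]::ToInt64($mac, 0) -band 0x7FFFFFFFFFFFFFFF) % [long][math]::Pow(10, $Digits)
    return ('{0:D' + $Digits + '}') -f $value
}

function Format-Spoken([string]$Digits) {
    # Group as 1234-5678-9012 so the number is easy to read over the phone.
    return $Digits -replace '(\d{4})(?=\d)', '$1-'
}

# --- Constructed data for the walk-through ----------------------------------
$userName = 'jdoe'
# Key material the console holds for this user (constructed for the example).
$secret   = [Text.Encoding]::UTF8.GetBytes('constructed-per-user-secret-for-jdoe')

# The guide's precondition: identity verified before any help is given. Modelled
# as an explicit gate so the script cannot proceed past it by accident.
$identityVerified = $true
if (-not $identityVerified) { throw 'Caller identity not verified; no remote help.' }

# Steps 1-4: console in Remote Help, user at the pre-boot Remote Help screen.
# Response One is modelled as a session value the console issues and the user
# types in, so that Response Two is tied to this help session.
$responseOne = Get-RandomDigits 8

# Step 6: moving to the Response Two field makes the user's machine generate a
# fresh random challenge, which the user reads to the help desk.
$challenge = Get-RandomDigits 12

# Step 7: the help desk enters the challenge (and its console password, not
# modelled here) and generates Response Two.
$context     = "$userName|$responseOne|$challenge"
$responseTwo = Get-ResponseCode $secret $context 8

# Step 8: the user's machine recomputes the expected code from the same inputs;
# only a match opens the password-reset dialog.
$resetAllowed = ($responseTwo -eq (Get-ResponseCode $secret $context 8))

# A code captured from one session is useless for another: a new challenge
# gives a different expected value, so the old Response Two is rejected.
$laterChallenge = Get-RandomDigits 12
$replayAllowed  = ($responseTwo -eq (Get-ResponseCode $secret "$userName|$responseOne|$laterChallenge" 8))

Write-Host "Response One (console -> user): $(Format-Spoken $responseOne)"
Write-Host "Challenge    (user -> console): $(Format-Spoken $challenge)"
Write-Host "Response Two (console -> user): $(Format-Spoken $responseTwo)"
Write-Host "Password reset allowed:         $resetAllowed"
Write-Host "Old code accepted for a new challenge: $replayAllowed"
```

The design point the script makes is why the challenge exists at all: because Response Two is computed over a value the user's machine chose a moment ago, a code overheard or written down during one call does not help anyone with a later one, and the help desk can only produce it after authenticating to the console. The identity check at the top is the one step no cryptography replaces, which is why the guide puts it first.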
