Tuesday, September 23, 2008

Pointsec for PC 6.3.1 HFA4

I've been having some trouble with Pointsec support lately. It seems that something is wrong with the way that we bought our licenses and support contracts and despite three months of work, Checkpoint has not been able to get it all worked out. So I'm a little behind on the latest Pointsec developments. Namely, I just now got my hands on Pointsec for PC 6.3.1 HFA4.

Reading through the release notes, I found that most of the bug fixes aren't something that affect me too much. We don't use smart cards here at my organization, we don't use Turkish keyboards, and we don't speak Japanese. There are a couple of bugs that I have been annoyed by that did get fixed in HFA4. We've had a problem where a computer doesn't always reboot after enough failed logon attempts when using WIL, and we've been getting a strange error message in the event logs. Both of those problems are cleared up now.

The biggest annoyance for me (besides my lack of support right now) is the unacknowledged bug: namely, you can't cut and paste in the Pointsec management console. I know that I've brought this up before with the support people, but it may not have been recorded because I'm just some crazy guy that thinks he has a support contract.

In a nutshell: When you install Pointsec for PC you can cut and paste in the installer. However, after the reboot, if you open up the management console you can't ACCURATELY cut and paste anymore. You can test this by creating a new user account and selecting password authentication. Open up Notepad and type in a good password. At the screen where you enter the new user's password, type the password into one of the boxes, but paste the password from Notepad into the other box. You will not be able to move on because the passwords do not match.

Depending on how you do your passwords, this could be a minor annoyance or a major headache. For example, at one time we were protecting the Windows share that holds our recovery files by making the Pointsec service run with a service account. The password on our service account is a 64 character randomly generated string. Do you know how much it sucks that I can't paste that in?

Anyway, I hope that this problem is going to get fixed in the next release of Pointsec, but considering that it isn't even listed as a problem I am not very hopeful.


Anonymous said...

Presumably the reason you're using a 64 character random string as a password is for security. It wouldn't be particularly secure if cut and paste were allowed, as clipboard caches remain unflushed for long periods of time.

I'd not be happy with encryption software that allowed a password cut and paste at this level.

Nyllet said...

I can partly agree with what the "anonymous" said above, but still not. If the password already has been copy-pasted into memory it doesn't help that you can't paste it into the password box.

But let's discuss the blog entry. I think you should stay hopeful. I'm quite sure (not 100% though) that this specific bug actually is resolved in the last release of Pointsec PC, which has been rebranded to "Full Disk Encryption R70" (where R70 is just another name for 7.0). Have you had any chance to look at it yet? Besides new images (banners and backgrounds) and a tray application, there are some new features such as the "User Acquisition", which allows new ways to configure installation profiles for deployment. Perhaps the "news" in the 7.0 version is something to discuss in your next article on your blog?

Anyway, I just found my way to your blog and I'm impressed by your knowledge of the Pointsec product. Looking forward to reading more in the future.

Black Fist said...

I just read the other comment you posted where you described user acquisition. It sounds really cool. I've always had a nagging dislike for temporary accounts and viewed them as a necessary evil. User acquisition sounds more secure. I'm going to have to lean on my sales rep to see if I can get an evaluation copy of R70.

Black Fist said...

I don't think that security is the reason that copy and paste isn't working in the Management Console. If that were the case, then I would guess that you wouldn't be able to paste at all. However, in this case you can paste data into the Management Console, it just has extra characters or funny encoding. For example, if I have a password stored in my clipboard, then I can paste that into the Management Console, and as long as I paste it into both fields Pointsec will work fine. The problem will come later when I need to enter that password and find out that whatever was pasted into the Management Console is not what I thought I had copied to the clipboard. That feels more like a bug to me than a security feature.

As for the security of information copied to the clipboard, you're probably right that it isn't the safest thing in the world. But security is all about tradeoffs. Which of the following options sounds worse to you: 1. Pointsec passwords are held in memory on one computer that is managed by the information security manager or 2. Every computer running disk encryption has a weaker password because the information security manager couldn't copy and paste?
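The blog post's reproduction steps (type the password in one box, paste it in the other) and the comment above both describe the same symptom: the pasted string carries extra characters or a different encoding, so the two fields never match. The following is an added example, not code from the original post or from Check Point, showing how to compare two such strings at the code point level so that invisible differences (trailing CR/LF, a NO-BREAK SPACE, a NUL, or a different Unicode normalization form) become visible. All sample strings are constructed for the demonstration.

```python
"""Diagnose why a pasted password does not match a typed one.

Added example (not part of the original post). It compares two strings
character by character and reports each difference with its U+XXXX code
point and Unicode name, which is how you find the "extra characters or
funny encoding" that a broken clipboard path can introduce.
"""
import unicodedata

# Constructed samples: what the administrator typed, and several ways a
# clipboard round-trip might have altered it.
TYPED = "sample pass 42"
PASTED_CRLF = "sample pass 42\r\n"        # editor line ending came along
PASTED_NBSP = "sample\u00a0pass 42"       # NO-BREAK SPACE instead of SPACE
PASTED_NUL = "sample pass 42\x00"         # NUL padding from a buffer copy
TYPED_NFC = "caf\u00e9"                   # e-acute as one code point (NFC)
PASTED_NFD = "cafe\u0301"                 # e + COMBINING ACUTE ACCENT (NFD)


def describe(ch):
    """Render a single character as 'U+XXXX NAME' (controls have no name)."""
    if ch is None:
        return "<missing>"
    return f"U+{ord(ch):04X} {unicodedata.name(ch, '<unnamed>')}"


def diff_codepoints(expected, actual):
    """Return [(index, expected_desc, actual_desc)] for every position
    where the two strings differ, including length mismatches."""
    diffs = []
    for i in range(max(len(expected), len(actual))):
        e = expected[i] if i < len(expected) else None
        a = actual[i] if i < len(actual) else None
        if e != a:
            diffs.append((i, describe(e), describe(a)))
    return diffs


def invisible_suffix(s):
    """Return trailing whitespace/control characters that the eye cannot see."""
    stripped = s.rstrip("\r\n\t \x00")
    return s[len(stripped):]


def same_after_normalization(a, b):
    """True if the strings differ only in Unicode normalization form."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def report(expected, actual):
    """Summarise the comparison in one dict suitable for logging."""
    return {
        "equal": expected == actual,
        "diffs": diff_codepoints(expected, actual),
        "trailing_invisible": invisible_suffix(actual),
        "equal_after_nfc": same_after_normalization(expected, actual),
    }


if __name__ == "__main__":
    for label, pasted in [("CRLF", PASTED_CRLF), ("NBSP", PASTED_NBSP),
                          ("NUL", PASTED_NUL)]:
        print(label, report(TYPED, pasted))
    print("NFD", report(TYPED_NFC, PASTED_NFD))
```

Running it prints one summary per constructed case; the `diffs` list pinpoints the offending index and code point, `trailing_invisible` catches line endings and NUL padding, and `equal_after_nfc` tells you whether the only difference is normalization form (a case where the password is "the same" to a human but not to byte-for-byte comparison).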

lapen said...

BlackFist - Great Post!


I'm currently on 6.3.1 HFA2 and I'm in need of upgrading to HFA4 myself also. Doing some searching, I found your article above for HFA3. Will this procedure work for HFA4 also? Many thanks for all your help.

Black Fist said...

lapen: Yes, the process that I described for upgrading should work for any version of Pointsec version 6. Don't try upgrading Pointsec version 4 or 5 that way.

BTW, before you go and upgrade to Pointsec 6.3.1 HFA4, you should check and see if your license allows you to put on HFA5, since that came out recently.

lapen said...

blackfist - thanks for the info again. I'm just writing to confirm that the process of copying the files to the upgrade path (temporary) and having my test machine point to that worked. I will also try the other way, where you copy it to the work folder of the local machine manually, and see how that goes.

One thing to mention though... although the above process (upgrade from the upgrade path) worked fine, when the machine rebooted after the upgrade, I lost my customized pre-boot authentication screen (banner/logos). I checked other settings in the Pointsec console once I got back to Windows and they seem to be there (i.e. users/groups/password settings/...). I still need to check this more thoroughly though, as I need to put this out on 900+ laptops and I don't want that kind of headache. :-)

Heck, with the release of HFA5, I might even put that out!

BTW - Checkpoint website sucks!!!

Black Fist said...

Lapen: I can't agree more about the Checkpoint web site. Pe-eww!

One thing that I haven't played around with much is customizing the pre-boot environment. At my university we use Windows Integrated Logon so customizing the pre-boot isn't really an issue. I know, there are security concerns that are raised by using WIL, but I work for a University, not the CIA.

Lapen said...

Update: Both methods worked as mentioned for HFA4 installation. I was able to get the customized pre-boot screen also... had to reintroduce the files though... but all went smoothly.

I think I'll go with copying it to the local progfiles\pointsec for pc\work folder via SMS and let it do the update rather than from the update path. I'll have more control this way as to who to target, when, etc.

Thanks for the help and the post. Keep it up! Looking forward to new posts.

Black Fist said...

Lapen: Glad to hear that everything worked out. You might want to check out this series of posts I made about using Microsoft System Center to create Pointsec collections and deploy software. http://blackfistsecurity.blogspot.com/2008/11/pointsec-for-pc-using-sccm-to-upgrade.html

Lapen said...

Thanks for the link to the MSC! When we went from 5 to 6.3, I went through the same procedure with the SMS packages etc. I really liked your shrinking query methods and found them quite useful, and have them set up as well!! Thanks.

I had looked into queries before in the hope of trying to set up something so I can find out how many of my machines are actually encrypted and how many aren't... or how far they are... and get the names of them. I know there is a registry entry that is set to either 1 or 0, so I wanted to query for that and try to get the names of the machines, but I didn't see any straightforward way of creating such a query in SMS. Any ideas?? Thanks in advance.