Full Disk Encryption 7.4 HFA 3 Release Notes 15 July 2010
© 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Version
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11134
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date          Description
15 July 2010  Initial version
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Full Disk Encryption 7.4 HFA 3 Release Notes).
Contents
Important Information  3
Introduction  5
  New in this Release  5
  Server Information and Requirements  5
Client Information and Requirements  6
  Included Client Versions  6
  Supported Platforms and Devices  6
    Hardware Requirements  6
    Additional Supported Devices  6
  Important Security Considerations  7
    Windows Integrated Logon (WIL)  7
    SSO with Remote Desktop Applications  7
  Additional Specifications  7
    System Requirements and Limitations  7
    Modifying the Pointsec for PC.msi Package  8
    Software Incompatibilities  8
Installation  9
  Supported Upgrade Paths  9
  Verifying Package Integrity  9
  Installing on a Mac  9
Configuring New Features  10
  Configuring the Remote Help Challenge  10
  Configuring Hidden Volume Encryption  10
Resolved Issues  11
  Resolved Login and Authentication Issues  11
  Resolved Hardware Issues  11
  Resolved Errors and Instability Issues  12
  Resolved General Issues  12
Known Limitations  13
Introduction
Check Point Full Disk Encryption combines boot protection, Preboot authentication, and strong encryption to ensure that only authorized users are granted access to information stored in desktop and laptop PCs. This HFA for Full Disk Encryption for Windows resolves issues from previous releases and provides new enhancements to improve performance and security.
New in this Release
Highlights of this release include:
You can now install Full Disk Encryption for Windows on Mac machines running a Windows operating system.
Full Disk Encryption no longer requires USB 1.x for Preboot USB devices. This resolves USB-related problems on machines with a new Intel chipset, such as the Intel 5-series 3400.
Hibernation on 64-bit machines is now supported.
You can now install Full Disk Encryption on machines with active volume type 27. See Configuring Hidden Volume Encryption (on page 10).
You can now configure the length of Response Two in Remote Help. See Configuring the Remote Help Challenge (on page 10).
Server Information and Requirements
This release uses the R73 License server. For more information, see the Endpoint Security R73 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10608).
Introduction
Page 5
Client Information and Requirements
This section lists the requirements for endpoint computers on which you want to install FDE 7.4 HFA 3, and the version information for the included client.
Included Client Versions
The version included in FDE 7.4 HFA 3 at the time of the release is:
Product                          Version
Full Disk Encryption for Windows FDE 7.4 HFA3 Build 1618
Supported Platforms and Devices
Supported Platforms for Full Disk Encryption for Windows:
Microsoft Windows 7 (Enterprise/Professional/Ultimate) 32-bit and 64-bit
Microsoft Windows Vista (Enterprise/Business SP1 and higher) 32-bit and 64-bit
Microsoft Windows XP (Professional SP2 and higher) 32-bit only
Hardware Requirements
The minimum hardware requirements for Full Disk Encryption for Windows clients are:
Hardware             RAM     Disk Space
Pentium III 450 MHz  512 MB  500 MB
Note - If the machine is running the Full Disk Encryption Management Console, it also requires Microsoft .NET Framework 2.0 or higher.
Additional Supported Devices
Dynamic Tokens - Full Disk Encryption supports any dynamic token that conforms to the ANSI X9.9 security standard, as long as the DES or 3DES algorithms are used together with these tokens.
Touch-Pen Logon - Full Disk Encryption supports Preboot authentication with touch pens on the following tablet PCs:
HP TC1100
HP TC4200
IBM X41
Toshiba Portégé M200
Toshiba Portégé M400
Motion Computing LS800
Motion Computing LS1600
Motion Computing LS1700
Motion Computing C5
AMTek Smart Caddie SCA002
Important Security Considerations
When you choose which Full Disk Encryption features to implement, consider these important factors.
Windows Integrated Logon (WIL)
Before you implement Windows Integrated Logon (WIL), weigh the impact of implementing Preboot Authentication against the need for strong security when accessing the encrypted data at rest. WIL simplifies the user's experience when logging on to encrypted machines at the cost of limiting the strength of the PC's security configuration. Consider using Single Sign-On (SSO) in conjunction with proper Preboot Authentication as an alternative to WIL. Carefully weigh the use of WIL against user-authentication-based Preboot Authentication according to the requirements of the enterprise security standards and goals you have implemented.
SSO with Remote Desktop Applications
Consider the possible security risk when using SSO with a remote desktop application. Normally this is not a problem because only Administrators have permission to connect to a remote computer via the remote desktop application. However, if you allow other users to connect with a remote desktop application, consult a Check Point Support representative.
Additional Specifications
Full Disk Encryption for Windows has specific requirements.
System Requirements and Limitations
Stripe/Volume Sets - On Windows XP, do not install Full Disk Encryption on partitions that are part of stripe or volume sets.
IRRT - You can install Full Disk Encryption on an IRRT-enabled hard drive. However, an actual RAID configuration is not supported.
Compressed Root Directory - Full Disk Encryption cannot be installed if the root directory (or root directories) is compressed. The root directory must be decompressed before Full Disk Encryption is installed. However, subdirectories of the root directory may be compressed.
Fragmented Disks - 2 MB of contiguous disk space is required for Full Disk Encryption installation. If this amount of contiguous space is not available, the installation will fail. In general, it is considered good practice to avoid fragmented disks to enhance overall performance, and to defragment disks prior to installing Full Disk Encryption.
Resizing Partitions and Using Disk Management Features/Utilities - Never use software that alters the workstation's disk partitions when Full Disk Encryption is installed on the workstation. If you need to resize a partition, remove Full Disk Encryption completely first and then resize the partition.
Overlapping Partitions - When moving disks between computers where the computers have different head counts (for example, H=64 to H=16) FDISK may produce overlapping partitions. The operating system does not notice this. Full Disk Encryption will not start encryption if overlapping partitions are found. This problem can sometimes occur on machines with multiple volumes.
Disk Utilities - Do not use disk utilities to change file systems or resize any volumes on the hard disk if Full Disk Encryption is installed on the computer. In most scenarios, doing so leads to an unusable system and loss of system data.
OS Upgrades - Do not upgrade from one operating system version to another while Full Disk Encryption is installed. This may lead to an unusable system. However, you can install hotfix upgrades.
Modifying the Pointsec for PC.msi Package
Do not modify the Pointsec for PC.msi package in any way. For example, do not attempt to modify the Pointsec for PC.msi package by using transforms. If you modify the Pointsec for PC.msi package, the product is no longer supported.
Software Incompatibilities
Remote Help Malfunctions on Slaved Hard Disk Drives - Remote Help's remote password change and one-time logon do not function on slaved hard disk drives.
Full Disk Encryption and VMware - Full Disk Encryption does not support VMware in a production environment. VMware is supported only for testing and demonstrations. In addition, note that the use of smart cards and smart card readers together with Full Disk Encryption is severely restricted in VMware sessions.
Full Disk Encryption and Windows Vista BitLocker Drive Encryption - Windows Vista BitLocker Drive Encryption cannot be used together with Full Disk Encryption.
Smart Card Feature in the Full Disk Encryption Preboot Environment - Systems that do not allow the disabling of USB Legacy support in the BIOS may be incompatible with the smart card feature in the Full Disk Encryption Preboot environment.
If you have the Enable USB devices in Preboot setting activated and USB Legacy support is enabled in the BIOS, you might experience incompatibility issues in the Preboot. To avoid this, make sure that either USB Legacy support in the BIOS or the Full Disk Encryption USB setting is disabled on the machine.
Installation
You can install this release as a new installation of Full Disk Encryption or as an upgrade to a previous version of Full Disk Encryption.
To install this release:
1. Download Check_Point_Endpoint_Security_Full_Disk_Encryption_EW_ed_7.4HFA3.zip (http://supportcenter.checkpoint.com/file_download?id=11136).
2. For instructions on how to install Full Disk Encryption for the first time, see the Endpoint Security Full Disk Encryption EW 7.4 Installation Guide (http://downloads.checkpoint.com/dc/download.htm?ID=10579). For instructions on how to upgrade from an older version of Full Disk Encryption to FDE 7.4 HFA 3, see the Endpoint Security Full Disk Encryption EW 7.4 Administration Guide (http://downloads.checkpoint.com/dc/download.htm?ID=10578).
Supported Upgrade Paths
You can upgrade to FDE 7.4 HFA 3 from these Full Disk Encryption versions:
Pointsec 5.x
PointSec 6.x
Full Disk Encryption for Windows 7.x up to and including 7.4 HFA 2
Note - Endpoint Security Client components from different R7x versions can coexist on the same client computer. For example, if you use the Media Encryption version included in R72, you can also use the Full Disk Encryption version included in this release.
Verifying Package Integrity
After you download the FDE 7.4 HFA 3 installation package, we recommend that you verify the integrity of the package before you install it. Use the MD5 hash value of the downloaded package to do this.
1. Run: C:\>md5.exe package.exe
2. Make sure the output is: 4f470db12a87cfccd3f052ea0adcb244.exe
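As an added example (not code from the release notes or from Check Point), this Python script performs the same check as the md5.exe step: it streams the package through MD5, compares the result with the published digest in constant time, and can also pick the digest out of a hashing tool's output line. The package path in the script is an assumed placeholder.

```python
"""Check a downloaded installation package against its published MD5 digest.

Added example; it is not part of the Check Point release notes and does not
use the vendor's md5.exe. EXPECTED_MD5 is the value the release notes publish
for the FDE 7.4 HFA 3 package; the package path is a placeholder.
"""
import hashlib
import hmac
import re

# Digest published in the release notes for the FDE 7.4 HFA 3 package.
EXPECTED_MD5 = "4f470db12a87cfccd3f052ea0adcb244"

# A run of exactly 32 hex digits delimited by non-word characters
# (space, colon, dot, newline or end of line).
_HEX32 = re.compile(r"\b([0-9a-fA-F]{32})\b")


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory byte string (used for small inputs and tests)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through MD5 so a large package never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_from_tool_output(line):
    """Extract the digest from a hashing tool's output, e.g. md5.exe's
    '<digest> package.exe' or certutil's 'MD5 hash of package.exe:' followed
    by the digest on the next line. Returns the lower-case digest, or None
    when no 32-hex-digit token is present."""
    match = _HEX32.search(line)
    return match.group(1).lower() if match else None


def digests_match(actual, expected):
    """Case-insensitive comparison in constant time. None, wrong length or
    non-hex input is reported as a mismatch rather than raising."""
    if actual is None or expected is None:
        return False
    return hmac.compare_digest(actual.lower().encode(), expected.lower().encode())


def verify_package(path, expected=EXPECTED_MD5):
    """True only if the file at `path` hashes to the published digest."""
    return digests_match(md5_of_file(path), expected)


if __name__ == "__main__":
    # Placeholder path: point it at the downloaded package before running.
    PACKAGE = r"C:\Downloads\Check_Point_Endpoint_Security_Full_Disk_Encryption_EW_ed_7.4HFA3.zip"
    print("OK" if verify_package(PACKAGE) else "MISMATCH - do not install")
```

A matching MD5 shows the file is the one the vendor published, not that the download channel was trustworthy; take the expected digest from the vendor's support site rather than from the same mirror that served the package.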
Installing on a Mac
In this release you can install Full Disk Encryption for Windows on an Intel-based Macintosh machine running a Windows operating system that is supported by Full Disk Encryption. Use Boot Camp to install Windows. After the Windows operating system is correctly installed, you can install Full Disk Encryption for Windows. Use the Endpoint Security Full Disk Encryption EW 7.4 Installation Guide (http://downloads.checkpoint.com/dc/download.htm?ID=10579). When you use Boot Camp, you can install Full Disk Encryption for Windows on a Windows partition and install Full Disk Encryption for Mac on an OS X partition.
To configure the Full Disk Encryption Preboot to work on the Macintosh machine:
In the Full Disk Encryption Management Console, under System Settings, select Hardware Devices > Enable USB Devices in Preboot.
Configuring New Features
This release contains new feature options that you can configure.
Configuring the Remote Help Challenge
You can now configure the length of Response Two in Remote Help. The options are 30, 20, or 10 characters; however, 10 is not recommended because of the low security this option provides. To use the new settings you must use the webRH Full Disk Encryption Module 7.4 HFA3 or the Full Disk Encryption Management Console. Configure the challenge in the installation profile for the Full Disk Encryption Management Console, webRH, or both. Install the new webRH extension that is part of the FDE 7.4 HFA 3 installation package. Install this extension on the existing webRH installation according to the installation process described in the Endpoint Security webRH 2.4 HFA 2 Installation Guide (http://downloads.checkpoint.com/dc/download.htm?ID=8828).
Configuring Hidden Volume Encryption
This HFA includes a new feature for encrypting hidden FAT and NTFS volumes that do not have a drive letter, and Windows Recovery volumes of Type 27.
To enable hidden volume encryption:
1. In the Management Console, under Select volume protection, select the option Enable encryption or boot protection of hidden volumes or volumes without a drive letter.
2. To make sure that hidden volumes are encrypted automatically, select the Dynamic Volume Encryption option when you upgrade to Full Disk Encryption 7.4 HFA 3.
3. To enable Hidden Volume Encryption in an installation profile:
   a) When you create a new installation profile, select Encrypt all visible volumes.
   b) Select Boot protect hidden volumes and Encrypt hidden volumes.
Important - If you encrypt a bootable partition (such as a Recovery Utility partition) that should be accessed before the Preboot authentication, the partition will become non-bootable. To encrypt a bootable partition, install the Full Disk Encryption filter driver into the operating system, unless this hidden volume has only boot protection. For Windows RE and Windows Recovery Console, see the "..\Tools" folder in the Full Disk Encryption install package.
Resolved Issues
The issues shown below are resolved after FDE 7.4 HFA 3 is properly installed.
Resolved Login and Authentication Issues
ID                  Description
00545504            Clients can change the SSO setting, even if they do not have permissions to do so in their profiles.
00514474            Authentication issues occur when you use Full Disk Encryption with the eToken PKI Client 5.0SP1.
00514232            The hostname does not display in the Preboot.
00514118            It is possible to change the password during a One Time Login session.
00514883, 00514783  Issues occur with Full Disk Encryption Management Console Remote Help when using the 20-Character Challenge.
00514974            Smart Card Crescendo C700 fails in the Preboot.
00514993            Remote Help gives an "Invalid Logon" message after the challenge length is changed from 20 characters to 10, the default.
00514910            When the pssoGina.dll Full Disk Encryption GINA is present, Full Disk Encryption does not properly handle the removal of an Active Identity Smart Card.
00456309            The Aladdin eToken PRO 64k 4.2b Smart Card does not work with 2048 bit certificates in Preboot.
Resolved Hardware Issues
ID        Description
00515008  A USB mouse periodically freezes in the Preboot on Dell D820/D830 machines.
00513043  If a USB device is connected, there is a blinking cursor on Dell D510 machines in Preboot.
00515000  A black screen hang occurs on Acer Aspire One AOD250.
00515009  A USB headset causes a freeze in Preboot.
00515054  IBM X301 machines do not resume from hibernation.
00512709  When you try to install Full Disk Encryption on Dell Inspiron Mini Netbooks, the installation fails and you see a blinking cursor.
Resolved Errors and Instability Issues
ID        Description
00514938  The error BSOD 0x050010FD occurs when you decrypt a drive.
00514853  On Windows 7, 32 and 64 bit, blue screens randomly occur when you hibernate the system.
00513337  During an upgrade, this error shows: Fatal error 24 while loading language.
00558643  If you are using Windows 7 with password complexity and User Acquisition is enabled in a Full Disk Encryption profile, this error might show: Mpnotify.exe has encountered an error and must close.
00513108  An application error occurs after you edit the User Acquisition settings.
00514923  An "Unhandled exception has occurred in your application" error shows when you create a new profile.
Resolved General Issues
ID                  Description
00454833            Silent install is not possible if IgnoreOld Installation=Yes in the Precheck.txt file.
00515034            Installation on drives without drive letters causes problems.
00514732, 00532081  Upgrading from Full Disk Encryption 6.3 HFA X to 7.3 HFA 1 corrupts additional global language files.
00513300            The recovery file is not updated when a client is added to a domain.
00513833            There are no limits for the values of the input boxes in the File Transfer Delay window.
00514570            UseRec.exe becomes unstable when you try to create recovery media on a machine that does not have Pointsec or Full Disk Encryption installed.
00514662            The "Last log file update" value in the Local settings window is missing information.
00514665            There is a timestamp mismatch between "Last log file delivery"/"Last log file update," which is displayed in the management console on the clients, and the modification timestamp of the log file stored on the central log share.
00515041            There is a Non Paged Pool memory leak in prot_srv.
00539269            The etUpdate Profile path(s) are not translated correctly in the Japanese Full Disk Encryption management console.
00539538            The legal notice shows incorrectly after you install Full Disk Encryption 7.3 HFA1 with OneCheck.
00514999            Reco_img.exe does not run successfully on Windows 7 if you select Writing on Drive.
00514647            If you install Full Disk Encryption with a reversed partition layout, the second volume will not be accessible after installation.
00514991            On Hibun Full Disk Encryption, you cannot do a silent installation by running autorun.exe /install=q.
00514845            When running CPClean (R73, version 1.2.2.0) on Windows Vista and Windows 7, some registry keys/files are not removed properly.
Known Limitations
This release includes limitations for Full Disk Encryption from Endpoint Security R73, found in sk42156 (http://supportcontent.checkpoint.com/solutions?id=sk42156). Additional limitations for this release are below.
ID        Description
00557389  You cannot run Full Disk Encryption for Windows using Boot Camp on a Macintosh machine that uses OHCI as the USB controller.
00560347  Full Disk Encryption Preboot does not support USB 3.0 ports or devices.
00559604  RSA SID800 Rev D does not work with 2048 bit certificates. After you enter a PIN in Preboot, this error appears: Invalid Logon - The token or reader driver encountered an unexpected error condition. Workaround: Use 1024-bit certificates.
00515058  You cannot access encrypted volumes using WinPE 2.x or 3.0 and the Full Disk Encryption Alternative Boot Menu (PABM). Workaround: Use WinPE 2.0.
00560352  There are intermittent issues with graphics not becoming visible during FDE Preboot when using a Sony VPCS11 computer. This occurs if the Full Disk Encryption option Enable USB devices in Preboot is selected. Workaround: Restart the computer.
00515079  Dynamic encryption does not work on 64 bit systems.
00515075  Dynamic volume encryption does not work on boot protected volumes.
00515074  It is not possible to boot into a built-in OS recovery console when Full Disk Encryption has been installed and the recovery partition is protected by Full Disk Encryption.
00515071  It is not possible to hibernate a Windows 7 computer if the System Reserved partition or the active partition is only boot protected and not encrypted.
00515085  Password synchronization does not work if you change credentials from the Full Disk Encryption icon in the system tray.