Full Disk Encryption 7.4

Author: Douglas Freeman
Full Disk Encryption 7.4 HFA 3 Release Notes 15 July 2010

© 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Version
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11134
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date          Description
15 July 2010  Initial version

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Full Disk Encryption 7.4 HFA 3 Release Notes).

Contents

Important Information ........................................ 3
Introduction .................................................. 5
  New in this Release ......................................... 5
  Server Information and Requirements ......................... 5
Client Information and Requirements ........................... 6
  Included Client Versions .................................... 6
  Supported Platforms and Devices ............................. 6
    Hardware Requirements ..................................... 6
    Additional Supported Devices .............................. 6
  Important Security Considerations ........................... 7
    Windows Integrated Logon (WIL) ............................ 7
    SSO with Remote Desktop Applications ...................... 7
  Additional Specifications ................................... 7
    System Requirements and Limitations ....................... 7
    Modifying the Pointsec for PC.msi Package ................. 8
    Software Incompatibilities ................................ 8
Installation .................................................. 9
  Supported Upgrade Paths ..................................... 9
  Verifying Package Integrity ................................. 9
  Installing on a Mac ......................................... 9
Configuring New Features ..................................... 10
  Configuring the Remote Help Challenge ...................... 10
  Configuring Hidden Volume Encryption ....................... 10
Resolved Issues .............................................. 11
  Resolved Login and Authentication Issues ................... 11
  Resolved Hardware Issues ................................... 11
  Resolved Errors and Instability Issues ..................... 12
  Resolved General Issues .................................... 12
Known Limitations ............................................ 13


Introduction

Check Point Full Disk Encryption combines boot protection, Preboot authentication, and strong encryption to ensure that only authorized users are granted access to information stored on desktop and laptop PCs. This HFA for Full Disk Encryption for Windows resolves issues from previous releases and provides new enhancements to improve performance and security.

New in this Release

Highlights of this release include:

- You can now install Full Disk Encryption for Windows on Mac machines running a Windows operating system.
- Full Disk Encryption no longer requires USB 1.x for Preboot USB devices. This resolves USB-related problems on machines with a new Intel chipset, such as the Intel 5-series 3400.
- Hibernation on 64-bit machines is now supported.
- You can now install Full Disk Encryption on machines with active volume type 27. See Configuring Hidden Volume Encryption (on page 10).
- You can now configure the length of Response Two in Remote Help. See Configuring the Remote Help Challenge (on page 10).

Server Information and Requirements

This release uses the R73 License server. For more information, see the Endpoint Security R73 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10608).


Client Information and Requirements

This section lists the requirements for endpoint computers on which you want to install FDE 7.4 HFA 3, and version information.

Included Client Versions

The version included in FDE 7.4 HFA 3 at the time of the release is:

Product                           Version
Full Disk Encryption for Windows  FDE 7.4 HFA3 Build 1618

Supported Platforms and Devices

Supported Platforms for Full Disk Encryption for Windows:

- Microsoft Windows 7 (Enterprise/Professional/Ultimate) 32-bit and 64-bit
- Microsoft Windows Vista (Enterprise/Business SP1 and higher) 32-bit and 64-bit
- Microsoft Windows XP (Professional SP2 and higher) 32-bit only

Hardware Requirements

The minimum hardware requirements for Full Disk Encryption for Windows clients are:

Hardware             RAM     Disk Space
Pentium III 450 MHz  512 MB  500 MB

Note - If the machine is running the Full Disk Encryption Management Console, it also requires Microsoft .NET Framework 2.0 or higher.

Additional Supported Devices

- Dynamic Tokens - Full Disk Encryption supports any dynamic token that conforms to the ANSI X9.9 security standard, as long as the DES or 3DES algorithms are used together with these tokens.
- Touch-Pen Logon - Full Disk Encryption supports Preboot authentication with touch pens on the following tablet PCs:
  - HP TC1100
  - HP TC4200
  - IBM X41
  - Toshiba Portégé M200
  - Toshiba Portégé M400
  - Motion Computing LS800
  - Motion Computing LS1600
  - Motion Computing LS1700
  - Motion Computing C5
  - AMTek Smart Caddie SCA002


Important Security Considerations

When you choose which Full Disk Encryption features to implement, consider these important factors.

Windows Integrated Logon (WIL)

Before you implement Windows Integrated Logon (WIL), weigh the impact of implementing Preboot Authentication against the need for strong security when accessing the encrypted data at rest. WIL simplifies the user's experience when logging on to encrypted machines at the cost of limiting the strength of the PC's security configuration. Consider using Single Sign-On (SSO) in conjunction with proper Preboot Authentication as an alternative to WIL. Carefully weigh the use of WIL against user-authentication-based Preboot Authentication according to the requirements of your enterprise security standards and goals.

SSO with Remote Desktop Applications

Consider the possible security risk of using SSO with a remote desktop application. Normally this is not a problem, because only Administrators have permission to connect to a remote computer via the remote desktop application. However, if you allow other users to connect with a remote desktop application, consult a Check Point Support representative.

Additional Specifications

Full Disk Encryption for Windows has specific requirements.

System Requirements and Limitations

- Stripe/Volume Sets - On Windows XP, do not install Full Disk Encryption on partitions that are part of stripe or volume sets.
- IRRT - You can install Full Disk Encryption on an IRRT-enabled hard drive. However, an actual RAID configuration is not supported.
- Compressed Root Directory - Full Disk Encryption cannot be installed if the root directory (or root directories) is compressed. Decompress the root directory before you install Full Disk Encryption. Subdirectories of the root directory may remain compressed.
- Fragmented Disks - 2 MB of contiguous disk space is required for Full Disk Encryption installation. If this amount of contiguous space is not available, the installation fails. In general, it is good practice to avoid fragmented disks to enhance overall performance, and to defragment disks before installing Full Disk Encryption.
- Resizing Partitions and Using Disk Management Features/Utilities - Never use software that alters the workstation's disk partitions while Full Disk Encryption is installed on the workstation. If you need to resize a partition, remove Full Disk Encryption completely first and then resize the partition.
- Overlapping Partitions - When moving disks between computers that have different head counts (for example, H=64 to H=16), FDISK may produce overlapping partitions. The operating system does not notice this. Full Disk Encryption will not start encryption if overlapping partitions are found. This problem can sometimes occur on machines with multiple volumes.
- Disk Utilities - Do not use disk utilities to change file systems or resize any volumes on the hard disk if Full Disk Encryption is installed on the computer. In most scenarios, doing so leads to an unusable system and loss of system data.
- OS Upgrades - Do not upgrade from one operating system version to another while Full Disk Encryption is installed. This may lead to an unusable system. However, you can install hotfix upgrades.


Modifying the Pointsec for PC.msi Package

Do not modify the Pointsec for PC.msi package in any way. For example, do not attempt to modify the Pointsec for PC.msi package by using transforms. If you modify the Pointsec for PC.msi package, the product is no longer supported.

Software Incompatibilities

- Remote Help Malfunctions on Slaved Hard Disk Drives - Remote Help's remote password change and one-time logon do not function on slaved hard disk drives.
- Full Disk Encryption and VMware - Full Disk Encryption does not support VMware in a production environment. VMware is supported only for testing and demonstrations. In addition, note that the use of smart cards and smart card readers together with Full Disk Encryption is severely restricted in VMware sessions.
- Full Disk Encryption and Windows Vista BitLocker Drive Encryption - Windows Vista BitLocker Drive Encryption cannot be used together with Full Disk Encryption.
- Smart Card Feature in the Full Disk Encryption Preboot Environment - Systems that do not allow the disabling of USB Legacy support in the BIOS may be incompatible with the smart card feature in the Full Disk Encryption Preboot environment.
  If you have the Enable USB devices in Preboot setting activated and USB Legacy support is enabled in the BIOS, you might experience incompatibility issues in the Preboot. To avoid this, make sure that either USB Legacy support or the Full Disk Encryption USB setting is disabled on the machine.


Installation

You can install this release as a new installation of Full Disk Encryption or as an upgrade to a previous version of Full Disk Encryption.

To install this release:
1. Download Check_Point_Endpoint_Security_Full_Disk_Encryption_EW_ed_7.4HFA3.zip (http://supportcenter.checkpoint.com/file_download?id=11136).
2. For instructions on how to install Full Disk Encryption for the first time, see the Endpoint Security Full Disk Encryption EW 7.4 Installation Guide (http://downloads.checkpoint.com/dc/download.htm?ID=10579). For instructions on how to upgrade from an older version of Full Disk Encryption to FDE 7.4 HFA 3, see the Endpoint Security Full Disk Encryption EW 7.4 Administration Guide (http://downloads.checkpoint.com/dc/download.htm?ID=10578).

Supported Upgrade Paths

You can upgrade to FDE 7.4 HFA 3 from these Full Disk Encryption versions:

- Pointsec 5.x
- Pointsec 6.x
- Full Disk Encryption for Windows 7.x up to and including 7.4 HFA 2

Note - Endpoint Security Client components from different R7x versions can co-exist on the same client computer. For example, if you use the Media Encryption version included in R72, you can also use the Full Disk Encryption version included in this release.

Verifying Package Integrity

After you download the FDE 7.4 HFA 3 installation package, we recommend that you verify the integrity of the package before you install it. Use the MD5 hash value of the downloaded package to do this.
1. Run: C:\>md5.exe package.exe
2. Make sure the output is: 4f470db12a87cfccd3f052ea0adcb244.exe
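The same check, written as an added Python example rather than Check Point's md5.exe, for environments where that tool is not available. It hashes the file in chunks, compares case-insensitively (md5.exe prints lower case; other tools print upper case) and uses a constant-time comparison; the default expected value is the hash quoted above.

```python
import hashlib
import hmac

# MD5 value published in the FDE 7.4 HFA 3 release notes for the downloaded package.
EXPECTED_MD5 = "4f470db12a87cfccd3f052ea0adcb244"


def md5_of_file(path, chunk_size=1 << 20):
    """Return the lower-case hex MD5 of a file, read in 1 MB chunks.

    Chunked reading keeps memory use flat for installer packages that are
    far larger than the available RAM on a small client.
    """
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected=EXPECTED_MD5):
    """Return True only when the file's MD5 equals the published value.

    Whitespace and letter case in the expected value are normalised so a
    value copied from a web page or a different hashing tool still matches.
    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    actual = md5_of_file(path)
    return hmac.compare_digest(actual.lower(), expected.strip().lower())


if __name__ == "__main__":
    import sys
    # Usage: python verify_fde_package.py <downloaded package>
    ok = verify_package(sys.argv[1])
    print("integrity OK" if ok else "MISMATCH: do not install this package")
    sys.exit(0 if ok else 1)
```

A match confirms that the download was not corrupted or truncated in transit; because the expected value is published on the same support site as the package, this is an integrity check rather than an authenticity check.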

Installing on a Mac

In this release you can install Full Disk Encryption for Windows on an Intel-based Macintosh machine running a Windows operating system that is supported by Full Disk Encryption. Use Boot Camp to install Windows. After the Windows operating system is correctly installed, you can install Full Disk Encryption for Windows. Use the Endpoint Security Full Disk Encryption EW 7.4 Installation Guide (http://downloads.checkpoint.com/dc/download.htm?ID=10579). When you use Boot Camp, you can install Full Disk Encryption for Windows on a Windows partition and install Full Disk Encryption for Mac on an OS X partition.

To configure the Full Disk Encryption Preboot to work on the Macintosh machine:
In the Full Disk Encryption Management Console, under System Settings, select Hardware Devices > Enable USB Devices in Preboot.


Configuring New Features

This release contains new feature options that you can configure.

Configuring the Remote Help Challenge

You can now configure the length of Response Two in Remote Help. The options are 30, 20, or 10 characters; 10 is not recommended because of the low security that this option provides.

To use the new settings, you must use the webRH Full Disk Encryption Module 7.4 HFA3 or the Full Disk Encryption Management Console. Configure the challenge in the installation profile for the Full Disk Encryption Management Console, webRH, or both.

Install the new webRH extension that is part of the FDE 7.4 HFA 3 installation package. Install this extension on the existing webRH installation according to the installation process described in the Endpoint Security webRH 2.4 HFA 2 Installation Guide (http://downloads.checkpoint.com/dc/download.htm?ID=8828).

Configuring Hidden Volume Encryption

This HFA includes a new feature for encrypting hidden FAT and NTFS volumes that do not have a drive letter, and Windows Recovery volumes of Type 27.

To enable hidden volume encryption:
1. In the Management Console, under Select volume protection, select the option Enable encryption or boot protection of hidden volumes or volumes without a drive letter.
2. To make sure that hidden volumes are encrypted automatically, select the Dynamic Volume Encryption option when you upgrade to Full Disk Encryption 7.4 HFA 3.
3. To enable Hidden Volume Encryption in an installation profile:
   a) When you create a new installation profile, select Encrypt all visible volumes.
   b) Select Boot protect hidden volumes and Encrypt hidden volumes.

Important - If you encrypt a bootable partition (such as a Recovery Utility partition) that must be accessed before Preboot authentication, the partition becomes non-bootable. To encrypt a bootable partition, install the Full Disk Encryption filter driver into that operating system, unless this hidden volume has only boot protection. For Windows RE and the Windows Recovery Console, see the "..\Tools" folder in the Full Disk Encryption install package.
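Two of the disk-layout conditions in these notes can be checked before rollout: the overlapping partitions that stop Full Disk Encryption from starting encryption (System Requirements and Limitations) and the Type 27 Windows Recovery volumes that this HFA can now encrypt. The following added example, not Check Point's code, parses an MBR partition table and reports both; the 512-byte MBR it runs on is constructed inline with a Type 27 volume and a deliberately overlapping NTFS volume.

```python
import struct

MBR_TABLE_OFFSET = 446          # four 16-byte entries start here
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR
WINDOWS_RE_TYPE = 0x27          # hidden Windows Recovery volume ("Type 27")
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def _entry(bootable, ptype, lba_start, sectors):
    """Build one 16-byte partition entry; CHS fields are zeroed (LBA is used)."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


# Constructed sample MBR (not from a real machine): entry 0 is a Type 27
# recovery volume covering sectors 2048..206847; entry 1 is NTFS (0x07) and
# starts at sector 204800, inside entry 0, reproducing the overlap that FDISK
# can create when a disk moves between machines with different head counts.
SAMPLE_MBR = (b"\x00" * MBR_TABLE_OFFSET
              + _entry(True, WINDOWS_RE_TYPE, 2048, 204800)
              + _entry(False, 0x07, 204800, 4096000)
              + b"\x00" * 32            # two unused entries
              + MBR_SIGNATURE)


def parse_mbr(mbr):
    """Return the in-use partition entries of an MBR as dicts with LBA ranges."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR (bad length or missing 55AA signature)")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 or count == 0:    # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start": start, "end": start + count - 1})
    return parts


def find_overlaps(parts):
    """Return (i, j) index pairs whose sector ranges intersect."""
    found = []
    for a in range(len(parts)):
        for b in range(a + 1, len(parts)):
            p, q = parts[a], parts[b]
            if p["start"] <= q["end"] and q["start"] <= p["end"]:
                found.append((p["index"], q["index"]))
    return found


def hidden_type27_volumes(parts):
    """Indexes of Type 27 entries, the volumes covered by hidden volume encryption."""
    return [p["index"] for p in parts if p["type"] == WINDOWS_RE_TYPE]


def precheck(mbr):
    """Summarise what an FDE pre-install review of this MBR would flag."""
    parts = parse_mbr(mbr)
    return {"partitions": len(parts),
            "type27": hidden_type27_volumes(parts),
            "overlaps": find_overlaps(parts)}


if __name__ == "__main__":
    # On a real MBR-partitioned disk, read the first 512 bytes of
    # \\.\PhysicalDrive0 (needs administrative rights) instead of SAMPLE_MBR.
    print(precheck(SAMPLE_MBR))
```

A non-empty "overlaps" list is the layout the notes say Full Disk Encryption refuses to encrypt, and must be corrected with partitioning tools before, never after, Full Disk Encryption is installed. The parser covers MBR disks only; a GPT disk shows a single protective 0xEE entry here.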


Resolved Issues

The issues shown below are resolved after FDE 7.4 HFA 3 is properly installed.

Resolved Login and Authentication Issues

ID                  Description
00545504            Clients can change the SSO setting, even if they do not have permissions to do so in their profiles.
00514474            Authentication issues occur when you use Full Disk Encryption with the eToken PKI Client 5.0SP1.
00514232            The hostname does not display in the Preboot.
00514118            It is possible to change the password during a One Time Login session.
00514883, 00514783  Issues occur with Full Disk Encryption Management Console Remote Help when using the 20-Character Challenge.
00514974            Smart Card Crescendo C700 fails in the Preboot.
00514993            Remote Help gives an "Invalid Logon" message after the challenge length is changed from 20 characters to 10, the default.
00514910            When the pssoGina.dll Full Disk Encryption GINA is present, Full Disk Encryption does not properly handle the removal of an ActivIdentity Smart Card.
00456309            The Aladdin eToken PRO 64k 4.2b Smart Card does not work with 2048-bit certificates in Preboot.

Resolved Hardware Issues

ID                  Description
00515008            A USB mouse periodically freezes in the Preboot on Dell D820/D830 machines.
00513043            If a USB device is connected, there is a blinking cursor on Dell D510 machines in Preboot.
00515000            A black screen hang occurs on Acer Aspire One AOD250.
00515009            A USB headset causes a freeze in Preboot.
00515054            IBM X301 machines do not resume from hibernation.
00512709            When you try to install Full Disk Encryption on Dell Inspiron Mini netbooks, the installation fails and you see a blinking cursor.


Resolved Errors and Instability Issues

ID                  Description
00514938            The error BSOD 0x050010FD occurs when you decrypt a drive.
00514853            On Windows 7, 32-bit and 64-bit, blue screens randomly occur when you hibernate the system.
00513337            During an upgrade, this error shows: Fatal error 24 while loading language.
00558643            If you are using Windows 7 with password complexity and User Acquisition is enabled in a Full Disk Encryption profile, this error might show: Mpnotify.exe has encountered an error and must close.
00513108            An application error occurs after you edit the User Acquisition settings.
00514923            An "Unhandled exception has occurred in your application" error shows when you create a new profile.

Resolved General Issues

ID                  Description
00454833            Silent install is not possible if IgnoreOld Installation=Yes in the Precheck.txt file.
00515034            Installation on drives without drive letters causes problems.
00514732, 00532081  Upgrading from Full Disk Encryption 6.3 HFA X to 7.3 HFA 1 corrupts additional global language files.
00513300            The recovery file is not updated when a client is added to a domain.
00513833            There are no limits for the values of the input boxes in the File Transfer Delay window.
00514570            UseRec.exe becomes unstable when you try to create recovery media on a machine that does not have Pointsec or Full Disk Encryption installed.
00514662            The "Last log file update" value in the Local settings window is missing information.
00514665            There is a timestamp mismatch between "Last log file delivery"/"Last log file update", which is displayed in the management console on the clients, and the modification timestamp of the log file stored on the central log share.
00515041            There is a Non Paged Pool memory leak in prot_srv.
00539269            The etUpdate Profile path(s) is not translated correctly in the Japanese Full Disk Encryption management console.
00539538            The legal notice shows incorrectly after you install Full Disk Encryption 7.3 HFA1 with OneCheck.
00514999            Reco_img.exe does not run successfully on Windows 7 if you select Writing on Drive.
00514647            If you install Full Disk Encryption with a reversed partition layout, the second volume will not be accessible after installation.


00514991            On Hibun Full Disk Encryption, you cannot do a silent installation by running autorun.exe /install=q.
00514845            When running CPClean (R73, ver 1.2.2.0) on Windows Vista and Windows 7, some registry keys/files are not removed properly.

Known Limitations

This release includes the limitations for Full Disk Encryption from Endpoint Security R73, found in sk42156 (http://supportcontent.checkpoint.com/solutions?id=sk42156). Additional limitations for this release are below.

ID                  Description
00557389            You cannot run Full Disk Encryption for Windows using Boot Camp on a Macintosh machine that uses OHCI as the USB controller.
00560347            Full Disk Encryption Preboot does not support USB 3.0 ports or devices.
00559604            RSA SID800 Rev D does not work with 2048-bit certificates. After you enter a PIN in Preboot, this error appears: Invalid Logon - The token or reader driver encountered an unexpected error condition. Workaround: Use 1024-bit certificates.
00515058            You cannot access encrypted volumes using WinPE 2.x or 3.0 and the Full Disk Encryption Alternative Boot Menu (PABM). Workaround: Use WinPE 2.0.
00560352            There are intermittent issues with graphics not becoming visible during FDE Preboot when using a Sony VPCS11 computer. This occurs if the Full Disk Encryption option Enable USB devices in Preboot is selected. Workaround: Restart the computer.
00515079            Dynamic encryption does not work on 64-bit systems.
00515075            Dynamic volume encryption does not work on boot-protected volumes.
00515074            It is not possible to boot into a built-in OS recovery console when Full Disk Encryption has been installed and the recovery partition is protected by Full Disk Encryption.
00515071            It is not possible to hibernate a Windows 7 computer if the system reserved partition or the active partition is only boot protected and not encrypted.
00515085            Password synchronization does not work if you change credentials from the Full Disk Encryption icon in the system tray.
