Check Point FDE integration with Digipass Key devices - Vasco

Check Point FDE integration with 

Digipass Key devices 

1 | VASCO Data Security 

INTEGRATION GUIDE

Check Point FDE integration with Digipass Key Devices

1 

Check Point FDE integration with Digipass Key Devices 

Disclaimer 

Disclaimer of Warranties and Limitation of Liabilities 

All information contained in this document is provided 'as is'; VASCO Data Security assumes no 

responsibility for its accuracy and/or completeness. 

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any 

use of the information contained in this document. 

Copyright 

Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All 

rights reserved. VASCO ® , Vacman ® , IDENTIKEY ® , aXsGUARD, DIGIPASS ® and ® logo 

are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data 

Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. 

and/or VASCO Data Security International GmbH own or are licensed under all title, rights and 

interest in VASCO Products, updates and upgrades thereof, including copyrights, patent 

rights, trade secret rights, mask work rights, database rights and all other intellectual and 

industrial property rights in the U.S. and other countries. Microsoft and Windows are 

trademarks or registered trademarks of Microsoft Corporation. Other names may be 

trademarks of their respective owners.

2 


Table of Contents 

1 Overview................................................................................................................... 4 

2 Problem Description ................................................................................................. 4 

3 Solution .................................................................................................................... 4 

4 Technical Concept ..................................................................................................... 4 

4.1 GENERAL OVERVIEW ............................................................................................. 5 

4.2 PROCEDURE ......................................................................................................... 5 

4.3 PREREQUISITES .................................................................................................... 5 

5 Setting up Certificate based Digipass Logon ............................................................. 6 

5.1 CERTIFICATE AUTHORITY ....................................................................................... 6 

5.1.1 Issue the right type of certificates ..................................................................... 6 

5.1.1 Security Groups for enrollment Stations and agents ............................................ 7 

5.1.1 Specifying the Enrollment Policy ...................................................................... 10 

5.2 ENROLLMENT STATION ........................................................................................ 12 

5.3 LOGON SETTINGS ............................................................................................... 18 

5.4 ENROLLING USERS .............................................................................................. 19 

5.4.1 Requesting Certificates .................................................................................. 19 

6 Enabling Certificate based logon for Check Point FDE ............................................. 25 

6.1 VASCO DRIVERS ................................................................................................. 25 

6.1.1 Copying vasco files to the Check Point installer. ................................................ 25 

6.1.1.1 Automatic Install using the Vasco Batch files. ............................................. 25 

6.2 INSTALL CHECK POINT FDE WITH CERTIFICATE LOGON .......................................... 27 

6.3 Deploying Smart Card Drivers Together with Smart Card User Accounts in Installation 

Profiles ........................................................................................................................ 30 

6.4 To install smart card drivers at the same time as Full Disk Encryption is installed: ....... 30 

6.5 Adding and Removing Preboot Drivers with the Preboot Drivers Setting ..................... 31 

6.6 Full Disk Encryption User Accounts ........................................................................ 31

3 


7 Using a Digipass to authenticate. ............................................................................ 31 

7.1 CHECK POINT LOGON .......................................................................................... 31 

7.2 LOGIN TO WINDOWS ........................................................................................... 34 

7.3 WINDOWS LOGON, OFFLINE USAGE ...................................................................... 35 

8 References .............................................................................................................. 35 

Reference guide 

ID Title Author Publisher Date ISBN 

PKI Getting Started Vasco Vasco 

PKI Installation 

Guide 

Vasco Vasco 

PKI Manual Vasco Vasco

4 


1 Overview 

The purpose of this document is to demonstrate how to secure your Windows logon and Check 

Point Full Disk Encryption with a DIGIPASS supported by DIGIPASS CertiID. This device let’s you 

add a certificate and be able to logon with the right user credentials. On removing the Digipass a 

controlled action can take place. 

2 Problem Description 

The basic Check Point FDE and Windows logon requires a static password. We know static 

passwords are not secure. To use a DIGIPASS Key as logon device for Check Point login, we 

manually need to install and change a few things. 

3 Solution 

By using a Digipass with an internal CA Certificate it is possible to logon to your computer in a 

“Pre-Boot” environment and also into Windows. Other functionalities such as email encryption 

might also be possible. 

4 Technical Concept

5 


4.1 GENERAL OVERVIEW 

The PKI token functionality provides document signing; strong authentication against PKI enables 

software systems (operating systems, virtual private networks, applications); as well as e-mail, 

file and disk encryption. 

4.2 PROCEDURE 

To make a DIGIPASS work with the pre-boot login with Check Point and the interactive login in 

Windows, there are a few steps that need to be taken. First of all you have to setup a Certificate 

Authority. This will be the issuer for the certificates used on a DIGIPASS. Next we will make sure 

all the correct user rights are set. We will make a new group that will be responsible for issuing 

certificates. This will become a powerful group as they can generate certificates for all domain 

users, including administrators. And as last we have to enroll the users to a DIGIPASS and setup 

the workstations to be able to use it. 

4.3 PREREQUISITES 

The initial prerequisites for setting up DIGIPASS Certificate logon for windows and Check Point 

are: 

• Active Directory installed on a 2003 or 2008 domain server 

• A Microsoft Certificate Authority (CA) configured with the Enterprise policy module. This 

may be a root or subordinate CA. 

• DIGIPASS CertiID installed on the enrollment machine. 

Users PCs are equipped with Windows 2000 or higher.

6 


5 Setting up Certificate 

based Digipass 

Logon 

5.1 CERTIFICATE AUTHORITY 

5.1.1 Issue the right type of certificates 

Start the Certification Authority Microsoft Management Console (MMC), located in the 

Administrative Tools folder on the Enterprise CA. 

Open the Certificate Templates (2003) or Policy Settings (2000) folder, and right-click on this 

folder. Select New Certificate Template to Issue. 

Figure 1: Issue the right type of certificates (1) 

Select, by holding the CTRL key, the following items and click OK: 

• Enrollment Agent 

• Smartcard Logon 

• Smartcard User 

Figure 2: Issue the right type of certificates (2)

7 


5.1.1 Security Groups for enrollment 

Stations and agents 

Open the Active Directory – Users and Computers from the Administrative Tools folder on the 

Domain Controller. 

Right-click the Users folder and select New Group. 

Figure 3: Security groups for enrollment station and agents (1) 

Fill in a relevant group name (e.g. Enrollment_Group) and click OK. 


Now add users to this group that will be able to make certificates for a DIGIPASS. 

Caution: Please be aware that these users will become powerful users as they can create a 

certificate for any user in your domain, including administrators.

8 


Right-click the group you just created and select properties. 


At the members tab, choose the Add… button. 

Figure 6: Security groups for enrollment station and agents (4)

9 


Select the user you want to add to the group. (E.g. Enrollment Agent or Administrator) 


As you can see below, a computer can also be an Enrollment Agent. You then have to take care of 

the physical access to this computer. 

Click OK to finish 

Figure 8: Security groups for enrollment station and agents (6)

10 


5.1.1 Specifying the Enrollment Policy 

Certificates issued by the CA are based on certificate templates stored in the Active Directory. 

The Access Control Lists (ACL) set on these templates determine who (user or computer) can 

request what (certificates). 

Open the Active Directory – Sites and Services MMC from the Administration Tools folder on the 

Domain Controller. If the Services folder is not visible, choose View Show Services Node. 

Open Services Public Key Services Certificate Templates, right-click the Enrollment 

Agent and select Properties. 

Figure 9: Specifying the Enrollment Policy (1) 

On the security tab, add the enrollment group. By clicking the Add… button, add the enrollment 

group you created before. 

Figure 10: Specifying the Enrollment Policy (2)

11 


Once added, give this group read and enroll permissions. Click OK to finish 

Figure 11: Specifying the Enrollment Policy (3) 

Now do the same steps for the Smartcard Logon and Smartcard User template.

12 


5.2 ENROLLMENT STATION 

To setup your enrollment station you may need to install the DIGIPASS Drivers and also the 

DIGIPASS CertiID. Both can be found on the installation CD. Please refer to the PKI Installation 

guide included with CertiID 

Login on the enrollment Station (from any domain computer) with the enrollment Agent user. 

Click the Start Run… “mmc”. 

Choose File Add/Remove Snap-in. 

Figure 12: Enrollment Station (1) 

Click the Add… button. 

Figure 13: Enrollment Station (2)

13 


Select Certificates and click the Add button. 


Choose My user account en press Finish. 


Afterwards click the Close button of the Add Standalone Snap-in window.

14 


Click OK to go to the main console window. 


At the main console window, right-click the Personal folder and select All Tasks Request New 

Certificate… 


15 


Click Next in the first window of the Certificate Request Wizard. 


Choose the Enrollment Agent certificate, check the Advanced checkbox and click Next. 


16 


Choose the Microsoft Enhanced Cryptographic Provider and a key length of 1024 bit. Click 

Next. 


Verify the settings and click Next. 


17 


Type in a Friendly name and type a meaningful description. Click Next. 


Review all the settings and click Finish if everything is OK. 


18 


5.3 LOGON SETTINGS 

In order to enforce a user to log on to the network with a DIGIPASS, you must change the 

account option as described below. Open the Active Directory – Users and Computers on the 

domain controller. In the Users folder select the desired username. Right-click the username and 

select Properties. 

Figure 24: Logon Settings (1) 

In the Account tab, select in the Account options: Smart card is required for interactive 

logon. Click OK to finish.

19 


Figure 25: Logon Settings (2) 

Note: If this option is not enabled the user will be able to log on either with a DIGIPASS or using 

interactive password logon. 

5.4 ENROLLING USERS 

For enrollment of users, you have the choice of two templates: 

• Smartcard logon: Logon, SSL 

• Smartcard user: Logon, SSL and Secure Email 

So the Smartcard user has the extra ability to secure his email transfer with the created 

certificate. 

Note: The following instructions are for Windows XP. If you are using Windows Vista or later refer 

to Microsoft Article ID: 922706 How to use Certificate Services Web enrollment pages together 

with Windows Vista or Windows Server 2008 

5.4.1 Requesting Certificates 

Open your browser and go to: http://CA-Server/certsrv. (Where CA-Server is the name of the 

machine where your CA is installed) 

Click Request a certificate.

20 


Figure 26: Requesting certificates (1)

21 


Click the Advanced certificate request link. 

Figure 27: Requesting certificates (2) 

Click the Request a certificate for a smart card on behalf of another user by using the 

smart card certificate enrollment station link. 


22 


Select the Certificate Template, CA and Cryptographic Service Provider (CSP). 

The CSP depends on the installation method of the DIGIPASS CertiID. If you installed it as a CSP 

then you will see “VASCO CertiID Smart Card Crypto Provider V1.0”. If it was installed as a card 

module (CM) then you will see “Microsoft Base Smart Card Crypto Provider”. For more 

information please refer to the CertiID Installation Guide. 

Note: The CertID software is included on the Digipass USB product. If it is not installed contact 

your Vasco representative. 

Defaults: 

• CSP: XP/2003 and below 

• CM: Vista/2008 and above 

If you are logged in as the Enrollment Agent, the right Administrator Signing Certificate 

should be selected by default. Otherwise you click the Select Certificate… button. 

In the User To Enroll field, you can select the user you want to create a certificate for. Click the 

Select User… button and a known wizard will start. 


Search the user you want to create a certificate for and click OK. 


23 


Now make sure your DIGIPASS is plugged in the USB port and initialised (refer to the PKI user 

manual for instructions on initialisation) then press the Enroll button. 


You will be asked for the pin of the DIGIPASS and press OK to continue. This can take a while. 

Do not navigate away from this page as long as the process is busy. 

Figure 34 shows the PIN box of the CSP method, while Figure 34 shows the PIN box from the 

Card Module (CM) method. 



24 


When the certificate is saved on a DIGIPASS, you will get a message in the window stating “The 

smartcard is ready …”. You now have the possibility to view the recently created certificate. To 

do so, press the View Certificate button. 


25 


6 Enabling Certificate 

based logon for 

Check Point FDE 

6.1 VASCO DRIVERS 

In order to use the DIGIPASS logon for the Check Point Full Disk Encryption it may be necessary 

to add the Vasco drivers into the Check Point pre-boot environment if Check Point already has 

reference to the vasco drivers (Check Point FDE version 7.4 HFA3) section 6.1 can be skipped. As 

Check Point runs before windows is enabled the vasco drivers already installed in windows will not 

work. 

6.1.1 Copying vasco files to the Check Point 

installer. 

There are two processes that can be used to import the Vasco Drivers in to release version before 

7.4 HFA3 

> To install the drivers for DP CertiID tokens 

1) Open a command prompt. 

2) Change to the folder containing the command files. 

6.1.1.1 Automatic Install using the Vasco Batch files. 

3) Type the following command ( is the Check Point installation folder, 

optional): 

Install.bat [] 

> To uninstall the drivers for DP CertiID tokens 


2) Change to the folder containing the command files. 

3) Type the following command ( is the Check Point installation folder, 

optional): 

Uninstall.bat [] 

'Install.bat' registers and installs the drivers. 

'Uninstall.bat' unregisters and uninstalls the drivers.

26 


Both command files search for an installed version of Check Point in the default location. 

If you have not installed Check Point Endpoint Security in the default program folder, you can 

specify it via the command line parameter. 

6.1.1.1.1 INSTALLING DRIVERS MANUALLY (USING 

PSCONTROL) 

You can install the drivers manually using the 'PS Control Utility' installed with Check Point 

Endpoint Security. 

> To install the drivers for DP CertiID tokens manually 


2) Change to the folder containing the drivers for DIGIPASS CertiID. 

3) Type the following commands ( is the Check Point installation folder): 

\pscontrol -v register-prd vascoprd.inf 

\pscontrol -v install-driver prd_ccid.bin 

\pscontrol -v register-ptd vascop11.inf 

\pscontrol -v install-driver vascop11.bin 

You can see if the Vasco Drivers are installed in the modules directory:-

27 


Figure 35: Vasco Drivers 

6.2 INSTALL CHECK POINT FDE 

WITH CERTIFICATE LOGON 

Add a certificate to your DIGIPASS Key 200 as laid out in section 5.4 above. Then run through 

the installer for the Check Point full disk encryption and accept the relevant license fields. 

Pass the readme section and run through the wizard and enter the relevant details.

28 


Figure 36: Check Point Install (1) 

When it comes to Add a user account choose an account name and select the certificate that has 

been registered for that user. 

Note: The following is an example only. User accounts are normally added within a configuration 

set profile after the initial installation. See the Check Point Full Disk Administrators Guide for 

more information.

29 


Figure 37: Check Point Install (2) 

Choose the Vasco Key Drivers, in this case the DP Key 200 

Figure 38: Check Point Install (3)

30 


Choose to Encrypt and enable preboot authentication for all disk volumes. 

Figure 39 

Continue the rest of the install process with your preferred settings. 

To complete the installation you will be required to re-boot. 

6.3 Deploying Smart Card Drivers 

Together with Smart Card User 

Accounts in Installation Profiles 

When creating smart card user accounts via installation profiles, it is important that the required 

smart card drivers exist on the machine prior to logon. This is necessary if smart card user 

accounts are to be able to log on directly at first-time authentication. 

6.4 To install smart card drivers at the 

same time as Full Disk Encryption 

is installed: 

Add the Driver setting to the precheck.txt file. Specify each driver file name if more than one 

driver is involved, separating the file names with semicolons (no spaces are allowed). Below is an 

example in which the smart card driver files prd_ccid.bin and vascop11.bin are specified where 

prd_ccid.bin is the smart card reader device driver and vascop11.bin is the smart card device 

driver. 

Drivers=prd_ccid.bin;vascop11.bin

31 


6.5 Adding and Removing Preboot 

Drivers with the Preboot Drivers 

Setting 

In the FDE Management Console you can also use the Hardware Devices - Preboot Drivers setting 

to install: 

• Smart card drivers 

• Smart card reader drivers 

• HID drivers 

on the configuration of the local machine or to push them to clients via an Update profile. 

6.6 Full Disk Encryption User Accounts 

A temporary user account is most commonly used when deploying Full Disk Encryption to client 

computers. The administrator defines one temporary user account and password, and then 

deploys it to clients. When a user logs on using the temporary user account and password, 

he/she is immediately prompted for a new user account name and password, which Full Disk 

Encryption uses to create a new user account that replaces the temporary user account on that 

computer. 

To create a temporary smart card user, the user account must have the user account setting 

Change Credentials set to Yes. This setting is located under Group/User Account - Permissions – 

Change Credentials. 

7 Using a Digipass to 

authenticate. 

7.1 CHECK POINT LOGON 

Ensure the Digipass is connected to the Encrypted PC, and power on the computer. Upon boot 

initiation you will be presented with a Check Poing Endpoint Security Login screen you should 

enter your PIN here.

32 


Figure 40: Check Point Logon 

You will be given login information about the user account, choose to continue.

33 


Figure 41: Check Point Confirmation

34 


7.2 LOGIN TO WINDOWS 

Make sure, DIGIPASS CertiID is installed on the client pc. Afterwards, the login screen will look 

like the one below. 

Figure 42: Using The DIGIPASS (1) 

After connecting a DIGIPASS with the computer, it will automatically be recognized as a 

smartcard and you will be asked for your pin. 

Figure 43: Using The DIGIPASS (2) 

After filling in the pin, the computer logs on with the user which certificate is on a DIGIPASS. 

Figure 44: Using The DIGIPASS (3)

35 


7.3 WINDOWS LOGON, OFFLINE 

USAGE 

When a user is disconnected from the network or the domain controller is unreachable due to 

failure somewhere along the network path, a user must still be able to logon to his or her 

computer. With passwords this capability is supported by comparing the hashed password stored 

by the LSA with a hash of the credential that the user supplied to the GINA during logon. If the 

hashes are the same then the user can be authenticated to the local machine. 

In the smart card case, offline logon requires the user’s private key to decrypt supplemental 

credentials originally encrypted using the user’s public key. 

In order to cache the supplemental credentials on the local PC, you need to set correctly the 

policy “Number of previous logons to cache (in case domain controller is not available” on the 

domain server. 

Here are the values you can assign to this policy: 

0 – this means no logons are cached locally. If the domain controller is not available you will not 

be able to log on to your PC using your domain account. 

n (from 1 to 50) – this means that if the domain controller is not available, you can log on locally 

using the credentials of the latest n (from 1 to 50) domain accounts cached on your machine. 

For security reasons, it is advisable to: 

• set this policy to 1. Only the user with a DIGIPASS (and obviously the administrator) will 

be able to logon to his machine when it is disconnected from the network; 

• the administrator should remember to re-login the user if he accomplish some 

administrative operations on the user machine. 

8 References 

Microsoft Article ID: 257480 Certificate enrollment using smart cards 

Check Point Full Disk Encryption Support Page

Check Point FDE integration with Digipass Key devices - Vasco

Create successful ePaper yourself

Delete template?

Save as template?