CheckPointWP SCVDeepDive v2 MLB 30AUG2019


Check Point SCV Deep Dive | White Paper

CHECK POINT SECURE CONFIGURATION VERIFICATION (SCV) DEEP DIVE

ELEGANT SOLUTION TO ENHANCE CORPORATE SECURITY COMPLIANCE FOR CHECK POINT VPN USERS

BACKGROUND
Secure Configuration Verification (SCV) provides an elegant solution for enterprises with the Check Point Mobile client. SCV strengthens enterprise security by ensuring client machines are configured in accordance with the enterprise Security Policy. SCV augments and complements the Desktop Security Policy. SCV is the platform for creating and using SCV checks. SCV checks are sets of conditions that define a securely configured client system, such as the user's browser configuration, the current version of the Anti-Virus software installed on the computer, the proper operation of the personal firewall policy, etc. The SCV security compliance checks are performed at pre-defined intervals by the Check Point Mobile client and, depending on the result of the SCV security compliance checks, the Check Point Security Gateway decides whether to allow or block connections from the Check Point Mobile client to the corporate network.

SCV provides capability for the following compliance checks:

• OS Monitor - verifies Operating System version, Service Pack, and Screen Saver configuration
• HotFix Monitor - verifies that operating system security patches are installed
• Group Monitor - verifies that the user logged into the operating system is a member of specified Domain User Groups
• Process Monitor - verifies that a process is running, or not running
• Browser Monitor - verifies Internet Explorer version and configuration settings, such as Java and ActiveX options
• Registry Monitor - verifies System Registry keys, values, and their contents
• Anti-virus Monitor - verifies that an Anti-virus is running and checks its version
• SCVMonitor - verifies the version of the SCV product, specifically the versions of the SCV DLLs installed on the client's machine
• HWMonitor - verifies CPU type, family, and model
• ScriptRun - runs a specified executable on the client machine and checks the return code of the executable. For example, a script can check if a certain file is present on the client machine. It can perform additional configuration checks based on customer need.
• Windows Security Monitor - verifies that components monitored by Windows Security Center are installed and enforced (for example, checks if there is Anti-virus installed and running). Define specific Windows components to check.
• Third Party SCV Checks - SCV checks can be written by third party vendors using Check Point's OPSEC SCV SDK. After these applications are installed, the administrator can use these SCV checks in the SCV Policy.
© 2019 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content 1
7 MAY 2019
Check Point Messaging Security Evolved | Solution Brief

SCV POLICY SETS AND SYNTAX


Location on the MDS/SMS: $FWDIR/conf/local.scv

The policy file contains sets, subsets and expressions.

For syntax details, review the Remote Access VPN R80.20 Administration Guide, Secure Configuration Verification (SCV) section.

The file contains one single root set (SCVObject) containing five (5) pre-defined subsets:

1. SCVNames - Defines legacy checks and actions (parameters for the checks)
2. SCVPolicy - Activates checks defined in SCVNames (which checks are to be enforced)
3. SCVEpsPolicy - Activates checks defined in SCVEpsNames
4. SCVEpsNames - Defines checks supported from R75 HFA1
5. SCVGlobalParams - Defines global parameters

SCV PARAMETERS EXAMPLES


WindowsSecurityMonitor - This check uses Windows Security Center to monitor the status of computer security settings. Configure it in the SCVEpsNames section and activate it in the SCVEpsPolicy section. It includes the following checks:

• Network Firewall check
• Virus Protection check
• Spyware and Unwanted Software Protection check
• Windows Update check

CONTACT US
Worldwide Headquarters | 5 Shlomo Kaplan Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected]
U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2117 | Fax: 650-654-4233 | www.checkpoint.com

SCV EXAMPLE

(SCVObject
  :SCVNames (
    : (user_policy_scv
      :type (plugin)
      :parameters ()
    )
    : (BrowserMonitor
      :type (plugin)
      :parameters (
        :browser_major_version (5)
        :browser_minor_version (0)
        :browser_version_operand (">=")
        :browser_version_mismatchmassage ("Please upgrade your Internet browser.")
        :intranet_download_signed_activex (disable)
        :intranet_run_activex (disable)
        :intranet_download_files (disable)
        :intranet_java_permissions (disable)
        :trusted_download_signed_activex (disable)
        :trusted_run_activex (disable)
        :trusted_download_files (disable)
        :trusted_java_permissions (disable)
        :internet_download_signed_activex (disable)
        :internet_run_activex (disable)
        :internet_download_files (disable)
        :internet_java_permissions (disable)
        :restricted_download_signed_activex (disable)
        :restricted_run_activex (disable)
        :restricted_download_files (disable)
        :restricted_java_permissions (disable)
        :send_log (alert)
        :internet_options_mismatch_message ("Your Internet browser settings do not meet policy requirements\nPlease check the following settings:\n1. In your browser, go to Tools -> Internet Options -> Security.\n2. For each Web content zone, select custom level and disable the following items: DownLoad signed ActiveX, Run ActiveX Controls, Download Files and Java Permissions.")
      )
    )
    : (OsMonitor
      :type (plugin)
      :parameters (
        :os_version_mismatchmessage ("Please upgrade your operating system. XP is outdated")
        :enforce_screen_saver_minutes_to_activate (0)
        :screen_saver_mismatchmessage ("Your screen saver settings do not meet policy requirements\nPlease check the following settings:\n1. Right click on your desktop and select properties.\n2. Select the Screen Saver tab.\n3. Under Wait choose 3 minutes and check the Password Protection box.")
        :send_log (alert)
        :major_os_version_number_vista (6)
        :minor_os_version_number_vista (0)
        :minor_os_version_operand_vista (">=")
        :major_os_version_number_9x (4)
        :minor_os_version_number_9x (10)
        :os_version_operand_9x (">=")
        :service_pack_major_version_number_9x (0)
        :service_pack_minor_version_number_9x (0)
        :service_pack_version_operand_9x (">=")
        :major_os_version_number_nt (4)
        :minor_os_version_number_nt (0)
        :os_version_operand_nt ("==")
        :service_pack_major_version_number_nt (5)
        :service_pack_minor_version_number_nt (0)
        :service_pack_version_operand_nt (">=")
        :major_os_version_number_2k (5)
        :minor_os_version_number_2k (0)
        :os_version_operand_2k ("==")
        :service_pack_major_version_number_2k (0)
        :service_pack_minor_version_number_2k (0)
        :service_pack_version_operand_2k (">=")
        :major_os_version_number_xp (0)
        :minor_os_version_number_xp (0)
        :os_version_operand_xp ("==")
        :service_pack_major_version_number_xp (0)
        :service_pack_minor_version_number_xp (0)
        :service_pack_version_operand_xp (">=")
        :major_os_version_number_2003 (5)
        :minor_os_version_number_2003 (2)
        :os_version_operand_2003 ("==")
        :service_pack_major_version_number_2003 (0)
        :service_pack_minor_version_number_2003 (0)
        :service_pack_version_operand_2003 (">=")
      )
    )
    : (ProcessMonitor
      :type (plugin)
      :parameters (
        :begin_or (or1)
          :TaniumClient.exe (true)
          :mfetp.exe (true)
          :masvc.exe (true)
          :RemotePrinterService.exe (true)
        :end (or1)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Your device does not meet the <CUSTOMIZE WITH CUSTOMER NAME HERE> standards for Remote Access.n/1")
        :end (admin)
      )
    )
    : (groupmonitor
      :type (plugin)
      :parameters (
        :begin_or (or1)
          :begin_and (1)
            :"builtin\administrator" (false)
            :"BUILTIN\Users" (true)
          :end (1)
          :begin_and (2)
            :"builtin\administrator" (true)
            :"BUILTIN\Users" (false)
          :end (and2)
        :end (or1)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("You are using SecureClient with a non-authorized user.\nMake sure you are logged on as an authorized user.")
          :securely_configured_no_active_user (false)
        :end (admin)
      )
    )
    : (HotFixMonitor
      :type (plugin)
      :parameters (
        :147222 (true)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Please install security patch Q147222")
        :end (admin)
      )
    )
    : (AntiVirusMonitor
      :type (plugin)
      :parameters (
        :type (Norton)
        :Signature (">=20020819")
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Please update your AntiVirus (use the LiveUpdate option).")
        :end (admin)
      )
    )
    : (HWMonitor
      :type (plugin)
      :parameters (
        :cputype (GenuineIntel)
        :cpumodel (9)
        :cpufamily (6)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Your machine must have an\nIntel(R) Centrino(TM) processor installed.")
        :end (admin)
      )
    )
    : (ScriptRun
      :type (plugin)
      :parameters (
        :exe (VerifyScript.bat)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Verification script has determined that your configuration does not meet policy requirements.")
        :end (admin)
      )
    )
    : (RegMonitor
      :type (plugin)
      :parameters (
        :begin_or (or1)
          :string ("HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPointVPN\tnt-vpn=1")
          :string ("HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\TRAC\EPCBuild>=986005008")
          :string ("HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\Agent\AgentMode=1")
        :end_or (or1)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Your device does not meet the <CUSTOMIZE WITH CUSTOMER NAME HERE> standards for Remote Access.n/2")
        :end (admin)
      )
    )
    : (SCVMonitor
      :type (plugin)
      :parameters (
        :scv_version (54014)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Please upgrade your Secure Configuration Verification products package.")
        :end (admin)
      )
    )
    : (sc_ver_scv
      :type (plugin)
      :parameters (
        :Default_SecureClientBuildNumber (52032)
        :Default_EnforceBuildOperand ("==")
        :MismatchMessage ("Please upgrade your SecureClient.")
        :EnforceBuild_9X_Operand (">=")
        :SecureClient_9X_BuildNumber (52030)
        :EnforceBuild_NT_Operand ("==")
        :SecureClient_NT_BuildNumber (52032)
        :EnforceBuild_2K_Operand (">=")
        :SecureClient_2K_BuildNumber (52032)
        :EnforceBuild_XP_Operand (">=")
        :SecureClient_XP_BuildNumber (52032)
      )
    )
    : (WindowsSecurityMonitor
      :type (plugin)
      :parameters (
        :NetworkFirewallInstalledProgramsMismatchMessage ("There is no network firewall program installed on the machine.")
        :NetworkFirewallInstalledPrograms (any)
        :NetworkFirewallRequiredMismatchMessage ("Please verify that your network firewall is turned on.")
        :NetworkFirewallRequired (true)
        :SpywareProtectionInstalledProgramsMismatchMessage ("There is no anti-spyware program installed on the machine.")
        :SpywareProtectionInstalledPrograms (any)
        :SpywareProtectionRequiredMismatchMessage ("Please verify that your spyware protection is turned on.")
        :SpywareProtectionRequired (true)
        :WindowsUpdateRequiredMismatchMessage ("Please make sure that windows automatic updates is turned on")
        :WindowsUpdateRequired (false)
        :VirusProtectionInstalledProgramsMismatchMessage ("There is no anti-virus program installed on the machine.")
        :VirusProtectionInstalledPrograms (any)
        :VirusProtectionRequiredMismatchMessage ("Please verify that your virus protection is up to date and virus scanning is on.")
        :VirusProtectionRequired (true)
      )
    )
  )
  :SCVPolicy (
    : (OsMonitor)
    : (ProcessMonitor)
    : (RegMonitor)
  )
  :SCVEpsPolicy (
    : (WindowsSecurityMonitor)
  )
  :SCVEpsNames (
    : (WindowsSecurityMonitor
      :type (plugin)
      :parameters (
        :VirusProtectionRequired (true)
        :VirusProtectionRequiredMismatchMessage ("Please verify that your virus protection is up to date and virus scanning is on.")
        :VirusProtectionInstalledPrograms (any)
        :VirusProtectionInstalledProgramsMismatchMessage ("Please verify that the anti-virus programs are installed.")
        :WindowsUpdateRequired (false)
        :WindowsUpdateRequiredMismatchMessage ()
        :SpywareProtectionRequired (false)
        :SpywareProtectionRequiredMismatchMessage ()
        :SpywareProtectionInstalledPrograms (none)
        :SpywareProtectionInstalledProgramsMismatchMessage ()
        :NetworkFirewallRequired (true)
        :NetworkFirewallRequiredMismatchMessage ("Please verify your network firewall is turned on.")
        :NetworkFirewallInstalledPrograms (any)
        :NetworkFirewallInstalledProgramsMismatchMessage ("Please verify that the firewall is installed.")
        :PassCheckWhenSecurityCenterIsUnavailable (false)
        :MinutesForWscsvToStart (5)
      )
    )
  )
  :SCVGlobalParams (
    :enable_status_notifications (true)
    :status_notifications_timeout (10)
    :disconnect_when_not_verified (true)
    :block_connections_on_unverified (true)
    :scv_policy_timeout_hours (24)
    :enforce_ip_forwarding (false)
    :not_verified_script ()
    :not_verified_script_run_show (false)
    :not_verified_script_run_admin (false)
    :not_verified_script_run_always (false)
    :allow_non_scv_clients (true)
    :skip_firewall_enforcment_check (true)
  )
)
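A hand-edited local.scv is easy to get subtly wrong: a check activated in SCVPolicy or SCVEpsPolicy but never defined in SCVNames or SCVEpsNames (the cross-reference the SCV POLICY SETS AND SYNTAX and WindowsSecurityMonitor sections describe), or a :begin_or/:begin_and/:begin_admin block whose :end carries a different label. The parser and lint below is an added example and not Check Point code: the SCVSet, parse_scv and lint_scv names and the sample file are constructed here, and the rule that a :begin_* label must match its :end label is this example's assumption (the example above carries ':end (and2)' for ':begin_and (2)' and ':end_or (or1)' for ':begin_or (or1)'; which spellings the plugins accept should be confirmed in the Remote Access VPN Administration Guide the page references, so treat the lint's output as a review prompt rather than a verdict).

```python
import re
from dataclasses import dataclass, field


@dataclass
class SCVSet:
    """One parenthesised set: optional leading name plus ordered (key, subset) items."""
    name: str = None            # "SCVObject", "plugin", "true", ">=" ... or None for "()"
    items: list = field(default_factory=list)

    def get(self, key):
        return next((v for k, v in self.items if k == key), None)


# Tokens: '(' ')', ':key' (quoted or empty, as in ': (OsMonitor)'), "string" (backslashes
# kept literal, as in registry paths) and bare words such as VerifyScript.bat or 147222.
_TOKEN = re.compile(r'\s+|(?P<lp>\()|(?P<rp>\))|:(?P<key>"[^"]*"|[^\s()]*)|(?P<str>"[^"]*")|(?P<word>[^\s()":]+)')


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup is not None:                  # None means whitespace: skip it
            val = m.group(m.lastgroup)
            if m.lastgroup in ("key", "str") and val.startswith('"'):
                val = val[1:-1]
            tokens.append((m.lastgroup, val))
    return tokens


def _parse_set(tokens, i):
    tok = lambda j: tokens[j] if j < len(tokens) else ("eof", "")
    if tok(i)[0] != "lp":
        raise SyntaxError(f"expected '(' but found {tok(i)}")
    node, i = SCVSet(), i + 1
    if tok(i)[0] in ("word", "str"):                 # leading name of the set
        node.name, i = tok(i)[1], i + 1
    while tok(i)[0] == "key":                        # ':key (subset)' pairs, in file order
        value, j = _parse_set(tokens, i + 1)
        node.items.append((tok(i)[1], value))
        i = j
    if tok(i)[0] != "rp":
        raise SyntaxError(f"expected ')' but found {tok(i)}")
    return node, i + 1


def parse_scv(text):
    tokens = tokenize(text)
    root, end = _parse_set(tokens, 0)
    if end != len(tokens):
        raise SyntaxError("text after the closing ')' of the root set")
    return root


_OPENERS = {"begin_or", "begin_and", "begin_admin"}


def lint_scv(root):
    findings = []
    if root.name != "SCVObject":
        findings.append(f"root set is {root.name!r}, expected SCVObject")
    for policy_key, names_key in (("SCVPolicy", "SCVNames"), ("SCVEpsPolicy", "SCVEpsNames")):
        names, policy = root.get(names_key) or SCVSet(), root.get(policy_key) or SCVSet()
        defined = {v.name for _, v in names.items}
        for _, ref in policy.items:                  # activated but never defined?
            if ref.name not in defined:
                findings.append(f"{policy_key} activates {ref.name!r}, which {names_key} does not define")
        for _, check in names.items:                 # begin_*/end labels inside each check
            stack = []
            for key, value in (check.get("parameters") or SCVSet()).items:
                if key in _OPENERS:
                    stack.append(value.name)
                elif key == "end" or key.startswith("end_"):
                    opened = stack.pop() if stack else None
                    if opened != value.name:
                        findings.append(f"{check.name}: label mismatch, ':{key} ({value.name})' closes block ({opened})")
            if stack:
                findings.append(f"{check.name}: unclosed block(s) {stack}")
    return findings


# Constructed sample, not the page's file: one activated-but-undefined check (RegMonitor)
# and one mislabelled ':end (and2)'.
SAMPLE_LOCAL_SCV = r"""
(SCVObject
  :SCVNames (
    : (ProcessMonitor
      :type (plugin)
      :parameters (
        :begin_or (or1) :TaniumClient.exe (true) :end (or1)
        :begin_admin (admin)
          :mismatchmessage ("Your device does not meet the <CUSTOMER> standards.\nCall the helpdesk.")
        :end (admin)
      )
    )
    : (groupmonitor
      :type (plugin)
      :parameters (:begin_and (2) :"builtin\administrator" (true) :end (and2))
    )
  )
  :SCVPolicy (: (ProcessMonitor) : (RegMonitor))
  :SCVEpsPolicy ()
  :SCVEpsNames ()
  :SCVGlobalParams (:block_connections_on_unverified (true))
)
"""
```

Run lint_scv(parse_scv(open("local.scv").read())) against a copy of the file taken from $FWDIR/conf before installing a policy; on the sample it reports the RegMonitor reference and the and2 label, and an empty list once both are corrected. Whitespace is not significant in the set syntax, which is why the sample folds short subsets onto one line.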

FILE VERSION
Check PointWP_SCVDeepDive_v2_MLB_30AUG2019

Author: Micki Boland [email protected]
