CheckPointWP SCVDeepDive v2 MLB 30AUG2019
that define a securely configured client system, such as the user’s browser
configuration, the current version of the Anti-Virus software installed on the
computer, the proper operation of the personal firewall policy, etc. The SCV
security compliance checks are performed at pre-defined intervals by the Check
Point Mobile client and, depending on the result of the SCV security compliance
checks, the Check Point Security Gateway decides whether to allow or block
connections from the Check Point Mobile client to the corporate network.

SCV provides capability for the following compliance checks:
OS Monitor - verifies Operating System version, Service Pack, and Screen Saver configuration
HotFix Monitor - verifies that operating system security patches are installed
Group Monitor - verifies that the user logged into the operating system and is
based on customer need.
Windows Security Monitor - verifies that components monitored by Windows
Security Center are installed and enforced (for example, check if there is Anti-virus
installed and running). Define specific Windows components to check.
Third Party SCV Checks - SCV checks can be written by third party vendors
using Check Point’s OPSEC SCV SDK. After these applications are installed, the
administrator can use these SCV checks in the SCV Policy.
© 2019 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
7 MAY 2019
Check Point Messaging Security Evolved | Solution Brief
For syntax details, see the Secure Configuration Verification (SCV) section of the
Remote Access VPN R80.20 Administration Guide.
The file contains a single root set (SCVObject) containing five (5) pre-defined subsets:
1. SCVNames - Defines legacy checks and actions (parameters for the checks)
2. SCVPolicy - Activates checks defined at SCVNames (which checks are to be enforced)
3. SCVEpsPolicy - Activates checks defined at SCVEpsNames
4. SCVEpsNames - Defines checks supported from R75HFA1
5. SCVGlobalParams - Defines global parameters
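The define/activate split between these subsets can be checked mechanically. The Python below is an added example, not Check Point code and not part of the original paper: it parses the set syntax used in this paper and reports checks that a policy subset activates but no names subset defines, and checks that are defined but never enforced. The SAMPLE policy is constructed, and the function names are this example's own.

```python
import re

# Tokens: quoted strings, parentheses, the ':' entry marker, bare words.
TOKEN = re.compile(r'"[^"]*"|[():]|[^\s():"]+')

def parse_set(tokens, i=0):
    """Parse '(' [head] {':' [key] set} ')' and return (node, next_index)."""
    if tokens[i] != "(":
        raise ValueError(f"expected '(' but found {tokens[i]!r}")
    node, i = {"head": None, "items": []}, i + 1
    if tokens[i] not in ("(", ")", ":"):
        node["head"], i = tokens[i].strip('"'), i + 1
    while tokens[i] == ":":
        key, i = None, i + 1
        if tokens[i] != "(":
            key, i = tokens[i].strip('"'), i + 1
        child, i = parse_set(tokens, i)
        node["items"].append((key, child))
    if tokens[i] != ")":
        raise ValueError(f"expected ')' but found {tokens[i]!r}")
    return node, i + 1

def load(text):
    try:
        return parse_set(TOKEN.findall(text))[0]
    except IndexError:  # ran out of tokens: some set was never closed
        raise ValueError("policy text is truncated or unbalanced") from None

def names_in(root, subset):
    # Names of the checks listed directly under one subset of the root set.
    return [c["head"] for k, s in root["items"] if k == subset for _, c in s["items"]]

def lint(root):
    findings = []
    for names, policy in (("SCVNames", "SCVPolicy"), ("SCVEpsNames", "SCVEpsPolicy")):
        defined, active = names_in(root, names), names_in(root, policy)
        findings += [("undefined", policy, n) for n in active if n not in defined]
        findings += [("not_enforced", names, n) for n in defined if n not in active]
    return findings

# Constructed sample in the paper's syntax (not a real customer policy).
SAMPLE = """(SCVObject
  :SCVNames (
    : (OsMonitor :type (plugin) :parameters (:send_log (alert)))
    : (ProcessMonitor :type (plugin) :parameters (:begin_or (or1) :mfetp.exe (true) :end (or1)))
    : (HotFixMonitor :type (plugin) :parameters (:147222 (true))) )
  :SCVPolicy ( : (OsMonitor) : (ProcessMonitor) : (RegMonitor) )
  :SCVEpsNames ( : (WindowsSecurityMonitor :type (plugin) :parameters ()) )
  :SCVEpsPolicy ( : (WindowsSecurityMonitor) ) )"""

if __name__ == "__main__":
    print(lint(load(SAMPLE)))
```

In the SCV example later in this paper, only OsMonitor, ProcessMonitor and RegMonitor appear in SCVPolicy, so the other plugins defined under SCVNames are parameterized but not enforced.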
SCV EXAMPLE
(SCVObject
  :SCVNames (
    : (user_policy_scv
      :type (plugin)
      :parameters ()
    )
    : (BrowserMonitor
      :type (plugin)
      :parameters (
        :browser_major_version (5)
        :browser_minor_version (0)
        :browser_version_operand (">=")
        :browser_version_mismatchmassage ("Please upgrade your Internet browser.")
        :intranet_download_signed_activex (disable)
        :intranet_run_activex (disable)
        :intranet_download_files (disable)
        :intranet_java_permissions (disable)
        :trusted_download_signed_activex (disable)
        :trusted_run_activex (disable)
        :trusted_download_files (disable)
        :trusted_java_permissions (disable)
        :internet_download_signed_activex (disable)
        :internet_run_activex (disable)
        :internet_download_files (disable)
        :internet_java_permissions (disable)
        :restricted_download_signed_activex (disable)
        :restricted_run_activex (disable)
        :restricted_download_files (disable)
        :restricted_java_permissions (disable)
        :send_log (alert)
        :internet_options_mismatch_message ("Your Internet browser settings do not meet policy requirements\nPlease check the following settings:\n1. In your browser, go to Tools -> Internet Options -> Security.\n2. For each Web content zone, select custom level and disable the following items: DownLoad signed ActiveX, Run ActiveX Controls, Download Files and Java Permissions.")
      )
    )
    : (OsMonitor
      :type (plugin)
      :parameters (
        :os_version_mismatchmessage ("Please upgrade your operating system. XP is outdated")
        :enforce_screen_saver_minutes_to_activate (0)
        :screen_saver_mismatchmessage ("Your screen saver settings do not meet policy requirements\nPlease check the following settings:\n1. Right click on your desktop and select properties.\n2. Select the Screen Saver tab.\n3. Under Wait choose 3 minutes and check the Password Protection box.")
        :send_log (alert)
        :major_os_version_number_vista (6)
        :minor_os_version_number_vista (0)
        :minor_os_version_operand_vista (">=")
        :major_os_version_number_9x (4)
        :minor_os_version_number_9x (10)
        :os_version_operand_9x (">=")
        :service_pack_major_version_number_9x (0)
        :service_pack_minor_version_number_9x (0)
        :service_pack_version_operand_9x (">=")
        :major_os_version_number_nt (4)
        :minor_os_version_number_nt (0)
        :os_version_operand_nt ("==")
        :service_pack_major_version_number_nt (5)
        :service_pack_minor_version_number_nt (0)
        :service_pack_version_operand_nt (">=")
        :major_os_version_number_2k (5)
        :minor_os_version_number_2k (0)
        :os_version_operand_2k ("==")
        :service_pack_major_version_number_2k (0)
        :service_pack_minor_version_number_2k (0)
        :service_pack_version_operand_2k (">=")
        :major_os_version_number_xp (0)
        :minor_os_version_number_xp (0)
        :os_version_operand_xp ("==")
        :service_pack_major_version_number_xp (0)
        :service_pack_minor_version_number_xp (0)
        :service_pack_version_operand_xp (">=")
        :major_os_version_number_2003 (5)
        :minor_os_version_number_2003 (2)
        :os_version_operand_2003 ("==")
        :service_pack_major_version_number_2003 (0)
        :service_pack_minor_version_number_2003 (0)
        :service_pack_version_operand_2003 (">=")
      )
    )
    : (ProcessMonitor
      :type (plugin)
      :parameters (
        :begin_or (or1)
          :TaniumClient.exe (true)
          :mfetp.exe (true)
          :masvc.exe (true)
          :RemotePrinterService.exe (true)
        :end (or1)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Your device does not meet the <CUSTOMIZE WITH CUSTOMER NAME HERE> standards for Remote Access.n/1")
        :end (admin)
      )
    )
    : (groupmonitor
      :type (plugin)
      :parameters (
        :begin_or (or1)
          :begin_and (1)
            :"builtin\administrator" (false)
            :"BUILTIN\Users" (true)
          :end (1)
          :begin_and (2)
            :"builtin\administrator" (true)
            :"BUILTIN\Users" (false)
          :end (2)
        :end (or1)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("You are using SecureClient with a non-authorized user.\nMake sure you are logged on as an authorized user.")
          :securely_configured_no_active_user (false)
        :end (admin)
      )
    )
    : (HotFixMonitor
      :type (plugin)
      :parameters (
        :147222 (true)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Please install security patch Q147222")
        :end (admin)
      )
    )
    : (AntiVirusMonitor
      :type (plugin)
      :parameters (
        :type (Norton)
        :Signature (">=20020819")
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Please update your AntiVirus (use the LiveUpdate option).")
        :end (admin)
      )
    )
    : (HWMonitor
      :type (plugin)
      :parameters (
        :cputype (GenuineIntel)
        :cpumodel (9)
        :cpufamily (6)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Your machine must have an\nIntel(R) Centrino(TM) processor installed.")
        :end (admin)
      )
    )
    : (ScriptRun
      :type (plugin)
      :parameters (
        :exe (VerifyScript.bat)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Verification script has determined that your configuration does not meet policy requirements.")
        :end (admin)
      )
    )
    : (RegMonitor
      :type (plugin)
      :parameters (
        :begin_or (or1)
          :string ("HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPointVPN\tnt-vpn=1")
          :string ("HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\TRAC\EPCBuild>=986005008")
          :string ("HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\Agent\AgentMode=1")
        :end (or1)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Your device does not meet the <CUSTOMIZE WITH CUSTOMER NAME HERE> standards for Remote Access.n/2")
        :end (admin)
      )
    )
    : (SCVMonitor
      :type (plugin)
      :parameters (
        :scv_version (54014)
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Please upgrade your Secure Configuration Verification products package.")
        :end (admin)
      )
    )
    : (sc_ver_scv
      :type (plugin)
      :parameters (
        :Default_SecureClientBuildNumber (52032)
        :Default_EnforceBuildOperand ("==")
        :MismatchMessage ("Please upgrade your SecureClient.")
        :EnforceBuild_9X_Operand (">=")
        :SecureClient_9X_BuildNumber (52030)
        :EnforceBuild_NT_Operand ("==")
        :SecureClient_NT_BuildNumber (52032)
        :EnforceBuild_2K_Operand (">=")
        :SecureClient_2K_BuildNumber (52032)
        :EnforceBuild_XP_Operand (">=")
        :SecureClient_XP_BuildNumber (52032)
      )
    )
    : (WindowsSecurityMonitor
      :type (plugin)
      :parameters (
        :NetworkFirewallInstalledProgramsMismatchMessage ("There is no network firewall program installed on the machine.")
        :NetworkFirewallInstalledPrograms (any)
        :NetworkFirewallRequiredMismatchMessage ("Please verify the your network firewall is turned on.")
        :NetworkFirewallRequired (true)
        :SpywareProtectionInstalledProgramsMismatchMessage ("There is no anti-spyware program installed on the machine.")
        :SpywareProtectionInstalledPrograms (any)
        :SpywareProtectionRequiredMismatchMessage ("Please verify that your spyware protection is turned on.")
        :SpywareProtectionRequired (true)
        :WindowsUpdateRequiredMismatchMessage ("Please make sure that windows automatic updates is turned on")
        :WindowsUpdateRequired (false)
        :VirusProtectionInstalledProgramsMismatchMessage ("There is no anti-virus program installed on the machine.")
        :VirusProtectionInstalledPrograms (any)
        :VirusProtectionRequiredMismatchMessage ("Please verify that your virus protection is up to date and virus scanning is on.")
        :VirusProtectionRequired (true)
      )
    )
  )
  :SCVPolicy (
    : (OsMonitor)
    : (ProcessMonitor)
    : (RegMonitor)
  )
  :SCVEpsPolicy (
    : (WindowsSecurityMonitor)
  )
  :SCVEpsNames (
    : (WindowsSecurityMonitor
      :type (plugin)
      :parameters (
        :VirusProtectionRequired (true)
        :VirusProtectionRequiredMismatchMessage ("Please verify that your virus protection is up to date and virus scanning is on.")
        :VirusProtectionInstalledProgram (any)
FILE VERSION
Check PointWP_SCVDeepDive_v2_MLB_30AUG2019