Secure Configuration Verification

Note - The procedures in this section are relevant for SecureClient. For other clients, see the most updated documentation for that client.

The Need to Verify Remote Client's Security Status

Network and Firewall administrators can easily control computers inside their organization. In a Microsoft domain based environment, this is done by controlling the user's privileges through the network domain controller. The administrator can disable hazardous components such as Java and ActiveX controls in browsers, install Anti-Virus checkers and make sure they are running correctly.

In the case of remote users, the administrator's options are limited, because remote users access the organization from outside the LAN (e.g., across the Internet), and are usually unable to connect to the domain. The administrator cannot control and verify their configuration through the domain controller.

For example, suppose the remote user has ActiveX enabled, and connects to a website containing a malicious ActiveX control which infects his or her computer. When the remote user connects to the organization's LAN, the LAN becomes vulnerable as well.

Even a properly configured Desktop Security Policy, important as it is, does not afford protection against this type of attack, because the attack does not target a vulnerability in the access control to the user's machine, but rather takes advantage of the vulnerable configuration of applications on the client.

The Secure Configuration Verification Solution

Introducing Secure Configuration Verification

Secure Configuration Verification (SCV) enables the administrator to monitor the configuration of remote computers, to confirm that the configuration complies with the organization's Security Policy, and to block connectivity for machines that do not comply. SCV does not replace the Desktop Security Policy, but complements it. SCV strengthens enterprise security by ensuring SecureClient machines are configured in accordance with the enterprise Security Policy.

SCV is a platform for creating and using SCV checks. SCV checks include sets of conditions that define a securely configured client system, such as the user's browser configuration, the current version of the Anti-Virus software installed on the desktop computer, the proper operation of the personal firewall policy, etc. These security checks are performed at pre-defined intervals by SecureClient. Depending on the results of the SCV checks, the Security Gateway decides whether to allow or block connections from the client to the LAN.

Check Point's SCV solution comes with a number of predefined SCV checks for the operating system and user's browser, and it also allows OPSEC partners, such as Anti-Virus software manufacturers, to add SCV checks for their own products.

How does SCV work?

SCV works in six steps:

Installing SCV plugins on the client.
Configuring and SCV Policy on the Security Management server.
Downloading the SCV Policy to the Client.
Verifying the SCV Policy.
Runtime SCV checks.
Making the organizational Security Policy SCV aware.

Installing SCV Plugins on the Client

SCV checks are performed through special DLLs which check elements of the client's configuration and return the results of these checks. An SCV application registers its SCV DLLs in the system registry.

The first step in configuring SCV is for the administrator to install the applications that provide the SCV checks on the client. During installation, these applications register themselves as SCV plug-ins and write a hash value of their SCV DLLs to prevent tampering.

Configuring an SCV Policy on the Security Management server

An SCV Policy is a set of rules or conditions based on the checks that the SCV plug-ins provide. These conditions define the requested result for each SCV check, and on the basis of the results, the client is classified as securely configured or non-securely configured. For example, an administrator who wishes to disallow a file-sharing application would define a rule in the SCV Policy verifying that the file-sharing application process is not running.

Note - The SCV check described in this example is among the pre-defined SCV checks included with Security Management server (see Check Point SCV Checks). This check must be configured to test for the specific process.

If all the SCV tests return the required results, the client is considered to be securely configured. If even one of the SCV tests returns an unexpected result, the client is considered to be non-securely configured.

Downloading the SCV Policy to the Client

When SecureClient downloads its Desktop Policy from the Policy Server, it downloads its SCV Policy at the same time.

Verifying the SCV Policy

After downloading the SCV Policy, SecureClient confirms that the SCV DLL's specified in the SCV Policy have not been tampered with by calculating their hash values and comparing the results with the hash values specified for the DLLs when they were installed (see Installing SCV Plugins on the Client).

Runtime SCV Checks

At regular intervals (default is every 15 seconds), SecureClient performs the SCV checks specified in the SCV Policy by invoking the SCV DLLs, and compares the results to the SCV Policy. The SCV Policy can be configured to display a popup notification on non-securely configured clients and/or send a log to the Security Management server.

Making the Organizational Security Policy SCV-Aware

SecureClient is now able to determine whether the client is securely configured. Once all the organization's clients have been configured according to the previous steps, the administrator specifies the actions to be taken on the Security Gateway based on the client's SCV status. For example, the administrator can specify that non-securely configured clients cannot access some or all of the resources on the corporate LAN, protecting the organization from the dangers associated with the client's poor security configuration.

The administrator can choose whether to enforce SCV for remote clients. If SCV is enforced, only securely configured clients are allowed access under the rule. If SCV is not enforced, all clients are allowed access under the rule.

In simplified mode, this is configured globally. In traditional mode, this is configured individually for each rule. See Server Side Configuration for more information.

When the client connects to a Security Gateway, an IKE negotiation takes place between SecureClient and the Security Gateway. If the Security Gateway's Security Policy requires an SCV check to be made, the Security Gateway holds the connection while it checks if the client is securely configured (checked by SCV). If the Security Gateway already knows the client's SCV status (i.e., the SCV status was checked in the last 5 minutes), then:

If the client is securely configured, the Security Gateway allows the connection.
If the client is not securely configured, the Security Gateway either drops the connection, or accepts and logs it (this behavior is configurable).

If the Security Gateway does not know the client's SCV status, it initiates an SCV check by sending an ICMP unreachable error message containing an SCV query to the client. When a client gets this SCV query, it tries to determine its SCV status. In Connect mode, the client also connects to a Policy Server to download an updated SCV Policy. In parallel, when the client gets the SCV query, it starts sending SCV status replies to the Security Gateway via UDP port 18233 every 20 seconds for 5 minutes. These replies are used as a keep-alive mechanism, in order to keep the user's connection alive in the Security Gateway's state tables while the client is trying to determine its SCV status. The keep alive packets also allow the user to open subsequent connections in the 5 minute period in which they are sent without a need for further SCV queries. When the client determines its SCV status, it sends an SCV reply containing the status back to the Security Gateway via UDP port 18233. When the Security Gateway receives the SCV status of the user, it decides how to handle the user's connection.

SCV Checks

Check Point SCV Checks

A number of SCV checks are provided as part of the SecureClient installation, including:

SC_VER_SCV — a version check that verifies that the SecureClient version is up to date, according to the administrator's specification.
Network Configuration Monitor — verifies that:
the Desktop Policy is enforced by SecureClient on all network interface cards
non-IP protocols are not enabled on any interface
OS Monitor — verifies the remote user's Operating System version, Service Pack, and Screen Saver configuration (activation time, password protection, etc.).
HotFix Monitor — verifies that operating system security patches are installed, or not installed.
Group Monitor — verifies whether the user had logged on the machine and that the user is a member of certain Domain User Groups specified by the administrator.
Process Monitor — checks whether a specified process is running on the client machine (e.g. that a file sharing application is not running, or that Anti-Virus software is running). Process Monitor may also check whether a process is not running.
user_policy_scv — checks the state of the desktop policy, i.e. whether the user is logged on to a policy server, and whether the desktop policy is recent.
Browser Monitor — verifies the Internet Explorer version and specific IE configuration settings, such as various Java and ActiveX options.
Registry Monitor — verifies that a certain key or value is present in the system registry. RegMonitor may check not only for the existence/exclusion of keys but also their content.
ScriptRun — runs a specified executable on SecureClient machine and tests the return code of the executable (e.g. a script that checks whether a certain file is present and sets a return code accordingly). ScriptRun can run a script which performs additional configuration checks.
Anti-Virus Monitor — detects whether an Anti-Virus program is running and checks its version. Supported Anti-Virus programs: Norton, Trend Office Scan, and McAfee.
SCVMonitor — verifies the version of the SCV product, specifically the versions of the SCV DLLs installed on the client's machine.
HWMonitor — verifies the CPU type, family, and model.

Third Party SCV Checks

SCV checks can be written by third party vendors using Check Point's OPSEC SCV SDK. After these applications are installed, the administrator can use these SCV checks in the SCV Policy.

Additional Script Elements

SCVpolicy — selects SCV checks out of the ones defined in SCVNames (see: SCVNames) that will run on the user's desktop.
SCVGlobalParams — is used to define general SCV parameters.

A network administrator can easily enable a set of specific SCV checks (e.g. only check that the user's SecureClient is enforcing a security policy) or as many SCV checks as required (e.g. all of the above SCV checks). The SCV checks are performed independently by the SCV Dynamic Link Libraries, and SecureClient checks their status through the SCV plugins every 15 seconds, and determines whether the user is securely configured or not. If one or more of the tests fails, the SecureClient is considered to be non-securely configured.

Note - To enforce a specific SCV check, set the parameters of the check in the SCVNames section, and include the name of the check in SCVPolicy

Considerations regarding SCV

The following sections describe things that are important to know before configuring SCV.

Planning the SCV Policy

The file $FWDIR/conf/local.scv on the Security Management server contains a sample of a basic SCV policy for checks that are supplied with any SCV installation. You can review this file to help you decide which SCV tests to perform. If you need additional SCV checks for OPSEC products, such as Anti-Virus and Endpoint security SCV checks, visit: http://www.opsec.com.

User Privileges

To implement SCV effectively, it is suggested that you consider not to allow your remote users to have administrative privileges on their desktops. Giving the users administrative privileges can allow them to change system settings and cause SCV tests to fail. A desktop which fails an SCV check is a potential security threat to the organization.

For example, as an administrator you may want to configure the user's browser not to allow him to download Java applets from websites. A normal user will not be able to download these applets, but a user with administrative privileges can override the browser's configuration. A properly defined SCV policy can indicate that the browser's configuration had changed and trigger a proper action on the Security Gateway side. However, if the user is allowed by the Security Gateway to pass to the LAN - either by a wrong configuration of the SCV policy or lack of enforcement of the user's SCV status on the Security Gateway side - then the user's desktop will become a potential security risk to the LAN.

The SCV policy itself is protected. Users can not change the SCV policy definition files they receive, even if they have administrative rights. The SCV policy files supplied to the client are signed before arriving to the client and checked against their signature by SecureClient. If the signatures do not match, the SCV check fails.

Configuring SCV

Configuring SCV involves setting it up on the server, setting it up on the client, and configuring SCV policy.

Server Side Configuration

First you need to configure several general parameters regarding SCV. Open your SmartDashboard and go to Policy > Global Properties and select the Remote Access > Secure Configuration Verification (SCV) tab. This tab has several options:
- Apply Secure Configurations on Simplified Mode - Specifies whether all remote access rules in the simplified policy mode should have the SCV flag turned on.
- Upon Verification failure - Specifies the action that should be performed when the client fails one or more SCV checks. The options are to Block the client's connection or to Accept it and send a log about the event.
- Basic configuration verification on client's machine - Specifies whether SecureClient should perform SCV checks to determine whether the policy is installed on all network interfaces cards on the client's desktop, and whether only TCP/IP protocols are installed on these interfaces.
- Configurations Violation Notification on client's machine - Specifies whether a log record should be saved on the Security Management server machine indicating that a remote user is not verified by SCV (this is a general indication, without a specification of a certain SCV check the user's desktop had failed).
Close the Global Properties screen.
If you are using simplified mode (the mode that supports VPN communities), skip this step. If you are using traditional mode, edit your Security Policy Rule base and add SCV checks for your remote access rules (Client Encrypt or Client Auth rules). To enable SCV for a remote access rule, right click on the action tab of the rule and choose Edit properties > Apply rule Only if Desktop Configuration is Verified. Close the properties screen by pressing OK.
Edit the local.scv file in the $FWDIR/conf directory and configure the SCV policy. For more information, see SCV Policy Syntax and The local.scv Sets.
Install the policy - In the policy install dialog box select the Advanced Security policy for the Security Gateways and the Desktop Security policy for the Policy Servers.

Client Side Configuration

If you intend to use an OPSEC SCV application, install the application on the client and enable the application's integration with SCV (see the application's documentation for information on how to do this).
Start SecureClient and connect to the Security Gateway to receive the SCV Policy. See: Desktop Security for more information.

SCV Policy Syntax

The SCV Policy is configured by the administrator in the text file $FWDIR/conf/local.scv. This file can be edited either manually by the administrator using a text editor or using a tool called SCVEditor, available at: http://www.opsec.com. The local.scv file is a policy file, containing sets, subsets and expressions.

Note - In general, you can use the pre-defined checks (in the SCVNames section of the local.scv file) as templates and list the modified checks in the SCVPolicy section, without writing new SCV subsets.

Sets and Sub-sets

Each set has a certain purpose which was predefined for it. For example, one set can be used to define certain parameters, another could specify certain actions that should take place in a certain event etc. Sets are differentiated by their names and hierarchy in a recursive manner. Each set can have a sub-set, and each sub-set can have a sub-set of its own and so on. Subsets can also contain logical expressions. Sets and sub-sets with more than one sub-sets/conditions are delimited by left and right parentheses (), and start with the set/sub-set name. Differentiation between sub-sets/expressions with the same hierarchy is done using the colon :. For example:

(SetName

   :SubSetName1 (

      :ExpressionName1_1 (5)

      :ExpressionName1_2 (false)

   :SubSetName2 (

      :ExpressionName2_1 (true)

      :SubSetName2_1 (

         :ExpressionName2_1_1 (10)

In the example above the set named SetName has two subsets: SubSetName1 and SubSetName2. SubSetName1 has two conditions in it (ExpressionName1_1 and ExpressionName1_2). SubSetName2 has one condition (ExpressionName2_1) and one subset (SubSetName2_1) in it. SubSetName2_1 has one condition as well (ExpressionName2_1_1).

Expressions

Expressions are evaluated by checking the value of the expression (which corresponds to an SCV check) and comparing it with the value defined for the expression (the value in the parentheses). For example, in the browser monitor SCV check provided with SecureClient, you can specify the following expression:

:browser_major_version (5)

This expression checks whether the version of the Internet Explorer browser installed on the client is 5.x. If the (major) version is 5, this expression is evaluated as true, otherwise it is evaluated as false. The name of the expression (e.g. "browser_major_version") is determined by the SCV application and is supplied by manufacturer.

If several expressions appear one after the other, they are logically ANDed, meaning that only if all expressions are evaluated as true, then the value of all of them taken together is true. Otherwise (if even one of the expressions is false), the value of all of them is false. For example:

:browser_major_version (5)

:browser_minor_version (0)

These expressions are ANDed. If the version of Internet Explorer is 5 AND the minor version is 0 (i.e. version 5.0), then the result is true, otherwise it is false. If the version of Internet Explorer is, for example, 4.0, then the first expression is false and the second one is true, and the result of both of them is false.

Sometimes, some expressions can influence the way in which others are evaluated. For example:

:browser_major_version (5)

:browser_minor_version (0)

:browser_version_operand (">=")

These expressions are ANDed, but the third expression influences the way that the first and second ones are evaluated. In the example above, if the version of Internet Explorer is greater than or equal to (">=") 5.0, then the result is true, otherwise it is false. If the version of Internet Explorer is, for example, 4.5, then the result is false, if the version is 5.1 or higher than the result is true.

Logical Sections

As mentioned earlier, subsequent expressions are automatically ANDed. However, sometimes it is necessary to perform a logical OR between expressions, instead of logical AND. This is done by using labels:

The begin_or (orX) label - this label starts a section containing several expressions. The end of this section is marked by a end (orX) label (X should be replaced with a number which differentiates between different sections OR sections). All of expressions inside this section are logically ORed, producing a single value for the section. For example:

:begin_or(or1)

:browser_major_version (5)

:browser_major_version (6)

:end(or1)

This section checks whether the version of Internet Explorer is 5 OR 6 - if it is then the result is true, otherwise it is false.

The begin_and (andX) label - this label is similar to the begin_or (orX) label, but the expressions inside are evaluated and logically ANDed. The end of this section is marked by a end (andX) or the end (orX) label. As mentioned earlier, simple subsequent expressions are automatically ANDed. The reason that this label exists is to allow nested ANDed sections inside ORed sections. For example, if an administrator considers old browsers as secure since they do not have a lot of potentially unsafe components, and new browsers as secure, since they contain all the latest security patches, he can define the following SCV rules:

:begin_or (or1)

:begin_and (and1)

:browser_major_version (5)

:browser_minor_version (0)

:browser_version_operand (">=")

:end (and1)

:begin_and (and2)

:browser_major_version (3)

:browser_minor_version (0)

:browser_version_operand ("<=")

:end (and2)

:end (or1)

In the example above, the first AND section checks whether the version of IE >= 5.0, the second AND section checks whether the version of IE is <=3.0 and they are ORed. The entire example is evaluated as true only if the version of IE is larger than (or equal to) 5.0 OR lower than (or equal to) 3.0.

Expressions and Labels with Special Meanings

There are several expressions and labels which have special meaning:

begin_admin (admin) - this label starts a section defining several actions which are performed only if the client is considered as non-SCVed by previous expressions in the subset (i.e. if previous expressions in the subset have returned a value of false). The end of this section is marked by the end (admin) label.
send_log (type) - This expression is used as part of the begin_admin (admin) - end (admin) section, and determines whether to send a log to the Security Management server (and the client's diagnostic tool) specifying that the client is not SCVed.
The word type should be replace by the type of log to send, such as log/alert. Alert means sending a log to the Security Management server, while log means sending the log to the remote client's diagnostic tool.
mismatchmessage ("Message") - This expression is used as part of the begin_admin (admin) - end (admin) section, and specifies that a popup message should be shown on the remote user's desktop, indicating the problem. The text in the inverted commas (Message) should be replaced by a meaningful text which should instruct the client about the possible sources of the problem and the action he should perform.

For example:

:browser_major_version (5)

:browser_minor_version (0)

:browser_version_operand (">=")

:begin_admin (admin)

:send_log (alert)

:mismatchmessage ("The version of your Internet Explorer browser is old.

For security reasons, users with old browsers are not allowed to access

the local area network of the organization. Please upgrade your Internet

Explorer to version 5.0 or higher. If you require assistance in upgrading

or additional information on the subject, please contact your network

administrator.")

:end (admin)

In this example, if the user's IE browser's version is lower than 5.0, an alert is sent to the Security Management server machine and a popup message is shown to the user with indication of the problem.

The local.scv Sets

The local.scv policy files contains one set called SCVObject. This set must always be present and contains all the subsets which deal with the SCV checks and parameters. Currently SCVObject has 3 subsets:

SCVNames - This section is the main SCV policy definition section, in which all of the SCV checks and actions are defined. This is the definition part of the SCV policy, and doesn't actually determine the SCV checks that will be performed. In this section sets of tests are defined. Later on, the administrator will choose from these sets those he wants to run on the user's desktop.
SCVPolicy - This section specifies the names of the SCV checks that should actually be performed on the client's machine, from the SCV checks defined in SCVNames.
SCVGlobalParams - This section contains some global SCV parameters.

SCVNames

In this section the administrator specifies the names and different checks for the SCV products. Here is a general definition of an SCV check subset of SCVNames:

 : (SCVCheckName1

         :type (plugin)

         :parameters (

           :Expression1 (value)

           :Expression2 (value)

           :begin_admin (admin)

           :send_log (alert)

           :mismatchmessage ("Failure Message")

           :end (admin)

The test section begins with the name of the SCV check (SCVCheckName1). SCVCheckName1 defines the name of the set of tests. It is defined in the SCV application and should be provided by the SCV manufacturer. The type (plugin) expression specifies that the test is performed by an SCV DLL plugin. The parameters subset is where the SCV rules and actions are defined. The type (plugin) expression and the parameters subset should always be specified when defining a subset of SCV checks (such as SCVCheckName1).

SCVPolicy

This section defines the names of the SCV checks that should be enforced (the names are part of the SCV check names specified in SCVNames). This section's general structure is:

 :SCVPolicy (

      :(SCVCheckName1)

      :(SCVCheckName2)

Note - there is a space between the colon (:) and the opening brace.

The Difference between SCVNames and SCVPolicy

The SCVNames section defines the different parameters for the checks.
The SCVPolicy section states which checks are enforced.

To enforce a specific SCV check:

Set the check's parameters in SCVNames.
Include the name of the check in SCVPolicy.

SCVGlobalParams

This section includes global parameters for SCV.

:SCVGlobalParams (

		:enable_status_notifications (true)

		:status_notifications_timeout (10)

		:disconnect_when_not_verified (false)

		:block_connections_on_unverified (false)

		:scv_policy_timeout_hours (24)

		:enforce_ip_forwarding (true)

		:not_verified_script ("myscript.bat")

		:not_verified_script_run_show (true)

		:not_verified_script_run_admin (false)

		:not_verified_script_run_always (false)

		:allow_non_scv_clients (false)

	:block_scv_client_connections (false)

A Complete Example of a local.scv File

Following is a complete example of a local.scv file.

Note that in the following example the internal syntax of some of the SCV subsets differs from the syntax described earlier. SCV policy syntax has evolved in recent versions, while these SCV checks were written using the old syntax. For example, in the sc_ver_scv subset, the begin_admin (admin) - end (admin) section does not exist. In addition, the mismatchmessage expression which was in this section is replaced with MismatchMessage (using capital letters) expression. The syntax and operation of MismatchMessage is similar to the one specified for mismatchmessage, although it does not appear in a begin_admin (admin) - end (admin) section.

Another difference in the sc_ver_scv subset compared to the syntax explained above concerns the EnforceBuild_XX_Operand and SecureClient_XX_BuildNumber expressions. These expressions are not ANDed but rather evaluated automatically in accordance with the operating system the user has. For example, if the user has a Windows 2000 system, only the EnforceBuild_2K_Operand and SecureClient_2K_BuildNumber expressions are evaluated, and the expressions relating to different operating systems are not.

Some other minor changes from the described syntax appear in the local.scv policy file. You can review the changes in the default local.scv policy file. In general, you can use the pre-defined checks (in the SCVNames section) as templates and list the modified checks in the SCVPolicy section, without writing new SCV subsets.

Note - To enforce a specific SCV check, set the parameters of the check in the SCVNames section, and include the name of the check in SCVPolicy.

Sample

(SCVObject

	:SCVNames (

		: (user_policy_scv

			:type (plugin)

			:parameters (

		: (BrowserMonitor

			:type (plugin)

			:parameters (

				:browser_major_version (5)

				:browser_minor_version (0)

				:browser_version_operand (">=")

				:browser_version_mismatchmassage ("Please upgrade your

				 Internet browser.")

				:intranet_download_signed_activex (disable)

				:intranet_run_activex (disable)

				:intranet_download_files (disable)

				:intranet_java_permissions (disable)

				:trusted_download_signed_activex (disable)

				:trusted_run_activex (disable)

				:trusted_download_files (disable)

				:trusted_java_permissions (disable)

				:internet_download_signed_activex (disable)

				:internet_run_activex (disable)

				:internet_download_files (disable)

				:internet_java_permissions (disable)

				:restricted_download_signed_activex (disable)

				:restricted_run_activex (disable)

				:restricted_download_files (disable)

				:restricted_java_permissions (disable)

				:send_log (alert)

				:internet_options_mismatch_message ("Your Internet browser settings do not meet policy requirements\nPlease check the following

settings:\n1. In your browser, go to Tools -> Internet Options -> Security.\n2.

For each Web content zone, select custom level and disable the following items:

DownLoad signed ActiveX, Run ActiveX Controls, Download Files and Java

Permissions.")

		: (OsMonitor

			:type (plugin)

			:parameters (

				:os_version_mismatchmessage ("Please upgrade your

				 operating system.")

				:enforce_screen_saver_minutes_to_activate (3)

				:screen_saver_mismatchmessage ("Your screen saver

settings do not meet policy requirements\nPlease check the following

settings:\n1. Right click on your desktop and select properties.\n2. Select the

Screen Saver tab.\n3. Under Wait choose 3 minutes and check the Password

Protection box.")

				:send_log (log)

				:major_os_version_number_9x (4)

				:minor_os_version_number_9x (10)

				:os_version_operand_9x (">=")

				:service_pack_major_version_number_9x (0)

				:service_pack_minor_version_number_9x (0)

				:service_pack_version_operand_9x (">=")

				:major_os_version_number_nt (4)

				:minor_os_version_number_nt (0)

				:os_version_operand_nt ("==")

				:service_pack_major_version_number_nt (5)

				:service_pack_minor_version_number_nt (0)

				:service_pack_version_operand_nt (">=")

				:major_os_version_number_2k (5)

				:minor_os_version_number_2k (0)

				:os_version_operand_2k ("==")

				:service_pack_major_version_number_2k (0)

				:service_pack_minor_version_number_2k (0)

				:service_pack_version_operand_2k (">=")

				:major_os_version_number_xp (5)

				:minor_os_version_number_xp (1)

				:os_version_operand_xp ("==")

				:service_pack_major_version_number_xp (0)

				:service_pack_minor_version_number_xp (0)

				:service_pack_version_operand_xp (">=")

		: (ProcessMonitor

			:type (plugin)

			:parameters (

				:begin_or (or1)

					:AntiVirus1.exe (true)

					:AntiVirus2.exe (true)

				:end (or1)

				:IntrusionMonitor.exe (true)

				:ShareMyFiles.exe (false)

				:begin_admin (admin)

					:send_log (alert)

					:mismatchmessage ("Please check that the following

processes are running:\n1. AntiVirus1.exe or AntiVirus2.exe\n2.

IntrusionMonitor.exe\n\nPlease check that the following process is not

running\n1. ShareMyFiles.exe")

				:end (admin)

		: (groupmonitor

			:type (plugin)

			:parameters (

				:begin_or (or1)

					:begin_and (1)

						:"builtin\administrator" (false)

						:"BUILTIN\Users" (true)

					:end (1)

					:begin_and (2)

						:"builtin\administrator" (true)

						:"BUILTIN\Users" (false)

					:end (and2)

					:end (or1)

				:begin_admin (admin)

					:send_log (alert)

					:mismatchmessage ("You are using SecureClient with

a non-authorized user.\nMake sure you are logged on as an authorized user.")

					:securely_configured_no_active_user (false)

				:end (admin)

		: (HotFixMonitor

			:type (plugin)

			:parameters (

				:147222 (true)

				:begin_admin (admin)

					:send_log (alert)

					:mismatchmessage ("Please install security patch

Q147222.")

				:end (admin)

		: (AntiVirusMonitor

			:type (plugin)

			:parameters (

				:type ("Norton")

				:Signature (">=20020819")

				:begin_admin (admin)

					:send_log (alert)

					:mismatchmessage ("Please update your AntiVirus

					 (use the LiveUpdate option).")

				:end (admin)

		: (HWMonitor

			:type (plugin)

			:parameters (

				:cputype ("GenuineIntel")

				:cpumodel ("9")

				:cpufamily ("6")

				:begin_admin (admin)

					:send_log (alert)

					:mismatchmessage ("Your machine must have

an\nIntel(R) Centrino(TM) processor installed.")

				:end (admin)

		: (ScriptRun

			:type (plugin)

			:parameters (

				:exe ("VerifyScript.bat")

				:begin_admin (admin)

					:send_log (alert)

					:mismatchmessage ("Verification script has

determined that your configuration does not meet policy requirements.")

				:end (admin)

		: (RegMonitor

			:type (plugin)

			:parameters (

				:value ("Software\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\PatternVer>=414")

				:begin_admin (admin)

					:send_log (alert)

					:mismatchmessage ("Please update your AntiVirus

(use the LiveUpdate option).")

				:end (admin)

		: (SCVMonitor

			:type (plugin)

			:parameters (

				:scv_version ("54014")

				:begin_admin (admin)

					:send_log (alert)

					:mismatchmessage ("Please upgrade your Secure

Configuration Verification products package.")

				:end (admin)

		: (sc_ver_scv

			:type (plugin)

			:parameters (

				:Default_SecureClientBuildNumber (52032)

				:Default_EnforceBuildOperand ("==")

				:MismatchMessage ("Please upgrade your SecureClient.")

				:EnforceBuild_9X_Operand (">=")

				:SecureClient_9X_BuildNumber (52030)

				:EnforceBuild_NT_Operand ("==")

				:SecureClient_NT_BuildNumber (52032)

				:EnforceBuild_2K_Operand (">=")

				:SecureClient_2K_BuildNumber (52032)

				:EnforceBuild_XP_Operand (">=")

				:SecureClient_XP_BuildNumber (52032)

	:SCVPolicy (

		: (BrowserMonitor)

		: (HWMonitor)

		: (AntiVirusMonitor)

	:SCVGlobalParams (

		:enable_status_notifications (false)

		:status_notifications_timeout (10)

		:disconnect_when_not_verified (false)

		:block_connections_on_unverified (false)

		:scv_policy_timeout_hours (24)

		:enforce_ip_forwarding (true)

		:not_verified_script ("")

		:not_verified_script_run_show (false)

		:not_verified_script_run_admin (false)

		:not_verified_script_run_always (false)

		:not_verified_script_run_always (false)

		:allow_non_scv_clients (false)

When using this file, it is important to maintain the same indentation/nesting format.

Common Attributes

Typically, an administrator might need to change only a few of the common parameters (SCV checks) contained in the SCV policy file.

SCV Checks

Anti-Virus monitor

Parameters:

Type (“av_type”)
Type of Anti-Virus. For example, “Norton”, “VirusScan”, “OfficeScan”, or “ZoneLabs”.
Signature(x)
Required Virus definition file signature. The signature’s format depends on the AntiVirus type. For example, on Norton Antivirus the signature maybe be “>=20031020”. (The format for Norton’s AV signature is “yyyymmdd”).

For TrendMicro Officescan, the signature maybe “<650”

For McAfee’s VirusScan, use signature (“>404291”) for a signature greater than 4.0.4291

For Zone Labs, use signature (“>X.Y.Z”) where X = Major Version, Y = Minor Version, and Z = Build Number of the .dat signature file.

AntiVirusMonitor does not support “begin_or” and the “begin_and” syntax. See: Expressions and Labels with Special Meanings.

BrowserMonitor

Parameters:

browser_major_version (5)
Major version number of Internet Explorer. If this field does not exist in the local.scv file, or if this value is 0, the IE’S version will not be checked as part of the BrowserMonitor check.
browser_minor_version (0)
Internet Explorer’s minor version number.
browser_version_operand (“>=”)
The operator used for checking the Internet Explorer’s version number.
browser_version_mismatchmessage (“Please upgrade your Internet Browser.”)
Message to be displayed in case of a non-verified configuration for the Internet Explorer’s version.
intranet_download_signed_activex (enable)
The maximum permission level that IE should have for downloading signed ActiveX controls from within the local Intranet.
intranet_run_activex (enable)
The maximum permission level that IE should have for running signed ActiveX controls from within the local Intranet.
intranet_download_files (enable)
The maximum permission level that IE should have for downloading files from within the local Intranet.
- intranet_java_permissions (low)
The maximum security level that IE Explorer should have for running java applets from within the local Intranet.

(low) means a low security level.
trusted_download_signed_activex (enable)
The maximum permission level that IE should have for downloading signed ActiveX controls from trusted zones.
trusted_run_activex (enable)
The maximum permission level that IE should have for running signed ActiveX controls from trusted zones.
trusted_download_files (enable)
The maximum permission level that IE should have for downloading files from trusted zones.
trusted_java_permissions (medium)
The maximum security level that IE should have for running java applets from trusted zones.
internet_download_signed_activex (disable)
The maximum permission level that IE should have for downloading signed ActiveX controls from the Internet.
Internet_run_activex (disable)
The maximum permission level that IE should have for running signed ActiveX controls from the Internet.
internet_download_files (disable)
The maximum permission level that IE should have for downloading files from the Internet.
internet_java_permissions (disable)
The maximum security level that IE should have for running java applets from the Internet.
restricted_download_signed_activex (disable)
The maximum permission level that IE should have for downloading signed ActiveX controls from restricted zones.
restricted_run_activex (disable)
The maximum permission level that IE should have for running signed ActiveX controls from restricted zones.
restricted_download_files (disable)
The maximum permission level that IE should have for downloading files from restricted zones.
restricted_java_permissions (disable)
The maximum security level that IE should have for running java applets from restricted zones.
send_log (type)
Determines whether to send a log to Security Management server for specifying that the client is not “SCVed.”

This SCV check does not support the “begin admin/end admin” parameter section.

The (type) section should be replaced by (log) or (alert)

internet_options_mismach_message (“Your Internet browser settings do not meet policy requirements”)

Mismatch message for the Internet Explorer settings.

BrowserMonitor can be configured to check only Internet Explorer’s version, or only the browser’s settings for a certain zone. For example, if none of the following parameters appear:

restricted_download_signed_activex
restricted_run_activex
restricted_download_files
restricted_java_permissions

then BrowserMonitor will not check the restricted zones’ security settings. In similar fashion, if the parameter “browser_major_version” does not appear or is equal to zero, then IE’s version number is not checked.

BrowserMonitor does not support the “begin_or” and the “begin_and” syntax, and does not support the admin parameters. See also: Expressions and Labels with Special Meanings.

For the script for checking Internet Explorer Service Pack, see Script for Internet Explorer Service Pack below.

Groupmonitor

Parameters

“builtin\administrator” (false)
A name of a user group. The user has to belong to this group in order for the machine configuration to be verified.
securely_configured_no_active_user (true)
Specifies whether the machine’s configuration may be considered verified when no user is logged on. The default value is false.

HotFixMonitor

Parameters

HotFix_Number (true)
A number of a system HotFix to be checked. In order for the machine to be verified, the HotFix should be installed, for example: “823980(true)” verifies that Microsoft’s RPC patch is installed on the operating system.
HotFix_Name (true)
The full name of a system HotFix to be checked. In order for the machine to be verified, the HotFix should be installed, for example: “KB823980(true)” verifies that Microsoft’s RPC patch is installed on the operating system.

Not all the mentioned fields for HotFixMonitor need to appear in the local.scv file. Some of them may not appear at all, or may appear more than once. These fields may also be ORed and ANDed. In this way, multiple HotFixes can be checked, and the results ORed or ANDed for extra flexibility.

HWMonitor

Parameters

cputype (“GenuineIntel”)
The CPU type as described in the vendor ID string. The string has to be exactly 12 characters long. For example: “GenuineIntel”, or “AuthenticAMD”, or “aaa bbb ccc ” where spaces count as a character.
cpufamily(6)
The CPU family.
cpumodel(9)
The CPU model.

HWMonitor does not support the “begin_or” and the “begin_and” syntax. See also: Expressions and Labels with Special Meanings.

OsMonitor

Parameters

enforce_screen_saver_minutes_to_activate (3)
Time in minutes for the screen saver to activate. If the screen saver does not activate within this time period, then the client is not considered verified. In addition, the screen saver must be password protected.
screen_saver_mismatchmessage (“Your screen saver settings do not meet policy requirements”)
Mismatch message for the screen saver check. The screen saver will not be checked if the property “enforce_screen_saver_minutes_to_activate” does not appear, or if the time is set to zero.
send_log (type)
Determines whether to send a log to Security Management server for specifying that the client is not “SCVed.”

This SCV check does not support the “begin admin/end admin” parameter section.

The (type) section should be replaced by (log) or (alert)
major_os_version_number_9x (4)
Specifies the major version required for 9x operating systems to be verified.
minor_os_version_number_9x (10)
Specifies the minor version required for 9x operating systems to be verified.
os_version_operand_9x (“>=”)
Operator for checking the operating system’s version on 9x.
service_pack_major_version_number_9x (0)
Specifies the major service pack’s version required for 9x operating system’s to be verified.
service_pack_minor_version_number_9x (0)
Specifies the minor service pack’s version required for 9x operating systems to be verified.
service_pack_version_operand_9x (“>=”)
Operator for checking the operating system’s service pack on 9x.
major_os_version_number_nt (4)
Specifies the major version required for Windows NT operating systems to be verified.
minor_os_version_number_nt (10)
Specifies the minor version required for Windows NT operating systems to be verified.
os_version_operand_nt (“>=”)
Operator for checking the operating system’s version on Windows NT.
service_pack_major_version_number_nt (0)
Major service pack version required for Windows NT operating systems to be verified
service_pack_minor_version_number_nt (0)
Minor service pack version required for Windows NT operating systems to be verified
service_pack_version_operand_nt (“>=”)
Operator for checking the operating system’s service pack on Windows NT
major_os_version_number_2k (4)
Specifies the major version required for Windows 2000 operating systems to be verified.
minor_os_version_number_2k (10)
Specifies the minor version required for Windows 2000 operating systems to be verified.
os_version_operand_2k (“>=”)
Operator for checking the operating system’s version on Windows 2000
service_pack_major_version_number_2k (0)
Specifies major service pack version required for Windows 2000 operating systems to be verified.
service_pack_minor_version_number_2k (0)
Specifies minor service pack version required for Windows 2000 operating systems to be verified.
service_pack_version_operand_2k (“>=”)
Operator for checking the operating system’s service pack on Windows 2000
major_os_version_number_xp (4)
Specifies the major version required for Windows XP operating systems to be verified.
minor_os_version_number_xp (10)
Specifies the minor version required for Windows XP operating systems to be verified.
os_version_operand_xp (“>=”)
Operator for checking the operating system’s service pack on Windows XP
service_pack_major_version_number_xp (0)
Specifies the major service pack version required for Windows XP operating systems to be verified.
service_pack_minor_version_number_xp (0)
Specifies the minor service pack version required for Windows XP operating systems to be verified.
service_pack_version_operand_xp (“>=”)
Operator for checking the operating system’s service pack on Windows XP.
os_version_mismatches (“Please upgrade your operating system”)
Message to be displayed in case of a non-verified configuration for the operating system’s version/service pack. The operating system’s version and service pack will not be checked if none of the parameters appear in the scv file.
:major_os_version_number_2003 (5)
Specifies the major version required for Windows 2003 operating systems to be verified.
:minor_os_version_number_2003 (2)
Specifies the minor version required for Windows 2003 operating systems to be verified.
:os_version_operand_2003 ("==")
Operator for checking the operating system’s service pack on Windows 2003
:service_pack_major_version_number_2003 (0)
Specifies the major service pack version required for Windows 2003 operating systems to be verified.
:service_pack_minor_version_number_2003 (0)
Specifies the minor service pack version required for Windows 2003 operating systems to be verified.
:service_pack_version_operand_2003 (">=")
Operator for checking the operating system’s service pack on Windows 2003

OsMonitor can be configured to check only the screen saver’s configuration, or only the operating system’s version and service pack. For example, if none of the following parameters appear:

major_os_version_number_xp
minor_os_version_number_xp
os_version_operand_xp
service_pack_major_version_number_xp
service_pack_minor_version_number_xp
service_pack_version_operand_xp

then OsMonitor will not check the system’s version and service pack on Windows XP platforms.

Similarly, if the parameter “enforce_screen_saver_minutes_to_activate” does not appear, then the screen saver’s configuration is not checked.

OSMonitor does not support the “begin_or” and the “begin_and” syntax. See also: Expressions and Labels with Special Meanings.

ProcessMonitor

Parameters

ProcessName.exe (true)
A process the administrator would like to check. If the value is true, the process needs to be running for the machine to be verified. If the value is false, the process should not be running for the machine to be verified.

ProcessMonitor can also be used to check for the existence/exclusion of more than one process. The fields may be ANDed or ORed for flexibility.

RegMonitor

Parameters

PredefinedKeys (HIVE)
Specify the registry hive from one of the following choices:
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
If one of the hives is not specified, then HKEY_LOCAL_MACHINE is used.

To configure a check for HKEY_CLASSES_ROOT, use HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes.

value (registry_value_path)
The path of a registry DWORD, under the hive specified by the predefined keys will be checked. The value should be an operator followed by a number, e.g. “Software\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\PatternVer>=414”

The syntax for the value parameter is:

:value (“pathOPval”)

For example:

:value (“Software\...\PaternVer>=414”)
string (registry_string_path)
The path of a registry string, under the hive specified by the predefined keys will be checked. The string’s value is compared to the given value, in the way that DWORDs are compared.
keyexist (registry_key_path)
The path of a registry key to check if the key exists, under the hive specified by the predefined keys will be checked. The key must exist if the machine is to be verified.
keynexist (registry_key_path)
The path of a registry key to be checked for exclusion, under the hive specified by the predefined keys will be checked. For the machine to be verified, the key should not exist.
allow_no_user (default: true)
This parameter is valid only when a user is logged in to the machine.

Since SC services and SCV checks run also when no user is logged on, a decision should be taken if the check passed or failed.

If no user is logged on to the machine, and a running RegMonitor check is configured to monitor HKEY_CURRENT_USER, the behavior is according to the flag allow_no_user.

If allow_no_user is true, the check will PASS.

If allow_no_user is false, the check will FAIL.

This attribute is not, by default, included in the local.scv file. If the attribute does not exist in the file, then the default setting used is also true.

Configuring this attribute is done via local.scv. For example:

: (RegMonitor

         :type (plugin)

         :parameters (

                 :keyexist ("HKEY_CURRENT_USER\Software\CheckPoint")

                 :allow_no_user (true)

                 :begin_admin (admin)

                         :send_log (alert)

                         :mismatchmessage ("mismatch message ")

                 :end (admin)

Not all the mentioned fields for RegMonitor need to appear in the local.scv file. Some of them may not appear at all, or may appear more than once. These fields may also be ORed and ANDed. In this way, multiple registry entries can be checked, and the results ORed or ANDed for extra flexibility.

Script for Internet Explorer Service Pack

RegMonitor can be configured to check the version and service pack of Internet Explorer. The script looks as follows:

: (RegMonitor

            :type (plugin)

            :parameters (

                        :begin_or (or1)

                                    :keynexist ("Software\Microsoft\Internet Explorer")

                                    :string ("Software\Microsoft\Internet Explorer\Version>=6")

                                    :begin_and (and1)

                                                :string ("Software\Microsoft\Internet Explorer\Version>=5.5")

:string ("Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinorVersion>=SP2")

                                                :string ("Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinorVersion<=SP9")

                                    :end_and (and1)

                                    :begin_and (and2)

                                                :string ("Software\Microsoft\Internet Explorer\Version>=5.5")

                                                :string ("Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinorVersion>=;SP2")

                                                :string ("Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinorVersion<=;SP9")

                                    :end_and (and2)

:end_or (or1)

                        :begin_admin (admin)

                                    :send_log (alert)

                                    :mismatchmessage ("Your IE must be at least version 5.5 with SP2.")

                        :end (admin)

SCVMonitor

Parameters

scv_version(“>=541000076”)
Represents the SCV product’s build number. This is the version of the DLLs in charge of the SCV checks. This number differs from the build number of SecureClient. SCV products can be upgraded, and maybe updated without updating SecureClient.

The string is an operator followed by the DLL’s version number in the format “vvshhhbbb”. For example, if you want the DLL version to be at least 54.1.0.220, the syntax should be:

scv_version (“>=541000220”)

SCVMonitor does not support the “begin_or” and the “begin_and” syntax. See also: Expressions and Labels with Special Meanings.

ScriptRun

Parameters

exe (“VerifyScript.bat”)
Runs an executable. Supply the name of the executable, and the full path to the executable.
run_as_admin (“no”)
Determines whether the verification script is run with administrator privileges. The default is “no”. The only other value is “yes”.
run_timeout (10)
Time (in seconds) to wait for the executable to finish. If the executable does not finish within the set time, the process is considered as a failure, and the machine categorized as “not verified”. The default value is zero, which is the same as “no timeout”.

ScriptRun does not support the “begin_or” and the “begin_and” syntax. See also: Expressions and Labels with Special Meanings.

sc_ver_scv

Parameters

Default_SecureClientBuildNumber (52032)
Build number for SecureClient. This build number is checked (with the specified operator) only if no specific build number is to be checked for a particular platform.
Default_EnforceBuildOperand (“==”)
Operator for comparing the local.scv’s build number with the client build number.
MismatchMessage (“Please upgrade your SecureClient”)
Mismatch message to be displayed when the SecureClient’s build does not match the local.scv’s configuration.
EnforceBuild_9x_Operand (“>=”)
Operator for comparing the local.scv’s build number with the client build number on Windows 9x platforms.
SecureClient_9x_BuildNumber (52030)
SecureClient build number for windows 9x platforms.
EnforceBuild_NT_Operand (“==”)
Operator for comparing the local.scv’s build number with the client build number on WindowsNT platforms.
SecureClient_NT_BuildNumber (52030)
SecureClient build number for WindowsNT platforms.
EnforceBuild_2K_Operand (“>=”)
Operator for comparing the local.scv’s build number with the client build number on Window 2000 platforms.
SecureClient_2K_BuildNumer (52030)
SecureClient build number for Windows 2000 platforms.
EnforceBuild_XP_Operand (“>=”)
Operator for comparing the local.scv’s build number with the client build number on Windows XP platforms.
SecureClient_XP_Buildnumber (52030)
SecureClient build number for Windows XP platforms.

sc_ver_scv does not support the “begin_or” and the “begin_and” syntax. See also: Expressions and Labels with Special Meanings.

user_policy_scv

Parameters

logged_on_to_policy_server (true/false)
Specifies whether the user has to be logged on to a Policy Server to be considered SCVed.
policy_refresh_rate (“168”)
Time, in hours, for which the desktop policy remains valid. After 168 hours the desktop policy is not considered valid, and the user is no longer SCVed. If this parameter is not specified, the policy is not checked for freshness.
mismatchmessage (“Place a message here”)
The message displayed when the user_policy_scv check fails.
dont_enforce_while_connecting
If this parameter is present, the user is considered SCVed while connecting to the Security Gateway. The user is considered SCVed only for the duration of the connect process.

SCVGlobalParams

Parameters

For all boolean parameters (true or false), the values should not be enclosed in quotation marks.

enable_status_notifications (true/false)
If “true”, SecureClient displays a balloon window when the Desktop is not SCVed. On windows 9x and NT, where balloons are not supported, popups appear.
status_notifications_timeout ()
The number of seconds the balloon window (see previous parameter) will be displayed.
disconnect_when_not_verified (true/false)
If “true”, SecureClient will disconnect from the site when the Desktop is not SCVed.
block_connections_on_unverified (true/false)
If “true”, SecureClient will drop all open connections when the Desktop is not SCVed.

Note - This parameter, if true, blocks all connections to the machine, not just those connections to and from the VPN site.

scv_policy_timeout_hours ()
The period (in hours) during which the SCV policy is considered valid since the last logon to the Policy Server. When this timeout is about to expire SecureClient will attempt to logon to the Policy Server to get a new SCV policy.

Possible values are between 1 and 504 hours(21 days). The default value is 168 hours (one week). If you set the value to 0, the SCV policy never expires (no time-out).
enforce_ip_forwarding (true/false)
If “true” the IP Forwarding between network interface cards on the user’s desktop must be disabled for the user to be considered SCVed.
ip_forwarding_mismatchmessage (“Message string placed here”)
The value is a string displayed when ip forwarding is enabled. For example: ip_forwarding_mismatchmessage (“Please....etc”)

This is relevant only if ip forwarding is part of the SCV checks, that is, if the parameter is defined as True.
not_verified_script (“script_name.bat”)
The name of executable that will be run when the Desktop is not SCVed. The next three parameters provide more options related to the running of the executable.
not_verified_script_run_show (true/false)
If “true”, the executable’s progress will be displayed in an onscreen window.
not_verified_script_run_admin (true/false)
If “true”, the executable will run with administrator privileges.
not_verified_script_run_always (true/false)
If “true”, the executable will run every time the Desktop is not SCVed. If “false”, it will run once per SecureClient session.
:allow_non_scv_clients (true/false)
If “true”, the client will send a verified state to the enforcing Security Gateway even if the OS does not support SCV.

Top of Page

Download Complete PDF

Send Feedback