Before You Configure Smart Card Authentication

Make sure the environment is set up correctly to use Smart Card authentication before you configure it.

To use Smart Card authentication, you must have these components and requirements:

• Smart Card authentication is only supported on Endpoint Security clients of version E80.30 or higher. Make sure all users have a supported version.

  You can see which versions users have in the Endpoint Security Management Console > Monitoring tab > Versions in Use.

• Users must have the physical Smart Card in their possession.
• Users' computers must have a Smart Card reader driver and token driver installed for their specific Smart Card. Install these drivers as part of the global Pre-boot Authentication Settings.
• Each user must have a certificate that is active for the Smart Card.
  • The Directory Scanner can scan user certificates from the Active Directory. Configure this in the global Pre-boot Authentication Settings.
  • You can manually import a certificate for a user in User Details > Security Blades > OneCheck User Settings.
• In a Full Disk Encryption Policy rule, open the Authenticate user before OS loads action. Click on Advanced Pre-boot Settings and make sure that Enable USB devices in pre-boot environment is selected.

Smart Card Scenarios

Below are scenarios of how to implement Smart Card authentication in organizations with different needs.

Scenario 1: Moving from Password to Smart Card

Scenario

Your organization uses Check Point Endpoint Security with username and password authentication for Full Disk Encryption Pre-boot. You want to move all users to Smart Card authentication for even greater security. Your organization uses Active Directory.

What to do:

1. Plan your Smart Card environment:
   • Give all users a Smart Card.
   • Get a Smart Card certificate for each user and put them in Active Directory.
   • Learn which Smart Card driver and Reader driver is necessary for your Smart Card.
2. Upgrade all endpoints to this version. Use Reporting reports to make sure all users are successfully upgraded.
3. Open the Policy tab.
4. In a OneCheck User Settings rule, right-click the Authenticate users action and select Edit:
   • Select Smart Card (requires certificates).
   • Select Change authentication method only after user successfully authenticates with a Smart Card.
   • Select the drivers required for your Smart Card.
5. In the Directory Scanner area, click Configure.

   The Certificate Scanning Configuration window opens.

6. Select Scan user certificates from Active Directory.
7. Monitor the Smart Card deployment in the Pre-boot Reporting reports.
8. If you choose, you can clear the Change authentication method only after user successfully authenticates with a Smart Card option after all users have logged on with their Smart Card. If a specified user must use password authentication temporarily, you can change the Pre-boot Authentication Settings for the user to Password.

Scenario 2: Mix of Password and Smart Card Authentication

Scenario

Your organization is preparing to install Check Point Endpoint Security for the first time. Most users will use username and password Pre-boot authentication. Administrators with high administrative privileges will use Smart Card authentication. Your organization does not use Active Directory.

What to do:

1. Plan your Smart Card environment.
   • Give a physical Smart Card to all users who will use a Smart Card.
   • Get a Smart Card certificate for each user who will use a Smart Card.
   • Learn which Smart Card driver and Reader driver is necessary for your Smart Card.
2. Deploy the Endpoint Security client, including Full Disk Encryption on all endpoints, as described in the Deploying Endpoint Security Clients chapter. Use Reporting reports to make sure that Full Disk Encryption completes the deployment phase and the Full Disk Encryption Status of each computer is Encrypted.
3. Open the Policy tab.
4. In a OneCheck User Settings rule, select one of the Authenticate users actions:
   1. Select Authenticate users with Password and manually configure the Smart Card users to use Smart Card authentication.
   2. Select Authenticate users using Smart Card or Password. For added security, you can manually configure each Smart Card user to use Smart Card authentication only.
5. Right-click the Authenticate users action and select Edit.
6. Select the drivers required for your Smart Card and the Smart Card protocol. All users will receive these settings, including those who are configured to use Password authentication.
7. In the OneCheck User Settings page for each Smart Card user, in the User Certificates area, click Add to import a certificate.
8. Monitor the Smart Card deployment in the Pre-boot Reporting reports.

Note - You can put all Smart Card users in a virtual group so that it is easy to monitor them and change their policies, if necessary.

Notes on Using Smart Cards

• Check Point does not supply Smart Card features to use with Windows. You can use third-party software, supplied by Windows or the Smart Card vendor.
• To use recovery media with a Smart Card-only user, when you create the recovery media, create a temporary user who can authenticate to it.