Secure Configuration Verification
Use Case
Network and Firewall administrators can use different tools to control computers inside their organization. For example, they can disable dangerous components such as Java and ActiveX controls in browsers, install Anti-Virus, and make sure these tools run correctly.
For remote users who access the organization from outside of the LAN, the administrator cannot enforce control of the computer with the same tools. For example, suppose the remote user has ActiveX enabled, and connects to a website containing a malicious ActiveX control which infects his or her computer. When the remote user connects to the organization's LAN, the LAN becomes vulnerable as well.
A properly configured Desktop Security Policy cannot protect against this type of attack, because the attack does not target a vulnerability in the access control to the endpoint computer. Instead it takes advantage of the vulnerable configuration of applications on the endpoint computer.
Introduction to Secure Configuration Verification (SCV)
Secure Configuration Verification (SCV) makes sure that remote access client computers are configured in accordance with the enterprise Security Policy. Use SCV to:
- Get reports on the configuration of remote clients.
- Make sure that clients comply with the organization's security policy.
- Block connectivity from clients that do not comply.
SCV does not replace the Desktop Security Policy, but works with it.
SCV uses SCV checks, which are DLLs (plug-ins) on the client, that are invoked and enforced according to the policy that you configure on the Management Server. SCV checks include sets of conditions that define a securely configured client system. Checks can include, for example, the user's browser configuration, the version of the Anti-Virus software installed on the desktop computer, and the operation of the personal firewall policy. These security checks are performed at pre-defined intervals by the remote access client. Based on the results of the SCV checks, the Security Gateway decides whether to allow or block connections from the client to the LAN.
- If the client passes all of the SCV checks, the client is compliant. The Security Gateway allows the connection.
- If the client fails one of the SCV checks, it is not compliant. You can configure the Security Gateway to reject connections from non-compliant endpoint computers, or to accept such connections and create a log entry.
Check Point's SCV solution comes with many predefined SCV checks for the operating system and user's browser, and also allows OPSEC partners, such as Anti-Virus software manufacturers, to add SCV checks for their own products.
Introduction to the local.scv file
You configure an SCV policy in the local.scv file on the Management Server. The file path is $FWDIR/conf/local.scv. This section describes the format and syntax of the file.
Sets and Sub-sets
Each set has a predefined purpose. For example, one set can define certain parameters, and another can specify the actions that take place in a certain event. Sets are differentiated by their names and hierarchy in a recursive manner. Each set can have a sub-set, and each sub-set can have a sub-set of its own, and so on. Sub-sets can also contain logical expressions. Sets and sub-sets with more than one sub-set or condition are delimited by left and right parentheses (), and start with the set or sub-set name. Sub-sets and expressions at the same level of the hierarchy are separated with the colon (:). For example:
(SetName
    :SubSetName1 (
        :ExpressionName1_1 (5)
        :ExpressionName1_2 (false)
    )
    :SubSetName2 (
        :ExpressionName2_1 (true)
        :SubSetName2_1 (
            :ExpressionName2_1_1 (10)
        )
    )
)
In the example above, the set named SetName has two subsets, SubSetName1 and SubSetName2:
- SubSetName1 has two conditions in it (ExpressionName1_1 and ExpressionName1_2).
- SubSetName2 has one condition (ExpressionName2_1) and one subset (SubSetName2_1) in it.
- SubSetName2_1 has one condition as well (ExpressionName2_1_1).
The "local.scv" Sets
The local.scv policy file contains one set called SCVObject. This set must always be present and contains all the subsets which deal with the SCV checks and parameters.
SCVObject has these subsets:
- SCVNames - This section is the main SCV policy definition section, in which all of the SCV checks and actions are defined. This is the definition part of the SCV policy, and doesn't actually determine the SCV checks that will be performed. In this section sets of tests are defined. Later on, the administrator will choose from these sets those he wants to run on the user's desktop.
- SCVPolicy - This section specifies the names of the SCV checks that should actually be performed on the client's machine, from the SCV checks defined in SCVNames.
- SCVGlobalParams - This section contains some global SCV parameters.
The Difference between SCVNames and SCVPolicy
- The "SCVNames" section defines the different parameters for the checks.
- The "SCVPolicy" section states which checks are enforced.
To enforce a specific SCV check (such as Windows Security Monitor):
- Configure the check's parameters in the "SCVNames" section.
- Include the name of the check in the "SCVPolicy" section.
The expressions that you can use are set by the manufacturer. The names of the expressions are determined by the SCV check. The value of an expression is true or false, according to the result of an SCV check.
Logical Operators for Comparison Operators
You can use these logical comparison operators when working with RegMonitor in the SCV policy. Other logical operations are not supported:
Logical Operator | Description
---|---
= | Equals
!= | Does not equal
> | Greater than
< | Less than
>= | Greater than or equal to
<= | Less than or equal to
Expressions are evaluated by checking the value of the expression (which corresponds to an SCV check) and comparing it with the value defined for the expression (the value in the parentheses). For example, in the browser monitor SCV check provided with the client, you can specify the following expression:
This expression checks whether the version of the Internet Explorer browser installed on the client is 5.x. If the (major) version is 5, this expression is evaluated as true, otherwise it is evaluated as false. The name of the expression (e.g. "browser_major_version") is determined by the SCV application and is supplied by the manufacturer.
If several expressions appear one after the other, they are logically ANDed, meaning that only if all expressions are evaluated as true, then the value of all of them taken together is true. Otherwise (if even one of the expressions is false), the value of all of them is false. For example:
These expressions are ANDed. If the version of Internet Explorer is 5 AND the minor version is 0 (i.e. version 5.0), then the result is true, otherwise it is false. If the version of Internet Explorer is, for example, 4.0, then the first expression is false and the second one is true, and the result of both of them is false.
Logical Sections
As mentioned earlier, subsequent expressions are automatically ANDed. However, sometimes it is necessary to perform a logical OR between expressions, instead of logical AND. This is done by using labels:
The begin_or (orX) label - this label starts a section containing several expressions. The end of this section is marked by the end (orX) label (X should be replaced with a number which differentiates between different OR sections). All of the expressions inside this section are logically ORed, producing a single value for the section. For example:
This section checks whether the version of Internet Explorer is 5 OR 6 - if it is then the result is true, otherwise it is false.
The begin_and (andX) label - this label is similar to the begin_or (orX) label, but the expressions inside are evaluated and logically "AND"-ed. The end of this section is marked by the end (andX) or the end (orX) label. As mentioned earlier, simple subsequent expressions are automatically "AND"-ed. The reason that this label exists is to allow nested "AND"-ed sections inside "OR"-ed sections. For example, if an administrator considers old browsers as secure since they do not have a lot of potentially unsafe components, and new browsers as secure, since they contain all the latest security patches, the administrator can configure these SCV rules:
In the example above, the first AND section checks whether the version of IE >= 5.0, the second "AND" section checks whether the version of IE is <=3.0 and they are "OR"-ed. The entire example is evaluated as true only if the version of IE is larger than (or equal to) 5.0 "OR" lower than (or equal to) 3.0.
Example:
:browser_major_version (7)
This expression is a Check Point SCV check. It checks whether the version of the Internet Explorer browser installed on the client is 7.x. If the major version is 7, this expression is true.
Grouping Expressions
If several expressions appear one after the other, they are evaluated with AND logic: the value of all of them together is true only if all expressions are true.
Example:
:browser_major_version (7)
:browser_minor_version (0)
If the version of Internet Explorer is 7 AND the minor version is 0 (version 7.0), the result is true. If the version is 6.0, the first expression is false and the second one is true: result is false.
Influential Expressions
Some expressions can influence the way in which others are evaluated.
Example:
:browser_major_version (10)
:browser_minor_version (0)
:browser_version_operand (">=")
The third expression influences the way that the first and second are evaluated:
- If the version of Internet Explorer is greater than or equal to (">=") 10, the result is true.
- If the version is 9, the result is false.
- If the version is 11, the result is true.
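The following Python sketch is an added example, not Check Point code: it models the evaluation rules described above (implicit AND, begin_or / begin_and sections, and browser_version_operand as an influential expression) so that a draft section can be tested against sample browser versions before it is deployed. The function names, the sample policy text, and the assumptions that each section is closed by its own label and that major and minor are compared as one version are all hypothetical.

```python
import operator
import re

# Comparison operators from the table on this page, plus "==" as used by OsMonitor.
OPS = {"=": operator.eq, "==": operator.eq, "!=": operator.ne,
       ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def tokenize(text):
    """Return (name, value) pairs for every ':name (value)' expression."""
    return [(m.group(1), m.group(2).strip().strip('"'))
            for m in re.finditer(r':(\w+)\s*\(([^()]*)\)', text)]

def eval_plain(exprs, client):
    """Evaluate one section's plain expressions against the client (major, minor)."""
    if not exprs:
        return []
    operand = next((v for n, v in exprs if n == "browser_version_operand"), None)
    if operand is not None:
        # Influential expression: major/minor are compared as one version (assumed model).
        want = dict(exprs)
        required = (int(want["browser_major_version"]),
                    int(want.get("browser_minor_version", 0)))
        return [OPS[operand](client, required)]
    field = {"browser_major_version": client[0], "browser_minor_version": client[1]}
    return [field[n] == int(v) for n, v in exprs]

def evaluate(policy_text, client):
    """True if the client's (major, minor) browser version satisfies the expressions."""
    # Frame layout: [kind, label, plain expressions, results of nested sections]
    stack = [["and", None, [], []]]            # top level is an implicit AND
    for name, value in tokenize(policy_text):
        if name in ("begin_or", "begin_and"):
            stack.append([name[6:], value, [], []])
        elif name == "end":
            if len(stack) == 1 or stack[-1][1] != value:
                raise ValueError(f"end ({value}) does not close an open section")
            kind, _, exprs, nested = stack.pop()
            results = eval_plain(exprs, client) + nested
            stack[-1][3].append(any(results) if kind == "or" else all(results))
        else:
            stack[-1][2].append((name, value))
    if len(stack) != 1:
        raise ValueError(f"section {stack[-1][1]} is never closed")
    _, _, exprs, nested = stack[0]
    return all(eval_plain(exprs, client) + nested)

# Constructed sample: "old browsers OR new browsers", as described in Logical Sections.
OLD_OR_NEW = '''
:begin_or (or1)
  :begin_and (and1)
    :browser_major_version (5)
    :browser_minor_version (0)
    :browser_version_operand (">=")
  :end (and1)
  :begin_and (and2)
    :browser_major_version (3)
    :browser_minor_version (0)
    :browser_version_operand ("<=")
  :end (and2)
:end (or1)
'''

if __name__ == "__main__":
    for version in [(2, 5), (4, 0), (6, 0)]:
        print(version, evaluate(OLD_OR_NEW, version))
```
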
Expressions and Labels with Special Meanings
There are several expressions and labels which have special meaning:
- begin_admin (admin) - This label starts a section defining several actions which are performed only if the client is considered as one that does not meet SCV by previous expressions in the subset (i.e. if previous expressions in the subset have returned a value of false). The end of this section is marked by the end (admin) label.
- send_log (alert / log) - Use this label as part of the begin_admin (admin) - end (admin) section to define where the client should send logs when it does not meet the SCV check.
  If the value of this label is alert, the client sends a log to the Security Management Server and to the client's diagnostic tool.
  If the value of the label is log, the client sends a log only to the client's diagnostic tool.
- mismatchmessage ("Message") - This expression is used as part of the begin_admin (admin) - end (admin) section, and specifies that a popup message should be shown on the remote user's desktop, indicating the problem. The text in the inverted commas (Message) should be replaced by a meaningful text which should instruct the client about the possible sources of the problem and the action he should perform.
For example:
In this example, if the user's IE browser's version is lower than 5.0, an alert is sent to the Security Management Server machine and a popup message is shown to the user with indication of the problem.
SCV Configuration on the Management Server
From SmartConsole, click Global Properties.
From the navigation tree, click Remote Access > Secure Configuration Verification (SCV).
Configure the settings:
- Apply Secure Configurations on Simplified Mode - Specifies if SCV is applied to all remote access rules in the simplified policy mode.
- Upon Verification failure - Specifies the action that is performed when the client fails one or more SCV checks. The options are to Block the client's connection or to Accept it and send a log about the event.
- Basic configuration verification on client's machine - Specifies whether the Remote Access Client performs SCV checks to determine if the policy is installed on all network interface cards on the client's desktop, and if only TCP/IP protocols are installed on these interfaces.
- Configurations Violation Notification on client's machine - Specifies if a log record is saved on the Security Management Server machine indicating that a remote user is not verified by SCV (this is a general indication, without a specification of a certain SCV check the user's desktop had failed).
From the left navigation tree, below Access Control, click Access Control Policy. In the Access Control Policy, make sure that all connections where you configure SCV match a rule that is explicitly defined for Remote Access VPN.
Example Access Rules:
No. | Source | Destination | VPN | Services & Applications | Action
---|---|---|---|---|---
1 (Management Rule - Not relevant for this example) | _ | _ | _ | _ | _
2 | MP_Role | Host_10.10.0.10 | Any | icmp-proto, http | Accept
3 | MP_Role | Host_10.10.0.10 | RemoteAccess | ssh | Accept
For an HTTP connection from MP_Role to Host_10.10.0.10, SCV policy is not enforced. This is because the connection matches Rule 2. Rule 2 is for any VPN, and is not explicitly for Remote Access VPN.
For an SSH connection from MP_Role to Host_10.10.0.10, SCV policy is enforced. This is because the connection matches Rule 3, which is explicitly for Remote Access VPN.
For more information, see the R81.10 Security Management Administration Guide > chapter Creating an Access Control Policy.
Click OK and publish the changes.
Configure an SCV Policy in the text file $FWDIR/conf/local.scv on the Management Server. The local.scv file is a policy file, containing sets, subsets and expressions. In general, you can use the pre-defined checks (in the SCVNames section of the local.scv file) as templates and list the modified checks in the SCV Policy section, without writing new SCV subsets. You do not need to use expressions to create a basic SCV policy.
- In the $FWDIR/conf/local.scv file, configure one or more of these SCV checks to create a basic SCV policy:

"Groupmonitor"
This checks that the logged on user belongs to the expected domain user groups.

Parameter | Description
---|---
"builtin\administrator" (false) | A name of a user group. The user must belong to this group for the machine configuration to be verified.

"OsMonitor"
For Windows 10 and Windows 11, OsMonitor checks for version build numbers to do the checks. To support this functionality on Windows 10, you must have both these parameters:
- os_build_number_10
- os_build_operand_10
If the parameter "enforce_screen_saver_minutes_to_activate" does not appear, the screen saver configuration is not checked.
OsMonitor does not support begin_or or begin_and.

Parameter | Description
---|---
enforce_screen_saver_minutes_to_activate (3) | Time in minutes for the screen saver to activate. If the screen saver does not activate within this time, then the client is not considered verified. In addition, the screen saver must be password protected.
screen_saver_mismatchmessage ("Your screen saver settings do not meet policy requirements") | Mismatch message for the screen saver check. The screen saver will not be checked if the property "enforce_screen_saver_minutes_to_activate" does not appear, or if the time is set to zero.
service_pack_version_operand_8 (">=") | Operator for checking the operating system's service pack on Windows 8.
major_os_version_number_81 (6) | Specifies the major version required for Windows 8.1 operating systems to be verified.
minor_os_version_number_81 (3) | Specifies the minor version required for Windows 8.1 operating systems to be verified.
os_version_operand_81 ("==") | Operator for checking the operating system's major and minor version on Windows 8.1.
service_pack_major_version_number_81 (0) | Specifies the major service pack version required for Windows 8.1 operating systems to be verified.
service_pack_minor_version_number_81 (0) | Specifies the minor service pack version required for Windows 8.1 operating systems to be verified.
service_pack_version_operand_81 (">=") | Operator for checking the operating system's service pack on Windows 8.1.
major_os_version_number_10 (10) | Specifies the major version required for Windows 10 operating systems to be verified.
minor_os_version_number_10 (0) | Specifies the minor version required for Windows 10 operating systems to be verified.
os_version_operand_10 ("==") | Operator for checking the operating system's major and minor version on Windows 10.
os_build_number_10 (0) | Specifies the version build number required for Windows 10 operating systems to be verified.
os_build_operand_10 (">=") | Operator for checking the operating system's version build number on Windows 10.
major_os_version_number_11 (10) | Specifies the major version required for Windows 11 operating systems to be verified.
minor_os_version_number_11 (0) | Specifies the minor version required for Windows 11 operating systems to be verified.
os_version_operand_11 ("==") | Operator for checking the operating system's major and minor version on Windows 11.
os_build_number_11 (0) | Specifies the version build number required for Windows 11 operating systems to be verified.
os_build_operand_11 (">=") | Operator for checking the operating system's version build number on Windows 11.
os_version_mismatches ("Please upgrade your operating system") | Message to be displayed in case of a non-verified configuration for the operating system's version/service pack. The operating system's version and the service pack will not be checked if none of the parameters appear in the scv file.

"ProcessMonitor"
This check is for process activity. It supports AND and OR sections. It is based on the process name, with an additional hash check option for running processes.
ProcessName.exe (true|false)
ProcessName.exe (true;<SHA1 hash value>)
For example:
calc.exe (true;9018A7D6CDBE859A430E8794E73381F77C840BE0)
If the value is true, the client is compliant if this process is running.
If the value is false, the client is compliant if the process is not running.
Note - Checking the SHA1 hash value can impact performance.

"RegMonitor"
These checks are for the system registry. RegMonitor supports AND and OR sections.
Parameters
PredefinedKeys (HIVE)
Specify the registry hive from one of these choices:
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
To configure a check for HKEY_CLASSES_ROOT, use HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes.
Note - If the values of these parameters do not include the name of the registry hive, the HKEY_LOCAL_MACHINE hive is used by default. If you want to use another hive, you must explicitly use it in the value of the parameter.

Parameter | Description
---|---
value (registry_value_path) | The path of a registry DWORD will be checked. The value should be an operator followed by a number, e.g. "Software\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\PatternVer>=414"
string (registry_string_path) | The path of a registry string will be checked. The string's value is compared to the given value, in the way that DWORDs are compared.
keynexist (registry_key_path) | The path of a registry key to be checked for exclusion. For the machine to be verified, the key should not exist.
keyexist (registry_key_path) | The path of a registry key to be checked for inclusion. For the machine to be verified, the key must exist.

- In SmartConsole, install the policy.
SCV Configuration on the Endpoint Computer
- Optional - If you intend to use an OPSEC SCV third-party application, install the application on the client and enable the application's integration with SCV (see the application's documentation for information on how to do this).
- Start the client and connect to the Security Gateway to receive the SCV
Example of WindowsSecurityMonitor configuration
: SCVEpsNames (
    : (WindowsSecurityMonitor
        :type (plugin)
        :parameters (
            :VirusProtectionRequired (true)
            :VirusProtectionRequiredMismatchMessage ("Please see that your AntiVirus is updated and active")
            :VirusProtectionInstalledPrograms ("Trend Micro OfficeScan Antivirus;Kaspersky Anti-Virus")
            :VirusProtectionInstalledProgramsMismatchMessage ("Please see that your AntiVirus is Trend Micro or Kaspersky")
            :WindowsUpdateRequired (true)
            :WindowsUpdateRequiredMismatchMessage ("Please turn on Windows automatic Updates")
            :SpywareProtectionRequired (true)
            :SpywareProtectionRequiredMismatchMessage ("AntiMalware is not updated or active")
            :SpywareProtectionInstalledPrograms ("none")
            :SpywareProtectionInstalledProgramsMismatchMessage ("")
            :NetworkFirewallRequired (true)
            :NetworkFirewallRequiredMismatchMessage ("Please check the your network firewall is turned on")
            :NetworkFirewallInstalledPrograms ("Kaspersky Anti-Virus")
            :NetworkFirewallInstalledProgramsMismatchMessage ("Please check that Kaspersky Anti-Virus firewall is installed on your machine")
        )
    )
)
The "SCVNames" section
In this section the administrator specifies the names and different checks for the SCV products. Here is a general definition of an SCV check subset of SCVNames:
: (SCVCheckName1
    :type (plugin)
    :parameters (
        :Expression1 (value)
        :Expression2 (value)
        :begin_admin (admin)
            :send_log (alert)
            :mismatchmessage ("Failure Message")
        :end (admin)
    )
)
The test section begins with the name of the SCV check (SCVCheckName1). SCVCheckName1 defines the name of the set of tests. It is defined in the SCV application and should be provided by the SCV manufacturer. The type (plugin) expression specifies that the test is performed by an SCV DLL plugin. The parameters subset is where the SCV rules and actions are defined. The type (plugin) expression and the parameters subset should always be specified when defining a subset of SCV checks (such as SCVCheckName1).
The "SCVPolicy" section
This section defines the names of the SCV checks that should be enforced (the names are part of the SCV check names specified in SCVNames). This section's general structure is:
:SCVPolicy (
    :(SCVCheckName1)
    :(SCVCheckName2)
)
SCVGlobalParams
This section includes global parameters for SCV.
:SCVGlobalParams (
    :disconnect_when_not_verified (false)
    :block_connections_on_unverified (false)
    :not_verified_script ("myscript.bat")
    :not_verified_script_run_show (true)
    :not_verified_script_run_admin (false)
    :not_verified_script_run_always (false)
    :allow_non_scv_clients (false)
)
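
The following Python sketch is an added example, not a Check Point tool: it parses the set and sub-set syntax described under "Sets and Sub-sets" and then audits the relationship between SCVNames and SCVPolicy described above, flagging checks that are enforced but never defined, defined but never enforced, or defined without the required type and parameters entries. The function names and the embedded sample policy are constructed for illustration.

```python
import re

# Tokens: quoted strings, parentheses, ':field' markers, and bare atoms.
TOKEN = re.compile(r'"[^"]*"|[()]|:[^\s()]*|[^\s():]+')

def parse_set(tokens, pos=0):
    """Parse '(' [name] {':field' set} ')' and return (node, next position)."""
    if tokens[pos] != "(":
        raise ValueError(f"expected '(' but found {tokens[pos]!r}")
    pos += 1
    name = None
    if tokens[pos] not in ("(", ")") and not tokens[pos].startswith(":"):
        name, pos = tokens[pos].strip('"'), pos + 1
    fields = []
    while tokens[pos] != ")":
        if not tokens[pos].startswith(":"):
            raise ValueError(f"expected ':field' but found {tokens[pos]!r}")
        child, next_pos = parse_set(tokens, pos + 1)
        fields.append((tokens[pos][1:], child))
        pos = next_pos
    return {"name": name, "fields": fields}, pos + 1

def load_scv(text):
    """Parse a whole policy; unbalanced parentheses raise ValueError."""
    tokens = TOKEN.findall(text)
    try:
        node, end = parse_set(tokens)
    except IndexError:
        raise ValueError("unbalanced parentheses in SCV policy") from None
    if end != len(tokens):
        raise ValueError("unexpected text after the top-level set")
    return node

def subset(node, field):
    """Children of the sub-set called `field` (empty list if it is absent)."""
    return next((c["fields"] for f, c in node["fields"] if f == field), [])

def audit(text):
    """Return findings about SCVNames / SCVPolicy consistency."""
    root = load_scv(text)
    if root["name"] != "SCVObject":
        raise ValueError("top-level set must be SCVObject")
    defined = {c["name"]: c for _, c in subset(root, "SCVNames")}
    enforced = [c["name"] for _, c in subset(root, "SCVPolicy")]
    findings = []
    for name in enforced:
        if name not in defined:
            findings.append(f"{name}: listed in SCVPolicy but not defined in SCVNames")
    for name, check in defined.items():
        missing = sorted({"type", "parameters"} - {f for f, _ in check["fields"]})
        if missing:
            findings.append(f"{name}: missing " + ", ".join(missing))
        if name not in enforced:
            findings.append(f"{name}: defined in SCVNames but not enforced by SCVPolicy")
    return findings

# Constructed sample policy (not a shipped local.scv).
SAMPLE = r'''(SCVObject
  :SCVNames (
    : (OsMonitor :type (plugin) :parameters (
        :os_build_number_10 (0) :os_build_operand_10 (">=") ) )
    : (RegMonitor :parameters (
        :value ("Software\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\PatternVer>=414") ) )
  )
  :SCVPolicy ( : (OsMonitor) : (ProcessMonitor) )
)'''

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running the audit on a copy of $FWDIR/conf/local.scv before installing the policy shows which configured checks will actually be enforced on clients.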