Checkpoint 156-536 Online Access

Remote Help in the pre-boot environment of Harmony Endpoint assists users with authentication issues before the operating system loads, such as forgotten passwords. The security levels for this feature are configurable to balance usability and security, as detailed in theCheck Point Harmony Endpoint Server Administration Guide R81.20.

Onpage 227, under "Advanced Pre-boot Settings," the guide specifies:

"Remote Help Security Level: Select the security level for Remote Help. Options are Low, Medium, or High."

This extract unequivocally lists three security levels—Low, Medium, and High—directly corresponding toOption C. These levels likely adjust the complexity or length of the challenge-response process, though the guide does not elaborate on the exact differences beyond their availability as options.

Assessing the other choices:

Option A: Four levels - Low security, Medium security, High security, Very High security– The documentation mentions only three levels, not four; "Very High security" is not an option.

Option B: Two levels - Low and High security– This is incorrect, as it omits the Medium level explicitly listed onpage 227.

Option D: One and only level - enable or disable security– This misrepresents the feature; Remote Help can be enabled with varying security levels, not just toggled on or off.

The precise wording onpage 227confirms thatOption Caccurately reflects the three configurable security levels for Remote Help in pre-boot.

Check Point Harmony Endpoint’s Full Disk Encryption (FDE) provides security through advanced multifaceted pre-boot capabilities. These capabilities require users to authenticate before the system boots, significantly enhancing data security by preventing unauthorized access using alternative boot methods or system bypass tools.

Exact Extract from Official Document:

"Pre-boot Protection requires users to authenticate to their computers before the computer boots. This prevents unauthorized access to the operating system using authentication bypass tools at the operating system level or alternative boot media to bypass boot protection."

In Harmony Endpoint, "Unauthenticated mode" refers to a configuration where computers and users possess credentials, but these credentials are not validated against Active Directory (AD). This mode is used when AD authentication is not implemented or required, yet some form of credential-based access control is still in place.

TheCP_R81.20_Harmony_Endpoint_Server_AdminGuide.pdfdoes not provide a single, explicit definition of "Unauthenticated mode" in a dedicated section. However, the concept is inferred from the authentication mechanisms described, particularly in relation to Active Directory integration. Onpage 208, under "Active Directory Authentication," the documentation states:

"Endpoint Security supports Active Directory authentication for users and computers. This allows for centralized management of user credentials and policies."

This indicates that AD authentication is a supported method for verifying credentials centrally. Onpage 209, in "Configuring Active Directory Authentication," the guide details the process for enabling AD-based authentication, implying that without this configuration, credentials are not verified through AD. In such cases, the system may rely on local credentials or alternative methods, which aligns with the concept of "Unauthenticated mode" (i.e., not authenticated via AD).

Option C("Computers and users have credentials, but they are not verified through AD") directly matches this scenario:

"Have credentials": Users and computers still use credentials (e.g., usernames and passwords) to access the system.

"Not verified through AD": These credentials are not checked against an AD server, distinguishing this mode from AD-authenticated setups.

Let’s analyze the other options:

Option A ("Computers and users might present a security risk, but still have access"): This could be a potential outcome of unauthenticated mode, as lack of AD verification might increase risk. However, it describes a consequence rather than defining the mode itself, making it less precise.

Option B ("Computers and users are trusted based on their IP address and username"): The documentation does not mention trust based on IP address and username without AD verification, so this is unsupported.

Option D ("Computers and users are trusted based on the passwords and usernames only"): This is partially correct, as unauthenticated mode may involve local credential checks. However, it lacks the critical distinction of "not verified through AD," which is central to the concept in Harmony Endpoint.

Thus,Option Cis the most accurate and specific definition based on the documentation’s discussion of authentication methods.

The Check Point Harmony Endpoint documentation clearly specifies that the pre-boot environment supports multi-factor authentication methods. These methods combine different authentication mechanisms to enhance security significantly beyond traditional password-based authentication alone.

Exact Extract from Official Document:

"You can also use TPM in addition to Pre-boot authentication for two-factor authentication."