SafeWord for Check Point Demo Site, Product Info, Product Bulletin

View a detailed demonstration on how SafeWord for Check Point works.

Request an evaluation package.

Get contact information for Secure Computing Corporation.

Back to SafeWord for Check Point Home Page.

Home -> Product Info -> Product Bulletin

SafeWord® for Check Point Product Bulletin

SafeWord for Check Point follows Microsoft's best practices in the Active Directory schema

Download the product bulletin - 90 KB, 2 pages

SafeWord® for Check Point adds strong authentication to your Check Point VPNs, positively identifying users who access your applications and resources through Check Point. SafeWord for Check Point delivers security through one-time passcode-generating hardware tokens. Only the SafeWord server knows which passcode will allow the user to gain access. This eliminates threats from outsiders stealing, copying, or reusing passwords.

In addition to being OPSEC-certified and featuring tight integration with the Check Point user management interface, SafeWord for Check Point can be managed directly from Microsoft Active Directory, allowing administrators to easily manage tokens and users.

Schema extension recommendations
Some network administrators and IT staff members have expressed reluctance to install applications that extend the Active Directory schema, as evidenced in several online discussion groups. While the Microsoft knowledge base suggests using caution when making changes to the Active Directory schema, Microsoft expressly decrees that extending the AD schema is, in fact, encouraged to extend the Active Directory definition (when done following Microsoft recommendations).

Microsoft recommends only using schema extensions that follow recommended "best practices." SafeWord for Check Point follows the Microsoft best practices list. The list, found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/adschemaext.asp, includes the following guidelines for extending the schema.

Best practices include:

The schema is neither a database nor a file system. Don't treat it as such.

Place references in the directory that point to other data stores instead of using the directory for something for which it was not designed.

Only define globally interesting, relatively static information in the schema.

Objects defined in the schema should not be created very often or modified frequently.

Objects should have a long life.

Use twice the maximum replication frequency when determining longevity or frequency.

Test the application in a private forest and with other applications before deploying.

The schema upgrade must be separate from the application installation.

SafeWord for Check Point has followed the Microsoft recommendations to create the SafeWord for Check Point Active Directory extension.

Application requirements for shipping
Microsoft offers some caveats for schema extensions that ship with applications such as SafeWord for Check Point. All caveats have been explicitly followed: a separate install has been created for SafeWord for Check Point, and the following steps recommended by Microsoft have been implemented:

The application must use a registered prefix and base OID for each class and attribute.

The application must have a unique schemaIDGuid for each class and attribute.

LDIF files for your schema installation must be created.

The application uses LDIFDE.exe to load the LDIF files.

The application and schema extensions were tested on Secure Computing's local network.

For more information
If you have additional questions or concerns on the implementation of the Active Directory schema extensions in SafeWord for Check Point, contact sales@securecomputing.com or visit http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/adschemaext.asp.