HP dc73 User's Manual
Contents
2. HP ProtectTools Security Manager.
In the left pane, click BIOS Configuration.
Type your Computer Setup administrator password at the BIOS administrator password prompt, and then click OK.
In the left pane, click Security.
Under Embedded Security, click Enable Power-on Authentication Support.
NOTE: To disable power-on authentication for Embedded Security, click Disable.
Click Apply, and then click OK in the HP ProtectTools window.

Enabling and disabling DriveLock hard drive protection
DriveLock is an industry-standard security feature that prevents unauthorized access to the data on ATA hard drives. DriveLock has been implemented as an extension to Computer Setup. It is only available when hard drives that support the ATA Security command set are detected.
DriveLock is intended for HP customers for whom data security is the paramount concern. For such customers, the cost of the hard drive and the loss of the data stored on it is inconsequential when compared with the damage that could result from unauthorized access to its contents. In order to balance this level of security with the practical need to accommodate a forgotten password, the HP implementation of DriveLock employs a two-password security scheme. One password is intended to be set and used by a system administrator, while the other is typically set and used by the end user. There is no back door that can be used to unlock the drive if both passwords are lo
3. When there is an EK, a TPM owner must exist, since the upgrade requires owner authorization. After the successful upgrade, the platform must be restarted for the new firmware to take effect. If the BIOS TPM is factory reset, ownership is removed and firmware update capability is prevented until the Embedded Security Software Platform and User Initialization Wizard have been configured. A reboot is always recommended after performing a firmware update; the firmware version is not identified correctly until after the reboot.
1. Reinstall HP ProtectTools Embedded Security Software.
2. Run the Platform and User configuration wizard.
3. Ensure that the system contains the Microsoft .NET Framework 1.1 installation:
   a. Click Start.
   b. Click Control Panel.
   c. Click Add or Remove Programs.
   d. Ensure Microsoft .NET Framework 1.1 is listed.
4. Check the hardware and software configuration:
   a. Click Start.
   b. Click All Programs.
   c. Click HP ProtectTools Security Manager.
   d. Select Embedded Security from the tree menu.
   e. Click More Details.
   The system should have the following configuration:
   • Product version: V4.0.1
   • Embedded Security State: Chip State: Enabled; Owner State: Initialized; User State: Initialized
   • Component Info: TCG Spec Version 1.2
   • Vendor: Broadcom Corporation
   • FW Version: 2.18 or greater
   • TPM Device driver library version: 2.0.0.9 or greater
5. If the FW version does not match 2.18, do
4. NOTE: After you have set a power-on password, the Set button on the Passwords page is replaced by a Change button.
The Computer Setup password protects the configuration settings and system identification information in Computer Setup. After this password is set, it must be used to access Computer Setup. If you have set a setup password, you will be prompted for the password before opening the BIOS Configuration portion of HP ProtectTools.
NOTE: After you have set a setup password, the Set button on the Passwords page is replaced by a Change button.

Setting the power-on password
To set the power-on password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click BIOS Configuration, and then click Security.
3. In the right pane, next to Power-On Password, click Set.
4. Type and confirm the password in the Enter Password and Verify Password boxes.
5. Click OK in the Passwords dialog box.
6. Click Apply, and then click OK in the HP ProtectTools window.

Changing the power-on password
To change the power-on password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click BIOS Configuration, and then click Security.
3. In the right pane, next to Power-On Password, click Change.
4. Type the current password in the Old Password box.
5. Set and confirm the new password in the Enter New Password box.
6. Click OK in the Passwords di
5. a Java Card PIN
NOTE: The Java Card PIN must be between 4 and 8 numeric characters.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click General.
3. Insert a Java Card with an existing PIN into the card reader.
4. In the right pane, click Change.
5. In the Change PIN dialog box, type the current PIN in the Current PIN box.
6. Type a new PIN in the New PIN box, and then type the PIN again in the Confirm New PIN box.
7. Click OK.

Selecting the card reader
Be sure that the correct card reader is selected in Java Card Security before using the Java Card. If the correct reader is not selected, some of the features may be unavailable or incorrectly displayed. In addition, the card reader drivers must be correctly installed, as shown in Windows Device Manager.
To select the card reader:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click General.
3. Insert the Java Card into the card reader.
4. In the right pane, under Selected card reader, click the correct reader.

Advanced tasks (administrators only)
The Advanced page allows you to perform the following tasks:
• Assign a Java Card PIN
• Assign a name to a Java Card
• Set power-on authentication
• Back up and restore Java Cards
NOTE: You must have Windo
6. agent. When a user key cannot be retrieved, as in the case of entering the wrong password or canceling the Enter Password dialog, the file is automatically decrypted with a recovery key. This is due to the Microsoft EFS. Please refer to Microsoft Knowledge Base Technical Article Q257705 at http://www.microsoft.com for more information.

The documents cannot be opened by a non-administrator user.

When viewing a certificate, it shows as non-trusted.
After setting up HP ProtectTools and running the User Initialization Wizard, the user has the ability to view the certificate issued; however, when viewing the certificate, it shows as non-trusted. While the certificate can be installed at this point by clicking the Install button, installing it does not make it trusted. Self-signed certificates are not trusted. In a properly configured enterprise environment, EFS certificates are issued by online Certification Authorities and are trusted.

Intermittent encrypt and decrypt error occurs: "The process cannot access the file because it is being used by another process."
Extremely intermittent error during file encryption or decryption occurs due to the file being used by another process, even though that file or folder is not being processed by the operating system or other applications.
To resolve the failure:
1. Restart the system.
2. Log off.
3. Log back in.

Data loss in removable storage occurs if storage is r
7. click Advanced.
In the right pane, under Owner Password, click Change.
Type the old owner password, and then set and confirm the new owner password.
Click OK.

Resetting a user password
An administrator can help a user to reset a forgotten password. For more information, refer to the online Help.

Enabling and disabling Embedded Security
It is possible to disable the Embedded Security features if you want to work without the security function. The Embedded Security features can be enabled or disabled at 2 different levels:
• Temporary disabling: With this option, Embedded Security is automatically re-enabled on Windows restart. This option is available to all users by default.
• Permanent disabling: With this option, the owner password is required to re-enable Embedded Security. This option is available only to administrators.

Permanently disabling Embedded Security
To permanently disable Embedded Security:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Embedded Security, click Disable.
4. Type your owner password at the prompt, and then click OK.

Enabling Embedded Security after permanent disable
To enable Embedded Security after permanently disabling it:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then cli
8. computer when you are away from your desk, use the Lock Workstation feature. This prevents unauthorized users from gaining access to your computer. Only you and members of the administrators group on your computer can unlock it.
NOTE: This option is available only if the Credential Manager classic logon prompt is enabled. See Example 1: Using the Advanced Settings page to allow Windows logon from Credential Manager on page 25.
For added security, you can configure the Lock Workstation feature to require a Java Card, biometric reader, or token to unlock the computer. For more information, see Configuring Credential Manager settings on page 25.
To lock the computer:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Lock Workstation.
The Windows logon screen is displayed. You must use a Windows password or the Credential Manager Logon Wizard to unlock the computer.

Using Windows Logon
You can use Credential Manager to log on to Windows, either at a local computer or on a network domain. When you log on to Credential Manager for the first time, the system automatically adds your local Windows user account as the account for the Windows Logon service.

Logging on to Windows with Credential Manager
You can use Credential Manager to log on to a Windows network or local account.
1. If you have registered your fingerp
9. computer on page 17.

Example 2: Using the Advanced Settings page to require user verification before Single Sign On
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Settings.
3. In the right pane, click the Single Sign On tab.
4. Under When registered logon dialog or Web page is visited, select the Authenticate user before submitting credentials check box.
5. Click Apply, and then click OK.
6. Restart the computer.

3 Embedded Security for HP ProtectTools
NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools.
Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials. This software module provides the following security features:
• Enhanced Microsoft Encryption File System (EFS) file and folder encryption
• Creation of a personal secure drive (PSD) for protecting user data
• Data management functions, such as backing up and restoring the key hierarchy
• Support for third-party applications (such as Microsoft Outlook and Internet Explorer) for protected digital certificate operations when using the Embedded Security software
The TPM embedded security chip
11. enhances and enables other HP ProtectTools Security Manager security features. For example, Credential Manager for HP ProtectTools can use the embedded chip as an authentication factor when the user logs on to Windows. On select models, the TPM embedded security chip also enables enhanced BIOS security features accessed through BIOS Configuration for HP ProtectTools.

Setup procedures
CAUTION: To reduce security risk, it is highly recommended that your IT administrator immediately initialize the embedded security chip. Failure to initialize the embedded security chip could result in an unauthorized user, a computer worm, or a virus taking ownership of the computer and gaining control over the owner tasks, such as handling the emergency recovery archive and configuring user access settings.
Follow the steps in the following 2 sections to enable and initialize the embedded security chip.

Enabling the embedded security chip
The embedded security chip must be enabled in the Computer Setup utility. This procedure cannot be performed in BIOS Configuration for HP ProtectTools.
To enable the embedded security chip:
1. Open Computer Setup by turning on or restarting the computer, and then pressing F10 while the "F10 ROM Based Setup" message is displayed in the lower-left corner of the screen.
2. If you have not set an administrator password, use the arrow keys to select Security > Setup password, and then press enter.
3. Typ
12. one from the first document. HP is researching a workaround for future product enhancements.

Incompatibility issues with Corel WordPerfect 12 password gina
If the user logs in to Credential Manager, creates a document in WordPerfect, and saves with password protection, Credential Manager cannot detect or recognize (either manually or automatically) the password gina. HP is researching a workaround for future product enhancements.

Credential Manager does not recognize the Connect button on screen
If the Single Sign On credentials for Remote Desktop Connection (RDP) are set to Connect, Single Sign On upon relaunch always enters Save As instead of Connect. HP is researching a workaround for future product enhancements.

ATI Catalyst configuration wizard is not usable with Credential Manager
Credential Manager Single Sign On conflicts with the ATI Catalyst configure wizard. Disable the Credential Manager Single Sign On.

When logging in using TPM authentication, the Back button on screen skips the option to choose another authentication method
If a user using TPM login authentication for Credential Manager enters his/her password, the Back button does not work properly but instead immediately displays the Windows login screen. HP is researching a workaround for future product enhancements.

Credential Manager opens out of standby when it is configured not to
When use Credential Manag
13. Short description: pose security risk.
Details:
• deletion of PSD
• malicious modification of user settings
• disabling of security policies and functions
Solution: Unauthorized users should not be granted administrative privileges.

Short description: BIOS and OS Embedded Security password are out of synch.
Details: If the user does not validate a new password as the BIOS Embedded Security password, the BIOS Embedded Security password reverts back to the original embedded security password through F10 BIOS.
Solution: This is functioning as designed; these passwords can be re-synchronized by changing the OS Basic User password and authenticating it at the BIOS Embedded Security password prompt.

Short description: Only one user can log on to the system after TPM preboot authentication is enabled in BIOS.
Details: The TPM BIOS PIN is associated with the first user who initializes the user setting. If a computer has multiple users, the first user is in essence the administrator. The first user will have to give his TPM user PIN to other users to use to log in.
Solution: This is functioning as designed. HP recommends that the customer's IT department follow good security policies for rolling out their security solution and ensuring that the BIOS administrator password is configured by IT administrators for system-level protection.

Short description: User has to change PIN to make TPM preboot work.
Details: User has to change PIN or create another user to initialize his user setting.
Solution: This is as designed; the factory reset clears the Basic User Key. The user must change his user PIN or cr
14. reader. The Credential Manager Registration Wizard opens.
2. Follow the on-screen instructions to complete registering your fingerprints and setting up the fingerprint reader.
3. To set up the fingerprint reader for a different Windows user, log on to Windows as that user, and then repeat steps 1 and 2.

Using your registered fingerprint to log on to Windows
1. Immediately after you have registered your fingerprints, restart Windows.
2. At the Windows Welcome screen, swipe any of your registered fingers to log on to Windows.

Registering a Java Card, USB eToken, or virtual token
NOTE: You must have a card reader or smart card keyboard configured for this procedure. If you choose not to use a smart card, you can register a virtual token as described in Creating a virtual token on page 15.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Register Smart Card or Token. The Credential Manager Registration Wizard opens.
4. Follow the on-screen instructions.

Registering a USB eToken
1. Be sure that the USB eToken drivers are installed.
   NOTE: Refer to the USB eToken user guide for more information.
2. Select Start > All Programs > HP ProtectTools Security Manager.
3. In the left pane, click Credential Manager.
4. In the right pane, click Register Smart Card or Token. The Credential Manager Registration Wizard o
15. removed from a system without requiring the user to remember any additional passwords.
Module: Drive Encryption for HP ProtectTools
Key features:
• Drive Encryption provides complete, full-volume hard drive encryption.
• Drive Encryption forces pre-boot authentication in order to decrypt and access the data.

Accessing HP ProtectTools Security
To access HP ProtectTools Security from Windows Control Panel, select Start > All Programs > HP ProtectTools Security Manager.
NOTE: After you have configured the Credential Manager module, you can also open HP ProtectTools by logging on to Credential Manager directly from the Windows logon screen. For more information, refer to Logging on to Windows with Credential Manager on page 17.

Achieving key security objectives
The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives:
• Protecting against targeted theft
• Restricting access to sensitive data
• Preventing unauthorized access from internal or external locations
• Creating strong password policies

Protecting against targeted theft
An example of this type of incident would be the targeted theft of a computer containing confidential data and customer information in a cubicle or open environment. The following features help protect aga
16. screen.
• From the notification area, by double-clicking the HP ProtectTools Security Manager icon.
• From the Credential Manager page of ProtectTools Security Manager, by clicking the Log On link in the upper-right corner of the window.
2. Follow the on-screen instructions to log on to Credential Manager.

Logging on for the first time
Before you begin, you must be logged on to Windows with an administrator account, but not logged on to Credential Manager.
1. Open HP ProtectTools Security Manager by double-clicking the HP ProtectTools Security Manager icon in the notification area. The HP ProtectTools Security Manager window opens.
2. In the left pane, click Credential Manager, and then click Log On in the upper-right corner of the right pane. The Credential Manager Logon Wizard opens.
3. Type your Windows password in the Password box, and then click Next.

Registering credentials
You can use the My Identity page to register your various authentication methods, or credentials. After they have been registered, you can use these methods to log on to Credential Manager.

Registering fingerprints
A fingerprint reader allows you to log on to Windows using your fingerprint for authentication instead of using a Windows password.

Setting up the fingerprint reader
1. After logging on to Credential Manager, swipe your finger across the fingerprint
17. screen instructions to back up credentials.

Setting backup options
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Backup Options. The HP ProtectTools Backup Wizard opens.
4. Follow the on-screen instructions.
5. After you set and confirm the Storage File Password, select Remember all passwords and authentication values for future automated backups.
6. Click Save Settings, and then click Finish.

Backing up preselected HP ProtectTools modules
NOTE: You must set backup options before you can use this method.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Backup.

Scheduling backups
NOTE: You must set backup options before you can use this method.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Schedule Backups.
4. On the Task tab, select the Enabled check box to enable scheduled backups.
5. Click Set Password, and type and confirm your password in the Set Password dialog box.
6. Click OK.
7. Click Apply.
8. Click the Schedule tab.
9. Click the Schedule Task arrow and select t
18. that provides enhanced protection for the power-on and administrator passwords and other forms of power-on authentication.
Trusted Platform Module (TPM) embedded security chip (select models only): Integrated security chip that can protect highly sensitive user information from malicious attackers. It is the root of trust in a given platform. The TPM provides cryptographic algorithms and operations that meet the Trusted Computing Group (TCG) specifications.
USB token: Security device that stores identifying information about a user. Like a Java Card or biometric reader, it is used to authenticate the owner to a computer.
Virtual token: Security feature that works very much like a Java Card and card reader. The token is saved either on the computer hard drive or in the Windows registry. When you log on with a virtual token, you are asked for a user PIN to complete the authentication.
Windows user account: Profile for an individual authorized to log on to a network or to an individual computer.
19. Details: using another credential (Windows password) in order to log off and re-log back into Credential Manager.
Solution: When logging back into Windows, log off Credential Manager, re-log back into Credential Manager, and reselect the token as primary login; the token login operation then functions normally.

Short description: Some application Web pages create errors that prevent the user from performing or completing tasks.
Details: Some Web-based applications stop functioning and report errors due to the disabling functionality pattern of Single Sign On. For example, a yellow triangle is observed in Internet Explorer, indicating an error has occurred.
Solution: Credential Manager Single Sign On does not support all software Web interfaces. Disable Single Sign On support for the specific Web page by turning off Single Sign On support. Please see the complete documentation on Single Sign On, which is available in the Credential Manager help files. If a specific Single Sign On cannot be disabled for a given application, call HP Service and Support and request 3rd level support through your HP Service contact.

Short description: No option to Browse for Virtual Token during the login process.
Details: User cannot move the location of the registered virtual token in Credential Manager because the option to browse was removed due to security risks.
Solution: The browse option was removed from current product offerings because it allowed non-users to delete and rename files and take control of Windows.

Short description: Login with TPM
Details: Using the Network Accounts opti
21. Configuration to manage various settings for tasks that run when you turn on or restart the computer.
To manage boot options:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click BIOS Configuration.
3. Type your Computer Setup administrator password at the BIOS administrator password prompt, and then click OK.
   NOTE: The BIOS administrator password prompt is displayed only if you have already set the Computer Setup password. For more information about setting the Computer Setup password, refer to Setting the setup password on page 49.
4. In the left pane, click System Configuration.
5. In the right pane, select the delays (in seconds) for F9, F10, and F12, and for Express Boot Popup Delay (Sec).
6. Enable or disable MultiBoot.
7. If you have enabled MultiBoot, select the boot order by selecting a boot device and then clicking the up arrow or the down arrow to adjust its order in the list.
8. Click Apply, and then click OK in the HP ProtectTools window.

Enabling and disabling system configuration options
NOTE: Some of the items listed below may not be supported by your computer.
To enable or disable devices or security options:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click BIOS Configuration.
3. Type your Computer Setup administrator password at the BIOS administrator password prompt, and t
22. 1 Introduction to security
HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Enhanced security functionality is provided by the following software modules:
• Credential Manager for HP ProtectTools
• Embedded Security for HP ProtectTools
• Java Card Security for HP ProtectTools
• BIOS Configuration for HP ProtectTools
• Drive Encryption for HP ProtectTools
The software modules available for your computer may vary depending on your model. For example, Embedded Security for HP ProtectTools is available only for computers on which the Trusted Platform Module (TPM) embedded security chip is installed. HP ProtectTools software modules may be preinstalled, preloaded, or available for download from the HP Web site. Visit http://www.hp.com for more information.
NOTE: The instructions in this guide are written with the assumption that you have already installed the applicable HP ProtectTools software modules.

HP ProtectTools features
The following table details the key features of HP ProtectTools modules.
Module: Credential Manager for HP ProtectTools
Key features:
• Credential Manager acts as a personal password vault.
• Single Sign On remembers multiple passwords for various password-protected We
23. M in BIOS: Open the Computer Setup (F10) Utility, navigate to Security > Device security, and modify the field from Hidden to Available.

Short description: Automatic backup does not work with mapped drive.
Details: When an administrator sets up Automatic Backup in Embedded Security, it creates an entry in Windows > Tasks > Scheduled Task. This Windows Scheduled Task is set to use NT AUTHORITY\SYSTEM for rights to execute the backup. This works properly to any local drive. When the administrator instead configures the Automatic Backup to save to a mapped drive, the process fails because NT AUTHORITY\SYSTEM does not have the rights to use the mapped drive. If the Automatic Backup is scheduled to occur upon login, the Embedded Security TNA icon displays the following message: "The Backup Archive location is currently not accessible. Click here if you want to backup to a temporary archive until the Backup Archive is accessible again." If the Automatic Backup is scheduled for a specific time, however, the backup fails without displaying notice of the failure.
Solution: The workaround is to change NT AUTHORITY\SYSTEM to (computer name)\(admin name). This is the default setting if the Scheduled Task is created manually. HP is working to provide future product releases with default settings that include (computer name)\(admin name).

Short description: Unable to di
24. On, click Manage Applications and Credentials.
4. Click the application entry you want to import. Then select More > Applications > Import Script.
5. Follow the on-screen instructions to complete the import.
6. Click OK.

Modifying credentials
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to modify, and then click More.
5. Select any of the following options:
   • Applications
     ◦ Add New
     ◦ Remove
     ◦ Properties
     ◦ Import Script
     ◦ Export Script
   • Credentials
     ◦ Create New
     ◦ View Password
   NOTE: You must authenticate your identity before viewing the password.
6. Follow the on-screen instructions.
7. Click OK.

Using Application Protection
This feature allows you to configure access to applications. You can restrict access based on the following criteria:
• Category of user
• Time of use
• User inactivity

Restricting access to an application
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Application Protection, click Manage Protected Applications. The Application Protection S
25. ProtectTools User Guide
Copyright 2007 Hewlett-Packard Development Company, L.P.
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. AMD, the AMD Arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Java is a US trademark of Sun Microsystems, Inc. SD Logo is a trademark of its proprietor.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
First Edition: July 2007
Document Part Number: 451271-001

Table of contents
1 Introduction to security
HP ProtectTools features 2
Accessing HP ProtectTools Security 3
Achieving key security objectives 4
Protecting against targeted theft 4
Restri
26. To change the Basic User Key password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Basic User Key password, click Change.
4. Type the old password, and then set and confirm the new password.
5. Click OK.

Advanced tasks
Backing up and restoring
The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emergency.

Creating a backup file
To create a backup file:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Backup. The Embedded Security Backup Wizard opens.
4. Follow the on-screen instructions.

Restoring certification data from the backup file
To restore data from the backup file:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Restore. The Embedded Security Backup Wizard opens.
4. Follow the on-screen instructions.

Changing the owner password
To change the owner password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then
27. a Card PIN also protects access to the Computer Setup utility and to the computer contents. Authenticates users of Drive Encryption if the Java Card token is selected.

Computer Setup password | Set in: BIOS Configuration, by IT administrator | Function: NOTE: Also known as BIOS administrator, F10 Setup, or Security Setup password. Protects access to the Computer Setup utility.

Power-on password | Set in: BIOS Configuration | Function: Protects access to the computer contents when the computer is turned on, restarted, or restored from hibernation.

Windows Logon password | Set in: Windows Control Panel | Function: Can be used for manual logon or saved on the Java Card.

Creating a secure password
When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:
- Use passwords with more than 6 characters, preferably more than 8.
- Mix the case of letters throughout your password.
- Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
- Substitute special characters or numbers for letters in a key word. For example, you can use the number 1 for the letters I or L.
- Combine words from 2 or more languages.
- Split a word or phrase with numbers or special characters in the middle, for example, Mary2 2Cat45.
- Do not use a password
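A small checker for the guidelines above, added here as an example and not HP's code. Besides the length, case, digit, and symbol rules, it reverses the letter-for-symbol substitutions the list recommends and looks each remaining run of letters up in a word list, because password-cracking rule sets apply exactly those substitutions; a password whose only strength is P@ssw0rd-style substitution therefore fails the check even though it satisfies every composition rule. The word list and the three sample passwords are constructed for the example.

```powershell
# Added example, not part of the HP guide: test a candidate password against the
# guidelines listed above, then undo the common substitutions (1 -> l, 0 -> o,
# @ -> a, $ -> s, 3 -> e, 5 -> s) and check the letter runs against a word list.
# The word list and the sample passwords are constructed for this example.

$wordList = @('mary', 'cat', 'password', 'protect', 'admin', 'hewlett')

function Undo-Substitution([string]$s) {
    $t = $s.ToLowerInvariant()
    # -replace is regex based, so the '$' pattern must be escaped.
    $t = $t -replace '1', 'l' -replace '0', 'o' -replace '@', 'a'
    $t = $t -replace '\$', 's' -replace '3', 'e' -replace '5', 's'
    return $t
}

function Test-PasswordGuidelines([string]$pw) {
    $failures = New-Object System.Collections.Generic.List[string]
    if ($pw.Length -le 8)                                   { $failures.Add('8 characters or fewer') }
    if ($pw -cnotmatch '[a-z]' -or $pw -cnotmatch '[A-Z]') { $failures.Add('case is not mixed') }
    if ($pw -notmatch '[0-9]')                              { $failures.Add('no digit') }
    if ($pw -notmatch '[^A-Za-z0-9]')                       { $failures.Add('no special character or punctuation') }

    # After de-substitution, any run of three or more letters is a dictionary candidate.
    $runs = (Undo-Substitution $pw) -split '[^a-z]+' | Where-Object { $_.Length -ge 3 }
    foreach ($run in $runs) {
        if ($wordList -contains $run) { $failures.Add("contains the word '$run'") }
    }

    [pscustomobject]@{
        Password = $pw
        Passes   = ($failures.Count -eq 0)
        Failures = ($failures -join '; ')
    }
}

# Constructed samples: the first two follow the substitution advice and still fail
# on dictionary words; the third passes.
'Mary22Cat45', 'P@ssw0rd!', 'Tr0ub4dor&3' |
    ForEach-Object { Test-PasswordGuidelines $_ } |
    Format-Table -AutoSize
```

Mary22Cat45 is flagged for the words mary and cat and for having no special character; P@ssw0rd! satisfies every composition rule but reduces to password once the substitutions are undone; Tr0ub4dor&3 passes. Length is the lever that survives this kind of normalization, which is why the guideline to prefer more than 8 characters matters more than the substitution advice.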
28. alog box.
7. Click Apply, and then click OK in the HP ProtectTools window.

Setting the setup password
To set the Computer Setup password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click BIOS Configuration, and then click Security.
3. In the right pane, next to Setup Password, click Set.
4. Type and confirm the password in the Enter Password and Confirm Password boxes.
5. Click OK in the Passwords dialog box.
6. Click Apply, and then click OK in the HP ProtectTools window.

Changing the setup password
To change the Computer Setup password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click BIOS Configuration, and then click Security.
3. In the right pane, next to Setup Password, click Change.
4. Type the current password in the Old Password box.
5. Type and confirm the new password in the Enter New Password and Verify New Password boxes.
6. Click OK in the Passwords dialog box.
7. Click Apply, and then click OK in the HP ProtectTools window.

Setting password options
You can use BIOS Configuration for HP ProtectTools to set password options to enhance the security of your system.

Enabling and disabling stringent security
CAUTION: To prevent the computer from becoming permanently unusable, record your configured setup password, power-on password, or smart card PIN in a safe place away fr
29. an set the Java Card identity to be the same as the DriveLock user password, which allows you to validate both DriveLock and the Java Card using only the Java Card when starting the computer.
   b. If applicable, type your DriveLock user password in the DriveLock password box, and then type it again in the Confirm password box.
   c. Type the Java Card PIN.
   d. Click OK.
When you are prompted to create a recovery file, click Cancel to create a recovery file at a later time, or click OK and follow the on-screen instructions in the HP ProtectTools Backup Wizard to create a recovery file now.
NOTE: For more information, see HP ProtectTools Backup and Restore on page 8.

Creating a user Java Card
NOTE: Power-on authentication and an administrator card must be set up in order to create a user Java Card.
To create a user Java Card:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert a Java Card that will be used as a user card.
4. In the right pane, under Power-on authentication, click Create next to User card identity.
5. Type a PIN for the user Java Card, and then click OK.

Disabling Java Card power-on authentication
When you disable Java Card power-on authentication, the use of the Java Card is no longer needed to access the compute
30. andles detection of logon screens, automatic logon to registered logon dialogs, and password display.
- Services and Applications: Allows you to view the available services and modify the settings for those services.
- Security: Allows you to select the fingerprint reader software and adjust the security level of the fingerprint reader.
- Smart Cards and Tokens: Allows you to view and modify properties for all available Java Cards and tokens.

To modify Credential Manager settings:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Settings.
3. In the right pane, click the appropriate tab for the settings you want to modify.
4. Follow the on-screen instructions to modify the settings.
5. Click Apply, and then click OK.

Example 1: Using the Advanced Settings page to allow Windows logon from Credential Manager
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Settings.
3. In the right pane, click the General tab.
4. Under Select the way users log on to Windows (requires restart), select the Use Credential Manager with classic logon prompt check box.
5. Click Apply, and then click OK.
6. Restart the computer.
NOTE: Selecting the Use Credential Manager with classic logon prompt check box allows you to lock your computer. See Locking the
31. Short description (continued): ...passwords through Computer Setup after changing the Owner password in Embedded Security Windows software.
Details (continued): ...after changing the Owner password in Embedded Security Windows software.
Solution (continued): ...ate with the TPM once the operating system is up and running and to verify the TPM passphrase against the TPM key blob.

Glossary
Authentication: Process of verifying whether a user is authorized to perform a task, for example, accessing a computer, modifying settings for a particular program, or viewing secured data.
Biometric: Category of authentication credentials that use a physical feature, such as a fingerprint, to identify a user.
BIOS profile: Group of BIOS configuration settings that can be saved and applied to other accounts.
BIOS security mode: Setting in Java Card Security that, when enabled, requires the use of a Java Card and a valid PIN for user authentication.
Certification authority: Service that issues the certificates required to run a public key infrastructure.
Credentials: Method by which a user proves eligibility for a particular task in the authentication process.
Cryptographic service provider (CSP): Provider or library of cryptographic algorithms that can be used in a well-defined interface to perform particular cryptographic functions.
Cryptography: Practice of encrypting and decrypting data so that it can be decoded only by specific individuals.
Decryption: Procedure used in cryptography to convert encrypted data i
32. b sites, applications, and network resources.
- Single Sign On offers additional protection by requiring combinations of different security technologies, such as a Java Card and biometrics, for user authentication.
- Password storage is protected through encryption and can be hardened through the use of a TPM embedded security chip and/or security device authentication, such as Java Cards or biometrics.

Embedded Security for HP ProtectTools
- Embedded Security uses a Trusted Platform Module (TPM) embedded security chip to help protect against unauthorized access to sensitive user data or credentials stored locally on a PC.
- Embedded Security allows creation of a personal secure drive (PSD) for protecting user data.
- Embedded Security supports third-party applications, such as Microsoft Outlook and Internet Explorer, for protected digital certificate operations.

Java Card Security for HP ProtectTools
- Java Card Security configures the HP ProtectTools Java Card for user authentication before the operating system loads.
- Java Card Security configures separate Java Cards for an administrator and a user.

BIOS Configuration for HP ProtectTools
- BIOS Configuration provides access to power-on, user, and administrator password management.
- BIOS Configuration provides an alternative to the pre-boot BIOS configuration utility known as F10 Setup.
- DriveLock helps protect a hard drive from unauthorized access even if it is
33. ck Advanced. In the right pane, under Embedded Security, click Enable. Type your owner password at the prompt, and then click OK.

Migrating keys with the Migration Wizard
Migration is an advanced administrator task that allows the management, restoration, and transfer of keys and certificates. For details on migration, refer to the Embedded Security online Help.

4 Java Card Security for HP ProtectTools
Java Card Security for HP ProtectTools manages the Java Card setup and configuration for computers equipped with an optional card reader. With Java Card Security, you can accomplish the following tasks:
- Access Java Card Security features.
- Work with the Computer Setup utility to enable Java Card authentication in a power-on environment.
- Configure separate Java Cards for an administrator and a user. A user must insert the Java Card and type a PIN before the operating system will load.
- Set and change the PIN used to authenticate users of the Java Card.

General tasks
The General page allows you to perform the following tasks:
- Change a Java Card PIN.
- Select the card reader or smart card keyboard.
NOTE: The card reader uses both Java Cards and smart cards. This feature is available if you have more than one card reader on the computer.

Changing a Java Card PIN
To change
34. cting access to sensitive data 4
Preventing unauthorized access from internal or external locations 4
Creating strong password policies 5
Additional security elements 6
Assigning security roles 6
Managing HP ProtectTools passwords 6
Creating a secure password 8
HP ProtectTools Backup and Restore 8
Backing up credentials and settings 8
Restoring credentials 9
Configuring settings 10
2 Credential Manager for HP ProtectTools
Setup procedures 12
Logging on to Credential Manager 12
Using the Credential Manager Logon Wizard 12
Logging on for the f
35. d Security system will render existing Recovery Archives and Recovery Tokens useless by overwriting those xml files. The error occurs after the user:
- Initializes owner and user in Embedded Security using the default locations (My Documents)
- Resets the chip to factory settings in the BIOS
- Reboots the computer
- Begins to restore Embedded Security
During the restore process, Credential Manager asks the user if the system can automate the logon to Infineon TPM User Authentication. If the user selects Yes, then the location of SPEmRecToken automatically appears in the text box. Even though this location is correct, the following error message is displayed: No Emergency Recovery Token is provided. Select the token location the Emergency Recovery Token should be retrieved from.
Solution: HP is working to resolve the xml file overwrite issue and will provide a solution in a future SoftPaq. Click the Browse button on the screen to select the location, and the restore process proceeds.

Short description: Multiple User PSDs do not function in a fast user switching environment
Details: This error occurs when multiple users have been created and given a PSD with the same drive letter. If an attempt is made to fast user switch between users when the PSD is loaded, the second user's PSD will be unavailable.
Solution: The second user's PSD will only be available if it is reconfigured to use another drive letter or if the first user is logged off.

Short description: Embedded Securit
36. dding an account 17
Removing an account 18
Using Single Sign On 18
Registering a new application 18
Using automatic registration 18
Using manual drag and drop registration 19
Managing applications and credentials 19
Modifying application properties 19
Removing an application from Single Sign On 19
Exporting an application 19
Importing an application 20
Modifying credentials 20
Using Application Protection 20
Restricting access to an application 21
Removing protection from an application 21
Changing restriction settings for a protected application 21
Advanced tasks (administrator only) 23
Specifying how users and administrators log on
37. dled like an account or profile for a particular user.
Java Card: Small piece of hardware, similar in size and shape to a credit card, which stores identifying information about the owner. Used to authenticate the owner to a computer.
Migration: A task that allows the management, restoration, and transfer of keys and certificates.
Network account: Windows user or administrator account, either on a local computer, in a workgroup, or on a domain.
NTFS partition: NT File System, a method of indexing storage media. This method is standard with Windows Vista and Windows XP.
Personal secure drive (PSD): Provides a protected storage area for sensitive information.
Power-on authentication: Security feature that requires some form of authentication, such as a Java Card, security chip, or password, when the computer is turned on.
Public Key Infrastructure (PKI): Standard that defines the interfaces for creating, using, and administering certificates and cryptographic keys.
Reboot: Process of restarting the computer.
Single Sign On: Feature that stores authentication information and allows you to use the Credential Manager to access Internet and Windows applications that require password authentication.
Smart card: Small piece of hardware, similar in size and shape to a credit card, which stores identifying information about the owner. Used to authenticate the owner to a computer.
Stringent security: Security feature in BIOS Configuration
38. e your password in the New password and Verify new password boxes, and then press F10.
4. In the Security menu, use the arrow keys to select TPM Embedded Security, and then press Enter.
5. Under Embedded Security, if the device is hidden, select Available.
6. Select Embedded security device state, and change it to Enable.
7. Press F10 to accept the changes to the Embedded Security configuration.
8. To save your preferences and exit Computer Setup, use the arrow keys to select File > Save Changes and Exit. Then follow the on-screen instructions.

Initializing the embedded security chip
In the initialization process for Embedded Security, you will perform the following tasks:
- Set an owner password for the embedded security chip that protects access to all owner functions on the embedded security chip.
- Set up the emergency recovery archive, which is a protected storage area that allows re-encryption of the Basic User Keys for all users.
To initialize the embedded security chip:
1. Right-click the HP ProtectTools Security Manager icon in the notification area, at the far right of the taskbar, and then select Embedded Security Initialization. The HP ProtectTools Embedded Security Initialization Wizard opens.
2. Follow the on-screen instructions.

Setting up the basic user account
Setting up a basic user account in Embedded Security accomplishes the fol
39. Details (continued): ...after a TPM factory reset to make TPM BIOS authentication work.
Solution (continued): ...eate a new user to re-initialize the Basic User Key after reset. There is no option to make TPM BIOS authentication work.

Short description: Power-on authentication support not set to default using Embedded Security Reset to Factory Settings option
Details: In Computer Setup, the Power-on authentication support option is not being reset to factory settings when using the Embedded Security Device Reset to Factory Settings option. By default, Power-on authentication support is set to Disable.
Solution: The Reset to Factory Settings option disables Embedded Security Device, which hides the other Embedded Security options, including Power-on authentication support. However, after re-enabling Embedded Security Device, Power-on authentication support remained enabled. HP is working on a resolution, which will be provided in future Web-based ROM SoftPaq offerings.

Short description: Security: Power-On Authentication overlaps BIOS Password during boot sequence
Details: Power-On Authentication prompts the user to log on to the system using the TPM password, but if the user presses F10 to access the BIOS, read-rights access only is granted.
Solution: To be able to write to the BIOS, the user must enter the BIOS password instead of the TPM password at the Power-on Authentication window.

Short description: The BIOS asks for both the old and new passwords through Computer Setup
Details: The BIOS asks for both the old and new
Solution: This is as designed. This is due to the inability of the BIOS to communic
40. 23
Configuring custom authentication requirements 24
Configuring credential properties 24
Configuring Credential Manager settings 25
Example 1: Using the Advanced Settings page to allow Windows logon from Credential Manager 25
Example 2: Using the Advanced Settings page to require user verification before Single Sign On 26
3 Embedded Security for HP ProtectTools
Setup procedures 28
Enabling the embedded security chip 28
Initializing the embedded security chip 29
Setting up the basic user account 30
General tasks 31
Using the Personal Secure Drive 31
Encrypting files and folders
41. emoved prior to new data generation or transfer.

Short description: During uninstall, if the user has not initialized the Basic User and opens the Administration tool, the Disable option is not available and the Uninstaller will not continue until the Administration tool is closed
Details: The user has the option of uninstalling either without disabling the TPM or by first disabling the TPM through the Admin tool, then uninstalling. Accessing the Admin tool requires Basic User Key initialization. If basic initialization has not occurred, all options are inaccessible to the user. Since the user has explicitly chosen to open the Admin tool by clicking Yes in the dialog box prompting "Click Yes to open Embedded Security Administration tool", uninstall waits until the Admin tool is closed. If the user clicks No in that dialog box, then the Admin tool does not open at all and uninstall proceeds.

Short description: Removing storage mediums such as a MultiBay hard drive still shows PSD availability and does not generate errors while adding or modifying data in the PSD
Details: After system restart, the PSD does not reflect file changes that occurred while the removable storage was not available. The issue is only experienced if the user accesses the PSD, then removes the hard drive before completing new data generation or transfer. If the user attempts to access the PSD when the removable hard drive is not present, an error message is displayed stating that the device is not ready.

The Admin tool i
42. en click Manage Network Accounts. The Manage Network Accounts dialog box opens.
Click the account you want to remove, and then click Remove.
In the confirmation dialog box, click Yes.
Click OK.

Using Single Sign On
Credential Manager has a Single Sign On feature that stores user names and passwords for multiple Internet and Windows programs and automatically enters logon credentials when you access a registered program.
NOTE: Security and privacy are important features of Single Sign On. All credentials are encrypted and are available only after successful logon to Credential Manager.
NOTE: You can also configure Single Sign On to validate your authentication credentials with a Java Card, a fingerprint reader, or a token before logging on to a secure site or program. This is particularly useful when logging on to programs or Web sites that contain personal information, such as bank account numbers. For more information, refer to Configuring Credential Manager settings on page 25.

Registering a new application
Credential Manager prompts you to register any application that you launch while you are logged on to Credential Manager. You can also register an application manually.

Using automatic registration
1. Open an application that requires you to log on.
2. Click the Credential Manager SSO icon in the program or Web site password dialog box.
3. Type your password for the program or Web site, and the
43. er log on to Windows is not selected as an option, allowing the system to go into S3 suspend and then waking the system causes the Credential Manager logon to Windows to open. With no administrator password set, the user cannot log on to Windows through Credential Manager because of account restrictions invoked by Credential Manager.
Solution:
- Without a Java Card token, the user can cancel the Credential Manager login and will see the Microsoft Windows login. The user can log in at this point.
- With a Java Card token, the following workaround allows the user to enable or disable opening of Credential Manager upon Java Card insertion:
  1. Click Advanced Settings.
  2. Click Service & Applications.
  3. Click Java Cards and Tokens.
  4. Click when Java Card token is inserted.
  5. Select the Advise to log on check box.

Short description: Users lose all Credential Manager credentials protected by the TPM if the TPM module is removed or damaged
Details: If the TPM module is removed or damaged, users lose all credentials protected by the TPM.
Solution: This is as designed. The TPM module is designed to protect the Credential Manager credentials. HP recommends that the user back up identity from Credential Manager prior to removing the TPM module.

Short description: Credential Manager not being set as primary logon in Windows 2000
Details: During Windows 2000 install, the logon policy is set for manual
44. er password, system administrators may find themselves locked out of a hard drive and unable to perform routine checks for unauthorized software, other asset control functions, and support.
For users with less stringent security requirements, HP does not recommend enabling DriveLock. Users in this category include personal users or users who do not maintain sensitive data on their hard drives as a common practice. For these users, the potential loss of a hard drive resulting from forgetting both passwords is much greater than the value of the data DriveLock has been designed to protect. Access to Computer Setup and DriveLock can be restricted through the Setup password. By specifying a Setup password and not giving it to end users, system administrators are able to restrict users from enabling DriveLock.

Managing Computer Setup passwords
You can use BIOS Configuration to set and change the power-on and setup passwords in Computer Setup, and also to manage various password settings.
CAUTION: The passwords you set through the Passwords page in BIOS Configuration are saved immediately upon clicking the Apply or OK button in the HP ProtectTools window. Be sure that you remember what password you have set, because you will not be able to undo a password setting without supplying the previous password.
The power-on password can protect your notebook from unauthorized use.
45. ervice dialog box opens.
4. Select a category of user whose access you want to manage.
NOTE: If the category is not Everyone, you may need to select Override default settings to override the settings for the Everyone category.
5. Click Add. The Add a Program Wizard opens.
6. Follow the on-screen instructions.

Removing protection from an application
To remove restrictions from an application:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Application Protection, click Manage Protected Applications. The Application Protection Service dialog box opens.
4. Select a category of user whose access you want to manage.
NOTE: If the category is not Everyone, you may need to click Override default settings to override the settings for the Everyone category.
5. Click the application entry you want to remove, and then click Remove.
6. Click OK.

Changing restriction settings for a protected application
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Application Protection, click Manage Protected Applications. The Application Protection Service dialog box opens.
4. Select a category of user whose access you want to manage.
NOTE: If the category
46. 31
Sending and receiving encrypted e-mail 31
Changing the Basic User Key password 32
Advanced tasks 33
Backing up and restoring 33
Creating a backup file 33
Restoring certification data from the backup file 33
Changing the owner password 34
Resetting user password 34
Enabling and disabling Embedded Security 34
Permanently disabling Embedded Security 34
Enabling Embedded Security after permanent disable 34
Migrating keys with the Migration Wizard 35
4 Java Card Security for HP ProtectTools
General tasks 37
Changing a Java Card PIN 37
Selecting the card reader 37
Advanced tasks (administrators on
47. ffers 2 options:
- It can be used in a separate logon to access Credential Manager after logging on to Windows.
- It can be used in place of the Windows logon process, allowing access to Windows and Credential Manager simultaneously.

Credential Manager recovery file password | Set in: Credential Manager, by IT administrator | Function: Protects access to the Credential Manager recovery file.

Basic User Key password | Set in: Embedded Security | Function: NOTE: Also known as Embedded Security password. Used to access Embedded Security features such as secure e-mail and file and folder encryption. When used for power-on authentication, also protects access to the computer contents when the computer is turned on, restarted, or restored from hibernation.

Emergency Recovery Token password | Set in: Embedded Security, by IT administrator | Function: NOTE: Also known as Emergency Recovery Token Key password. Protects access to the Emergency Recovery Token, which is a backup file for the embedded security chip.

HP ProtectTools password | Set in this HP ProtectTools module | Function

Owner password | Set in: Embedded Security, by IT administrator | Function: Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.

Java Card PIN | Set in: Java Card Security | Function: Protects access to the Java Card contents and authenticates users of the Java Card. When used for power-on authentication, the Jav
g into Credential Manager after transitioning from sleep mode to hibernation (on Windows XP Service Pack 1 only)
Details: After allowing the system to transition into hibernation and sleep mode, the administrator or user is unable to log into Credential Manager, and the Windows logon screen remains displayed no matter which logon credential (password, fingerprint, or Java Card) is selected.
Solution: This issue appears to be resolved in Service Pack 2 from Microsoft. Refer to Microsoft Knowledge Base article 813301 at http://www.microsoft.com for more information on the cause of the issue. In order to log on, the user must select Credential Manager and log in. After logging into Credential Manager, the user is prompted to log in to Windows (the user may have to select the Windows login option to complete the login process). If the user logs into Windows first, then the user must manually log into Credential Manager.

Short description: Restoring Embedded Security causes Credential Manager to fail
Details: Credential Manager fails to register any credentials after the ROM is restored to factory settings after the Credential Manager installation.
Solution: HP Credential Manager for ProtectTools fails to access the TPM if the ROM was reset to factory settings. The TPM embedded security chip can be enabled in the BIOS Computer Setup utility, BIOS Configuration for ProtectTools, or HP Client Manager. To enable the TPM embedded securit
he automatic backup frequency. Under Start time, use the Start time arrows to select the exact time for the backup to begin. Click Advanced to select a start date, an end date, and recurring task settings. Click Apply.
Click Settings and select settings for Scheduled Task Completed, Idle Time, and Power Management. Click Apply, and then click OK to close the dialog box.

Restoring credentials
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Restore. The HP ProtectTools Restore Wizard opens. Follow the on-screen instructions.

Configuring settings
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Settings.
3. In the right pane, select your settings, and then click OK.

2 Credential Manager for HP ProtectTools
Credential Manager for HP ProtectTools protects against unauthorized access to your computer using the following security features:
- Alternatives to passwords when logging on to Windows, such as using a Java Card or biometric reader to log on to Windows. For additional information, refer to Registering credentials on page 13.
- Single Sign On feature that automatically remembers credentials for Web sites, applica
hen click OK.
4. In the left pane, click System Configuration, and then enable or disable a system configuration option, or configure any of the following system configuration options in the right pane:
- Port Options
  - Serial Port
  - Infrared Port
  - Parallel Port
  - SD Slot
  - USB Port
  - 1394 Port
  - Cardbus Slot
  - ExpressCard slot
- Boot Options
  - F9, F10, and F12 Delay (Sec)
  - MultiBoot
  - Express Boot Popup Delay (Sec)
  - CD-ROM Boot
  - Floppy Boot
  - Internal Network Adapter Boot
  - Internal Network Adapter Boot Mode (PXE or RPL)
  - Boot Order
- Device Configurations
  - NumLock at Boot
  - Swapping fn/Ctrl Keys
  - Multiple Pointing Devices
  - USB Legacy Support
  - Parallel port mode (standard, bidirectional, EPP, or ECP)
  - Data Execution Prevention
  - SATA Native Mode
  - Dual Core CPU
  - Automatic Intel SpeedStep Functionality Support
  - Fan Always on While on AC Power
  - BIOS DMA Data Transfers
  - Intel or AMD PSAE Execution Disable
- Built-In Device Options
  - Embedded WLAN Device Radio
  - Embedded WWAN Device Radio
  - Embedded Bluetooth Device Radio
  - LAN/WLAN Switching
  - Wake on LAN from Off
5. Click Apply, and then click OK in the HP ProtectTools window to save your changes and exit.

Advanced tasks
Managing HP ProtectTools add-on module settings
Some of the features of HP ProtectTools Security Manager can be managed in BIOS Config
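The procedure above walks through the BIOS Configuration pane one option at a time. On HP business PCs the same firmware settings are exposed to Windows through HP's WMI BIOS provider, so an administrator can audit the security-relevant options (DriveLock, TPM, Data Execution Prevention, Wake on LAN, USB ports) across a fleet without clicking through the GUI. The following script is an added example and is not part of the HP manual; it assumes the HP WMI provider is present (namespace root\HP\InstrumentedBIOS, class HP_BIOSSetting), and the setting-name substrings in the filter are illustrative because names differ between HP models.

```powershell
# Added example (not from the HP manual): read HP BIOS settings through the
# HP WMI provider so the options listed in this chapter can be audited from
# Windows instead of clicked through one at a time.
# Assumptions: the HP WMI BIOS provider is installed (namespace root\HP\InstrumentedBIOS,
# class HP_BIOSSetting). Run from an elevated PowerShell prompt.
function Get-HpBiosSetting {
    param(
        # Substring to match against setting names; an empty string returns everything.
        [string]$NameLike = ''
    )
    $settings = Get-WmiObject -Namespace 'root\HP\InstrumentedBIOS' `
                              -Class 'HP_BIOSSetting' -ErrorAction Stop
    foreach ($s in $settings) {
        if ($NameLike -and ($s.Name -notlike "*$NameLike*")) { continue }
        # On many HP firmware versions Value lists every choice, with the active
        # choice marked by a leading asterisk, e.g. "Disable,*Enable".
        [pscustomobject]@{
            Name  = $s.Name
            Value = $s.Value
        }
    }
}

# Settings from this chapter that matter for security; the substrings are
# illustrative and must be adjusted to what your model actually reports.
$watch = 'TPM', 'DriveLock', 'Data Execution Prevention', 'Wake on LAN', 'USB'
foreach ($w in $watch) {
    Get-HpBiosSetting -NameLike $w | Format-Table -AutoSize
}
```

Reading is enough for an audit; changing a setting through the provider requires the BIOS administrator password, which is exactly the password this chapter tells you to protect, so keep write access to a controlled management tool rather than ad hoc scripts.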
ic User Key password, changing 32; setting 30
biometric readers 14
BIOS administrator password 7
BIOS Configuration for HP ProtectTools
  add-on module settings, managing 46
  boot options 43
  DriveLock 48
  password options, setting 50
  power-on authentication 47
  power-on authentication on Windows restart 50
  power-on password, changing 49
  power-on password, setting 49
  setup password, changing 50
  setup password, setting 49
  smart card power-on authentication 46
  stringent security 50
  system configuration options 44
BIOS setup password, changing 50; setting 49
boot options 43

C
Computer Setup
  administrator password 7
  password, changing 50
  password, setting 49
  passwords, managing 49
Credential Manager, troubleshooting 56
Credential Manager for HP ProtectTools
  account, adding 17
  account, removing 18
  administrator tasks 23
  application protection 20
  application protection, removing 21
  changing application restriction setting 21
  credential properties, configuring 24
  credentials, registering 13
  custom authentication requirements 24
  fingerprint logon 14
  fingerprint reader 14
  identity 16
  identity, clearing 16
  identity, removing 16
  locking computer 17
  logging on 12
  logon password 6
  logon specifications 23
  logon wizard 12
  new account, creating 13
  recovery file password 6
  registering fingerprints 13
  registering Java Card 14
  registering other credentials 14
  registering token 14
  registering virtual token 14
  restrict
ing DriveLock hard drive protection on page 48.

Preventing unauthorized access from internal or external locations
If a PC containing confidential data and customer information is accessed from an internal or external location, unauthorized users may be able to gain entry to corporate network resources or data from financial services, an executive or R&D team, or private information such as patient records or personal financial data. The following features help prevent unauthorized access:
- The pre-boot authentication feature, if enabled, helps prevent access to the operating system. See the following procedures:
  - Enabling and disabling smart card power-on authentication support on page 46
  - Enabling and disabling power-on authentication support for Embedded Security on page 47
  - Assigning a name to a Java Card on page 39
  - Drive Encryption for HP ProtectTools on page 52
- Embedded Security for HP ProtectTools helps protect sensitive user data or credentials stored locally on a PC, using the following procedures:
  - Embedded Security Setup procedures on page 28
  - Using the Personal Secure Drive on page 31
- Using the following procedures, Credential Manager for HP ProtectTools helps ensure that an unauthorized user cannot get passwords or access to password-protected applications:
  - Credential Manager Setup procedures
inst targeted theft:
- The pre-boot authentication feature, if enabled, helps prevent access to the operating system. See the following procedures:
  - Enabling and disabling smart card power-on authentication support on page 46
  - Enabling and disabling power-on authentication support for Embedded Security on page 47
  - Assigning a name to a Java Card on page 39
  - Drive Encryption for HP ProtectTools on page 52
- DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and installed into an unsecured system. See Enabling and disabling DriveLock hard drive protection on page 48.
- The Personal Secure Drive feature, provided by the Embedded Security for HP ProtectTools module, encrypts sensitive data to help ensure it cannot be accessed without authentication. See the following procedures:
  - Embedded Security Setup procedures on page 28
  - Using the Personal Secure Drive on page 31

Restricting access to sensitive data
Suppose a contract auditor is working onsite and has been given computer access to review sensitive financial data; you do not want the auditor to be able to print the files or save them to a writeable device such as a CD. The following feature helps restrict access to data:
- DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and installed into an unsecured system. See Enabling and disabl
ion application access 21
  settings, configuring 25
  setup procedures 12
  Single Sign On (SSO) 18
  SSO application, exporting 19
  SSO application, importing 20
  SSO application, modifying properties 19
  SSO application, removing 19
  SSO applications and credentials 19
  SSO automatic registration 18
  SSO credentials, modifying 20
  SSO manual registration 19
  SSO new application 18
  token PIN, changing 15
  USB eToken, registering 14
  user verification 26
  virtual token, creating 15
  Windows Logon 17
  Windows logon password, changing 15
  Windows logon, allow 25

D
data, restricting access to 4
decrypting a drive 52
device options 44
disabling
  device options 44
  DriveLock 48
  Embedded Security 34
  Embedded Security permanently 34
  Java Card power-on authentication 41
  power-on authentication 46
  smart card authentication 46
  stringent security 50
Drive Encryption for HP ProtectTools
  adding a user 54
  changing a token 54
  changing authentication 54
  changing encryption 53
  decrypting a drive 53
  Drive Encryption keys 55
  Drive Encryption recovery service 55
  encrypting a drive 53
  removing a user 54
  setting a password 54
DriveLock
  applications 48
  using 48

E
Embedded Security for HP ProtectTools
  backup file, creating 33
  basic user account 30
  Basic User Key 30
  Basic User Key password, changing 32
  certification data, restoring 33
  enabling after permanent disable 34
  enabling and disabling 34
  enabling TPM chip 28
  encrypted e-mail 31
irst time 13
Registering credentials 13
Registering fingerprints 13
Setting up the fingerprint reader 14
Using your registered fingerprint to log on to Windows 14
Registering a Java Card, USB eToken, or virtual token 14
Registering a USB eToken 14
Registering other credentials 14
General tasks 15
Creating a virtual token 15
Changing the Windows logon password 15
Changing a token PIN 15
Managing identity 16
Clearing an identity from the system 16
Locking the computer 17
Using Windows Logon 17
Logging on to Windows with Credential Manager 17
A
is not Everyone, you may need to click Override default settings to override the settings for the Everyone category.
5. Click the application you want to change, and then click Properties. The Properties dialog box for that application opens.
6. Click the General tab. Select one of the following settings:
   - Disabled: Cannot be used
   - Enabled: Can be used without restrictions
   - Restricted: Usage depends on settings
7. When you select Restricted, the following settings are available:
   a. If you want to restrict usage based on time, day, or date, click the Schedule tab and configure the settings.
   b. If you want to restrict usage based on inactivity, click the Advanced tab and select the period of inactivity.
8. Click OK to close the application Properties dialog box.
9. Click OK.

Advanced tasks (administrator only)
The Authentication and Credentials page and the Advanced Settings page of Credential Manager are available only to those users with administrator rights. From these pages you can perform the following tasks:
- Specifying how users and administrators log on
- Configuring custom authentication requirements
- Configuring credential properties
- Configuring Credential Manager settings

Specifying how users and administrators log on
On the Authentication and Credentials page, you can specify which type or combi
l description

Short description: EFS Encryption works without entering a password in the prompt
Details: By allowing the prompt for the User password to time out, encryption is still possible on a file or folder.
Solution: The ability to encrypt does not require password authentication, since this is a feature of Microsoft EFS encryption. Decryption will require the user password to be supplied.

Short description: Functional descriptions during the custom setup option of the installation wizard are truncated
Solution: HP will correct this in a future release.

Short description: Secure e-mail is supported even if unchecked in the User Initialization Wizard or if secure e-mail configuration is disabled in user policies
Details: Embedded Security software and the wizard do not control the settings of an e-mail client (Outlook, Outlook Express, or Netscape).
Solution: This behavior is as designed. Configuration of TPM e-mail settings does not prohibit editing encryption settings directly in the e-mail client. Usage of secure e-mail is set and controlled by 3rd-party applications. The HP wizard allows linkage to the three reference applications for immediate customization.

Short description: Running Large Scale Deployment a second time on the same PC, or on a previously initialized PC, overwrites the Emergency Recovery and Emergency Token files. The new files are useless for recovery.
Details: Running Large Scale Deployment on any previously initialized HP ProtectTools Embedde

Short description: Automated logon scripts not functioning during user restore in Embedded Security
l Token is not an option, use the procedure for Registering other credentials on page 14.
4. Follow the on-screen instructions.

Changing the Windows logon password
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Change Windows Password.
4. Type your old password in the Old password box.
5. Type your new password in the New password and Confirm password boxes.
6. Click Finish.

Changing a token PIN
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Change Token PIN.
4. Select the token for which you want to change the PIN, and then click Next.
5. Follow the on-screen instructions to complete the PIN change.

Managing identity
Clearing an identity from the system
NOTE: This does not affect your Windows user account.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Clear Identity for this Account.
4. Click Yes in the confirmation dialog box. Your identity is logged off and removed from the system.

Locking the computer
This feature is available if you log on to Windows using Credential Manager. To secure your
l times.

Short description: The PSD password box is no longer displayed when the system becomes active after Standby status
Details: When a user logs on to the system after creating a PSD, the TPM asks for the Basic User password. If the user does not enter the password and the system goes into Standby, the password dialog box is no longer available when the user resumes.
Solution: This is by design. The user has to log off and back on to view the PSD password box again.

Short description: No password required to change the Security Platform Policies
Details: Access to Security Platform Policies (both Machine and User) does not require a TPM password for users who have administrative rights on the system.
Solution: This is by design. Any administrator can modify the Security Platform Policies with or without TPM user initialization.

Short description: Microsoft EFS does not fully work in Windows 2000
Details: An administrator can access encrypted information on the system without knowing the correct password. If the administrator enters an incorrect password or cancels the password dialog, the encrypted file will open as if the administrator had entered the correct password. This happens regardless of the security settings used when encrypting the data. This occurs only in the first administrator account on Windows 2000.
Solution: The Data Recovery Policy is automatically configured to designate an administrator as a recovery
lation and create a new PSD.

Short description: If the user selects SpSystemBackup.xml when SpBackupArchive.xml is required, the Embedded Security Wizard fails with "An internal Embedded Security error has been detected"
Details: The user must select the correct .xml file to match the required reason.
Solution: The processes are working as designed and function properly; however, the internal Embedded Security error message is not clear and should state a more appropriate message. HP is working to enhance this in future products.

Short description: Security System exhibits a restore error with multiple users
Details: During the restore process, if the administrator selects users to restore, the users not selected are not able to restore their keys when trying to restore at a later time. A "decryption process failed" error message is displayed.
Solution: The non-selected users can be restored by resetting the TPM, running the restore process, and selecting all users before the next default daily backup runs. If the automated backup runs, it overwrites the non-restored users and their data is lost. If a new system backup is stored, the previous non-selected users cannot be restored. Also, the user must restore the entire system backup; an Archive Backup can be restored individually.

Short description: Resetting the System ROM to default hides the TPM
Details: Resetting the system ROM to default hides the TPM from Windows. This does not allow the security software to operate properly and makes TPM-encrypted data inaccessible.
Solution: Unhide the TP
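Two rows in the troubleshooting tables (Restoring Embedded Security causes Credential Manager to fail, and Resetting the System ROM to default hides the TPM) describe the same failure from Windows' point of view: the security software cannot find the chip. Before running a restore or blaming the software, it is worth confirming what Windows actually sees. The following script is an added example, not part of the HP manual; it assumes the Win32_Tpm WMI class (namespace root\cimv2\Security\MicrosoftTpm) is available, which requires Windows Vista or later and an elevated prompt, so it does not apply to the Windows 2000 and XP systems the manual also covers.

```powershell
# Added example (not from the HP manual): confirm that Windows can see the TPM
# and report its enabled / activated / owned state before running Embedded
# Security or a restore. Assumption: the Win32_Tpm WMI class exists
# (Windows Vista or later), and the script runs from an elevated PowerShell.
function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class 'Win32_Tpm' -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No instance means the chip is hidden or disabled in the BIOS (or absent);
        # this is what a ROM reset to factory defaults looks like from Windows.
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false
            Owned = $false; SpecVersion = $null
        }
    }
    # Win32_Tpm exposes these as methods that return an object carrying a
    # property of the same name.
    [pscustomobject]@{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled
        Activated   = [bool]$tpm.IsActivated().IsActivated
        Owned       = [bool]$tpm.IsOwned().IsOwned
        SpecVersion = $tpm.SpecVersion
    }
}

$state = Get-TpmState
$state | Format-List
if (-not $state.Present) {
    Write-Warning 'TPM not visible to Windows: enable it in Computer Setup (F10) or in BIOS Configuration for HP ProtectTools, then retry.'
} elseif (-not ($state.Enabled -and $state.Activated)) {
    Write-Warning 'TPM is present but not enabled and activated; Embedded Security cannot use it.'
}
```

A chip that is present, enabled, and activated but not owned is the state after a TPM reset; the owner password and Emergency Recovery Token from the original initialization are then needed for the restore described in this table.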
lick here to backup your keys.
4. Select a diskette, flash storage device, or some other USB-connected storage media on which to save the recovery information, and then click Next. The Drive Encryption for HP ProtectTools Wizard opens.
5. Follow the on-screen instructions to back up the Drive Encryption keys.
NOTE: You will need to specify a diskette, flash storage device, or some other USB-connected storage media on which the recovery information will be stored.

7 Troubleshooting
Credential Manager for ProtectTools

Short description: Using the Credential Manager Network Accounts option
Details: Using TPM authentication, the user is only logged into the local computer. A user can normally select which domain account to log into; when TPM authentication is used, this option is not available.
Solution: Using the Credential Manager Single Sign On tools allows the user to authenticate other accounts. All other authentication methods work properly.

Short description: USB token credential is not available with login to Windows XP Service Pack 1
Details: After installing the USB token software, registering the USB token credential, and setting Credential Manager as the primary login, the USB token is neither listed nor available in the Credential Manager GINA logon.
Solution: This only occurs with Windows XP Service Pack 1; update Windows to Service Pack 2 via Windows Update to correct it. To work around the issue if retaining Service Pack 1, log back into Windows
log on.
   - Use OR to require one of two or more authentication methods. Users will be able to choose any of the selected methods each time they log on.
9. Click OK.
10. Click Apply, and then click OK.

Configuring credential properties
On the Credentials tab of the Authentication and Credentials page, you can view the list of available authentication methods and modify the settings. To configure the credentials:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Authentication and Credentials.
3. In the right pane, click the Credentials tab.
4. Click the credential type you want to modify. You can modify the credential using one of the following choices:
   - To register the credential, click Register, and then follow the on-screen instructions.
   - To delete the credential, click Clear, and then click Yes in the confirmation dialog box.
   - To modify the credential properties, click Properties, and then follow the on-screen instructions.
5. Click Apply, and then click OK.

Configuring Credential Manager settings
From the Settings page, you can access and modify various settings using the following tabs:
- General: Allows you to modify the settings for basic configuration.
- Single Sign On: Allows you to modify the settings for how Single Sign On works for the current user, such as how it h
lowing tasks:
- Produces a Basic User Key that protects encrypted information, and sets a Basic User Key password to protect the Basic User Key.
- Sets up a personal secure drive (PSD) for storing encrypted files and folders.
CAUTION: Safeguard the Basic User Key password. Encrypted information cannot be accessed or recovered without this password.

To set up a basic user account and enable the user security features:
1. If the Embedded Security User Initialization Wizard is not open, select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Embedded Security Features, click Configure. The Embedded Security User Initialization Wizard opens.
4. Follow the on-screen instructions.
NOTE: To use secure e-mail, you must first configure the e-mail client to use a digital certificate that is created with Embedded Security. If a digital certificate is not available, you must obtain one from a certification authority. For instructions on configuring your e-mail and obtaining a digital certificate, refer to the e-mail client online Help.

General tasks
After the basic user account is set up, you can perform the following tasks:
- Encrypting files and folders
- Sending and receiving encrypted e-mail

Using the Personal Secure Drive
After setting
ly 38
Assigning a Java Card PIN 38
Assigning a name to a Java Card 39
Setting power-on authentication 39
Enabling Java Card power-on authentication and creating an administrator Java Card 40
Creating a user Java Card 41
Disabling Java Card power-on authentication 41

5 BIOS Configuration for HP ProtectTools
General tasks 43
Managing boot options 43
Enabling and disabling system configuration options 44
Advanced tasks 46
Managing HP ProtectTools add-on module settings 46
Enabling and disabling smart card power-on authentication support 46
Enabling and disabling power-on authentication support for Embedded Security 47
Enabling and disabling DriveLock hard drive protection 48
Using DriveLock 48
DriveLock Application
n click OK. The Credential Manager Single Sign On dialog box opens.
Click More and select from the following options:
- Do not use SSO for this site or application
- Prompt to select account for this application
- Fill in credentials but do not submit
- Authenticate user before submitting credentials
- Show SSO shortcut for this application
Click Yes to complete the registration.

Using manual (drag and drop) registration
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, click Single Sign On, and then click Register New Application. The SSO Application Wizard opens.
4. Follow the on-screen instructions.

Managing applications and credentials
Modifying application properties
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to modify, and then click Properties.
5. Click the General tab to modify the application name and description.
6. Change the settings by selecting or clearing the check boxes next to the appropriate settings.
7. Click the Script tab to view and edit the SSO applica
nation of credentials is required of either users or administrators. To specify how users or administrators log on:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Authentication and Credentials.
3. In the right pane, click the Authentication tab.
4. Click the category (Users or Administrators) from the category list.
5. Click the type or combination of authentication methods from the list.
6. Click Apply, and then click OK.

Configuring custom authentication requirements
If the set of authentication credentials you want is not listed on the Authentication tab of the Authentication and Credentials page, you can create custom requirements. To configure custom requirements:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Authentication and Credentials.
3. In the right pane, click the Authentication tab.
4. Click the category (Users or Administrators) from the category list.
5. Click Custom in the list of authentication methods.
6. Click Configure.
7. Select the authentication methods you want to use.
8. Choose the combination of methods by clicking one of the following selections:
   - Use AND to combine the authentication methods. Users will have to authenticate with all of the methods you checked each time they
ncryption management 53

User management
Add a user
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click User Management.
3. In the right pane, click Add. Click a user name in the User Name list, or type a user name in the Username box. Click Next.
4. Type the Windows password for the selected user, and then click Next.
5. Select an authentication method for the new user, and then click Finish.

Remove a user
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click User Management.
3. In the right pane, click the user name to remove in the User Name list. Click Remove.
4. Click Yes to confirm that you want to remove the selected user.

Change token
Change the authentication method for a user as follows:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click User Management.
3. In the right pane, select a user name from the User Name list, and then click Change Token.
4. Type the user's Windows password, and then click Next.
5. Select a new authentication method, and then click Finish.
6. If you selected a Java Card as the authentication method, type the Java Card password when prompted, and then click OK.

Set password
Set a password or change the authentication method for a user as follows:
1. Select Start > All Pr
ndows XP. This is true whether or not an Embedded Security TPM is installed.

Short description: EFS does not require a password to view encrypted files in Windows 2000
Details: If a user sets up Embedded Security, logs on as an administrator, then logs off and back on as the administrator, the user can subsequently see files and folders in Windows 2000 without a password. This occurs only in the first administrator account on Windows 2000; if a secondary administrator account is logged into, this does not occur.
Solution: This is as designed. It is a feature of EFS in Windows 2000. EFS in Windows XP, by default, will not let the user open files and folders without a password.

Short description: Software should not be installed on a restore with a FAT32 partition
Details: If the user attempts to restore the hard drive using FAT32, there will be no encrypt options for any files or folders using EFS.
Solution: This is as designed. Microsoft EFS is supported only on NTFS and will not function on FAT32. This is a feature of Microsoft's EFS and is not related to HP ProtectTools software.

Short description: Windows 2000 user can share any PSD to the network through the hidden share
Details: The hidden share can be accessed over the network using the hidden share name. The PSD is not normally shared on the network, but it can be through the hidden share, in Windows 2000 only.
Solution: HP recommends always having the built-in Administrator acc
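Two of the rows above, together with the "EFS Encryption works without entering password" row earlier in this chapter, reduce to conditions a practitioner can check directly rather than discover after a restore: EFS only functions on NTFS, files you believe are protected must actually carry the Encrypted attribute, and on Windows 2000 a PSD can leak through a hidden share. The following script is an added example, not part of the HP manual, that performs those checks; it assumes an elevated PowerShell 3.0 or later session on the machine being inspected, and the folder path it inspects is illustrative.

```powershell
# Added example (not from the HP manual): verify the preconditions the
# troubleshooting table relies on before trusting EFS-protected data on a PC.
# Assumptions: elevated PowerShell 3.0+ on the machine being checked; the
# sample path passed at the bottom is illustrative and does not exist by default.
function Test-EfsPrerequisites {
    param(
        # Folder expected to hold EFS-encrypted files.
        [Parameter(Mandatory)] [string]$Path
    )
    $drive = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).Path)
    # DriveInfo works on every Windows version; FAT32 here means EFS is not available.
    $fs = (New-Object System.IO.DriveInfo($drive)).DriveFormat
    $files = @(Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue)
    # Encryption is a per-file attribute; a folder marked for encryption does not
    # retroactively protect files that were copied in without it.
    $unencrypted = @($files | Where-Object {
        [int]($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0
    })
    [pscustomobject]@{
        Drive        = $drive
        FileSystem   = $fs
        EfsUsable    = ($fs -eq 'NTFS')
        FilesChecked = $files.Count
        Unencrypted  = @($unencrypted | Select-Object -ExpandProperty FullName)
    }
}

function Get-HiddenShares {
    # Win32_Share lists administrative shares (C$, ADMIN$) and any user-created
    # share whose name ends in $, which is how a PSD could be exposed on Windows 2000.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Name -like '*$' } |
        Select-Object Name, Path, Description
}

$report = Test-EfsPrerequisites -Path 'C:\Users\Public\Confidential'   # illustrative path
$report | Format-List
if (-not $report.EfsUsable) {
    Write-Warning "$($report.Drive) is $($report.FileSystem): EFS is not available here; convert the volume to NTFS or use Drive Encryption."
}
if ($report.Unencrypted.Count -gt 0) {
    Write-Warning "$($report.Unencrypted.Count) file(s) under the protected folder are not encrypted."
}
Get-HiddenShares | Format-Table -AutoSize
```

The Encrypted attribute only tells you that EFS wrapped the file; which recovery agents can open it is governed by the Data Recovery Policy discussed earlier in this table, so a clean report here does not remove the Windows 2000 first-administrator caveat.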
nto plain text.
Digital certificate: Electronic credentials that confirm the identity of an individual or a company by binding the identity of the digital certificate owner to a pair of electronic keys that are used to sign digital information.
Digital signature: Data sent with a file that verifies the sender of the material and that the file has not been modified after it was signed.
Domain: Group of computers that are part of a network and share a common directory database. Domains are uniquely named, and each has a set of common rules and procedures.
DriveLock: Security feature that links the hard drive to a user and requires the user to correctly type the DriveLock password when the computer starts up.
Emergency recovery archive: Protected storage area that allows the re-encryption of basic user keys from one platform owner key to another.
Encryption: Procedure, such as use of an algorithm, employed in cryptography to convert plain text into cipher text in order to prevent unauthorized recipients from reading that data. There are many types of data encryption, and they are the basis of network security. Common types include Data Encryption Standard and public key encryption.
Encrypting File System (EFS): System that encrypts all files and subfolders within the selected folder.
FAT partition: File Allocation Table, a method of indexing storage media.
Identity: In HP ProtectTools Credential Manager, a group of credentials and settings that is han
ograms > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click User Management.
3. In the right pane, select the user from the User Name list, and then click Set Password.
4. Type the user's Windows password, and then click Next.
5. Select the new authentication method, and then click Finish.
6. If you selected a Java Card as the authentication method, type the Java Card password when prompted, and then click OK.

Recovery
The following two safety measures are available to you:
- If you forget your password, you cannot access your encrypted drives. You may, however, register with the Drive Encryption recovery service to enable you to access your computer if you forget your password.
- You may back up your Drive Encryption keys on a diskette, flash storage device, or some other USB-connected storage media.

Registering with the Drive Encryption recovery service
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Recovery.
3. In the right pane, click Click here to register. Type the requested information to complete the security backup procedure.

Backing up your Drive Encryption keys
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Recovery.
3. In the right pane, click C
om your computer. Without these passwords or PIN, the computer cannot be unlocked. Enabling stringent security provides enhanced protection for the power-on and administrator passwords and other forms of power-on authentication.

To enable or disable stringent security:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click BIOS Configuration, and then click Security.
3. In the right pane, under Password Options, enable or disable Stringent Security.
NOTE: If you want to disable stringent security, clear the Enable Stringent Security check box.
4. Click Apply, and then click OK in the HP ProtectTools window.

Enabling and disabling power-on authentication on Windows restart

This option allows you to enhance security by requiring users to type a power-on, TPM, or smart card password when Windows restarts.

To enable or disable power-on authentication on Windows restart:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click BIOS Configuration, and then click Security.
3. In the right pane, under Password Options, enable or disable Require password on restart.
4. Click Apply, and then click OK in the HP ProtectTools window.

6 Drive Encryption for HP ProtectTools

CAUTION: If you decide to uninstall the Drive Encryption module, yo
on a

Short description | Details | Solution

Short description: authentication does not give the Network Accounts option
Details: user can select which domain account to log into. When TPM authentication is used, this option is not available.
Solution: HP is researching a workaround for future product enhancements.

Short description: Domain administrators cannot change Windows password even with authorization
Details: This happens after a domain administrator logs on to a domain and registers the domain identity with Credential Manager using an account with Administrator's rights on the domain and the local PC. When the domain administrator attempts to change the Windows password from Credential Manager, the administrator gets an error: logon failure: User account restriction.
Solution: Credential Manager cannot change a domain user's account password through Change Windows password. Credential Manager can only change local PC account passwords. The domain user can change his/her password through the Windows security > Change password option, but since the domain user does not have a physical account on the local PC, Credential Manager can only change the password used to log in to Credential Manager.

Short description: Single Sign On default settings should be set to prompt to prevent loop
Details: Single Sign On default is set to log users on automatically. However, when creating the second of two different password-protected documents, Credential Manager uses the last password recorded, the
on page 12
• Using Single Sign On on page 18
• The Personal Secure Drive feature encrypts sensitive data to help ensure it cannot be accessed without authentication, using the following procedures:
  Embedded Security Setup procedures on page 28
  Using the Personal Secure Drive on page 31

Creating strong password policies

If a mandate goes into effect that requires the use of a strong password policy for dozens of Web-based applications and databases, Credential Manager for HP ProtectTools provides a protected repository for passwords and Single Sign On convenience, using the following procedures:
• Credential Manager Setup procedures on page 12
• Using Single Sign On on page 18

For stronger security, Embedded Security for HP ProtectTools then protects that repository of user names and passwords. This allows users to maintain multiple strong passwords without having to write them down or try to remember them. See Embedded Security Setup procedures on page 28.

Additional security elements

Assigning security roles

In managing computer security, particularly for large organizations, one important practice is to divide responsibilities and rights among various types of administrators and users.

NOTE: In a small organization or for individual use, these roles may all be held by the same person.

For HP ProtectTools, the secu
or auto logon admin
Details: If auto logon is chosen, then the Windows default registry settings set the default auto admin logon value at 1, and Credential Manager does not override this.
Solution: This is as designed. If the user wishes to modify operating-system-level settings for auto admin logon values for bypassing, the edit path is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
CAUTION: Use Registry Editor at your own risk. Using the Registry Editor (regedit) incorrectly can cause serious problems that may require you to reinstall the operating system. There is no guarantee that problems resulting from the incorrect use of Registry Editor can be solved.

Short description: Fingerprint logon message appears whether or not fingerprint reader is installed or registered
Details: If the user selects Windows logon, the following desktop alert appears in the Credential Manager task bar: You can place your finger on the fingerprint reader to log on to Credential Manager.
Solution: The purpose of the desktop alert is to notify the user that fingerprint authentication is available if it is configured.

Short description: Credential Manager logon window for Windows 2000 states insert card when no reader is attached
Details: The Windows Credential Manager Welcome screen suggests the user can log on with insert card when no Java Card reader is attached.
Solution: The purpose of the alert is to notify the user that Java Card authentication is available if it is configured.

Short description: Unable to lo
ount password protected.

Short description: User is able to encrypt or delete the recovery archive XML file
Details: By design, the ACLs for this folder are not set; therefore a user can inadvertently or purposely encrypt or delete the file, making it inaccessible. Once this file has been encrypted or deleted, no one can use the TPM software.
Solution: This is as designed. Users have access rights to an emergency archive in order to save/update their Basic User Key backup copy. Customers should adopt a best-practices security approach and instruct users never to encrypt or delete the recovery archive files.

Short description: HP ProtectTools Embedded Security EFS interaction with Symantec Antivirus or Norton Antivirus produces longer encryption/decryption and scan times
Details: Encrypted files interfere with Symantec Antivirus or Norton Antivirus 2005 virus scan. During the scan process, the Basic User password prompt asks the user for a password every 10 files or so. If the user does not enter a password, the Basic User password prompt times out, allowing NAV2005 to continue with the scan. Encrypting files using HP ProtectTools Embedded Security EFS
Solution: To reduce the time required to scan HP ProtectTools Embedded Security EFS files, the user can either enter the encryption password before scanning or decrypt before scanning. To reduce the time required to encrypt/decrypt data using HP ProtectTools Embedded Security EFS, the user should disable Auto-Protect on Symantec Antivir
pens.
5. Follow the on-screen instructions.

Registering other credentials
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Register Credentials. The Credential Manager Registration Wizard opens.
4. Follow the on-screen instructions.

General tasks

All users have access to the My Identity page in Credential Manager. From the My Identity page, you can perform the following tasks:
• Creating a virtual token
• Changing the Windows logon password
• Managing a token PIN
• Managing identity
• Locking the computer
NOTE: This option is available only if the Credential Manager classic logon prompt is enabled. See Example 1: Using the Advanced Settings page to allow Windows logon from Credential Manager on page 25.

Creating a virtual token

A virtual token works very much like a Java Card or USB eToken. The token is saved either on the computer hard drive or in the Windows registry. When you log on with a virtual token, you are asked for a user PIN to complete the authentication.

To create a new virtual token:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Virtual Token. The Credential Manager Registration Wizard opens.
NOTE: If Virtua
r
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the administrator Java Card.
4. In the right pane, under Power-on authentication, clear the Enable check box.
5. Type a PIN for the Java Card, and then click OK.

5 BIOS Configuration for HP ProtectTools

BIOS Configuration for HP ProtectTools provides access to the Computer Setup utility security and configuration settings. This gives users Windows access to system security features that are managed by Computer Setup.

With BIOS Configuration, you can accomplish the following objectives:
• Manage power-on passwords and administrator passwords
• Configure other power-on authentication features, such as enabling embedded security authentication support
• Enable and disable hardware features, such as CD-ROM boot or different hardware ports
• Configure boot options, which includes enabling MultiBoot and changing the boot order

NOTE: Many of the features in BIOS Configuration for HP ProtectTools are also available in Computer Setup.

General tasks

BIOS Configuration allows you to manage various computer settings that would otherwise be accessible only by pressing F10 at startup and entering Computer Setup.

Managing boot options

You can use BIOS
r copies files and folders to the PSD and tries to encrypt folders/files or folders/subfolders, the Error Applying Attributes message appears. The user can encrypt the same files on the C drive on an extra installed hard drive.
Solution: This is as designed. Moving files/folders to the PSD automatically encrypts them. There is no need to double-encrypt the files/folders. Attempting to double-encrypt them on the PSD using EFS will produce this error message.

Short description: Cannot Take Ownership With Another OS In MultiBoot Platform
Details: If a drive is set up for multiple OS boot, ownership can only be taken with the platform initialization wizard in one operating system.
Solution: This is as designed for security reasons.

Short description: Unauthorized administrator can view, delete, rename, or move the contents of encrypted EFS folders
Details: Encrypting a folder does not stop an unauthorized user with administrative rights from viewing, deleting, or moving the contents of the folder.
Solution: This is as designed. It is a feature of EFS, not the Embedded Security TPM. Embedded Security uses Microsoft EFS software, and EFS preserves file/folder access rights for all administrators.

Short description: Encrypted folders with EFS in Windows 2000 are not shown highlighted in green
Details: Encrypted folders with EFS are highlighted in green in Windows XP but not in Windows 2000.
Solution: This is as designed. It is a feature of EFS that it does not highlight encrypted folders in Windows 2000, but it does in Wi
rint to log on to Windows, swipe your finger to log on.
2. If you have not registered your fingerprint to log on to Windows, click the keyboard icon in the upper-left corner of the screen, next to the fingerprint icon. The Credential Manager Logon Wizard opens.
3. Click the User name arrow, and then click your name.
4. Type your password in the Password box, and then click Next.
5. Select More > Wizard Options.
   a. If you want this to be the default user name the next time that you log on to the computer, select the Use last user name on next logon check box.
   b. If you want this logon policy to be the default method, select the Use last policy on next logon check box.
6. Follow the on-screen instructions. If your authentication information is correct, you will be logged on to your Windows account and to Credential Manager.

Adding an account
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, click Windows Logon, and then click Add a Network Account. The Add Network Account Wizard opens.
4. Follow the on-screen instructions.

Removing an account
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, click Windows Logon, and th
rity chip has already an Embedded Security owner.
• When attempting to launch the User Initialization Wizard, the following error is displayed: The Embedded security is not initialized. To use the wizard, the Embedded Security must be initialized first.

Perform the following procedure to recover from the power loss.
NOTE: Use the Arrow keys to select various menus and menu items and to change values, unless otherwise specified.
1. Start or restart the computer.
2. Press F10 when the F10 Setup message appears on screen, or as soon as the monitor LED turns green.
3. Select the appropriate language option.
4. Press Enter.
5. Select Security > Embedded Security.
6. Set the Embedded Security Device option to Enable.
7. Press F10 to accept the change.
8. Select File > Save Changes and Exit.
9. Press Enter.
10. Press F10 to save the changes and exit the F10 Setup utility.

Short description: Computer Setup F10 Utility password can be removed after enabling TPM Module
Details: Enabling the TPM module requires a Computer Setup F10 Utility password. Once the module has been enabled, the user can remove the password. This allows anyone with direct access to the system to reset the TPM module and cause possible loss of data.
Solution: This is as designed. The Computer Setup F10 Utility password can only be removed by a user who knows the password. However, HP strongly recommends having the Computer Setup F10 Utility password protected at al
rity duties and privileges can be divided into the following roles:
• Security officer: Defines the security level for the company or network and determines the security features to deploy, such as Java Cards, biometric readers, or USB tokens.
NOTE: Many of the features in HP ProtectTools can be customized by the security officer in cooperation with HP. For more information, see the HP Web site at http://www.hp.com.
• IT administrator: Applies and manages the security features defined by the security officer. Can also enable and disable some features. For example, if the security officer has decided to deploy Java Cards, the IT administrator can enable Java Card BIOS security mode.
• User: Uses the security features. For example, if the security officer and IT administrator have enabled Java Cards for the system, the user can set the Java Card PIN and use the card for authentication.

Managing HP ProtectTools passwords

Most of the HP ProtectTools Security Manager features are secured by passwords. The following table lists the commonly used passwords, the software module where the password is set, and the password function. The passwords that are set and used by IT administrators only are indicated in this table as well. All other passwords may be set by regular users or administrators.

HP ProtectTools password | Set in this HP ProtectTools module | Function
Credential Manager logon password | Credential Manager | This password o
s 48
Managing Computer Setup passwords 49
Setting the power-on password 49
Changing the power-on password 49
Setting the setup password 49
Changing the setup password 50
Setting password options 50
Enabling and disabling stringent security 50
Enabling and disabling power-on authentication on Windows restart 50
6 Drive Encryption for HP ProtectTools
Encryption management 53
User management 54
Recovery 55
7 Troubleshooting
Credential Manager for ProtectTools 56
Embedded Security for ProtectTools 60
Miscellaneous
s used for disabling the TPM chip, but that option is not available unless the Basic User Key has already been initialized. If it has not, then select OK or Cancel in order to continue with the uninstallation process.

Short description: Intermittent system lockup occurs after creating PSD on 2 user accounts and using fast user switching in 128 MB system configurations
Details: System may lock up with a black screen and non-responding keyboard and mouse instead of showing the welcome logon screen when using fast switching with minimal RAM.
Solution: Root cause suspicion is a timing issue in low-memory configurations. Integrated graphics uses UMA architecture, taking 8 MB of memory and leaving only 120 available to the user. This 120 MB is shared by both users who are logged in and are fast user switching when the error is generated. Workaround is to reboot the system, and the customer is encouraged to increase the memory configuration. HP does not ship 128 MB configurations by default with security modules.

Short description: EFS User Authentication password request times out with access denied
Details: The EFS User Authentication password reopens after clicking OK or returning from standby state after timeout.
Solution: This is by design. To avoid issues with Microsoft EFS, a 30-second watchdog timer was created to generate the error message.

Short description: Minor truncation during setup of Japanese is observed in functiona
sable Embedded Security State temporarily in Embedded Security GUI
Details: The current 4.0 software was designed for HP Notebook 1.1B implementations as well as supporting HP Desktop 1.2 implementations. This option to disable is still supported in the software interface for TPM 1.1 platforms.
Solution: HP will address this issue in future releases.

Miscellaneous

Software impacted | Short description | Details | Solution

Software impacted: HP ProtectTools Security Manager
Short description: Warning received: The security application can not be installed until the HP ProtectTools Security Manager is installed
Details: All security applications, such as Embedded Security, Java Card, and biometrics, are extendable plug-ins for the HP Security Manager interface. Security Manager must be installed before an HP-approved security plug-in can be loaded.
Solution: HP ProtectTools Security Manager software must be installed before installing any security plug-in.

Software impacted: HP ProtectTools TPM Firmware Update Utility for dc7600 and models containing Broadcom-enabled TPMs
Short description: The tool provided through the HP support Web site reports ownership required
Details: This is the expected behavior of the TPM firmware utility for dc7600 and models containing Broadcom-enabled TPMs. The firmware upgrade tool allows the user to upgrade the firmware with or without an endorsement key (EK). When there is no EK, no authorization is required to complete the firmware upgrade.
st. Therefore, DriveLock is most safely used when the data contained on the hard drive is replicated on a corporate information system or is regularly backed up. In the event that both DriveLock passwords are lost, the hard drive is rendered unusable. For users who do not fit the previously defined customer profile, this may be an unacceptable risk. For users who do fit the customer profile, it may be a tolerable risk given the nature of the data stored on the hard drive.

Using DriveLock

When one or more hard drives that support the ATA Security command set are detected, the DriveLock option appears under the Security menu in Computer Setup. The user is presented with options to set the master password or to enable DriveLock. A user password must be provided in order to enable DriveLock. Since the initial configuration of DriveLock is typically performed by a system administrator, a master password should be set first. HP encourages system administrators to set a master password whether they plan to enable DriveLock or keep it disabled. This will give the administrator the ability to modify DriveLock settings if the drive is locked in the future. Once the master password is set, the system administrator may enable DriveLock or choose to keep it disabled.

If a locked hard drive is present, POST will require a password to unlock the device. If a power-on password is set and it matches the device's user password, POST will not prompt the user to re-enter
that would appear in a dictionary.
• Do not use your name for the password, or any other personal information such as birth date, pet names, or mother's maiden name, even if you spell it backwards.
• Change passwords regularly. You might change only a couple of characters that increment.
• If you write down your password, do not store it in a commonly visible place very close to the computer.
• Do not save the password in a file, such as an e-mail, on the computer.
• Do not share accounts or tell anyone your password.

HP ProtectTools Backup and Restore

HP ProtectTools Backup and Restore provides a convenient and quick way to back up and restore credentials from all supported HP ProtectTools modules.

Backing up credentials and settings

You can back up credentials in the following ways:
• Use the HP ProtectTools Backup Wizard to select and back up HP ProtectTools modules.
• Back up preselected HP ProtectTools modules.
NOTE: You must set backup options before you can use this method.
• Schedule backups.
NOTE: You must set backup options before you can use this method.

Using the HP ProtectTools Backup Wizard to select and back up HP ProtectTools modules
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Backup Options. The HP ProtectTools Backup Wizard opens.
4. Follow the on
the password. Otherwise, the user will be prompted to enter a DriveLock password. On a cold boot, either the master or the user password may be used. On a warm boot, enter the same password used to unlock the drive during the preceding cold boot. Users will have two attempts to enter a correct password. On a cold boot, if neither attempt succeeds, POST will continue but the drive will remain inaccessible. On a warm boot or restart from Windows, if neither attempt succeeds, POST will halt and the user will be instructed to cycle power.

DriveLock Applications

The most practical use of the DriveLock security feature is in a corporate environment. The system administrator would be responsible for configuring the hard drive, which would involve, among other things, setting the DriveLock master password and a temporary user password. In the event that the user forgets the user password or the equipment is passed on to another employee, the master password can always be used to reset the user password and regain access to the hard drive.

HP recommends that corporate system administrators who choose to enable DriveLock also establish a corporate policy for setting and maintaining master passwords. This should be done to prevent a situation where an employee intentionally or unintentionally sets both DriveLock passwords before leaving the company. In such a scenario, the hard drive would be rendered unusable and require replacement. Likewise, by not setting a mast
tion requires you to use a Java Card to start the computer. The process of enabling Java Card power-on authentication involves the following steps:
1. Enable Java Card power-on authentication support in BIOS Configuration or Computer Setup. For more information, see Enabling and disabling smart card power-on authentication support on page 46.
2. Enable Java Card power-on authentication in Java Card Security.
3. Create and enable the administrator Java Card.

Enabling Java Card power-on authentication and creating an administrator Java Card

To enable Java Card power-on authentication:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the Java Card into the card reader.
NOTE: If you have not assigned a name and PIN to this card, the New Card dialog box opens, allowing you to type a new name and PIN.
4. In the right pane, under Power-on authentication, select the Enable check box.
5. Type your Computer Setup password in the Computer Setup Password dialog box, and then click OK.
6. If you do not have DriveLock enabled, type the Java Card PIN, and then click OK.
   or
   If you do have DriveLock enabled:
   a. Click Make Java card identity unique, or click Make the Java card identity the same as the DriveLock password.
NOTE: If DriveLock is enabled on the computer, you c
tion script. Click OK.

Removing an application from Single Sign On
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to remove, and then click Remove.
5. Click Yes in the confirmation dialog box.
6. Click OK.

Exporting an application

You can export applications to create a backup copy of the Single Sign On application script. This file can then be used to recover the Single Sign On data. This acts as a supplement to the identity backup file, which contains only the credential information.

To export an application:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to export. Then click More > Applications > Export Script.
5. Follow the on-screen instructions to complete the export.
6. Click OK.

Importing an application
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign
tions and protected network resources
• Support for optional security devices, such as Java Cards and biometric readers
• Support for additional security settings, such as requiring authentication using an optional security device to unlock the computer

Setup procedures

Logging on to Credential Manager

Depending on the configuration, you can log on to Credential Manager in any of the following ways:
• Credential Manager Logon Wizard (preferred)
• HP ProtectTools Security Manager icon in the notification area
• HP ProtectTools Security Manager

NOTE: If you use the Credential Manager Logon prompt on the Windows Logon screen to log on to Credential Manager, you are logged on to Windows at the same time.

The first time you open Credential Manager, log on with your regular Windows Logon password. A Credential Manager account is then automatically created with your Windows logon credentials.

After logging on to Credential Manager, you can register additional credentials, such as a fingerprint or a Java Card. For additional information, refer to Registering credentials on page 13. At the next logon, you can select the logon policy and use any combination of the registered credentials.

Using the Credential Manager Logon Wizard

To log on to Credential Manager using the Credential Manager Logon Wizard, use the following steps:
1. Open the Credential Manager Logon Wizard in any of the following ways:
   • From the Windows logon
u must first decrypt all encrypted drives. If you do not, you will not be able to access the data on encrypted drives unless you have registered with the Drive Encryption recovery service (see Recovery on page 55). Reinstalling the Drive Encryption module will not enable you to access the encrypted drives.

Encryption management

Encrypting a drive
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Encryption Management.
3. In the right pane, click Activate. The Drive Encryption for HP ProtectTools Wizard opens.
4. Follow the on-screen instructions to activate encryption.
NOTE: You will need to specify a diskette, flash storage device, or some other USB-connected storage media on which the recovery information will be stored.

Change encryption
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Encryption Management.
3. In the right pane, click Change encryption. Select the disks to encrypt in the Change Encryption dialog box, and then click OK.
4. Click OK again to begin encryption.

Decrypting a drive
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Encryption Management.
3. In the right pane, click Deactivate.
up the PSD, you are prompted to type the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.

Encrypting files and folders

When working with encrypted files, consider the following rules:
• Only files and folders on NTFS partitions can be encrypted. Files and folders on FAT partitions cannot be encrypted.
• System files and compressed files cannot be encrypted, and encrypted files cannot be compressed.
• Temporary folders should be encrypted because they are potentially of interest to hackers.
• A recovery policy is automatically set up when you encrypt a file or folder for the first time. This policy ensures that if you lose your encryption certificates and private keys, you will be able to use a recovery agent to decrypt your information.

To encrypt files and folders:
1. Right-click the file or folder that you want to encrypt.
2. Click Encrypt.
3. Click one of the following options:
   • Apply changes to this folder only
   • Apply changes to this folder, subfolders, and files
4. Click OK.

Sending and receiving encrypted e-mail

Embedded Security enables you to send and receive encrypted e-mail, but the procedures vary depending upon the program you use to access your e-mail. For more information, refer to the Embedded Security online Help and the online Help for your e-mail.

Changing the Basic User Key password
uration

Enabling and disabling smart card power-on authentication support

Enabling this option allows you to use a smart card for user authentication when you turn on the computer.
NOTE: To fully enable the power-on authentication feature, you must also configure a smart card using the Java Card Security for HP ProtectTools module.

To enable smart card power-on authentication support:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click BIOS Configuration.
3. Type your Computer Setup administrator password at the BIOS administrator password prompt, and then click OK.
4. In the left pane, click Security.
5. Under Smart Card Security, click Enable.
NOTE: To disable smart card power-on authentication, click Disable.
6. Click Apply, and then click OK in the HP ProtectTools window.

Enabling and disabling power-on authentication support for Embedded Security

Enabling this option allows the system to use the TPM embedded security chip (if available) for user authentication when you turn on the computer.
NOTE: To fully enable the power-on authentication feature, you must also configure the TPM embedded security chip using the Embedded Security for HP ProtectTools module.

To enable power-on authentication support for embedded security:
1. Select Start > All Programs >
us or Norton Antivirus

takes longer when Symantec Antivirus or Norton Antivirus is running.

Short description: Cannot save emergency recovery archive to removable media.
Details: If the user inserts an MMC or SD card when creating the emergency recovery archive path during Embedded Security Initialization, an error message is displayed.
Solution: This is as designed. Storage of the recovery archive on removable media is not supported. The recovery archive can be stored on a network drive or another local drive other than the C drive.

Short description: Cannot encrypt any data in the Windows 2000 French (France) environment.
Details: There is no Encrypt selection when right-clicking a file icon.
Solution: This is a Microsoft operating system limitation. If the locale is changed to anything else (French (Canada), for example), then the Encrypt selection will appear. To work around the problem, encrypt the file as follows: right-click the file icon and select Properties > Advanced > Encrypt Contents.

Short description: Errors occur after experiencing a power loss while taking ownership during the Embedded Security Initialization.
Details: If there is a power loss while initializing the Embedded Security chip, the following issues will occur:
• When attempting to launch the Embedded Security Initialization Wizard, the following error is displayed: "The Embedded security cannot be initialized since the Embedded Secu
wnload and update the TPM firmware. The TPM Firmware SoftPaq is a support download available at http://www.hp.com.

Software impacted: HP ProtectTools Security Manager
Short description: Intermittently an error is returned when closing the Security Manager interface.
Details: Intermittently (1 in 12 instances) an error is created by using the close button in the upper right of the screen to close Security Manager before all plug-in applications have finished loading. This is related to a timing dependency on plug-in services load time when closing and restarting Security Manager. Since PTHOST.exe is the shell housing the other applications (plug-ins), it depends on the ability of the plug-in to complete its load-time services. Closing the shell before the plug-in has had time to complete loading is the root cause.
Solution: Allow Security Manager to complete services loading (message seen at top of Security Manager window) and all plug-ins listed in left column. To avoid failure, allow a reasonable time for these plug-ins to load.

Software impacted: HP ProtectTools (General)
Short description: Unrestricted access or uncontrolled administrator privileges.
Details: Numerous risks are possible with unrestricted access to the client PC.
Solution: Administrators are encouraged to follow best practices in restricting end user privileges and restricting user access.
ws administrator privileges in order to display the Advanced page.

Assigning a Java Card PIN

You must assign a name and a PIN to a Java Card before it can be used in Java Card Security.

To assign a Java Card PIN:

NOTE: The Java Card PIN must be between 4 and 8 numeric characters.

1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert a new Java Card into the card reader.
4. When the New Card dialog box opens, type a new name in the New display name box, type a new PIN in the New PIN box, and then type the new PIN again in the Confirm New PIN box.
5. Click OK.

Assigning a name to a Java Card

You must assign a name to a Java Card before it can be used for power on authentication.

To assign a name to a Java Card:

1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the Java Card into the card reader.
   NOTE: If you have not assigned a PIN to this card, the New Card dialog box opens, allowing you to type a new name and PIN.
4. In the right pane, under Display name, click Change.
5. Type a name for the Java Card in the Name box.
6. Type the current Java Card PIN in the PIN box.
7. Click OK.

Setting power on authentication

When enabled, power on authentica
y chip:

1. Open Computer Setup by turning on or restarting the computer, and then pressing F10 while the F10 ROM Based Setup message is displayed in the lower left corner of the screen.
2. Use the arrow keys to select Security > Setup Password. Set a password.
3. Select Embedded Security Device.
4. Use the arrow keys to select Embedded Security Device Disable. Use the arrow keys to change it to Embedded Security Device Enable.
5. Select Enable > Save changes and exit.

HP is investigating resolution options for future customer software releases.

Short description: Security Restore Identity process loses association with virtual token.
Details: When user restores identity, Credential Manager can lose association with the location of the virtual token at login screen. Even though Credential Manager has the virtual token registered, user must reregister the token to restore association through identity restore.
Solution: This is currently by design. When uninstalling Credential Manager without keeping identities, the system (server part of the token) is destroyed, so the token cannot be used anymore for logon even if the client part of the token is restored. HP is investigating long term options for resolution.

Embedded Security for ProtectTools

Short description: Encrypting folders, sub-folders and files on PSD causes error message.
Details: If the use
Short description: PSD is disabled and cannot be deleted after formatting the hard drive on which the PSD was generated.
Details: The PSD is disabled and cannot be deleted after formatting the secondary hard drive on which the PSD was generated. The PSD icon is still visible, but the error message "drive is not accessible" appears when the user attempts to access the PSD. User is not able to delete the PSD, and a message appears that states "your PSD is still in use, please ensure that your PSD contains no open files and is not accessed by another process". User must reboot the system in order to delete the PSD, and it is not loaded after reboot.

Short description: An internal error has been detected restoring from Automatic Backup Archive.
Details: If the user
• clicks Restore under the Backup option of Embedded Security in HPPTSM to restore from the automatic backup Archive
• selects SPSystemBackup.xml
the Restore Wizard fails and the following error message is displayed: "The selected Backup Archive does not match the restore reason. Please select another archive and continue."

Solution (PSD cannot be deleted): As designed. If a customer force deletes or disconnects from the storage location of the PSD data, the Embedded Security PSD drive emulation continues to function and will produce errors based on lack of communication with the missing data. Resolution: After the next reboot, the emulations fail to load and user can delete the old PSD emu