HP tc4400 Reference Guide
Contents
1. Changing the Smart Card PIN Backing Up and Restoring Smart Cards Reference Guide iii Contents 3 Embedded Security for ProtectTools Basic Concepts sms cane soe cease eee es Setup Procedures 0 0 0 0 cee Enabling the Embedded Security Chip Initializing the Embedded Security Chip Setting Up the Basic User Account General Tasks slve RR eee EH Using the Personal Secure Drive Encrypting Files and Folders Sending and Receiving Encrypted E mail Changing the Basic User Key Password Advanced Tasks ovc s5 cece eet idees Backing Up and Restoring Changing the Owner Password Enabling and Disabling Embedded Security Migrating Keys with the Migration Wizard 4 BIOS Configuration for ProtectTools Basic Concepts ses lle ena General Tasks nemi ee reari gale dee ve ese Managing Boot Options 0 Enabling and Disabling Device or Security Options 0 0 0 0 eee eee eee Advanced Tasks soceri ees es Managing ProtectTools Settings Managing Profiles Managing Computer Setup Passwords Reference Guide Contents 5 Credential Manager for ProtectTools Basic Concepts seca acc ime aie owe ER 5 1 Setup Procedures 0 0 0c ee eee eee eee 5 2 Logging On to Credential Mang2. Reference Guide 4 1 BIOS Configuration for ProtectTools General Tasks BIOS Configuration allows you to manage various computer settings that would otherwise be accessible only by pressing 10 at startup and entering the Computer Setup utility Managing Boot Options You can use BIOS Configuration to manage various settings for tasks that run when you turn on or restart the computer To manage boot options 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration 2 Enter your Computer Setup administrator password at the BIOS administrator password prompt and click OK The BIOS administrator password prompt is displayed only if you have already set the Computer Setup administrator password For more information about setting the Computer Setup administrator password refer to Setting the Administrator Password later in this chapter 3 Select or clear the Enable Quick boot check box 4 Select the delays in seconds for f10 and f12 and for Express Boot Popup 5 Select or clear the Enable MultiBoot check box 6 If you have enabled MultiBoot select the boot order by selecting a boot device and then clicking Move Up or Move Down to adjust its order in the list 7 Click Apply and then click OK in the ProtectTools window to save your changes 4 2 Reference Guide BIOS Configuration for ProtectTools Enabling and Disabling Device or Security Options
3. Reference Guide 5 23 Credential Manager for ProtectTools Example 1 Using the Advanced Settings Page to Allow Windows Logon from Credential Manager To enable logging on to Windows from Credential Manager 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click Advanced Settings 3 Click the General tab 4 Select the Use Credential Manager to log on to Windows check box 5 Click Apply and then click OK to save your changes 6 Restart the computer Example 2 Using the Advanced Settings Page to Require User Verification Before Single Sign On To require Single Sign On to verify your credentials before logging on to a registered dialog box or Web page 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click Advanced Settings 3 Click the Single Sign On tab 4 Under When registered logon dialog or Web page is visited select the Validate user before submitting credentials check box 5 Click Apply and then click OK to save your changes 6 Restart the computer 5 24 Reference Guide Glossary The following terms are used in this document and throughout the ProtectTools Security Manager Authentication Process of verifying whether a user is authorized to perform a task for example accessing a computer modifying settings for a particular program or viewing secured
4. Select the plus sign to expand the Smart Card Security menu and then select Smart Card 4 Click Initialize Type your name in the first box in the Initialize the smart card dialog box Set and confirm the smart card PIN in the appropriate boxes The PIN code must be between 4 and 8 numeric characters A To avoid losing access to the computer do not forget the smart card PIN If you forget your smart card PIN it may be impossible to operate the computer The smart card will be locked and made unusable unless the smart card PIN is entered correctly within 5 attempts The count for these attempts resets after the correct PIN is entered Click OK to complete the initialization 2 2 Reference Guide Smart Card Security for ProtectTools Smart Card BIOS Security Mode When enabled smart card BIOS security mode requires you to use a smart card to log on to the computer The process of enabling smart card BIOS security mode involves the following steps 1 Enable Smart Card Power on Authentication Support in BIOS Configuration Refer to Enabling and Disabling Smart Card Power on Authentication Support in Chapter 4 BIOS Configuration for ProtectTools Q Enabling this setting allows you to use a smart card for power on authentication The smart card BIOS security mode features are unavailable until you enable smart card power on authentication support 2 Enable smart card BIOS securi
5. To enable or disable devices or security options 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration 2 Enter your Computer Setup administrator password at the BIOS administrator password prompt and then click OK 3 Click Device Options 4 Select or clear any combination of the following options d LB 5 5 NumLock at Boot Swapping Fn Ctrl Keys Multiple Pointing Devices USB Legacy Support Automatic SpeedStep Functionality Support Fan Always on While on AC Power 5 Select the parallel port mode from the drop down box 6 Click Security 7 Select or clear any combination of the following options COCO O d Serial Port Infrared Port Parallel Port SD Slot CD ROM Boot Floppy Boot Internal Network Adapter Boot 8 Click Apply and then click OK in the ProtectTools window to save your changes and exit Reference Guide 4 3 BIOS Configuration for ProtectTools Advanced Tasks Managing ProtectTools Settings Some of the features of ProtectTools Security Manager can be managed in BIOS Configuration Enabling and Disabling Smart Card Power on Authentication Support Enabling this option allows you to use the smart card for user authentication when you turn on the computer To enable smart card power on authentication support 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration Enter
6. to expand the Smart Card Security menu and then select Smart Card Click Change PIN Type your current smart card PIN Set and confirm the new PIN Nn B W Click OK in the confirmation dialog box Backing Up and Restoring Smart Cards After you have initialized a smart card and the card is ready for use it is highly recommended that you create a smart card recovery file The recovery file can be used to transfer the smart card data from one smart card to another smart card This file can also be used to back up the original smart card or to restore the data when a smart card is lost or stolen CAUTION To avoid having a recovery file that does not match a smart card with updated information immediately create a new recovery file and store it in a safe place If you keep a backup smart card you must also update the information on the backup smart card by restoring the new recovery file onto the backup smart card Reference Guide 2 11 Smart Card Security for ProtectTools Creating a Recovery File To create a recovery file 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security 2 Select the plus sign to expand the Smart Card Security menu and then select Smart Card 3 Under Recovery click Create 4 Enter the smart card PIN and click OK 5 Enter the file path and file name in the Filename field JN To avoid loss of access to the computer do n
7. To configure custom requirements 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click Authentication and Credentials 3 Click the Authentication tab AR oO N QN tA Click the category Users or Administrators from the category list Click Custom from the list of authentication methods Click Configure Select the authentication methods you want to use Choose the combination of methods by clicking one of the following m Use AND to combine the authentication methods Users will have to authenticate with all of the methods you checked each time they log on Use OR to combine the authentication methods Users will be able to choose any of the selected methods each time they log on Click OK 10 Click Apply and then click OK to save your changes Reference Guide 5 21 Credential Manager for ProtectTools Configuring Credential Properties From the Credentials tab of the Authentication and Credentials page you can view the list of available authentication methods and modify the settings To configure the credentials 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click Authentication and Credentials 3 Click the Credentials tab 4 Click the credential type you want to modify O To register the credential click Register and then follow the on screen instruct
8. Windows with an administrator account but not logged on to Credential Manager To create a new account 1 Open Credential Manager by double clicking the icon in the notification area The Credential Manager Logon Wizard opens On the Introduce Yourself page click the More button and then click Sign Up for a New Account Click Next 4 On the Registration page type the user name first and last name of the user and the account description Then click Next On the Authentication Methods page select the authentication methods you want to register and clear the check boxes for those you do not want to register and then click Next Follow the on screen instructions to register the selected credentials Click Finish Reference Guide Credential Manager for ProtectTools Registering Credentials You can use the My Identity page to register your various authentication methods or credentials After they have been registered you can use these methods to log on to Credential Manager Registering Fingerprints To register fingerprints 1 Connect the fingerprint reader to your computer 2 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 3 Click My Identity 4 Under I Want To click Register Fingerprints 5 Follow the on screen instructions to complete the registration Reference Guide 5 5 Credential Mana
9. BIOS Configuration that provides enhanced protection for the power on and administrator passwords and other forms of power on authentication Trusted Platform Module TPM embedded security chip select models only Integrated security chip that can protect highly sensitive user information from malicious attackers It is the root of trust in a given platform The TPM provides cryptographic algorithms and operations that meets the Trusted Computing Group TCG specifications Reference Guide Glossary 3 Glossary USB token Security device that stores identifying information about a user Like a smart card or biometric reader it is used to authenticate the owner to a computer Virtual token Security feature that works very much like a smart card and reader The token is saved either on the computer hard drive or in the Windows registry When you log on with a virtual token you are asked for a user PIN to complete the authentication Windows user account Profile for an individual authorized to log on to a network or to an individual computer Glossary 4 Reference Guide A account basic user 3 4 Credential Manager 5 4 Automatic DriveLock 4 6 backup embedded security 3 8 identity 5 9 single sign on 5 18 smart card 2 11 basic user account 3 4 Basic User Key password changing 3 7 definition 1 6 setting 3 5 biometric readers 5 5 BIOS administrator card password changing 2 6 definition 1 5
10. data Automatic DriveLock Security feature that causes the DriveLock passwords to be generated and protected by the TPM Embedded Security chip When the user is authenticated by the TPM embedded security chip during startup by entering the correct TPM Basic User Key password the BIOS unlocks the hard drive for the user Biometric Category of authentication credentials that use a physical feature such as a fingerprint to identify a user BIOS profile Group of BIOS configuration settings that can be saved and applied to other accounts BIOS security mode Setting in Smart Card Security that when enabled requires the use of a smart card and a valid PIN for user authentication Certification authority Service that issues the certificates required to run a public key infrastructure Credentials Method by which a user proves eligibility for a particular task in the authentication process Cryptographic service provider CSP Provider or library of cryptographic algorithms that can be used in a well defined interface to perform particular cryptographic functions Reference Guide Glossary 1 Glossary Cryptography Practice of encrypting and decrypting data so that it can be decoded only by specific individuals Decryption Procedure used in cryptography to convert encrypted data into plain text DriveLock Security feature that links the hard drive to a user and requires the user to correctly enter the Dr
11. 5 On the Set Up Account tab of the Account Properties dialog box select the Use these credentials by default check box 6 Click Apply and then click OK 5 14 Reference Guide Credential Manager for ProtectTools Using Single Sign On Credential Manager has a Single Sign On feature that stores user names and passwords for multiple Internet and Windows applications and automatically enters logon credentials when you access a registered application Q Security and privacy are important features of Single Sign On All credentials are encrypted and are available only after successful logon to Credential Manager Q You can also configure Single Sign On to validate your authentication credentials with a smart card biometric reader or token before logging on to a secure site or application This is particularly useful when logging on to applications or Web sites that contain personal information such as bank account numbers For more information refer to Configuring Credential Manager Settings later in this chapter Reference Guide 5 15 Credential Manager for ProtectTools Registering a New Application Credential Manager prompts you to register any application that you launch while you are logged on to Credential Manager You can also register an application manually Using Automatic Registration To register an application with automatic registration 1 Open an application that requires you to l
12. Authentication on Windows restart check box If you want to disable power on authentication on Windows restart clear this check box 4 Click Apply and then click OK in the ProtectTools window to save your changes Reference Guide 4 15 5 Credential Manager for ProtectTools Basic Concepts Credential Manager for ProtectTools has security features that provide protection against unauthorized access to your computer These features include the following BM Alternatives to passwords when logging on to Microsoft Windows such as using a smart card or biometric reader to log on to Windows B Single Sign On feature that automatically remembers credentials for Web sites applications and protected network resources B Support for optional security devices such as smart cards and biometric readers B Support for additional security settings such as requiring authentication with an optional security device to unlock the computer Reference Guide 5 Credential Manager for ProtectTools Setup Procedures Logging On to Credential Manger Depending upon the configuration you can log on to Credential Manager in any of the following ways B Credential Manager Logon Wizard preferred M Credential Manager icon in the notification area B6 ProtectTools Security Manager Q If you use the Credential Manager Logon prompt on the Windows Logon screen to log in to Credential Manager you are logged in to Windows
13. N and click Next Insert the new user card and click Next Q If there is already a user password on the card the Finish dialog box is displayed Omit steps 6 through 8 and go to step 9 T If there is no user password on the card the BIOS Password Wizard opens In the BIOS Password Wizard you can either 1 Enter a password manually T Generate a random 32 byte password Using a known password enables you to create duplicate cards without using a recovery file Generating a random password offers more security however you must have a recovery file to make backup cards Reference Guide 2 7 Smart Card Security for ProtectTools 7 Under Boot Requirements select the check box if you require the smart card PIN to be entered at startup If you do not require the smart card PIN to be entered at startup clear this check box 8 Enter the smart card PIN and click OK The system prompts you to create a recovery file amp It is highly recommended that you create a recovery file For more information refer to Creating a Recovery File later in this chapter 9 Enter the smart card PIN in the Finish dialog box and then click Finish Storing the Administrator or User Card Password If you want to create a backup card and have already set the administrator password you can store the password on the new card CAUTION This procedure updates only the password on the card and not in Computer
14. Reference Guide ProtectTools Security Manager Document Part Number 38917 1 001 May 2005 Copyright 2005 Hewlett Packard Development Company L P Microsoft and Windows are U S registered trademarks of Microsoft Corporation The information contained herein is subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP shall not be liable for technical or editorial errors or omissions contained herein Reference Guide ProtectTools Security Manager First Edition May 2005 Document Part Number 389171 001 Contents 1 Introduction ProtectTools Security Manager Accessing the ProtectTools Security Manager Understanding Security Roles Managing ProtectTools Passwords Creating a Secure Password 2 Smart Card Security for ProtectTools Basic Concepts Initializing the Smart Card Smart Card BIOS Security Mode Enabling Smart Card BIOS Security Mode and Setting the Smart Card Administrator Password Changing the Smart Card Administrator Password dot e etene eee eh s t Rss Setting and Changing the Smart Card User Password lesen Storing the Administrator or User Card Password 0 cee e esee General Tasks Updating BIOS Smart Card Settings Selecting the Smart Card Reader
15. Setup You will not be able to access the computer with the new card To store the administrator or user card password 1 Insert a smart card into the reader 2 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security 3 Select the plus sign to expand the Smart Card Security menu and then select BIOS 2 8 Reference Guide Smart Card Security for ProtectTools 4 Under BIOS Password on Smart Card click Store 5 In the BIOS Password Wizard you can either d Enter a password manually T Generate a random 32 byte password Using a known password enables you to create duplicate cards without using a recovery file Generating a random password offers more security however you must have a recovery file to make backup cards 6 Under Access Privilege click either Administrator or User for the type of card 7 Under Boot Requirements select the check box if you require that the smart card PIN be entered at startup If you do not require the smart card PIN to be entered at startup clear this check box 8 Enter the smart card PIN and click OK 9 Enter the smart card PIN again in the Finish dialog box and then click Finish The system prompts you to create a recovery file Q It is highly recommended that you create a smart card recovery file For more information refer to Creating a Recovery File later in this chapter Reference Guide 2 9 Sma
16. You can add additional local or domain accounts after logging on to Credential Manager To add an account 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under Microsoft Network Logon click Add a Network Account 4 Set the user name for the new account in the User name box 5 Click the domain from the list of available domains 6 Type and confirm the password If you want this to be your default user account select Use these credentials by default 7 Click Finish Removing Accounts You can remove local or domain accounts after logging on to Credential Manager To remove an account 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under Microsoft Network Logon click Manage Network Accounts 4 Click the account you want to remove and then click Remove 5 In the confirmation dialog box click Yes Reference Guide 5 13 Credential Manager for ProtectTools Setting a Default User You can set or change the default user after logging on to Credential Manager To set a default user 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under Microsoft Network Logon click Manage Network Accounts 4 Click the account you want to be the default and then click Properties
17. an owner password for the embedded security chip that protects access to all owner functions on the embedded security chip Set up the emergency recovery archive which is a protected storage area that allows reencryption of the Basic User Keys for all users To initialize the embedded security chip 1 Right click the Embedded Security icon in the notification area at the far right of the taskbar and then select Embedded Security Initialization The ProtectTools Embedded Security Initialization Wizard opens 2 Click Next 3 Set and confirm an owner password and then click Next The Setup Emergency Recovery dialog box opens Click Next to accept the default recovery archive location or click the Browse button to choose a different location and then click Next Set and confirm the emergency recovery token password and then click Next Reference Guide 3 3 Embedded Security for ProtectTools 6 Click Browse and choose the location for the emergency recovery archive and then click Next 7 Click Next on the Summary page If you do not want to set up a basic user account at this time clear the Start the Embedded Security User Initialization Wizard check box and then click Finish You can start the wizard manually to set up a basic user account at any time by following the instructions in the next section Q If you want to set up a basic user account select the Start the Embedded Securit
18. at the same time Logging On for the First Time The first time you open Credential Manager log on with your regular Windows Logon password A Credential Manager account is then automatically created with your Windows logon credentials After logging on to Credential Manager you can register additional credentials such as a fingerprint or a smart card At the next logon you can select the logon policy and use any combination of the registered credentials 5 2 Reference Guide Credential Manager for ProtectTools Using the Credential Manager Logon Wizard To log on to Credential Manger using the Credential Manager Logon Wizard 1 Open the Credential Manager Logon Wizard in any of the following ways Q From the Windows logon screen QJ From the notification area by double clicking the ProtectTools icon Q From the Credential Manager page of Protect Tools Security Manager by clicking the Log On link on the upper right side of the window 2 Enter your user name in the User name box and then click Next 3 Select the authentication method you want to use and then click Next 4 Follow the on screen instructions for logging on with your selected authentication method 5 Click Finish Reference Guide 5 3 Credential Manager for ProtectTools Creating a New Account You can use the Credential Manager Logon Wizard to create a new user account Before you begin you must be logged on to
19. ator Function Protects access to the Computer Setup utility DriveLock master password BIOS Configuration by IT administrator Protects access to the internal hard drive that is protected by DriveLock Is also used to remove DriveLock protection DriveLock user password BIOS Configuration Protects access to the internal hard drive that is protected by DriveLock Power on password BIOS Configuration Protects access to the computer contents when the computer is turned on restarted or restored from hibernation Continued Reference Guide Introduction ProtectTools Password Profile password Set in this ProtectTools Module BIOS Configuration by IT administrator Function Encrypts and unlocks the profile where BIOS system settings are saved Smart card administrator password Also known as BIOS administrator card password Smart Card Security by IT administrator Links the smart card to the computer for identification purposes Allows a computer administrator to enable or disable Computer Setup passwords generate a new administrator card and create recovery files to restore user or administrator cards Smart card PIN Smart Card Security Protects access to the smart card contents and to computer access when an optional smart card and reader is used Smart card recovery file password Smart Card Security Protects access to the
20. characters that increment If you write down your password do not store it ina commonly visible place very close to the computer Do not save the password in a file such as an e mail on your computer Do not share accounts or tell anyone your password Reference Guide 2 Smart Card Security for ProtectTools Basic Concepts Smart Card Security for ProtectTools manages the smart card setup and configuration for computers equipped with an optional smart card reader With Smart Card Security you can Access smart card security features Initialize a smart card so that it can be used with other ProtectTools modules such as Credential Manager for ProtectTools Work with the Computer Setup utility to enable smart card authentication in a preboot environment and to configure separate smart cards for an administrator and a user This requires a user to insert the smart card and optionally enter a PIN prior to allowing the operating system to load Set and change the password used to authenticate users of the smart card Back up and restore smart card BIOS passwords stored on the smart card Reference Guide 2 1 Smart Card Security for ProtectTools Initializing the Smart Card You must initialize the smart card before using it To initialize the smart card 1 2 Insert the smart card into the reader Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security
21. ctTools Managing Profiles After you have set your preferences in BIOS Configuration for ProtectTools you can save the settings under a named profile The settings are saved in a file which is encrypted with a password that you provide This profile can then be applied to multiple platforms Q You must restart your computer for these settings to take effect Managing Profiles Using the Command Line You can use the command line interface to manage profiles for BIOS configuration From the command line you can B Change the setting to display the Profiles page in BIOS Configuration for ProtectTools which is hidden by default E Access and open a profile scheme B Apply profiles across multiple computers To access and modify profile settings from the command line 1 Select Start gt Run 2 Enter cmd exe in the Open box 3 Click OK 4 At the command prompt use the cd command to navigate to the following path for the BIOS Configuration utility C Program Files HPQ HP BIOS Configuration for ProtectTools Reference Guide 4 7 BIOS Configuration for ProtectTools 5 Enter hpqsetup exe and add switches to customize the request as shown in the following table Switch es Function Example If lf Specify INI file path Hpqsetup exe fc test ini and k Specify the IKXXXX k password for decrypting where testis the name the file created in the of the INI file and Xxxx These 2 switches BIOS Configu
22. dded security chip must be installed in your computer to use Embedded Security for ProtectTools Embedded Security for ProtectTools protects against unauthorized access to user data or credentials This software module provides the following security features B Enhanced Microsoft Encryption File System EFS file and folder encryption Wi Creation of a personal secure drive PSD for protecting user data B Data management functions such as backing up and restoring the key hierarchy B Support for third party applications such as Microsoft Outlook and Internet Explorer for protected digital certificate operations when using the Embedded Security software Reference Guide 3 1 Embedded Security for ProtectTools The TPM embedded security chip enhances and enables other ProtectTools Security Manager security features For example Credential Manager for ProtectTools can use the embedded chip as an authentication factor when the user logs on to Windows On select models the TPM embedded security chip also enables enhanced BIOS security features accessed through BIOS Configuration for ProtectTools Setup Procedures CAUTION To reduce security risk it is highly recommended that your IT administrator immediately initialize the embedded security chip Failure to initialize the embedded security chip could result in an unauthorized user a computer worm or a virus taking ownership of the computer and gaining control over
23. dentials 6 Follow the on screen instructions 7 Click OK to save changes Reference Guide 5 19 Credential Manager for ProtectTools Advanced Tasks Administrator Only The Authentication and Credentials page and the Advanced Settings page of Credential Manager are available only to those users with administrator rights From these pages you can B6 Specify how users and administrators log on B Configure credential properties B Configure Credential Manager program settings Specifying How Users and Administrators Log On From the Authentication and Credentials page you can specify which type or combination of credentials are required of either users or administrators To specify how users or administrators log on 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click Authentication and Credentials 3 Click the Authentication tab 4 Click the category Users or Administrators from the category list 5 Click the type or combination of authentication methods from the list 6 Click OK 7 Click Apply and then click OK to save your changes 5 20 Reference Guide Credential Manager for ProtectTools Configuring Custom Authentication Requirements If the set of authentication credentials you want is not listed on the Authentication tab of the Authentication and Credentials page you can create custom requirements
24. e Embedded Security features if you want to work without the security function The Embedded Security features can be enabled or disabled at 2 different levels B Temporary disabling With this option embedded security is automatically reenabled on Windows restart This option is available to all users by default B Permanent disabling With this option the owner password is required to reenable Embedded Security This option is available only to administrators 3 10 Reference Guide Embedded Security for ProtectTools Temporarily Disabling Embedded Security To temporarily disable Embedded Security 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Embedded Security gt User Settings 2 Under Embedded Security click Disable Enabling Embedded Security After Temporary Disable Embedded Security will automatically be reenabled upon Windows restart if it was disabled through User Settings Q If you log off your Windows account but do not restart the computer the Embedded Security features will still be disabled when you or another user logs on to Windows until the computer is restarted Permanently Disabling Embedded Security To permanently disable Embedded Security 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Embedded Security gt Advanced 2 Under Embedded Security click Disable 3 Enter your owner password at the prompt and then cl
25. e smart card administrator password is set as part of the process for enabling smart card BIOS security mode You can change the smart card administrator password after it has been set Refer to Smart Card BIOS Security Mode earlier in this chapter for more information about the smart card administrator password zB The following procedure updates the smart card administrator password stored on the card and in Computer Setup To change the smart card administrator password 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security 2 Select the plus sign to expand the Smart Card Security menu and then select BIOS 3 Under BIOS Security Mode next to BIOS administrator card click Change 4 Enter the smart card PIN and click Next 5 Insert the new administrator card and click Next 6 Enter the smart card PIN and click Finish 2 6 Reference Guide Smart Card Security for ProtectTools Setting and Changing the Smart Card User Password To set or change the smart card user password 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security Select the plus sign to expand the Smart Card Security menu and then select BIOS Under BIOS Security Mode next to BIOS user card click the Set button If there is already a user password in Computer Setup click the Change button 4 Enter the smart card PI
26. eference Guide Introduction Set in this ProtectTools Password ProtectTools Module Function Credential Manager Credential Manager Protects access to the recovery file password by IT administrator Credential Manager recovery file Windows logon password Windows Control Can be used in manual Panel logon or saved on the smart card Creating a Secure Password When creating passwords you must first follow any specifications that are set by the program In general however consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised Mm Use passwords with more than 6 characters preferably more than 8 B Mix the case of letters throughout your password B Whenever possible mix alphanumeric characters and include special characters and punctuation marks B Substitute special characters or numbers for letters in a key word For example you can use the number 1 for letters Tor L B Combine words from 2 or more languages B Split a word or phrase with numbers or special characters in the middle for example Mary2 2Cat45 B Do not use a password that would appear in a dictionary B Donotuse your name for the password or any other personal information such as birth date pet names or mother s maiden name even if you spell it backwards Reference Guide 1 7 Introduction Change passwords regularly You might change only a couple of
27. efines the security level for the company or network and determines the security features to deploy such as smart cards biometric readers or USB tokens Many of the features in ProtectTools can be customized by the security officer in cooperation with HP For more information visit http www hp com B IT administrator Applies and manages the security features defined by the security officer Can also enable and disable some features For example if the security officer has decided to deploy smart cards the IT administrator can enable smart card BIOS security mode B User Uses the security features For example if the security officer and IT administrator have enabled smart cards for the system the user can set the smart card PIN and use the card for authentication Reference Guide 1 3 Introduction Managing ProtectTools Passwords Most of the ProtectTools Security Manager features are secured by passwords The following table lists the commonly used passwords the software module where the password is set and the password function The passwords that are set and used by IT administrators only are indicated in this table as well All other passwords may be set by regular users or administrators ProtectTools Password Computer Setup administrator password Also known as S BIOS administrator f10 Setup or Security Setup password Set in this ProtectTools Module BIOS Configuration by IT administr
28. er 5 2 Registering Credentials 0 5 5 General Tasks 2 4 iss Mae 5 7 Creating a Virtual Token 5 7 Changing the Windows Logon Password 5 8 Changing a Token PIN 40 5 8 Managing Identity 000 5 9 Locking the Computer 04 5 11 Using Microsoft Network Logon 5 12 Using Single Sign On 004 5 15 Advanced Tasks Administrator Only 5 20 Specifying How Users and Administrators Log On i e oe hab eee Sheesh 5 20 Configuring Custom Authentication Requirements 5 21 Configuring Credential Properties 5 22 Configuring Credential Manager Settings 5 23 Glossary Index Reference Guide v Introduction ProtectTools Security Manager ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer networks and critical data Enhanced security functionality is provided by the following software modules B Smart Card Security for ProtectTools B Embedded Security for ProtectTools B BIOS Configuration for ProtectTools B Credential Manager for ProtectTools The software modules available for your computer may vary depending on your model For example Embedded Security for ProtectTools requires that the Trusted Platform Module TPM embedded security chip select models only be installed
29. er name and password into the application box 10 In the confirmation dialog box confirm or modify the credential name and then click Yes Managing Applications and Credentials Modifying Application Properties To modify application properties 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under Single Sign On click Manage Applications and Credentials 4 Click the application entry you want to modify and then click Properties a Click the General tab to modify the application name and description Change the settings by selecting or clearing the check boxes next to the appropriate settings b Click the Script tab to view and edit the SSO application script 5 Click OK to save your changes Reference Guide 5 17 Credential Manager for ProtectTools Removing Applications from Single Sign On To remove applications from Single Sign On 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under Single Sign On click Manage Applications and Credentials Click the application entry you want to remove and then click Remove 5 Click Yes in the confirmation dialog box 6 Click OK Exporting Applications You can export applications to create a backup copy of the Single Sign On application script This file can then be used to recover the Single Sig
30. etting Password Options You can use BIOS Configuration for ProtectTools to set password options to enhance the security of your system Enabling and Disabling Stringent Security CAUTION To prevent the computer from becoming permanently unusable record your configured administrator password power on password or smart card PIN in a safe place away from your computer Without these passwords or PIN the computer cannot be unlocked Enabling stringent security provides enhanced protection for the power on and administrator passwords and other forms of power on authentication To enable or disable stringent security 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration 2 Select Passwords 3 Select the Enable Stringent Security check box If you want to disable stringent security clear this check box 4 Click Apply and then click OK in the ProtectTools window to save your changes 4 14 Reference Guide BIOS Configuration for ProtectTools Enabling and Disabling Power on Authentication on Windows Restart This option allows you to enhance security by requiring users to enter a power on TPM DriveLock or smart card password when Windows restarts To enable or disable power on authentication on Windows restart 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration 2 Select Passwords 3 Select the Enable Power on
31. ger for ProtectTools Registering a Smart Card or Token To register a smart card or token 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under I Want To click More and then click Register Credentials 4 Click the authentication method you want to register and then click Next 5 Follow the on screen instructions to complete the registration Registering Other Credentials To register other credentials 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under I Want To click More and then click Register Credentials 4 Click the authentication method you want to register and then click Next 5 Follow the on screen instructions to complete the registration 5 6 Reference Guide Credential Manager for ProtectTools General Tasks All users have access to the My Identity page in Credential Manager From the My Identity page you can Create and register authentication credentials Manage passwords Manage Microsoft Network accounts Manage single sign on credentials Creating a Virtual Token A virtual token works very much like a smart card or USB token The token is saved either on the computer hard drive or in the Windows registry When you log on with a virtual token you are asked for a user PIN to complete the authentication T
32. hich you want to change the PIN and then click Next 6 Follow the on screen instructions to complete the PIN change 5 8 Reference Guide Credential Manager for ProtectTools Managing Identity Backing Up an Identity It is recommended that you back up your identity in Credential Manager in case of data loss or accidental removal To back up an identity 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under I Want To click More and then click Backup Identity 4 Click Next 5 Select the elements you want to back up and then click Next 6 On the Device Type page select the device type you want to use to store the backup and then click Next You will need to know the password or PIN code for the device you select for the backup file Follow the on screen instructions for the device you selected and then click Finish Reference Guide 5 9 Credential Manager for ProtectTools Restoring an Identity To restore an identity 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under I Want To click More and then click Restore Identity 4 Click Next 5 On the Device Type page select the device type where the backup was stored and then click Next 6 Follow the on screen instructions for the device you selected and
33. ick OK Reference Guide 3 11 Embedded Security for ProtectTools Enabling Embedded Security After Permanent Disable To enable Embedded Security after permanently disabling it 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Embedded Security gt Advanced 2 Under Embedded Security click Enable 3 Enter your owner password at the prompt and then click OK Migrating Keys with the Migration Wizard Migration is an advanced administrator task that allows the management restoration and transfer of keys and certificates For details on migration refer to the Embedded Security online Help 3 12 Reference Guide 4 BIOS Configuration for ProtectTools Basic Concepts BIOS Configuration for ProtectTools provides access to the Computer Setup utility security and configuration settings This gives users Windows access to system security features that are managed by Computer Setup With BIOS Configuration you can Manage power on passwords and administrator passwords Configure other preboot authentication features such as enabling smart card passwords and embedded security authentication Enable and disable hardware features such as CD ROM boot or different hardware ports Configure boot options which includes enabling MultiBoot and changing the boot order Q Many of the features in BIOS Configuration for ProtectTools are also available in the Computer Setup utility
34. ions Q To delete the credential click Clear and then click Yes in the confirmation dialog box 21 To modify the credential properties click Properties and then follow the on screen instructions 5 Click Apply and then click OK 5 22 Reference Guide Credential Manager for ProtectTools Configuring Credential Manager Settings From the Advanced Settings page you can access and modify various settings using the following tabs General Allows you to modify the settings for basic configuration Single Sign On Allows you to modify the settings for how Single Sign On works for the current user such as how it handles detection of logon screens automatic logon to registered dialogs and password display Services and Applications Allows you to view the available services and modify the settings for those services Biometric Settings Allows you to select the fingerprint reader software and adjust the security level of the fingerprint reader Smart Cards and Tokens Allows you to view and modify properties for all available smart cards and tokens To modify Credential Manager settings 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click Advanced Settings 3 Click the appropriate tab for the settings you want to modify 4 Follow the on screen instructions to modify the settings 5 Click Apply and then click OK to save your changes
35. iveLock password when the computer starts up Digital certificate Electronic credentials that confirm the identity of an individual or a company by binding the identity of the digital certificate owner to a pair of electronic keys that are used to sign digital information Digital signature Data sent with a file that verifies the sender of the material and that the file has not been modified after it was signed Domain Group of computers that are part of a network and share a common directory database Domains are uniquely named and each has a set of common rules and procedures Emergency recovery archive Protected storage area that allows the re encryption of basic user keys from one platform owner key to another Encryption Procedure such as use of an algorithm employed in cryptography to convert plain text into cipher text in order to prevent unauthorized recipients from reading that data There are many types of data encryption and they are the basis of network security Common types include Data Encryption Standard and public key encryption Encryption File System EFS System that encrypts all files and subfolders within the selected folder Identity In the ProtectTools Credential Manager a group of credentials and settings that is handled like an account or profile for a particular user Migration a task that allows the management restoration and transfer of keys and certificates Glossary 2 Refere
36. n On data This acts as a supplement to the identity backup file which contains only the credential information To export an application 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under Single Sign On click Manage Applications and Credentials Click the application entry you want to export Then click More and then click Export Application 5 Follow the on screen instructions to complete the export 6 Click OK Reference Guide Credential Manager for ProtectTools Importing Applications To import an application 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under Single Sign On click Manage Applications and Credentials Click the application entry you want to import Then click More and then click Import Application 5 Follow the on screen instructions to complete the import 6 Click OK Modifying Credentials To modify credentials 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under Single Sign On click Manage Applications and Credentials Click the application entry you want to modify and then click More Select any of the following options LY Add New Credentials QJ Delete Credentials QJ Delete Unused Credentials d Edit Cre
37. nce Guide Glossary Network account Windows user or administrator account either on a local computer in a workgroup or on a domain Personal secure drive PSD Provides a protected storage area for sensitive data Power on authentication Security feature that requires some form of authentication such as a smart card security chip or password when the computer is turned on Public Key Infrastructure PKI Standard that defines the interfaces for creating using and administering certificates and cryptographic keys Reboot Process of restarting the computer Single Sign On Feature that stores authentication data and allows you to use the Credential Manager to access Internet and Windows applications that require password authentication Smart card Small piece of hardware similar in size and shape to a credit card which stores identifying information about the owner Used to authenticate the owner to a computer Smart card administrator password Password that links an administrator smart card with the computer in Computer Setup for identification at startup or restart This password can be set manually by the administrator or randomly generated Smart card user password Password that links a user smart card with the computer in Computer Setup for identification at startup or restart This password can be set manually by the administrator or randomly generated Stringent security Security feature in
38. ntial Manager Logon Wizard to unlock the computer Reference Guide 5 11 Credential Manager for ProtectTools Using Microsoft Network Logon You can use Credential Manager to log on to Windows either at a local computer or on a network domain When you log on to Credential Manager for the first time the system automatically adds your local Windows user account as the network account for the Network Logon service Refer to Logging On for the First Time earlier in this chapter for more information Logging On to Windows with Credential Manager You can use Credential Manager to log on to a Windows network or local account 1 From the Windows logon screen select Log on to Credential Manager 2 Click Next on the Welcome page if it is displayed 3 Type your user name in the User name box If you want this to be the default user name select Use this name next time you log on 4 Select Credential Manager from the Log on to list Click Next On the Logon Policy page select the authentication method you want to use If you want this method to be the default method select Use this policy next time you log on Follow the instructions for the authentication method you selected If your authentication information is correct you will be logged on to your Windows account and to Credential Manager 5 12 Reference Guide Credential Manager for ProtectTools Adding Accounts
39. o create a new virtual token 1 W Md oO Nn A Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager Click My Identity Under I Want To click More and then click Register Credentials Click Next Click Virtual Token and then click Next Click Create New and then click Next Enter a name and location for the virtual token file or click the Browse button to find a file location and then click Next 8 Set and confirm a master PIN and a user PIN Click Finish Reference Guide 5 7 Credential Manager for ProtectTools Changing the Windows Logon Password You can change your Windows logon password from the My Identity page in Credential Manager 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under I Want To click Change Windows Logon Password 4 Type your old password in the Old password box 5 Set and confirm your new password in the New password and Confirm password boxes 6 Click Finish Changing a Token PIN You can change the PIN for a smart card or virtual token from the My Identity page in Credential Manager 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under I Want To click More and then click Change Token PIN 4 Click Next 5 Select the token for w
40. og on 2 On the Credential Manager Single Sign On dialog box click Options to configure the following settings for the registration T Do not suggest to use SSO with this site or application m Fill in credentials only Do not submit LY Ask confirmation before submitting credentials 3 Click Yes to complete the registration Using Manual Drag and Drop Registration 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under Single Sign On click Register New Application 4 Run the application you want to register until you reach the page with the password box 5 On the Drag and Drop Registration page of the SSO Registration Wizard select the type of activity you want to automate In most cases the activity you want to automate will be the Logon dialog 5 16 Reference Guide Credential Manager for ProtectTools 6 Click and drag the icon from the wizard page over the area of the application where the password box is located Release the pointer when the area is highlighted You will not see the finger icon move across the page but when you drag the pointer over the logon box in the application a rectangular icon is displayed 7 On the Application Information page of the SSO Registration Wizard enter the name and description for the application 8 Click Finish 9 Enter the logon credential for example the us
41. on initializing the smart card refer to Initializing the Smart Card earlier in this chapter 5 In the Recovery section click Restore 6 Ensure that the correct recovery file name is selected and enter the recovery file password Enter the smart card PIN Click OK The original smart card contents are restored to the new smart card Reference Guide 2 13 Smart Card Security for ProtectTools Creating a Backup Smart Card It is highly recommended that you create duplicate smart cards for backup purposes Two methods can be used to create a backup card depending upon whether the smart card password was manually or randomly generated To create a replacement smart card with a randomly generated smart card password Insert a smart card into the reader and then load the appropriate recovery file onto it For more information refer to Restoring Smart Card Data earlier in this chapter To create a replacement smart card with a manually generated smart card password 1 Initialize a new smart card For instructions refer to Initializing the Smart Card earlier in this chapter 2 Store the administrator or user card password on the new smart card For instructions refer to Storing the Administrator or User Card Password earlier in this chapter Reference Guide 3 Embedded Security for ProtectTools Basic Concepts Q The integrated Trusted Platform Module TPM embe
42. on your computer and Smart Card Security for ProtectTools requires an optional smart card and reader ProtectTools software modules may be preinstalled preloaded or available for download from the HP Web site Visit http www hp com for more information The instructions in this guide are written with the assumption that you have already installed the applicable ProtectTools software modules Reference Guide 1 1 Introduction Accessing the ProtectTools Security Manager To access the ProtectTools Security Manager from the Microsoft Windows Control Panel Select Start gt All Programs gt HP ProtectTools Security Manager Q After you have configured the Credential Manager module you can also open ProtectTools by logging on to Credential Manager directly from the Windows logon screen For more information refer to Logging On to Windows with Credential Manager in Chapter 5 Credential Manager for ProtectTools 1 2 Reference Guide Introduction Understanding Security Roles In managing computer security particularly for large organizations one important practice is to divide responsibilities and rights among various types of administrators and users Q In a small organization or for individual use these roles may all be held by the same person For ProtectTools the security duties and privileges can be divided into the following roles E Security officer D
43. ords Under Power On Password click Change Type the current password in the Old Password box Set and confirm the new password in the Enter New Password box Click OK in the Passwords dialog box 7 Click Apply and then click OK in the ProtectTools window to save your changes Reference Guide BIOS Configuration for ProtectTools Setting the Administrator Password To set the Computer Setup administrator password 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration 2 Select Passwords 3 Under Administrator Password select Set 4 Set and confirm the password in the Enter Password and Confirm Password boxes 5 Click OK in the Passwords dialog box 6 Click Apply and then click OK in the ProtectTools window to save your changes Changing the Administrator Password To change the Computer Setup administrator password 1 nA BW N ON Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration Select Passwords Under Administrator Password click Change Type the current password in the Old Password box Type and confirm the new password in the Enter New Password and Verify New Password boxes Click OK in the Passwords dialog box 7 Click Apply and then click OK in the ProtectTools window to save your changes Reference Guide 4 13 BIOS Configuration for ProtectTools S
44. ot save the recovery file on the computer hard drive you will not be able to access the file without the smart card Also a recovery file saved on the hard drive may be accessible to others posing a security risk 6 Set and confirm a recovery file password and then click OK CAUTION To prevent the loss of the smart card recovery file data do not forget the recovery file password You cannot re create your card from the recovery file if you forget the password 2 12 Reference Guide Smart Card Security for ProtectTools Restoring Smart Card Data You can restore the smart card data from the recovery file This is especially useful if a card was lost or stolen or if you want to create a backup smart card If you use a card with previous data saved on it the data will be overwritten Before you begin you will need the following Access to a computer with Smart Card Security software installed Smart card recovery file Smart card recovery file password Smart card To restore a smart card 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security Select the plus sign to expand the Smart Card Security menu and then select Smart Card Insert the diskette or other media containing the smart card recovery file Insert a smart card into the reader If the card is not initialized you will be prompted to initialize it For detailed instructions
45. otectTools Applying a Profile Scheme You can apply any profile scheme to a new platform through HP BIOS Configuration for ProtectTools To apply a profile scheme 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration 2 Select Profiles 3 Select the profile scheme you want to apply from the drop down list 4 Click Apply 5 Click OK The XXX ini file is saved at the following location C Documents and Settings All Users Application Data BlOS Configuration INIFiles Applying a Profile Scheme Across Multiple Computers An IT administrator can use the HPQSetup application and a deployment tool to apply a BIOS Configuration profile across multiple platforms over a network The HPQSetup application can be used only with a deployment tool and only from the command line For more information refer to Managing Profiles Using the Command Line earlier in this document 4 10 Reference Guide BIOS Configuration for ProtectTools Managing Computer Setup Passwords You can use BIOS Configuration to set and change the power on and administrator passwords in Computer Setup and also to manage various password settings CAUTION The passwords you set through the Passwords page in BIOS Configuration are saved immediately upon clicking the Apply or OK button in the ProtectTools window Make sure you remember what password you have set because you will not be able to
46. password changing 3 10 definition 1 6 setting 3 3 P passwords guidelines 1 7 managing 1 4 personal secure drive PSD 3 6 Index 2 Reference Guide Index power on authentication enabling and disabling 4 4 on Windows restart 4 15 power on password definition 1 4 setting and changing 4 12 profile password definition 1 5 setting 4 9 profiles applying 4 10 deleting 4 9 displaying menu 4 8 saving 4 9 properties application 5 17 authentication 5 20 credential 5 22 ProtectTools Security Manager 1 1 R recovery identity 5 10 Single Sign On 5 19 smart cards 2 13 registering application 5 16 credentials 5 5 S security setup password 1 4 Single Sign On automatic registration 5 16 exporting applications 5 18 manual registration 5 16 modifying application properties 5 17 removing applications 5 18 smart card administrator password changing 2 6 definition 1 5 setting 2 3 smart card BIOS security 2 3 smart card PIN changing 2 11 definition 1 5 smart card recovery file password definition 1 5 setting 2 12 Smart Card Security for ProtectTools 2 1 smart card user password definition 1 5 setting and changing 2 7 storing 2 8 stringent security 4 14 Reference Guide Index 3 Index T TPM chip enabling 3 2 initializing 3 3 V virtual token 5 7 Ww Windows logon password 1 7 Windows network account 5 13 Index 4 Reference Guide
47. ration tool is the password are used together p Display the Profiles Hpqsetup exe p page on the BIOS Configuration page of ProtectTools which is hidden by default requires restart of ProtectTools 6 Press enter 4 8 Reference Guide BIOS Configuration for ProtectTools Saving a New Profile Scheme To save a new profile scheme 1 NWN BW Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration Click Profiles If the Profiles page is not visible you must change the display setting from the command line For instructions refer to Managing Profiles Using the Command Line in the previous section Click Save As Type a name for the profile in the dialog box Set and confirm a password to encrypt the file Click OK in the Add Profile dialog box Click Apply and then click OK in the ProtectTools window to save your changes Deleting a Profile Scheme To delete a profile scheme 1 2 3 4 5 Select Start gt All Programs gt HP ProtectTools Security Manager BIOS Configuration Select Profiles Select the profile you want to delete from the drop down list Click Delete Click Yes in the confirmation dialog box The INI file created by that profile is deleted from the following location C Program Files HPQ HP BIOS Configuration for ProtectTools INIFiles Reference Guide 4 9 BIOS Configuration for Pr
48. recovery file that contains the BIOS passwords Smart card user password Also known as BIOS user card password Smart Card Security Links the smart card to the computer for identification Allows a user to create a recovery file to restore a user card Continued Reference Guide 1 5 Introduction ProtectTools Password Basic User Key password Also known as Embedded Security password Set in this ProtectTools Module Embedded Security Function When enabled as the BIOS power on authentication support password protects access to the computer contents when computer is turned on restarted or restored from hibernation Emergency Recovery Token password Also known as Emergency Recovery Token Key password Embedded Security by IT administrator Protects access to the Emergency Recovery Token which is a backup file for the embedded security chip Owner password Embedded Security by IT administrator Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security Credential Manager logon password Credential Manager This password offers 2 options W it can be used ina separate logon to access Credential Manager after logging on to Microsoft Windows E it can be used in place of the Windows logon process allowing access to Windows and Credential Manager simultaneously Continued R
49. riveLock passwords will be generated and protected by the TPM embedded security chip The DriveLock master password is set to match the Computer Setup administrator password and the DriveLock user password is generated randomly by the TPM and protected by the TPM The option to enable Automatic DriveLock is unavailable unless The computer has a TPM security chip installed and initialized For instructions on how to enable and initialize the TPM security chip refer to Enabling the Embedded Security Chip and Initializing the Embedded Security Chip in Chapter 3 Embedded Security for ProtectTools No DriveLock passwords have already been enabled Q If you have already manually set DriveLock passwords on your computer you must first disable them before you can set Automatic DriveLock protection To enable or disable Automatic DriveLock protection 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration Enter your Computer Setup administrator password at the BIOS administrator password prompt and then click OK Select Security 4 Click Advanced Under Embedded Security select the Enable Automatic DriveLock Protection check box To disable power on authentication for Embedded Security clear this check box Click Apply and then click OK in the ProtectTools window to save your changes 4 6 Reference Guide BIOS Configuration for Prote
50. rt Card Security for ProtectTools General Tasks Updating BIOS Smart Card Settings To require a smart card PIN when you restart the computer 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security 2 Click the plus sign to expand the Smart Card Security menu and then select BIOS 3 Under Smart Card BIOS Password Properties click Settings 4 Select the check box to require a PIN at reboot Q To eliminate this requirement clear the check box 5 Enter the smart card PIN and click OK Selecting the Smart Card Reader Ensure that the correct smart card reader is selected in Smart Card Security before using the smart card If the correct reader is not selected in Smart Card Security some of the features may be unavailable or incorrectly displayed To select the smart card reader 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security 2 Select the plus sign to expand the Smart Card Security menu and then select General 3 Under Smart Card Reader select the correct reader 4 Insert the smart card into the reader The reader information is automatically refreshed 2 10 Reference Guide Smart Card Security for ProtectTools Changing the Smart Card PIN To change the smart card PIN 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security 2 Select the plus sign
51. rt the new administrator smart card and follow the on screen instructions The instructions vary and may include the following tasks T Initializing the smart card Refer to Initializing the Smart Card for detailed instructions T Setting the smart card administrator password Refer to Storing the Administrator or User Card Password for detailed instructions T Creating a recovery file Refer to Creating a Recovery File for detailed instructions 2 4 Reference Guide Smart Card Security for ProtectTools Disabling Smart Card BIOS Security Mode When disabling smart card BIOS security mode the smart card administrator and user passwords are disabled and the use of the smart card is no longer needed to access the computer zB If smart card BIOS security mode has previously been enabled the button on the Smart Card Security BIOS page changes to Disable To disable smart card security 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security 2 Select the plus sign to expand the Smart Card Security menu and then select BIOS 3 Under BIOS Security Mode click Disable 4 Insert the card containing the current smart card administrator password and then click Next 5 Enter the smart card PIN at the prompt and click Finish Reference Guide 2 5 Smart Card Security for ProtectTools Changing the Smart Card Administrator Password Th
52. setting 2 4 BIOS administrator password changing 4 13 definition 1 4 setting 4 13 Index BIOS Configuration for ProtectTools 4 1 BIOS smart card security 2 3 BIOS user card password definition 1 5 setting and changing 2 7 boot options 4 2 C command line 4 7 Computer Setup administrator password changing 4 13 definition 1 4 setting 4 13 Credential Manager account 5 4 logon password 1 6 logon wizard 5 3 recovery file password 1 7 Credential Manager for ProtectTools 5 1 D default user 5 14 device options 4 3 Reference Guide Index 1 Index disabling Automatic DriveLock 4 6 device options 4 3 embedded security 3 11 power on authentication 4 4 smart card authentication 4 4 smart card BIOS security 2 5 stringent security 4 14 DriveLock passwords 1 4 E Embedded Security for ProtectTools 3 1 emergency recovery 3 3 emergency recovery token password definition 1 6 setting 3 3 enabling Automatic DriveLock 4 6 device options 4 3 embedded security 3 11 power on authentication 4 4 smart card authentication 4 4 smart card BIOS security 2 3 stringent security 4 14 TPM chip 3 2 encrypting files and folders 3 6 F F10 Setup password 1 4 fingerprints 5 5 l identity 5 9 initializing embedded security chip 3 3 smart card 2 2 L locking workstation 5 11 M managing identity 5 9 profiles 4 7 My Identity 5 9 network account 5 13 0 owner
53. sures that if you lose your encryption certificates and private keys you will be able to use a recovery agent to decrypt your data 3 6 Reference Guide Embedded Security for ProtectTools To encrypt files and folders 1 Right click the file or folder that you want to encrypt 2 Click Encrypt 3 Click one of the following options d Apply changes to this folder only Q Apply changes to this folder subfolders and files 4 Click OK Sending and Receiving Encrypted E mail Embedded Security enables you to send and receive encrypted e mail but the procedures vary depending upon the program you use to access your e mail For more information refer to the Embedded Security online Help and the online Help for your e mail Changing the Basic User Key Password To change the Basic User Key password 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Embedded Security gt User Settings 2 Under Basic User Key password click Change 3 Type the old password and then set and confirm the new password 4 Click OK Reference Guide 3 7 Embedded Security for ProtectTools Advanced Tasks Backing Up and Restoring The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emergency Creating a Backup File To create a backup file 1 Select Start gt All Programs gt HP ProtectTools Security Manager g
54. t Embedded Security gt Backup 2 Select Backup 3 Click Browse to choose the location where the backup file will be saved 4 Select whether to add the emergency recovery archive to the backup data 5 Click Next 6 Click Finish 3 8 Reference Guide Embedded Security for ProtectTools Restoring Certification Data from the Backup File To restore data from the backup file 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Embedded Security gt Backup 2 Click Restore 3 Click Browse to select the backup file from the stored location 4 Click Next 5 Select whether to start the Embedded Security User Initialization Wizard 1 If you choose to start the initialization wizard click Finish and then follow the on screen instructions to complete the initialization For more information refer to Setting Up the Basic User Account earlier in this chapter Q If you choose not to start the initialization wizard click Finish Reference Guide 3 9 Embedded Security for ProtectTools Changing the Owner Password To change the owner password 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Embedded Security gt Advanced 2 Under Owner Password click Change 3 Type the old owner password and then set and confirm the new owner password 4 Click OK Enabling and Disabling Embedded Security It is possible to disable th
55. the owner tasks such as handling the emergency recovery archive and configuring user access settings Follow the steps in the following 2 sections to enable and initialize the embedded security chip Enabling the Embedded Security Chip The embedded security chip must be enabled in the Computer Setup utility This procedure cannot be performed in BIOS Configuration for ProtectTools To enable the embedded security chip 1 Open Computer Setup by turning on or restarting the computer and then pressing f10 while the F10 ROM Based Setup message is displayed in the lower left corner of the screen 2 If you have not set an administrator password use the arrow keys to select Security gt Administrator password and then press enter 3 Type your password in the New password and Verify new password boxes and then press f10 3 2 Reference Guide Embedded Security for ProtectTools In the Security menu use the arrow keys to select Embedded Security and then press enter Under Embedded Security select Embedded security device state and change to Enable Press f10 to accept the changes to the Embedded Security configuration To save your preferences and exit Computer Setup use the arrow keys to select File gt Save Changes and Exit Then follow the instructions on the screen Initializing the Embedded Security Chip In the initialization process for Embedded Security you will Set
56. then click Finish 7 Click Yes at the confirmation dialog box Removing an Identity from the System You can delete your identity entirely from Credential Manager Q This does not affect the Windows user account To remove your identity from the system 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Select My Identity 3 Under I Want To click More and then click Remove My Identity from the System 4 Click Yes in the confirmation dialog box The identity is logged off and removed from the system 5 10 Reference Guide Credential Manager for ProtectTools Locking the Computer To secure your computer when you are away from your desk use the Lock Workstation feature This prevents unauthorized users from gaining access to your computer Only you and members of the administrators group on your computer can unlock it Q For added security you can configure the Lock Workstation feature to require a smart card biometric reader or token to unlock the computer For more information refer to Configuring Credential Manager Settings later in this chapter To lock the computer 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Credential Manager 2 Click My Identity 3 Under I Want To click More and then click Lock Workstation The Windows logon screen is displayed You must use a Windows password or the Crede
57. thority For instructions on configuring your e mail and obtaining a digital certificate refer to the e mail client online Help 8 If more than one encryption certificate exists select the appropriate certificate and then click Next 9 Select the drive letter and label for your PSD and then click Next 10 Select the size and location of the PSD and then click Next 11 Click Next on the Summary page 12 Click Finish Reference Guide 3 5 Embedded Security for ProtectTools General Tasks After the basic user account is set up you can perform the following tasks Encrypting files and folders Sending and receiving encrypted e mail Using the Personal Secure Drive After setting up the PSD you are prompted to enter the Basic User Key password at the next logon If the Basic User Key password is entered correctly you can access the PSD directly from Windows Explorer Encrypting Files and Folders When working with encrypted files in Windows XP Professional consider the following rules Only files and folders on NTFS partitions can be encrypted Files and folders on FAT partitions cannot be encrypted System files and compressed files cannot be encrypted and encrypted files cannot be compressed Temporary folders should be encrypted because they are potentially of interest to hackers A recovery policy is automatically set up when you encrypt a file or folder for the first time This policy en
58. ty mode in Smart Card Security Refer to Enabling Smart Card BIOS Security Mode and Setting the Smart Card Administrator Password later in this chapter 3 Set the smart card administrator password The smart card administrator password is set as part of the process of enabling smart card BIOS security mode The smart card administrator password is not the same as the Computer Setup administrator password The smart card administrator password links the smart card to the computer for identification purposes and also allows you to do the following E Enable or disable Computer Setup passwords HM Create new administrator and user smart cards E Create a recovery file to restore either a user or administrator smart card The smart card administrator password cannot be set until smart card BIOS security mode is enabled in Smart Card Security Reference Guide 2 3 Smart Card Security for ProtectTools Enabling Smart Card BIOS Security Mode and Setting the Smart Card Administrator Password To enable smart card BIOS security mode and set the smart card administrator password 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt Smart Card Security Select the plus sign to expand the Smart Card Security menu and then select BIOS Under BIOS Security Mode click Enable 4 Click Next Enter the Computer Setup administrator password at the prompt and click Next Inse
59. undo a password setting without supplying the previous password The power on password can protect your notebook from unauthorized use Q After you have set a power on password the Set button on the Passwords page is replaced by a Change button The Computer Setup administrator password protects the configuration settings and system identification information in Computer Setup After this password is set it must be entered to access Computer Setup If you have set an administrator password you will be prompted for the password before opening the BIOS Configuration portion of ProtectTools Q After you have set an administrator password the Set button on the Passwords page is replaced by a Change button Reference Guide 4 11 BIOS Configuration for ProtectTools Setting the Power On Password To set the power on password 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration 2 Select Passwords 3 Under Power On Password select Set 4 Type and confirm the password in the Enter Password and Verify Password boxes 5 Click OK in the Passwords dialog box 6 Click Apply and then click OK in the ProtectTools window to save your changes Changing the Power On Password To change the power on password 1 nA BW N ON Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration Select Passw
60. y User Initialization Wizard check box and then click Finish The Embedded Security User Initialization Wizard opens Refer to the instructions in the next section for more details Setting Up the Basic User Account Setting up a basic user account in Embedded Security B Produces a Basic User Key that protects encrypted data and sets a Basic User Key password to protect the Basic User Key Sets up a personal secure drive PSD for storing encrypted files and folders CAUTION Safeguard the Basic User Key password Encrypted data cannot be accessed or recovered without this password To set up a basic user account and enable the user security features 1 If the Embedded Security User Initialization Wizard is not open select Start gt All Programs gt HP ProtectTools Security Manager Embedded Security User Settings 2 Under Embedded Security Features click Configure The Embedded Security User Initialization Wizard opens 3 Click Next 3 4 Reference Guide Embedded Security for ProtectTools 4 Set and confirm the Basic User Key password and then click Next 5 Click Next to confirm settings 6 Select the security features you want and then click Next 7 Click Next again Q To use secure e mail you must first configure the e mail client to use a digital certificate that is created with Embedded Security If a digital certificate is not available you must obtain one from a certification au
61. your Computer Setup administrator password at the BIOS administrator password prompt and then click OK Select Security 4 Click Advanced Under Smart Card Security select the Enable Smart Card Power on Authentication Support check box To disable smart card power on authentication clear this check box Click Apply and then click OK in the ProtectTools window to save your changes 4 4 Reference Guide BIOS Configuration for ProtectTools Enabling and Disabling Power on Authentication Support for Embedded Security Enabling this option allows the system to use the TPM embedded security chip if available for user authentication when you turn on the computer To enable power on authentication support for embedded security 1 Select Start gt All Programs gt HP ProtectTools Security Manager gt BIOS Configuration Enter your Computer Setup administrator password at the BIOS administrator password prompt and then click OK Select Security 4 Click Advanced Under Embedded Security select the Enable Power on Authentication Support check box To disable power on authentication for embedded security clear this check box Click Apply and then click OK in the ProtectTools window to save your changes Reference Guide 4 5 BIOS Configuration for ProtectTools Enabling and Disabling Automatic DriveLock Hard Drive Protection When this option is enabled the D
Download Pdf Manuals
Related Search