HP ProtectTools User Guide
© Copyright 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Microsoft, Windows, and Windows Vista are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
About This Book
This guide provides basic information for upgrading this computer model.
WARNING! Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life.
CAUTION: Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information.
NOTE: Text set off in this manner provides important supplemental information.
Table of contents
1 Introduction to security
    HP ProtectTools features
    Accessing HP ProtectTools Security
    Achieving key security objectives
    Protecting against targeted theft
    Settings
3 Credential Manager for HP ProtectTools
    Setup procedures
    Logging on to Credential Manager
    Using the Credential Manager Logon Wizard
    General tasks
    Activating Drive Encryption
    Deactivating Drive Encryption
    Logging in after Drive Encryption is activated
6 File Sanitizer for HP ProtectTools
    Setup procedures
    Opening File Sanitizer
    Setting a free space bleaching schedule
    Selecting or creating a shred profile
    Power
    Advanced
9 Embedded Security for HP ProtectTools
    Setup procedures
1 Introduction to security
HP ProtectTools Security Manager for Administrators software provides security features that help protect against unauthorized access to the computer, networks, and critical data.
HP ProtectTools features
The following table details the key features of HP ProtectTools modules:
Module: HP ProtectTools Security Manager for Administrators
Key features:
● The Security Manager setup wizard is used by administrators to set up and configure levels of security and security logon methods.
● Users can also use the setup wizard to configure their logon methods.
● Administrator tools are used to add and remove ProtectTools users and view user status.
Module: BIOS Configuration for HP ProtectTools
Key features:
● BIOS Configuration provides access to power-on user and administrator password management.
● BIOS Configuration provides an alternative to the pre-boot BIOS configuration utility known as Computer Setup.
Accessing HP ProtectTools Security
To access HP ProtectTools Security Manager for Administrators from Windows® Control Panel:
▲ In Windows Vista®, click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.
– or –
In Windows XP, click Start, click All Programs, and then click HP ProtectTools Security Manager.
NOTE: If you are not an HP ProtectTools administrator, you can run HP ProtectTools in nonadministrator mode to view information, but you cannot make changes.
Protecting against targeted theft
An example of this type of incident would be the targeted theft of a computer or its confidential data and customer information. This can easily occur in open office environments or in unsecured areas. The following features help protect the data if the computer is stolen:
● The pre-boot authentication feature, if enabled, helps prevent access to the operating system.
information such as patient records or personal financial records. The following features help prevent unauthorized access:
● The pre-boot authentication feature, if enabled, helps prevent access to the operating system.
Additional security elements
Assigning security roles
In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.
NOTE: In a small organization or for individual use, these roles may all be held by the same person.
HP ProtectTools password: Owner password
Set in this HP ProtectTools module: Embedded Security, by IT administrator
Function: Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.

HP ProtectTools password: Java™ Card PIN
Set in this HP ProtectTools module: Java Card Security
Function: Protects access to the Java Card contents and authenticates users of the Java Card. When used for power-on authentication, the Java Card PIN also protects access to the Computer Setup utility and to the computer contents.
Creating a secure password
When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:
● Use passwords with more than 6 characters, preferably more than 8.
● Mix the case of letters throughout your password.
● Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
2 HP ProtectTools Security Manager for Administrators
About HP ProtectTools Security Manager for Administrators
HP ProtectTools Security Manager for Administrators provides security features that help protect against unauthorized access to the computer, networks, and critical data. Security Manager is extensible and can therefore grow to handle new threats as they emerge and offer new technologies as they become available.
Getting Started - Configuring HP ProtectTools Security Manager for Administrators
The Getting Started setup wizard allows a Windows administrator to establish and/or update levels of security and security login methods. Users also use the setup wizard to configure their security logon methods.
NOTE: The Windows administrator can run the setup wizard whenever he or she wants to change the levels of security or security login methods.
5. One or more of the following pages will be displayed, depending on the levels of security you chose in step 4.
● Protect your Windows account - The Windows password is required because Security Manager must synchronize the password for each level of security. Enter and confirm a Windows password, or enter your password if one has already been established, and then click Next.
8. 9. Depending on the security login method(s) you chose in step 6, one or more of the following pages will be displayed. Follow the on-screen instructions, and then click Next.
7. On the “Set Security Login Methods” page, click Next.
8. On the “Review and Enable Security Settings” page, click Enable.
9. Depending on the security login methods set by the administrator, one or both of the following pages will be displayed. Follow the on-screen instructions, and then click Next.
Administrator Tools - Managing users (administrator task)
Windows administrators can add and remove HP ProtectTools users and view user status using the Administrator Tools feature. In Administrator Tools, the Administrator and User tabs show the selected security login methods and whether a user can choose to use any one of them or must use all of them. If you want to change levels of security or security login methods, you must run the setup wizard to make those changes.
4. Select the Administrator or User tab.
5. Click the user name for the account you want to remove, and then click Remove.
NOTE: You cannot remove an administrator if there is only one administrator listed in the Administrator list.
6. In the confirmation dialog box, click Yes.
Checking user status
In Administrator Tools, the Administrator and User tabs show current status of each user:
● Green check mark - Indicates that the user has configured the required security login method(s).
Using the Backup wizard
1. In Security Manager, click Backup and Restore, and then click Backup Options to start the Backup wizard.
2. Clear the Show Welcome Screen check box if you want to bypass the “Welcome” page the next time the Backup wizard is run.
3. Click Next. The “Security Modules” page opens.
4. Refer to the following subsections to continue.
Security Modules
To select modules to back up, follow these steps:
1.
3. Click Remember all passwords and authentication values to configure the system to securely cache (save) passwords, which enables unattended backups. Enabling this feature also caches any authentication values entered in Security Modules.
4. Click Backup Now to start the backup, or click Next to save the backup configuration without performing a backup at this time. If you choose to start the backup, the “Backup Complete” page opens at the end of the operation.
To select modules to restore:
1. Select the check box at the beginning of each row to add the associated module to the restore list. Click the Select All or Clear All buttons to quickly add or remove modules from the restore list. Note that the Status column for the module must display “Ready” or “Needs Authentication” before you can select it.
NOTE: The check box is unavailable if the module is not ready.
3 Credential Manager for HP ProtectTools
Credential Manager for HP ProtectTools protects against unauthorized access to your computer using the following security features:
● Alternatives to passwords when logging on to Windows, such as using a Java Card or biometric reader to log on to Windows. For additional information, refer to Registering credentials on page 21.
● Single Sign On feature that automatically remembers credentials for Web sites, applications, and protected network resources.
Using the Credential Manager Logon Wizard To log on to Credential Manager using the Credential Manager Logon Wizard, use the following steps: 1. 2.
Registering a Smart Card or Token
A smart card is a plastic card about the size of a credit card with an embedded microchip that can be loaded with information. Smart cards provide protection of information and authentication for individual users. Logging on to a network with a smart card can provide a strong form of authentication when it uses cryptography-based identification and proof of possession when authenticating a user to a domain. A USB token is simply a smart card in a different form factor.
General tasks
All users have access to the “My Identity” page in Credential Manager. From the “My Identity” page, you can perform the following tasks:
● Change the Windows logon password
● Change a token PIN
● Lock a workstation
NOTE: This option is available only if the Credential Manager classic logon prompt is enabled. See Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager on page 30.
3. On the Device Type dialog box, click the desired type of device, and then click Next.
4. Select the token for which you want to change the PIN, and then click Next.
5. Follow the on-screen instructions to complete the PIN change.
NOTE: If you enter the incorrect PIN for the token several times in sequence, the token gets locked out. You will be unable to use this token until you unlock it.
5. Select More, and then click Wizard Options.
a. If you want this to be the default user name the next time that you log on to the computer, select the Use last user name on next logon check box.
b. If you want this logon policy to be the default method, select the Use last policy on next logon check box.
6. Follow the on-screen instructions. If your authentication information is correct, you will be logged on to your Windows account and to Credential Manager.
Using manual (drag and drop) registration
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Services and Applications in the left pane.
2. Click Manage Applications and Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. To modify or remove a previously registered web site or application, select the desired record in the list.
4. Follow the on-screen instructions.
To export an application:
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Services and Applications in the left pane.
2. Click Manage Applications and Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. Click the application entry you want to export, and then click More.
4. Follow the on-screen instructions to complete the export.
5. Click OK.
Importing an application
1.
NOTE: You must authenticate your identity before viewing the password.
5. Follow the on-screen instructions.
6. Click OK.
Using Application Protection
This feature allows you to configure access to applications. You can restrict access based on the following criteria:
● Category of user
● Time of use
● User inactivity
Restricting access to an application
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager in the left pane, and then click Services and Applications.
Changing restriction settings for a protected application
1. Click Application Protection, and then click Manage Protected Applications.
2. Select a category of user whose access you want to manage.
NOTE: If the category is not Everyone, you may need to click Override default settings to override the settings for the Everyone category.
3. Click the application you want to change, and then click Properties. The Properties dialog box for that application opens.
4. Click the General tab.
4. Click the credential type you want to modify. You can modify the credential using one of the following choices:
● To register the credential, click Register, and then follow the on-screen instructions.
● To delete the credential, click Clear, and then click Yes in the confirmation dialog box.
● To modify the credential properties, click Properties, and then follow the on-screen instructions.
5. Click Apply, and then click OK.
NOTE: Selecting the Use Credential Manager to log on to Windows check box allows you to lock your computer. See Locking the computer (workstation) on page 24.
NOTE: The procedure above may be slightly different for Windows XP.
Example 2—Using the “Advanced Settings” page to require user verification before Single Sign On
1. In HP ProtectTools Security Manager for Administrators, click Credential Manager, and then click Settings.
2. Click the Single Sign On tab.
3.
4 Drive Encryption for HP ProtectTools
CAUTION: If you decide to uninstall the Drive Encryption module or if you are using a backup and restore solution, you must first decrypt all encrypted drives. If you do not, you will not be able to access the data on encrypted drives unless you have registered with the Drive Encryption recovery service. Reinstalling the Drive Encryption module will not enable you to access the encrypted drives.
Setup procedures
Opening Drive Encryption
1.
Advanced tasks
Managing Drive Encryption (administrator task)
The “Encryption Management” page allows Windows administrators to view and change the status of Drive Encryption (active or inactive) and to view the encryption status of all of the hard drives on the computer.
Activating a TPM-protected password
Use Embedded Security for HP ProtectTools to activate the TPM. After activation, logging in at the Drive Encryption logon screen requires the Windows user name and password.
The encryption key is saved on the storage device you selected.
5. Click OK when the confirmation dialog box opens.
Registering for online recovery
The Online Drive Encryption Key Recovery Service stores a backup copy of your encryption key, which will enable you to access your computer if you forget your password and do not have access to your local backup.
NOTE: You must be connected to the Internet and have a valid e-mail address to register and to recover your password through this service.
1.
Managing an existing online recovery account
After you create an online recovery account, you can access the SafeBoot Recovery Service Web site to recover access to your computer if you lose your password, modify your personal settings, reset the password you use for the online recovery account, and view or renew your account.
1. Open Drive Encryption, and then click Recovery.
2. Click Manage.
3. When the “SafeBoot Recovery Service” Web page opens, click Recovery Service Account or Recovery Process.
NOTE: This section describes how to perform an online recovery when you have access to a different computer with an Internet connection. If you do not have access to such a computer, contact HP technical support.
1. Turn on the computer.
2. When the Drive Encryption for HP ProtectTools logon dialog box opens, click Cancel.
3. Click Options in the lower-left corner of the screen, and then click Recovery.
4. Click Web recovery, and then click Next.
5. Record the client code, and then click Next.
6.
5 Privacy Manager for HP ProtectTools
Privacy Manager is a tool used to obtain Certificates of Authority, which verify the source, integrity, and security of communication when using Microsoft mail, Microsoft Office documents, and Live Messenger.
Setup procedures
Managing Privacy Manager Certificates
Privacy Manager Certificates protect data and messages using a cryptographic technology called public key infrastructure (PKI). PKI requires users to obtain cryptographic keys and a Privacy Manager Certificate issued by a certificate authority (CA).
6. Authenticate using your chosen security logon method.
7. If you choose to begin the Trusted Contact invitation process, follow the on-screen instructions.
– or –
If you click Cancel, refer to Managing Trusted Contacts for information on adding a Trusted Contact at a later time.
Viewing Privacy Manager Certificate details
1. Open Privacy Manager, and click Certificate Manager.
2. Click a Privacy Manager Certificate.
3. Click Certificate details.
4.
To delete a Privacy Manager Certificate:
1. Open Privacy Manager, and click Certificate Manager.
2. Click the Privacy Manager Certificate you want to delete, and then click Advanced.
3. Click Delete.
4. When the confirmation dialog box opens, click Yes.
5. Click Close, and then click Apply.
Adding Trusted Contacts
1. You send an e-mail invitation to a Trusted Contact recipient.
2. The Trusted Contact recipient responds to the e-mail.
3. You receive the e-mail response from the Trusted Contact recipient, and click Accept.
You can send Trusted Contact e-mail invitations to individual recipients or you can send the invitation to all the contacts in your Microsoft Outlook address book.
Adding Trusted Contacts using your Microsoft Outlook address book
1. Open Privacy Manager, click Trusted Contacts Manager, and then click Invite Contacts.
– or –
In Microsoft Outlook, click the down arrow next to Send Securely on the toolbar, and then click Invite All My Outlook Contacts.
2. When the “Trusted Contact Invitation” page opens, select the e-mail addresses of the recipients you want to add as Trusted Contacts, and then click Next.
3. When the “Sending Invitation” page opens, click Finish.
Checking revocation status for a Trusted Contact
1. Open Privacy Manager, and click Trusted Contacts Manager.
2. Click a Trusted Contact.
3. Click the Advanced button. The Advanced Trusted Contact Management dialog box opens.
4. Click Check Revocation.
5. Click Close.
Privacy Manager allows you to add a signature line when you sign a Microsoft Word or Microsoft Excel document:
1. In Microsoft Word or Microsoft Excel, create and save a document.
2. Click the Home menu.
3. Click the down arrow next to Sign and Encrypt, and then click Add Signature Line Before Signing.
NOTE: A check mark is displayed next to Add Signature Line Before Signing when this option is selected. By default, this option is enabled.
4.
To sign the document:
1. Double-click the appropriate signature line.
2. Authenticate using your chosen security logon method. The signature line will be shown according to the settings specified by the owner of the document.
Encrypting a Microsoft Office document
You can encrypt a Microsoft Office document for you and for your Trusted Contacts. When you encrypt a document and close it, you and the Trusted Contact(s) you select from the list must authenticate before opening it.
To send a sealed e-mail with an attached signed and/or encrypted Microsoft Office document, follow these steps:
1. In Microsoft Outlook, click New or Reply.
2. Type your e-mail message.
3. Attach the Microsoft Office document.
4. Refer to Sealing and sending an e-mail message for further instructions.
Viewing a signed Microsoft Office document
NOTE: You do not need to have a Privacy Manager Certificate in order to view a signed Microsoft Office document.
Signing and sending an e-mail message
▲ In Microsoft Outlook, click New or Reply.
▲ Type your e-mail message.
▲ Click the down arrow next to Send Securely, and then click Sign and Send.
▲ Authenticate using your chosen security logon method.
Sealing and sending an e-mail message
Sealed e-mail messages that are digitally signed and sealed (encrypted) can only be viewed by people you choose from your Trusted Contacts list.
To seal and send an e-mail message to a Trusted Contact:
1.
NOTE: In order to use Privacy Manager Chat, both parties must have Privacy Manager and a Privacy Manager Certificate installed. For details about installing a Privacy Manager Certificate, see Requesting and installing a Privacy Manager Certificate on page 5.
1. To start Privacy Manager Chat in Windows Live Messenger, perform either of the following procedures:
a. Right-click an online contact in Live Messenger, and then select Start an Activity.
b. Click Start Privacy Manager Chat.
– or –
a.
● Are you there? – Click this button to request authentication from your contact.
● Lock – Click this button to close the Privacy Manager Chat window and return to the Chat Entry window. To display the Secure Communications window again, click Resume the session, and then authenticate using your chosen security logon method.
● Send – Click this button to send an encrypted message to your contact.
● Send signed – Select this check box to electronically sign and encrypt your messages.
Revealing a session displays the decrypted Contact Screen Name for the currently selected session.
1. In the Chat History Viewer, right-click any session, and then select Reveal Session.
2. Authenticate using your chosen security logon method. The Contact Screen Names are decrypted.
3. Double-click the revealed session to view its content.
To remove columns from the display:
1. Right-click on any column heading, and then select Add/Remove Columns.
2. Select a column heading in the right panel, and then click Remove to move it to the left panel.
Filter displayed sessions
A list of sessions for all of your accounts is displayed in the Chat History Viewer.
Displaying sessions for a specific account
▲ In the Chat History Viewer, select an account from the Display history for menu.
Displaying sessions for a range of dates
1.
Advanced tasks
Migrating Privacy Manager Certificates and Trusted Contacts to a different computer
You can securely migrate your Privacy Manager Certificates and Trusted Contacts to a different computer. To do this, export them as a password-protected file to a network location or any removable storage device, and then import the file to the new computer.
6 File Sanitizer for HP ProtectTools
File Sanitizer is a tool that allows you to securely shred assets (personal information or files, historical or Web-related data, or other data components) on your computer and periodically bleach your hard drive.
NOTE: File Sanitizer currently operates only on the hard drive.
About shredding
Deleting an asset in Windows does not completely remove the contents of the asset from your hard drive. Windows only deletes the reference to the asset.
Setup procedures
Opening File Sanitizer
To open File Sanitizer:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. Click File Sanitizer.
– or –
● Double-click the File Sanitizer icon.
– or –
● Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Open File Sanitizer.
4. Under Shred the following, select the check box next to each asset that you want to confirm before shredding.
5. Click Apply, and then click OK.
Customizing a shred profile
When you create a shred profile, you specify the number of shred cycles, which assets to include for shredding, which assets to confirm before shredding, and which assets to exclude from shredding:
1. Open File Sanitizer, click Settings, click Advanced Security Settings, and then click View Details.
2.
NOTE: It is highly recommended that you run free space bleaching regularly if you use the simple delete option.
1. Open File Sanitizer, click Settings, click Simple Delete Setting, and then click View Details.
2. Select the assets you want to delete:
a. Under Available delete options, click an asset, and then click Add.
b. To add a custom asset, click Add Custom Option, enter a file name or folder name, and then click OK. Click the custom asset, and then click Add.
Setting a free space bleaching schedule
NOTE: Free space bleaching is for those assets that you delete using the Windows Recycle Bin or for manually deleted assets. Free space bleaching provides no additional security to shredded assets.
To set a free space bleaching schedule:
1. Open File Sanitizer, and click Free Space Bleaching.
2. Select the Activate Scheduler check box, enter your Windows password, and then enter a day and time to bleach your hard drive.
3. Click Apply, and then click OK.
3. Select the assets you want to shred:
a. Under Available shred options, click an asset, and then click Add.
b. To add a custom asset, click Add Custom Option, enter a file name or folder name, and then click OK. Click the custom asset, and then click Add.
NOTE: To delete an asset from the available shred options, click the asset, and then click Delete.
4. Under Shred the following, select the check box next to each asset that you want to confirm before shredding.
NOTE: Only file extensions can be excluded from deleting. For example, if you add the .BMP file extension, all files with the .BMP extension will be excluded from deletion. To remove an asset from the exclusions list, click the asset, and then click Delete.
5. When you finish configuring the simple delete profile, click Apply, and then click OK.
General tasks
Using a key sequence to initiate shredding
To specify a key sequence, follow these steps:
1. Open File Sanitizer, and click Shred.
2.
Manually shredding one asset
CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding.
1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Shred One.
2. When the Browse dialog box opens, navigate to the asset you want to shred, and then click OK.
NOTE: The asset you select can be a single file or folder.
3. When the confirmation dialog box opens, click Yes.
– or –
1.
Aborting a shred or free space bleaching operation
When a shred or free space bleaching operation is in progress, a message above the HP ProtectTools Security Manager for Administrators icon in the notification area is displayed. The message provides details on the shred or free space bleaching process (percentage complete), and gives you the option to abort the operation.
To abort the operation:
▲ Click the message, and then click Stop to cancel the operation.
7 Java Card Security for HP ProtectTools
Java Card Security for HP ProtectTools manages the Java Card setup and configuration for use with the HP Smart Card keyboard. HP's Java Card is a personal security device that protects authentication data requiring both the card and a PIN number to grant access – like using an ATM card with a PIN. The Java Card can be used to access Credential Manager, Drive Encryption, HP BIOS, or any number of third party access points.
6. Type a new PIN in the New PIN box, and then type the PIN again in the Confirm New PIN box.
7. Click OK.
Selecting the card reader
Be sure that the correct card reader is selected in Java Card Security before using the Java Card. If the correct reader is not selected, some of the features may be unavailable or incorrectly displayed. In addition, the card reader drivers must be correctly installed, as shown in Windows Device Manager.
To select the card reader:
1.
Assigning a name to a Java Card
You must assign a name to a Java Card before it can be used for power-on authentication.
To assign a name to a Java Card:
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the Java Card into the card reader.
Enabling Java Card power-on authentication and creating an administrator Java Card
To enable Java Card power-on authentication:
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the Java Card into the card reader.
Creating a user Java Card
NOTE: Power-on authentication and an administrator card must be set up in order to create a user Java Card.
To create a user Java Card:
1. Select Start > All Programs > HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert a Java Card that will be used as a user card.
4.
8 BIOS Configuration for HP ProtectTools
BIOS Configuration for HP ProtectTools provides access to the Computer Setup utility security and configuration settings, giving users Windows access to system security features that are managed by Computer Setup. The options within BIOS Configuration for HP ProtectTools are:
● File
● Storage
● Security
● Power
● Advanced
NOTE: Support for specific Computer Setup options may vary depending on the hardware configuration.
General tasks

BIOS Configuration allows you to manage various computer settings that would otherwise be accessible only by pressing F10 at startup to enter Computer Setup.

Accessing BIOS Configuration

To access BIOS Configuration:
1. Click Start, click Settings, and then click Control Panel.
2. Click HP ProtectTools Security Manager for Administrators, and then click BIOS Configuration.

You can also access BIOS Configuration from an icon in the notification area, at the far right of the taskbar.
Viewing or changing settings

To view or change configuration settings:
1. Click one of the BIOS Configuration pages.
2. Make your changes, and then click Apply to save your changes.
3. Exit and restart the computer. Your changes go into effect when the computer restarts.

NOTE: Password changes take effect immediately with no need to restart the computer.
● DriveLock Security
● System Security (some models)
● Setup Security Level

NOTE: For more information on Security options, refer to the Computer Setup (F10) Utility Guide.

Power

The Power option within BIOS Configuration for HP ProtectTools provides settings that control power management at a hardware level. Settings included are:
● OS Power Management
● Hardware Power Management
● Thermal

NOTE: For more information on Power options, refer to the Computer Setup (F10) Utility Guide.
9 Embedded Security for HP ProtectTools

NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools.

Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials.
Setup procedures

CAUTION: To reduce security risk, it is highly recommended that your IT administrator immediately initialize the embedded security chip. Failure to initialize the embedded security chip could result in an unauthorized user, a computer worm, or a virus taking ownership of the computer and gaining control over the owner tasks, such as handling the emergency recovery archive and configuring user access settings.
Initializing the embedded security chip

In the initialization process for Embedded Security, you will perform the following tasks:
● Set an owner password for the embedded security chip that protects access to all owner functions on the embedded security chip.
● Set up the emergency recovery archive, which is a protected storage area that allows reencryption of the Basic User Keys for all users.

To initialize the embedded security chip:
1.
General tasks

After the basic user account is set up, you can perform the following tasks:
● Encrypting files and folders
● Sending and receiving encrypted e-mail

Using the Personal Secure Drive

After setting up the PSD, you are prompted to type the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.
Changing the Basic User Key password

To change the Basic User Key password:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Basic User Key password, click Change.
4. Type the old password, and then set and confirm the new password.
5. Click OK.
Changing the owner password

To change the owner password:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Owner Password, click Change.
4. Type the old owner password, and then set and confirm the new owner password.
5. Click OK.
Migrating keys with the Migration Wizard

Migration is an advanced administrator task that allows the management, restoration, and transfer of keys and certificates. For details on migration, refer to the Embedded Security software Help.
10 Device Access Manager for HP ProtectTools

This security tool is available to administrators only.
Device class configuration (advanced)

More selections are available to allow specific users or groups of users to be granted or denied access to types of devices.

Adding a user or a group

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators in Windows Vista or HP ProtectTools Security Manager in Windows XP.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3.
11 Troubleshooting

Credential Manager for HP ProtectTools

Short description: Using the Credential Manager Network Accounts option, a user can select which domain account to log on to. When TPM authentication is used, this option is not available. All other authentication methods work properly.
Details: Using TPM authentication, the user is only logged on to the local computer.
Solution: Using Credential Manager Single Sign On tools allows the user to authenticate other accounts.
Windows password from Credential Manager, the administrator gets an error logon failure: User account restriction.
local PC, Credential Manager can only change the password used to log on.

Short description: Credential Manager has incompatibility issues with Corel WordPerfect 12 password GINA.
Details: If the user logs on to Credential Manager, creates a document in WordPerfect, and
Solution: HP is researching a workaround for future product enhancements.
Solution: HP is investigating resolution options for future customer software releases.

Short description: The security Restore Identity process loses association with virtual token.
Details: When user restores identity, Credential Manager can lose the association with the location of the virtual token at logon screen. Even though Credential Manager has the virtual token registered, the user must reregister the token to restore the association.
Solution: This is currently by design.
Embedded Security for HP ProtectTools

Short description: Encrypting folders, subfolders, and files on PSD causes an error message.
Details: If the user copies files and folders to the PSD and tries to encrypt folders/files or folders/subfolders, the Error Applying Attributes message is displayed. The user can encrypt the same files on the C:\ drive or an extra installed hard drive.
Solution: This is as designed.

Short description: Cannot Take Ownership With Another OS In MultiBoot Platform.
Short description Details Solution Errors occur after a power loss interrupts Embedded Security initialization.
Short description: An intermittent encrypt and decrypt error occurs: The process cannot access the file because it is being used by another process.
Details: This is an extremely intermittent error during file encryption or decryption which occurs because the file is being used by another process, even though that file or folder is not being processed by the operating system or other applications.
Short description: Secure e-mail is supported, even when secure e-mail is not specified in the User Initialization Wizard or when secure e-mail configuration is disabled in user policies.
Details: Embedded security software and the wizard do not control settings of an email client (Outlook, Outlook Express, or Netscape).
Solution: This behavior is as designed. Configuration of TPM email settings does not prohibit editing encryption settings directly in an e-mail client.
Short description Details Solution and is not accessed by another process. The user must reboot the system in order to delete the PSD and it is not loaded after reboot. An internal error is detected when the user is restoring from the Automatic Backup Archive. The security system exhibits a restore error with multiple users. In Embedded Security, if the user clicks the Restore under Backup option to restore from the automatic backup Archive and then selects SPSystemBackup.
Short description: Automatic backup does not work with the mapped drive.
Details: When an administrator sets up Automatic Backup in Embedded Security, it creates an entry in Windows > Tasks > Scheduled Task. This Windows Scheduled Task is set to use NT AUTHORITY\SYSTEM for rights to execute the backup. This works properly to any local drive.
Solution: The workaround is to change the NT AUTHORITY\SYSTEM to (computer name)\(admin name). This is the default setting if the Scheduled Task is created manually.
Device Access Manager for HP ProtectTools

Short description: Users have been denied access to devices within Device Access Manager, but the devices are still accessible.
Details: Simple Configuration and/or Device Class Configuration have been used within Device Access Manager to deny users access to devices. Despite being denied access, users can still access the devices.
Solution: Verify that the HP ProtectTools Device Locking service has started.
Miscellaneous

Software Impacted—Short description: Security Manager—Warning received: The security application can not be installed until the HP Protect Tools Security Manager is installed.
Details: All security applications such as Embedded Security, Java Card Security, and biometrics are extendable plug-ins for the Security Manager interface.
Solution: The Security Manager software must be installed before installing any security plug-in.
Software Impacted—Short description: HP ProtectTools Security Manager—Intermittently, an error is returned when closing the Security Manager interface.
Details: Intermittently (1 in 12 instances), an error is created by using the close button in the upper right of the screen to close Security Manager before all plug-in applications have finished loading.
Solution: This is related to a timing dependency on plug-in services load time when closing and restarting Security Manager. Since PTHOST.
Software Impacted—Short description: Security Power-On Authentication overlaps the BIOS Password during boot sequence.
Details: Power-On Authentication prompts the user to log on to the system using the TPM password, but, if the user presses F10 to access the BIOS, the user is granted Read rights access only.
Solution: To be able to write to BIOS, the user must type the BIOS password instead of the TPM password at the Power-On Authentication window.
Glossary

activation. The task that must be completed before any of the Drive Encryption features are accessible. Drive Encryption is activated using the HP ProtectTools Security Manager for Administrators setup wizard. Only an administrator can activate Drive Encryption. The activation process consists of activating the software, encrypting the drive, creating a user account, and creating the initial backup encryption key on a removable storage device.
administrator. See Windows administrator.
asset.
cryptography. Practice of encrypting and decrypting data so that it can be decoded only by specific individuals.
decryption. Procedure used in cryptography to convert encrypted data into plain text.
digital certificate. Electronic credentials that confirm the identity of an individual or a company by binding the identity of the digital certificate owner to a pair of electronic keys that are used to sign digital information.
digital signature.
power-on authentication. Security feature that requires some form of authentication, such as a Java Card, security chip, or password, when the computer is turned on.
Privacy Manager certificate. A digital certificate that requires authentication each time you use it for cryptographic operations, such as signing and encrypting e-mail messages and Microsoft Office documents.
Trusted Contact list. A listing of Trusted Contacts.
Trusted Contact recipient. A person who receives an invitation to become a Trusted Contact.
Trusted Contact. A person who has accepted a Trusted Contact invitation.
trusted IM communication. A communication session during which trusted messages are sent from a trusted sender to a Trusted Contact.
trusted message. a Trusted Contact.