HP ProtectTools Security Manager Guide HP Compaq Business Desktops
© Copyright 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Microsoft and Windows are trademarks of Microsoft Corporation in the U.S. and other countries. Intel and SpeedStep are trademarks of Intel Corporation in the U.S. and other countries. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.
About This Book

This guide provides instructions for configuring and using HP ProtectTools Security Manager.

WARNING! Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life.

CAUTION Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information.

NOTE Text set off in this manner provides important supplemental information.
Table of contents

1 Introduction
    HP ProtectTools Security Manager 1
    Accessing the ProtectTools Security Manager 1
    Understanding Security Roles 2
    Managing ProtectTools Passwords

6 Third-Party Solutions

7 HP Client Manager for Remote Deployment
    Background 21
    Initialization 21
    Maintenance
1 Introduction

HP ProtectTools Security Manager

ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.
Understanding Security Roles

In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.

NOTE In a small organization or for individual use, these roles may all be held by the same person.
Table 1-1 Password Management (continued)

(continued from the previous entry) ... next Embedded Security Basic User Key is initialized. The Embedded Security TPM chip protects the password for Power-On Authentication.

Java Card administrator password
    Set in: Java Card Security, by IT administrator
    Function: Allows a computer administrator to enable or disable Computer Setup passwords, generate a new administrator card, and create recovery files to restore user or administrator cards.
    NOTE Also known as BIOS administrator card password.

Windows logon password
    Set in: Windows Control Panel
    Function: Can be used in manual logon or saved on the Java Card.

Backup scheduler password
    Set in: Embedded Security, by IT administrator
    Function: Sets the backup scheduler for Embedded Security.
    NOTE A Windows user password is used to configure the backup scheduler for Embedded Security.

(password name not recovered)
    Set in: Embedded Security, by IT administrator
    Function: Password used for the encryption key from other certificates, if imported.
Multifactor Authentication

Credential Manager Logon

Credential Manager Logon enables multifactor authentication technology to log on to the Windows operating system. This raises the security of the standard Windows password logon by requiring strong multifactor authentication. It also makes the everyday logon more convenient by eliminating the need to remember user passwords.
Advanced Tasks

Managing ProtectTools Settings

Some of the features of ProtectTools Security Manager can be managed in BIOS Configuration.

Enabling and Disabling Java Card Power-On Authentication Support

If this option is available, enabling it allows you to use the Java Card for user authentication when you turn on the computer.

NOTE To fully enable the Power-On Authentication feature, you must also configure the Java Card using the Java Card Security for ProtectTools module.
Managing Computer Setup Passwords

You can use BIOS Configuration to set and change the power-on and setup passwords in Computer Setup, and also to manage various password settings.

CAUTION The passwords you set through the Passwords page in BIOS Configuration are saved immediately upon clicking the Apply or OK button in the ProtectTools window. Make sure you remember what password you have set, because you will not be able to undo a password setting without supplying the previous password.
6. Click OK in the Passwords dialog box.
7. Click Apply, and then click OK in the ProtectTools window to save your changes.

System Setup

1. Initialize HP ProtectTools Embedded Security.
2. Initialize the Basic User Key. HP Power-On Authentication Support starts as soon as the Basic User Key is set and the Basic User password is set for Power-On. After the next reboot, HP ProtectTools Power-On Authentication Support is initialized and the Basic User password must be used to start the computer.

4. Create, or log on to, the target Microsoft Windows user.
5. Open Embedded Security and initialize a Basic User Key for the new Windows user account. If a Basic User Key already exists, change the Basic User password to take ownership of Power-On Authentication. Power-On Authentication now accepts only the new user's Basic User password.

CAUTION Many products are available to the customer that protect data through software encryption, hardware encryption and hardware.
Dictionary Attack Behavior with Power-On Authentication

A dictionary attack is a method of breaking into a security system by systematically trying candidate passwords until one is accepted. A dictionary attack against Embedded Security could try to recover the Owner password, the Basic User password, or password-protected keys. Embedded Security offers an enhanced Dictionary Attack Defense.
2 HP BIOS Configuration for ProtectTools

Basic Concepts

BIOS Configuration for ProtectTools provides access to the Computer Setup Utility security and configuration settings. This gives users Windows access to system security features that are managed by Computer Setup. With BIOS Configuration, you can
● Manage power-on passwords and administrator passwords.
● Configure other available Power-On Authentication features, such as enabling Java Card passwords and embedded security authentication support.
3 HP Embedded Security for ProtectTools

Basic Concepts

If available, Embedded Security for ProtectTools protects against unauthorized access to user data or credentials.
Setup Procedures

CAUTION To reduce security risk, it is highly recommended that the IT administrator immediately initialize the TPM embedded security chip. If the TPM embedded security chip is not initialized, an unauthorized user or a computer worm could gain access to the computer, or a virus could initialize the TPM embedded security chip and restrict access to the PC.
4 HP Credential Manager for ProtectTools

Basic Concepts

Credential Manager for ProtectTools has security features that provide a secure and convenient computing environment.
Logging On for the First Time

The first time you open Credential Manager, log on with your regular Windows logon password. A Credential Manager account is then automatically created with your Windows logon credentials. After logging on to Credential Manager, you can register additional credentials, such as a fingerprint or a Java Card. At the next logon, you can select the logon policy and use any combination of the registered credentials.
5 HP Java Card Security for ProtectTools

Basic Concepts

Java Card Security for ProtectTools manages the Java Card setup and configuration for computers equipped with an optional Java Card reader.
6 Third-Party Solutions

Platforms containing a TPM require both a TCG Software Stack (TSS) and embedded security software. All models provide the TSS; embedded security software must be purchased separately for some models. For those models, an NTRU TSS is provided to support customer third-party purchase of embedded security software. We recommend third-party solutions such as Wave Embassy Trust Suite.
7 HP Client Manager for Remote Deployment

Background

HP Trustworthy platforms equipped with a Trusted Platform Module (TPM) ship with the TPM deactivated (default state). Enabling the TPM is an administrative option protected by HP BIOS-enforced policies. The administrator must be present to enter BIOS configuration options (F10 options) to enable the TPM.
8 Troubleshooting

Credential Manager for ProtectTools

(Each entry lists: Short description, Details, Solution.)

Short description: Using the Credential Manager Network Accounts option, a user can select which domain account to log into. When TPM authentication is used, this option is not available.
Details: All other authentication methods work properly.
Solution: Using TPM authentication, the user is only logged into the local computer. Using the Credential Manager Single Sign On tools allows the user to authenticate other accounts.

Short description: Domain administrators cannot change the Windows password even with authorization.
Details: This happens after a domain administrator logs on to a domain and registers the domain identity with Credential Manager using an account with Administrator's rights on the domain and the local PC. When the domain administrator attempts to change the Windows password from Credential Manager, the administrator gets an error: logon failure: User account restriction.

(continued solution from a previous entry)
4. Click when Java Card/token is inserted.
5. Select the Advise to log-on checkbox.

Short description: Users lose all Credential Manager credentials protected by the TPM if the TPM module is removed or damaged.
Details: If the TPM module is removed or damaged, users lose all credentials protected by the TPM.
Solution: This is as designed.

Short description: Credential Manager not being set as primary logon in Windows 2000.
Details: During Windows 2000 install, the logon policy is set for manual or auto logon admin.

(continued from a previous entry) ... ProtectTools, or HP Client Manager.

To enable the TPM embedded security chip:
1. Open Computer Setup by turning on or restarting the computer, and then pressing F10 while the F10 = ROM Based Setup message is displayed in the lower-left corner of the screen.
2. Use the arrow keys to select Security > Setup Password. Set a password.
3. Select Embedded Security Device.
4. Use the arrow keys to select Embedded Security Device—Disable.
Embedded Security for ProtectTools

Short description: Encrypting folders, subfolders, and files on the PSD causes an error message.
Details: If the user copies files and folders to the PSD and tries to encrypt folders/files or folders/subfolders, the Error Applying Attributes message appears. The user can encrypt the same files on the C:\ drive or on an extra installed hard drive.
Solution: This is as designed.

Short description: Cannot Take Ownership With Another OS In MultiBoot Platform.

(continued from a previous entry) ... encryption/decryption and scan times. ... If the user does not enter a password, the Basic User password prompt times out, allowing NAV2005 to continue with the scan.

Short description: Encrypting files using HP ProtectTools Embedded Security EFS takes longer when Symantec Antivirus or Norton Antivirus is running.
Solution: To reduce the time required to encrypt/decrypt data using HP ProtectTools Embedded Security EFS, the user should disable Auto-Protect on Symantec Antivirus or Norton Antivirus.

(continued from a previous entry) ... the system becomes active after Standby status ... Basic User password. If the user does not enter the password and the system goes into Standby, the password dialog box is no longer available when the user resumes. The user has to log off and back on to view the PSD password box again.

Short description: No password required to change the Security Platform Policies.
Details: Access to Security Platform Policies.
Solution: This is by design.

(continued from a previous entry) ... until the Admin tool is closed. If the user clicks No in that dialog box, then the Admin tool does not open at all and the uninstall proceeds.

Short description: Intermittent system lockup occurs after creating a PSD on 2 user accounts and using fast-user-switching in 128-MB system configurations.
Details: The system may lock up with a black screen and non-responding keyboard and mouse instead of showing the welcome (logon) screen when using fast-user-switching with minimal RAM.

(continued from a previous entry) ... asks the user if the system can automate the logon to Infineon TPM User Authentication. If the user selects Yes, then the location of SPEmRecToken automatically appears in the text box. Even though this location is correct, the following error message is displayed: No Emergency Recovery Token is provided. Select the token location the Emergency Recovery Token should be retrieved from.

Short description: Multiple User PSDs do not function in a fast-user-switching environment.

Short description: Resetting the System ROM to default hides the TPM.
Details: Resetting the system ROM to default hides the TPM from Windows. This does not allow the security software to operate properly and makes TPM-encrypted data inaccessible.
Solution: Unhide the TPM in BIOS.

Details: When an administrator sets up Automatic Backup in Embedded Security, it creates an entry in Windows > Tasks > Scheduled Task. This Windows Scheduled Task is set to use NT AUTHORITY\SYSTEM for rights to execute the backup.
Miscellaneous

(Each entry lists: Software Impacted, Short description, Details, Solution.)

Software Impacted: HP ProtectTools Security Manager
Short description: Warning received: The security application can not be installed until the HP ProtectTools Security Manager is installed.
Details: All security applications such as Embedded Security, Java Card, and biometrics are extendable plug-ins for the HP Security Manager interface. Security Manager must be installed before an HP-approved security plug-in can be loaded.

(continued from a previous entry) ... an error is returned when closing the Security Manager interface. ... the upper right of the screen to close Security Manager before all plug-in applications have finished loading. ... Manager. Since PTHOST.exe is the shell housing the other applications (plug-ins), it depends on the ability of the plug-in to complete its load time (services). Closing the shell before the plug-in has had time to complete loading is the root cause.

(continued from a previous entry) ... changing the Owner password in Embedded Security Windows software.
Glossary

Advanced Encryption Standard (AES)
    A symmetric 128-bit block data encryption technique.

Application Programming Interface (API)
    A series of internal operating system functions that applications can use to perform various tasks.

Authentication
    Process of verifying whether a user is authorized to perform a task, for example, accessing a computer, modifying settings for a particular program, or viewing secured data.

Biometric
    user.

Identity
    In the ProtectTools Credential Manager, a group of credentials and settings that is handled like an account or profile for a particular user.

Java Card
    Small piece of hardware, similar in size and shape to a credit card, which stores identifying information about the owner. Used to authenticate the owner to a computer.

Java Card administrator password
    Password that links an administrator Java Card with the computer in Computer Setup for identification at startup or restart.

Trusted Platform Module (TPM) embedded security chip (some models only)
    Integrated security chip that can protect highly sensitive user information from malicious attackers. It is the root of trust in a given platform. The TPM provides cryptographic algorithms and operations that meet the Trusted Computing Group (TCG) specifications. TPM hardware and software enhance the security of EFS and the Personal Secure Drive by protecting the keys used by EFS and the Personal Secure Drive.