Manual
Table Of Contents
- Preface
- Chapter 1. Overview
- Chapter 2. Installation
- Chapter 3. Working with Client Security Solution
- Chapter 4. Working with ThinkVantage Fingerprint Software
- Chapter 5. Working with Lenovo Fingerprint Software
- Chapter 6. Best Practices
- Deployment examples for installing Client Security Solution
- Switching Client Security Solution modes
- Corporate Active Directory rollout
- Standalone Install for CD or script files
- System Update
- System Migration Assistant
- Generating a certificate using key generation in the TPM
- Using USB fingerprint keyboards with 2008 ThinkPad notebook computer models (R400/R500/T400/T500/W500/X200/X301)
- Appendix A. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models
- Appendix B. Synchronizing password in Client Security Solution after the Windows password is reset
- Appendix C. Using Client Security Solution on a reinstalled Windows operating system
- Appendix D. Using the TPM on ThinkPad notebook computers
- Appendix E. Notices
- Glossary
Chapter3.WorkingwithClientSecuritySolution
BeforeyouinstallClientSecuritySolution,youshouldunderstandthecustomizationavailableforClient
SecuritySolution.ThischapterprovidescustomizationinformationaboutClientSecuritySolution,aswellas
informationregardingtheTrustedPlatformModule.ThetermsusedinthischapterreferencingtheTrusted
PlatformModulearedenedbytheTrustedComputingGroup(TCG).FormoreinformationabouttheTrusted
PlatformModulerefertothefollowingWebsite:
http://www.trustedcomputinggroup.org/
UsingtheTrustedPlatformModule
TheTrustedPlatformModuleisanembeddedsecuritychipdesignedtoprovidesecurity-relatedfunctions
forthesoftwareutilizingit.Theembeddedsecuritychipisinstalledonthemotherboardofasystemand
communicatesthroughahardwarebus.SystemsthatincorporateaTrustedPlatformModulecancreate
cryptographickeysandencryptthemsothattheycanonlybedecryptedbythesameTrustedPlatform
Module.Thisprocessisoftencalledwrappingakey,andhelpsprotectthekeyfromdisclosure.Onasystem
withaTrustedPlatformModule,themasterwrappingkey,calledtheStorageRootKey(SRK),isstoredwithin
theTrustedPlatformModuleitself,sotheprivateportionofthekeyisneverexposed.Theembeddedsecurity
chipcanalsostoreotherstoragekeys,signingkeys,passwords,andothersmallunitsofdata.Becauseof
thelimitedstoragecapacityintheTrustedPlatformModule,theSRKisusedtoencryptotherkeysforoff-chip
storage.TheSRKneverleavestheembeddedsecuritychip,andformsthebasisforprotectedstorage.
UsingtheembeddedsecuritychipisoptionalandrequiresaClientSecuritySolutionadministrator.Whether
forindividualuseroracorporateITdepartment,theTrustedPlatformModulemustbeinitialized.Subsequent
operations,suchastheabilitytorecoverfromaharddrivefailureorreplacedsystemboard,arealso
restrictedtotheClientSecuritySolutionadministrator.
Note:Ifyouarechangingtheauthenticationmodeandattempttounlockthesecuritychip,youmustlog
outandthenlogbackinasthemasteradministrator.Thiswillenableyoutounlockthechip.Youcanalso
logonasasecondaryuserandcontinuetoconverttheauthenticationmode.Thisisdoneautomatically
whenthesecondaryuserlogson.ClientSecuritySolutionwillpromptforthesecondaryuserpassword
orpassphrase.OnceClientSecuritySolutionisdoneprocessingthechange,thesecondaryusercan
proceedwithunlockingthechip.
UsingtheTrustedPlatformModulewithWindows7
IftheWindows7logonisenabledandtheTrustedPlatformModuleisdisabled,youmustdisablethe
WindowslogonfeaturebeforedisablingtheTrustedPlatformModuleinF1BIOS.Doingthiswillprevent
asecuritymessagethatstates:Securitychiphasbeendeactivated,thelogonprocesscannotbe
protected.
Inaddition,ifyouareupgradingtheoperatingsystemofaclientsystem,youmustclearthesecuritychipto
avoidenrollmentfailureofClientSecurity.ToclearthechipinF1BIOS,thesystemmustbestartedfroma
coldboot.Youwillnotbeabletoclearthechipifyouattemptthisprocessafterawarmreboot.
ManagingClientSecuritySolutionwithcryptographickeys
ClientSecuritySolutionisdescribedbythetwomaindeploymentactivities;TakeOwnershipandEnroll
User.WhilerunningtheClientSecuritySolutionSetupWizardforthersttime,theTakeOwnershipand
EnrollUserprocessesarebothperformedduringtheinitialization.TheparticularWindowsuserIDthat
completedtheClientSecuritySolutionSetupWizardistheClientSecuritySolutionAdministratorandis
©CopyrightLenovo2008,2011
19