Manual
Table Of Contents
- Preface
- Chapter 1. Overview
- Chapter 2. Installation
- Chapter 3. Working with Client Security Solution
- Chapter 4. Working with ThinkVantage Fingerprint Software
- Chapter 5. Working with Lenovo Fingerprint Software
- Chapter 6. Best Practices
- Deployment examples for installing Client Security Solution
- Switching Client Security Solution modes
- Corporate Active Directory rollout
- Standalone Install for CD or script files
- System Update
- System Migration Assistant
- Generating a certificate using key generation in the TPM
- Using USB fingerprint keyboards with 2008 ThinkPad notebook computer models (R400/R500/T400/T500/W500/X200/X301)
- Appendix A. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models
- Appendix B. Synchronizing password in Client Security Solution after the Windows password is reset
- Appendix C. Using Client Security Solution on a reinstalled Windows operating system
- Appendix D. Using the TPM on ThinkPad notebook computers
- Appendix E. Notices
- Glossary

enrolled as an active user. Every other user that logs into the system will be automatically requested to enroll into Client Security Solution.
• Take Ownership
A single Windows administrator user ID is assigned as the sole Client Security Solution Administrator for the system. Client Security Solution administrative functions must be performed through this user ID. The Trusted Platform Module authorization is either this user's Windows password or Client Security passphrase.
Note: The only way to recover from a forgotten Client Security Solution Administrator's password or passphrase is to either uninstall the software with valid Windows permissions or to clear the security chip in BIOS. Either way, the data protected through the keys associated with the Trusted Platform Module will be lost. Client Security Solution also provides an optional mechanism that allows self-recovery of a forgotten password or passphrase based on a question and answer challenge response. The Client Security Solution Administrator makes the decision whether to use the feature or not.
• Enroll User
Once the Take Ownership process is completed and a Client Security Solution Administrator is created, a User Base Key can be created to securely store credentials for the currently logged on Windows user. This design allows for multiple users to enroll into Client Security Solution and leverage the single Trusted Platform Module. User keys are protected through the security chip, but actually stored off the chip on the hard drive. This design makes hard drive space the limiting storage factor instead of the actual memory built into the security chip. The number of users that can leverage the same secure hardware is vastly increased.
Take Ownership
The root of trust for Client Security Solution is the System Root Key (SRK). This non-migratable asymmetric key is generated within the secure environment of the Trusted Platform Module and is never exposed to the system. The authorization to leverage the key is derived through the Windows Administrator account during the TPM_TakeOwnership command. If the system is leveraging a Client Security passphrase, then the Client Security passphrase for the Client Security Solution Administrator will be the Trusted Platform Module authorization; otherwise it will be the Client Security Solution Administrator's Windows password.
With the SRK created for the system, other key pairs can be created and stored outside of the Trusted Platform Module, but wrapped or protected by the hardware-based keys. Since the Trusted Platform Module, which includes the SRK, is hardware and hardware can be damaged, a recovery mechanism is needed to make sure damage to the system does not prevent data recovery.
In order to recover a system, a System Base Key is created. This asymmetric storage key enables the Client Security Solution Administrator to recover from a system board swap or planned migration to another system. In order to protect the System Base Key, but allow it to be accessible during normal operation or recovery, two instances of the key are created and protected by two different methods. First, the System Base Key is encrypted with an AES Symmetric Key that is derived from knowing the Client Security Solution Administrator's password or Client Security passphrase. This copy of the Client Security Solution Recovery Key is solely for the purpose of recovering from a cleared Trusted Platform Module or a system board replaced because of hardware failure.
The second instance of the Client Security Solution Recovery Key is wrapped by the SRK to import it into the key hierarchy. This double instance of the System Base Key allows the Trusted Platform Module to protect the secrets bound below it in normal usage, and allows for recovery after a failed system board through the System Base Key that is encrypted with an AES Key unlocked by the Client Security Solution Administrator password or Client Security passphrase. Next, a System Leaf Key is created. This key is created to protect system level secrets such as the AES Key.
20 Client Security Solution 8.3 Deployment Guide