Manual
Table Of Contents
- Preface
- Chapter 1. Overview
- Chapter 2. Installation
- Chapter 3. Working with Client Security Solution
- Chapter 4. Working with ThinkVantage Fingerprint Software
- Chapter 5. Working with Lenovo Fingerprint Software
- Chapter 6. Best Practices
- Deployment examples for installing Client Security Solution
- Switching Client Security Solution modes
- Corporate Active Directory rollout
- Standalone Install for CD or script files
- System Update
- System Migration Assistant
- Generating a certificate using key generation in the TPM
- Using USB fingerprint keyboards with 2008 ThinkPad notebook computer models (R400/R500/T400/T500/W500/X200/X301)
- Appendix A. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models
- Appendix B. Synchronizing password in Client Security Solution after the Windows password is reset
- Appendix C. Using Client Security Solution on a reinstalled Windows operating system
- Appendix D. Using the TPM on ThinkPad notebook computers
- Appendix E. Notices
- Glossary

The TPM emulation mode cannot be used as a secure substitute for the TPM. The TPM provides the following two key protection methods that are more secure than the TPM emulation mode.
• All keys used by the TPM are protected by a unique root-level key. The unique root-level key is created inside the TPM and cannot be seen or used outside of the TPM. In the TPM emulation mode, the root-level key is a software-based key stored on the hard disk drive.
• All private key operations are performed within the TPM, so that the private key material for any key is never exposed outside of the TPM. In the TPM emulation mode, all private key operations are performed in the software, so there is no protection of the private key material.
The TPM emulation mode is primarily for the user who is less concerned about the security and more concerned about the system logon speed.
System board swap
A system board swap implies that the old SRK to which keys were bound is no longer valid, and another SRK is needed. This can also happen if the Trusted Platform Module is cleared through the BIOS.
The Client Security Solution Administrator is required to bind the system credentials to a new SRK. The System Base Key will need to be decrypted through the System Base AES Protection Key derived from the Client Security Solution Administrator's authorization credentials.
If a Client Security Solution Administrator is a domain user ID and the password for that user ID was changed on a different machine, the password that was last used when logged on to the system needing recovery will need to be known in order to decrypt the System Base Key for recovery. For example, during deployment a Client Security Solution Administrator user ID and password will be configured; if the password for this user changes on a different machine, then the original password set during deployment will be the required authorization in order to recover the system.
Follow these steps to perform the system board swap:
1. Client Security Solution Administrator logs on to operating system.
2. Logon-executed code (cssplanarswap.exe) recognizes the security chip is disabled and requires reboot to enable. (This step can be avoided by enabling the security chip through the BIOS.)
3. System is rebooted and security chip is enabled.
4. The Client Security Solution Administrator logs on; the new Take Ownership process is completed.
5. System Base Key is decrypted using system base AES Protection Key that is derived by the Client Security Solution Administrator's authentication. System Base Key is imported to the new SRK and re-establishes the System Leaf Key and all credentials protected by it.
6. The system is now recovered.
Note: System board swap is not needed when using Emulation Mode.
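The key dependency behind step 5, as an added sketch that is not Client Security Solution code: it shows why the password last used on the machine is required and a password changed elsewhere is not accepted. Assumptions: PBKDF2 as the derivation function, an HMAC-based standard-library stand-in for AES, a symmetric stand-in for the SRK, and all function names and sample values are hypothetical.

```python
import hashlib, hmac, secrets

def derive_protection_key(password: str, salt: bytes) -> bytes:
    # Assumed KDF (PBKDF2-HMAC-SHA256); the manual does not name one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stdlib stand-in for AES: HMAC-SHA256 counter keystream.
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key: bytes, secret: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, secret)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authorization failed: wrong wrapping key")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def rebind_to_new_srk(blob, salt, admin_password, new_srk):
    # Step 5: decrypt the System Base Key, then import it under the new SRK.
    base_key = unwrap(derive_protection_key(admin_password, salt), blob)
    return wrap(new_srk, base_key)

def demo():
    # Constructed sample values; none come from a real CSS installation.
    salt, base_key = secrets.token_bytes(16), secrets.token_bytes(32)
    blob = wrap(derive_protection_key("Deploy-Pass-1", salt), base_key)
    new_srk = secrets.token_bytes(32)  # symmetric stand-in for the TPM's SRK
    try:  # password later changed on a different machine
        rebind_to_new_srk(blob, salt, "Changed-Elsewhere-2", new_srk)
        changed_password_works = True
    except ValueError:
        changed_password_works = False
    rebound = rebind_to_new_srk(blob, salt, "Deploy-Pass-1", new_srk)
    return changed_password_works, unwrap(new_srk, rebound) == base_key

if __name__ == "__main__":
    print(demo())
```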
Chapter 3. Working with Client Security Solution 23