Compaq dc5800 - Microtower PC, dc5850 - Microtower PC, 5850 - Deskjet Color Inkjet Printer, ProtectTools User Manual
HP ProtectTools
User Guide
© Copyright 2007 Hewlett-Packard
Development Company, L.P.
Microsoft and Windows are U.S. registered
trademarks of Microsoft Corporation. Intel is
a trademark or registered trademark of Intel
Corporation or its subsidiaries in the United
States and other countries. AMD, the AMD
Arrow logo, and combinations thereof are
trademarks of Advanced Micro Devices, Inc.
Bluetooth is a trademark owned by its
proprietor and used by Hewlett-Packard
Company under license. Java is a US
trademark of Sun Microsystems, Inc. SD
Logo is a trademark of its proprietor.
The information contained herein is subject
to change without notice. The only
warranties for HP products and services are
set forth in the express warranty statements
accompanying such products and services.
Nothing herein should be construed as
constituting an additional warranty. HP shall
not be liable for technical or editorial errors
or omissions contained herein.
Second Edition: October 2007
Document Part Number: 451271-002
Table of contents
1 Introduction to security
HP ProtectTools features ..................................................................................................................... 2
Accessing HP ProtectTools Security .................................................................................................... 4
Achieving key security objectives ......................................................................................................... 5
Protecting against targeted theft .......................................................................................... 5
Restricting access to sensitive data ..................................................................................... 5
Preventing unauthorized access from internal or external locations ................................... 6
Creating and using strong passwords ................................................................................. 6
Additional security elements ................................................................................................................. 7
Assigning security roles ....................................................................................................... 7
Managing HP ProtectTools passwords ................................................................................ 7
Creating a secure password ............................................................................... 8
HP ProtectTools Backup and Restore ................................................................................. 9
Backing up credentials and settings .................................................................... 9
Restoring credentials ........................................................................................ 10
Configuring settings .......................................................................................... 10
2 Credential Manager for HP ProtectTools
Setup procedures ............................................................................................................................... 12
Logging on to Credential Manager .................................................................................... 12
Using the Credential Manager Logon Wizard ................................................... 12
Logging on for the first time ............................................................................... 12
Registering credentials ...................................................................................................... 12
Registering fingerprints ..................................................................................... 12
Setting up the fingerprint reader ....................................................... 13
Using your registered fingerprint to log on to Windows .................... 13
Registering a Java Card, USB eToken, or virtual token .................................... 13
Registering a USB eToken ................................................................................ 13
Registering other credentials ............................................................................ 13
General tasks ..................................................................................................................................... 14
Creating a virtual token ...................................................................................................... 14
Changing the Windows logon password ............................................................................ 14
Changing a token PIN ........................................................................................................ 14
Managing identity ............................................................................................................... 15
Clearing an identity from the system ................................................................. 15
Locking the computer ........................................................................................................ 15
Using Windows Logon ....................................................................................................... 15
Logging on to Windows with Credential Manager ............................................. 15
Adding an account ............................................................................................ 16
Removing an account ....................................................................................... 16
Using Single Sign On ......................................................................................................... 16
Registering a new application ........................................................................... 16
Using automatic registration ............................................................. 16
iii
Using manual (drag and drop) registration ....................................... 17
Managing applications and credentials ............................................................. 17
Modifying application properties ....................................................... 17
Removing an application from Single Sign On ................................. 17
Exporting an application ................................................................... 18
Importing an application ................................................................... 18
Modifying credentials ........................................................................ 18
Using Application Protection .............................................................................................. 19
Restricting access to an application .................................................................. 19
Removing protection from an application .......................................................... 19
Changing restriction settings for a protected application .................................. 19
Advanced tasks (administrator only) .................................................................................................. 21
Specifying how users and administrators log on ............................................................... 21
Configuring custom authentication requirements .............................................................. 21
Configuring credential properties ....................................................................................... 22
Configuring Credential Manager settings .......................................................................... 22
Example 1—Using the “Advanced Settings” page to allow Windows logon
from Credential Manager .................................................................................. 23
Example 2—Using the “Advanced Settings” page to require user verification
before Single Sign On ....................................................................................... 23
3 Embedded Security for HP ProtectTools
Setup procedures ............................................................................................................................... 25
Enabling the embedded security chip ................................................................................ 25
Initializing the embedded security chip .............................................................................. 25
Setting up the basic user account ...................................................................................... 26
General tasks ..................................................................................................................................... 27
Using the Personal Secure Drive ....................................................................................... 27
Encrypting files and folders ................................................................................................ 27
Sending and receiving encrypted e-mail ............................................................................ 27
Changing the Basic User Key password ........................................................................... 27
Advanced tasks .................................................................................................................................. 28
Backing up and restoring ................................................................................................... 28
Creating a backup file ....................................................................................... 28
Restoring certification data from the backup file ............................................... 28
Changing the owner password .......................................................................................... 28
Resetting a user password ................................................................................................ 28
Enabling and disabling Embedded Security ...................................................................... 28
Permanently disabling Embedded Security ...................................................... 29
Enabling Embedded Security after permanent disable ..................................... 29
Migrating keys with the Migration Wizard .......................................................................... 29
4 Java Card Security for HP ProtectTools
General tasks ..................................................................................................................................... 31
Changing a Java Card PIN ................................................................................................ 31
Selecting the card reader ................................................................................................... 31
Advanced tasks (administrators only) ................................................................................................ 32
Assigning a Java Card PIN ................................................................................................ 32
Assigning a name to a Java Card ...................................................................................... 32
Setting power-on authentication ........................................................................................ 32
Enabling Java Card power-on authentication and creating an administrator
Java Card .......................................................................................................... 33
Creating a user Java Card ................................................................................ 33
iv
Disabling Java Card power-on authentication ................................................... 34
5 BIOS Configuration for HP ProtectTools
File ...................................................................................................................................................... 36
Storage ............................................................................................................................................... 37
Security .............................................................................................................................................. 38
Power ................................................................................................................................................. 39
Advanced ........................................................................................................................................... 40
6 Device Access Manager for HP ProtectTools
Starting background service ............................................................................................................... 42
Simple configuration ........................................................................................................................... 43
Device class configuration (advanced) ............................................................................................... 44
Adding a user or a group ................................................................................................... 44
Removing a user or a group .............................................................................................. 44
Denying access to a user or group .................................................................................... 44
Allowing access to a device class for one user of a group ................................................ 44
Allowing access to a specific device for one user of a group ............................................ 45
7 Drive Encryption for HP ProtectTools
Encryption management .................................................................................................................... 47
User management .............................................................................................................................. 48
Recovery ............................................................................................................................................ 49
8 Troubleshooting
Credential Manager for HP ProtectTools ........................................................................................... 50
Embedded Security for HP ProtectTools ............................................................................................ 53
Miscellaneous ..................................................................................................................................... 59
Glossary ............................................................................................................................................................. 61
Index ................................................................................................................................................................... 63
v
vi
1 Introduction to security
HP ProtectTools Security Manager software provides security features that help protect against
unauthorized access to the computer, networks, and critical data. Enhanced security functionality is
provided by the following software modules:
●
Credential Manager for HP ProtectTools
●
Embedded Security for HP ProtectTools
●
Java Card Security for HP ProtectTools
●
BIOS Configuration for HP ProtectTools
●
Drive Encryption for HP ProtectTools
●
Device Access Manager for HP ProtectTools
The software modules available for your computer may vary depending on your model. For example,
Embedded Security for HP ProtectTools is available only for computers on which the Trusted Platform
Module (TPM) embedded security chip is installed.
HP ProtectTools software modules may be preinstalled, preloaded, or available for download from the
HP Web site. For select HP Compaq Desktops, HP ProtectTools is available as an after market option.
Visit
http://www.hp.com for more information.
NOTE: The instructions in this guide are written with the assumption that you have already installed
the applicable HP ProtectTools software modules.
1
HP ProtectTools features
The following table details the key features of HP ProtectTools modules:
Module Key features
Credential Manager for HP ProtectTools
●
Credential Manager serves a dual role acting as a personal
password vault, providing single sign on capability, and allowing
the user to define and deploy more stringent security for user
authentication beyond a password.
●
Password storage is protected through encryption and can be
hardened through the use of a TPM embedded security chip.
●
Beyond Single Sign On, Credential Manager offers the capability
to utilize combinations of different security authentication
technologies, such as a Java™ Card or biometrics, for user
authentication along with password.
Embedded Security for HP ProtectTools
●
Embedded Security manages security user and administrator
options for protecting various encryption keys employing TPM
technology on the local computer like EFS (Windows Encrypting
File System). Personal Secure Drive (PSD), and third-party digital
certificates.
●
Embedded Security uses a Trusted Platform Module (TPM)
embedded security chip to help protect against unauthorized
access to sensitive user data or credentials stored locally on a PC.
TPM provides secure storage for encryption keys and has key
generation capabilities. It also provides a strong defense against
password attacks.
●
Embedded Security allows creation of a personal secure drive
(PSD) — a virtual drive that can be hidden from view in the system
for protecting user data.
●
Embedded Security supports third-party applications (such as
Microsoft Outlook and Internet Explorer) for protected digital
certificate operations.
Java Card Security for HP ProtectTools
●
Java Card Security configures the HP ProtectTools Java Card for
user authentication before the hard drive boots. Java Card
Security can be accessed by Embedded Security, Java Card, and
passwords.
●
Java Card Security configures separate Java Cards for an
administrator and a user.
●
Java Card Security is a management software interface for Java
Card. Java Card is a personal security device that protects
authentication data requiring both the card and a PIN number to
grant access. The Java Card can be used to access Credential
Manager, Drive Encryption, HP BIOS, or any number of third party
access points.
BIOS Configuration for HP ProtectTools
●
BIOS Configuration provides access to power-on user and
administrator password management.
●
BIOS Configuration provides an alternative to the pre-boot BIOS
configuration utility known as F10 Setup.
2 Chapter 1 Introduction to security
Module Key features
Drive Encryption for HP ProtectTools
●
Drive Encryption provides complete, full-volume hard drive
encryption.
●
Drive Encryption utilizes pre-boot authentication to decrypt and
access the data.
●
Drive Encryption provides an authentication management tool
used to encrypt partitions, hard drives, and multiple hard drives.
Device Access Manager for HP ProtectTools
●
Device Access Manager provides customizable control of data
storage and transmission hardware (USB, COM & LPT ports,
personal music players, CD drives, network interface cards, etc.)
●
Device Access Manager can also manage users and user groups
to provide read, write, allow or deny access to data on the
hardware.
HP ProtectTools features 3
Accessing HP ProtectTools Security
To access HP ProtectTools Security from Windows® Control Panel:
▲
Select Start > All Programs > HP ProtectTools Security Manager (or HP ProtectTools Security
Manager for Administrators In Windows Vista)
NOTE: After you have configured the Credential Manager module, you can also open HP ProtectTools
by logging on to Credential Manager directly from the Windows logon screen. For more information,
refer to “
Logging on to Windows with Credential Manager on page 15.”
For Windows Vista, the administrator must use the “HP ProtectTools Security Manager for
Administrators” when accessing Drive Encryption.
4 Chapter 1 Introduction to security
Achieving key security objectives
The HP ProtectTools modules can work together to provide solutions for a variety of security issues,
including the following key security objectives:
●
Protecting against targeted theft
●
Restricting access to sensitive data
●
Preventing unauthorized access from internal or external locations
●
Creating and using strong passwords
Protecting against targeted theft
An example of this type of incident would be the targeted theft of a computer containing confidential
data and customer information in a cubicle or open environment. The following features help protect
against targeted theft:
●
The pre-boot authentication feature, if enabled, helps prevent access to the operating system. See
the following procedures:
◦
“
Assigning a name to a Java Card on page 32”
◦
“
Device Access Manager for HP ProtectTools on page 41 ”
◦
“
Drive Encryption for HP ProtectTools on page 46”
●
DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and
installed into an unsecured system. Refer to “
Security on page 38”.
●
The Personal Secure Drive feature, provided by the Embedded Security for HP ProtectTools
module, encrypts sensitive data to help ensure it cannot be accessed without authentication. See
the following procedures:
◦
Embedded Security “
Setup procedures on page 25”
◦
“
Using the Personal Secure Drive on page 27”
Restricting access to sensitive data
Suppose a contractor is working onsite and has been given computer access to review sensitive financial
data; you do not want the contractor to be able to print the files or save them to a writeable device such
as a CD. The following feature helps restrict access to data:
●
Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable
devices so sensitive information cannot be printed or copied from the hard drive onto removable
media. See “
Device class configuration (advanced) on page 44.”
●
DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and
installed into an unsecured system. Refer to “
Security on page 38”.
Achieving key security objectives 5
Preventing unauthorized access from internal or external locations
If a PC containing confidential data and customer information is accessed from an internal or external
location, unauthorized users may be able to gain entry to corporate network resources or data from
financial services, an executive, or R&D team. The following features help prevent unauthorized access:
●
The pre-boot authentication feature, if enabled, helps prevent access to the operating system. See
the following procedures:
◦
“
Assigning a name to a Java Card on page 32”
◦
“
Drive Encryption for HP ProtectTools on page 46”
●
Embedded Security for HP ProtectTools helps protect sensitive user data or credentials stored
locally on a PC using the following procedures:
◦
Embedded Security “
Setup procedures on page 25”
◦
“
Using the Personal Secure Drive on page 27”
●
Using the following procedures, Credential Manager for HP ProtectTools helps ensure that an
unauthorized user cannot get passwords or access to password-protected applications:
◦
Credential Manager “
Setup procedures on page 12”
◦
“
Using Single Sign On on page 16”
●
Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable
devices so sensitive information cannot be copied from the hard drive. See
Simple configuration
on page 43
●
The Personal Secure Drive feature encrypts sensitive data to help ensure it cannot be accessed
without authentication using the following procedures:
◦
Embedded Security “
Setup procedures on page 25”
◦
“
Using the Personal Secure Drive on page 27”
Creating and using strong passwords
With all the passwords required to regularly access websites or secured applications, users tend to use
a simple password for every application and website, or get creative and promptly forget which password
goes with which application. Credential Manager for HP ProtectTools provides a protected repository
for passwords and Single Sign On convenience using the following procedures:
●
Creating a secure password on page 8
●
Credential Manager “
Setup procedures on page 12”
●
“
Using Single Sign On on page 16”
For stronger security, Embedded Security for HP ProtectTools then protects that repository of user
names and passwords. This allows users to maintain multiple strong passwords without having to write
them down or try to remember them. See Embedded Security “
Setup procedures on page 25.”
6 Chapter 1 Introduction to security
Additional security elements
Assigning security roles
In managing computer security (particularly for large organizations), one important practice is to divide
responsibilities and rights among various types of administrators and users.
NOTE: In a small organization or for individual use, these roles may all be held by the same person.
For HP ProtectTools, the security duties and privileges can be divided into the following roles:
●
Security officer—Defines the security level for the company or network and determines the security
features to deploy, such as Java™ Cards, biometric readers, or USB tokens.
NOTE: Many of the features in HP ProtectTools can be customized by the security officer in
cooperation with HP. For more information, see the HP Web site at
http://www.hp.com.
●
IT administrator—Applies and manages the security features defined by the security officer. Can
also enable and disable some features. For example, if the security officer has decided to deploy
Java Cards, the IT administrator can enable Java Card BIOS security mode.
●
User—Uses the security features. For example, if the security officer and IT administrator have
enabled Java Cards for the system, the user can set the Java Card PIN and use the card for
authentication.
Managing HP ProtectTools passwords
Most of the HP ProtectTools Security Manager features are secured by passwords. The following table
lists the commonly used passwords, the software module where the password is set, and the password
function.
The passwords that are set and used by IT administrators only are indicated in this table as well. All
other passwords may be set by regular users or administrators.
HP ProtectTools password Set in this HP ProtectTools
module
Function
Credential Manager logon
password
Credential Manager This password offers 2 options:
●
It can be used in a separate logon to
access Credential Manager after
logging on to Windows.
●
It can be used in place of the Windows
logon process, allowing access to
Windows and Credential Manager
simultaneously.
Credential Manager recovery file
password
Credential Manager, by IT
administrator
Protects access to the Credential Manager
recovery file.
Basic User Key password
NOTE: Also known as:
Embedded Security password
Embedded Security Used to access Embedded Security
features, such as secure e-mail, file, and
folder encryption. When used for power-on
authentication, also protects access to the
computer contents when the computer is
turned on, restarted, or restored from
hibernation.
Emergency Recovery Token
password
NOTE: Also known as:
Emergency Recovery Token Key
password
Embedded Security, by IT
administrator
Protects access to the Emergency Recovery
Token, which is a backup file for the
embedded security chip.
Additional security elements 7
HP ProtectTools password Set in this HP ProtectTools
module
Function
Owner password Embedded Security, by IT
administrator
Protects the system and the TPM chip from
unauthorized access to all owner functions
of Embedded Security.
Java™ Card PIN Java Card Security Protects access to the Java Card contents
and authenticates users of the Java Card.
When used for power-on authentication, the
Java Card PIN also protects access to the
Computer Setup utility and to the computer
contents.
Authenticates users of Drive Encryption, if
the Java Card token is selected.
Computer Setup password
NOTE: Also known as BIOS
administrator, F10 Setup, or
Security Setup password
BIOS Configuration, by IT
administrator
Protects access to the Computer Setup
utility.
Power-on password BIOS Configuration Protects access to the computer contents
when the computer is turned on, restarted,
or restored from hibernation.
Windows Logon password Windows Control Panel Can be used for manual logon or saved on
the Java Card.
Creating a secure password
When creating passwords, you must first follow any specifications that are set by the program. In
general, however, consider the following guidelines to help you create strong passwords and reduce
the chances of your password being compromised:
●
Use passwords with more than 6 characters, preferably more than 8.
●
Mix the case of letters throughout your password.
●
Whenever possible, mix alphanumeric characters and include special characters and punctuation
marks.
●
Substitute special characters or numbers for letters in a key word. For example, you can use the
number 1 for letters I or L.
●
Combine words from 2 or more languages.
●
Split a word or phrase with numbers or special characters in the middle, for example,
“Mary2-2Cat45.”
●
Do not use a password that would appear in a dictionary.
●
Do not use your name for the password, or any other personal information, such as birth date, pet
names, or mother's maiden name, even if you spell it backwards.
●
Change passwords regularly. You might change only a couple of characters that increment.
●
If you write down your password, do not store it in a commonly visible place very close to the
computer.
●
Do not save the password in a file, such as an e-mail, on the computer.
●
Do not share accounts or tell anyone your password.
8 Chapter 1 Introduction to security
HP ProtectTools Backup and Restore
HP ProtectTools Backup and Restore provides a convenient and quick way to back up and restore
credentials from all supported HP ProtectTools modules.
Backing up credentials and settings
You can back up credentials in the following ways:
●
Use the HP ProtectTools Backup Wizard to select and back up HP ProtectTools modules
●
Back up preselected HP ProtectTools modules
NOTE: You must set backup options before you can use this method.
●
Schedule backups
NOTE: You must set backup options before you can use this method.
Using the HP ProtectTools Backup Wizard to select and back up HP ProtectTools modules
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Backup Options. The HP ProtectTools Backup Wizard opens. Follow the
on-screen instructions to back up credentials.
Setting backup options
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Backup Options. The HP ProtectTools Backup Wizard opens.
4. Follow the on-screen instructions.
5. After you set and confirm the Storage File Password, select Remember all passwords and
authentication values for future automated backups.
6. Click Save Settings, and then click Finish.
Backing up preselected HP ProtectTools modules
NOTE: You must set backup options before you can use this method.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Backup.
Scheduling backups
NOTE: You must set backup options before you can use this method.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Schedule Backups.
4. On the Task tab, select the Enabled check box to enable scheduled backups.
Additional security elements 9
5. Click Set Password and type and confirm your password in the Set Password dialog box. Click
OK.
6. Click Apply. Click the Schedule tab. Click the Schedule Task arrow and select the automatic
backup frequency.
7. Under Start time, use the Start time arrows to select the exact time for the backup to begin.
8. Click Advanced to select a start date, an end date, and recurring task settings. Click Apply.
9. Click Settings, and select settings for Scheduled Task Completed, Idle Time, and Power
Management.
10. Click Apply, and then click OK to close the dialog box.
Restoring credentials
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Backup and Restore.
3. In the right pane, click Restore. The HP ProtectTools Restore Wizard opens. Follow the on-screen
instructions.
Configuring settings
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click HP ProtectTools, and then click Settings.
3. In the right pane, select your settings, and then click OK.
10 Chapter 1 Introduction to security
2 Credential Manager for HP
ProtectTools
Credential Manager serves a dual role in that it allows the user to define and deploy more stringent
security for user authentication beyond a password, and it acts as a personal password vault which
provides single sign on capability. Credential Manager for HP ProtectTools protects against
unauthorized access to your computer using the following security features:
●
Alternatives to passwords when logging on to Windows, such as using a Smart Card or biometric
reader to log on to Windows. For additional information, refer to “
Registering credentials
on page 12.”
●
Single Sign On feature that automatically remembers credentials for Web sites, applications, and
protected network resources.
●
Support for optional security devices, such as Smart Cards and biometric readers.
●
Support for additional security settings, such as requiring authentication using an optional security
device to unlock the computer.
11
Setup procedures
Logging on to Credential Manager
Depending on the configuration, you can log on to Credential Manager in any of the following ways:
●
Credential Manager Logon Wizard (preferred)
●
HP ProtectTools Security Manager icon in the notification area
●
HP ProtectTools Security Manager
NOTE: If you use the Credential Manager Logon prompt on the Windows Logon screen, you are
logged on to Windows at the same time.
The first time you open Credential Manager, log on with your regular Windows Logon password. A
Credential Manager account is then automatically created with your Windows logon credentials.
After logging on to Credential Manager, you can register additional credentials, such as a fingerprint or
a Java Card. For additional information, refer to “
Registering credentials on page 12.”
At the next logon, you can select the logon policy and use any combination of the registered credentials.
Using the Credential Manager Logon Wizard
To log on to Credential Manager using the Credential Manager Logon Wizard, use the following steps:
1. Open the Credential Manager Logon Wizard in any of the following ways:
●
From the Windows logon screen
●
From the notification area, by double-clicking the HP ProtectTools Security Manager icon
●
From the “Credential Manager” page of ProtectTools Security Manager, by clicking the Log
On link in the upper-right corner of the window
2. Follow the on-screen instructions to log on to Credential Manager.
Logging on for the first time
Before you begin, you must be logged on to Windows with an administrator account, but not logged on
to Credential Manager.
1. Open HP ProtectTools Security Manager by double-clicking the HP ProtectTools Security Manager
icon in the notification area. The HP ProtectTools Security Manager window opens.
2. In the left pane, click Credential Manager, and then click Log On in the upper-right corner of the
right pane. The Credential Manager Logon Wizard opens.
3. Type your Windows password in the Password box, and then click Next.
Registering credentials
You can use the “My Identity” page to register your various authentication methods, or credentials. After
they have been registered, you can use these methods to log on to Credential Manager.
Registering fingerprints
A fingerprint reader allows you to log on to Windows using your fingerprint for authentication instead of,
or in combination with, using a Windows password.
12 Chapter 2 Credential Manager for HP ProtectTools
Setting up the fingerprint reader
1. After logging on to Credential Manager, swipe your finger across the fingerprint reader. The
Credential Manager Registration Wizard opens.
2. Follow the on-screen instructions to complete registering your fingerprints and setting up the
fingerprint reader.
3. To set up the fingerprint reader for a different Windows user, log on to Windows as that user and
then repeat steps 1 and 2.
Using your registered fingerprint to log on to Windows
1. Immediately after you have registered your fingerprints, restart Windows.
2. At the Windows Welcome screen, swipe any of your registered fingers to log on to Windows.
Registering a Java Card, USB eToken, or virtual token
NOTE: You must have a card reader or smart card keyboard configured for this procedure. If you
choose not to use a smart card, you can register a virtual token as described in “
Creating a virtual token
on page 14.”
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Register Smart Card or Token. The Credential Manager Registration
Wizard opens.
4. Follow the on-screen instructions.
Registering a USB eToken
1. Be sure that the USB eToken drivers are installed.
NOTE: Refer to the USB eToken user guide for more information.
2. Select Start > All Programs > HP ProtectTools Security Manager.
3. In the left pane, click Credential Manager.
4. In the right pane, click Register Smart Card or Token. The Credential Manager Registration
Wizard opens.
5. Follow the on-screen instructions.
Registering other credentials
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Register Credentials. The Credential Manager Registration Wizard opens.
4. Follow the on-screen instructions.
Setup procedures 13
General tasks
All users have access to the “My Identity” page in Credential Manager. From the “My Identity” page, you
can perform the following tasks:
●
Creating a virtual token
●
Changing the Windows logon password
●
Managing a token PIN
●
Managing identity
●
Locking the computer
NOTE: This option is available only if the Credential Manager classic logon prompt is enabled.
See “
Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential
Manager on page 23.”
Creating a virtual token
A virtual token works very much like a Java Card or USB eToken. The token is saved either on the
computer hard drive or in the Windows registry. When you log on with a virtual token, you are asked for
a user PIN to complete the authentication.
To create a new virtual token:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Virtual Token. The Credential Manager Registration Wizard opens.
NOTE: If Virtual Token is not an option, use the procedure for “Registering other credentials
on page 13.”
4. Follow the on-screen instructions.
Changing the Windows logon password
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Change Windows Password.
4. Type your old password in the Old password box.
5. Type your new password in the New password and Confirm password boxes.
6. Click Finish.
Changing a token PIN
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Change Token PIN.
4. Select the token for which you want to change the PIN, and then click Next.
5. Follow the on-screen instructions to complete the PIN change.
14 Chapter 2 Credential Manager for HP ProtectTools
Managing identity
Clearing an identity from the system
NOTE: This does not affect your Windows user account.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Clear Identity for this Account.
4. Click Yes in the confirmation dialog box. Your identity is logged off and removed from the system.
Locking the computer
This feature is available if you log on to Windows using Credential Manager. To secure your computer
when you are away from your desk, use the Lock Workstation feature. This prevents unauthorized users
from gaining access to your computer. Only you and members of the administrators group on your
computer can unlock it.
NOTE: This option is available only if the Credential Manager classic logon prompt is enabled. See
“
Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager
on page 23.”
For added security, you can configure the Lock Workstation feature to require a Java Card, biometric
reader, or token to unlock the computer. For more information, see “
Configuring Credential Manager
settings on page 22.”
To lock the computer:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Lock Workstation. The Windows logon screen is displayed. You must use
a Windows password or the Credential Manager Logon Wizard to unlock the computer.
Using Windows Logon
You can use Credential Manager to log on to Windows, either at a local computer or on a network
domain. When you log on to Credential Manager for the first time, the system automatically adds your
local Windows user account as the account for the Windows Logon service.
Logging on to Windows with Credential Manager
You can use Credential Manager to log on to a Windows network or local account.
1. If you have registered your fingerprint to log on to Windows, swipe your finger to log on.
2. If you have not registered your fingerprint to log on to Windows, click the keyboard icon in the
upper-left corner of the screen next to the fingerprint icon. The Credential Manager Logon Wizard
opens.
3. Click the User name arrow, and then click your name.
4. Type your password in the Password box, and then click Next.
General tasks 15
5. Select More > Wizard Options.
a. If you want this to be the default user name the next time that you log on to the computer,
select the Use last user name on next logon check box.
b. If you want this logon policy to be the default method, select the Use last policy on next
logon check box.
6. Follow the on-screen instructions. If your authentication information is correct, you will be logged
on to your Windows account and to Credential Manager.
Adding an account
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, click Windows Logon, and then click Add a Network Account. The Add Network
Account Wizard opens.
4. Follow the on-screen instructions.
Removing an account
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, click Windows Logon, and then click Manage Network Accounts. The Manage
Network Accounts dialog box opens.
4. Click the account you want to remove, and then click Remove.
5. In the confirmation dialog box, click Yes.
6. Click OK.
Using Single Sign On
Credential Manager has a Single Sign On feature that stores user names and passwords for multiple
Internet and Windows programs, and automatically enters logon credentials when you access a
registered program.
NOTE: Security and privacy are important features of Single Sign On. All credentials are encrypted
and are available only after successful logon to Credential Manager.
NOTE: You can also configure Single Sign On to validate your authentication credentials with a Java
Card, a fingerprint reader, or a token before logging on to a secure site or program. This is particularly
useful when logging on to programs or Web sites that contain personal information, such as bank
account numbers. For more information, refer to “
Configuring Credential Manager settings
on page 22.”
Registering a new application
Credential Manager prompts you to register any application that you launch while you are logged on to
Credential Manager. You can also register an application manually.
Using automatic registration
1. Open an application that requires you to log on.
2. Click the Credential Manager SSO icon in the program or Web site password dialog box.
16 Chapter 2 Credential Manager for HP ProtectTools
3. Type your password for the program or Web site, and then click OK. The Credential Manager
Single Sign On dialog box opens.
4. Click More and select from the following options:
●
Do not use SSO for this site or application.
●
Prompt to select account for this application.
●
Fill in credentials but do not submit.
●
Authenticate user before submitting credentials.
●
Show SSO shortcut for this application.
5. Click Yes to complete the registration.
Using manual (drag and drop) registration
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, click Single Sign On, and then click Register New Application. The SSO
Application Wizard opens.
4. Follow the on-screen instructions.
Managing applications and credentials
Modifying application properties
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to modify, and then click Properties.
5. Click the General tab to modify the application name and description. Change the settings by
selecting or clearing the check boxes next to the appropriate settings.
6. Click the Script tab to view and edit the SSO application script.
7. Click OK.
Removing an application from Single Sign On
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to remove, and then click Remove.
5. Click Yes in the confirmation dialog box.
6. Click OK.
General tasks 17
Exporting an application
You can export applications to create a backup copy of the Single Sign On application script. This file
can then be used to recover the Single Sign On data. This acts as a supplement to the identity backup
file, which contains only the credential information.
To export an application:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to export. Then click More > Applications > Export Script.
5. Follow the on-screen instructions to complete the export.
6. Click OK.
Importing an application
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to import. Then select More > Applications > Import
Script.
5. Follow the on-screen instructions to complete the import.
6. Click OK.
Modifying credentials
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to modify, and then click More.
5. Select any of the following options:
●
Applications
◦
Add New
◦
Remove
◦
Properties
◦
Import Script
◦
Export Script
●
Credentials
◦
Create New
●
View Password
NOTE: You must authenticate your identity before viewing the password.
18 Chapter 2 Credential Manager for HP ProtectTools
6. Follow the on-screen instructions.
7. Click OK.
Using Application Protection
This feature allows you to configure access to applications. You can restrict access based on the
following criteria:
●
Category of user
●
Time of use
●
User inactivity
Restricting access to an application
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Application Protection, click Manage Protected Applications. The
Application Protection Service dialog box opens.
4. Select a category of user whose access you want to manage.
NOTE: If the category is not Everyone, you may need to select Override default settings to
override the settings for the Everyone category.
5. Click Add. The Add a Program Wizard opens.
6. Follow the on-screen instructions.
Removing protection from an application
To remove restrictions from an application:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Application Protection, click Manage Protected Applications. The
Application Protection Service dialog box opens.
4. Select a category of user whose access you want to manage.
NOTE: If the category is not Everyone, you may need to click Override default settings to
override the settings for the Everyone category.
5. Click the application entry you want to remove, and then click Remove.
6. Click OK.
Changing restriction settings for a protected application
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3. In the right pane, under Application Protection, click Manage Protected Applications. The
Application Protection Service dialog box opens.
4. Select a category of user whose access you want to manage.
General tasks 19
NOTE: If the category is not Everyone, you may need to click Override default settings to
override the settings for the Everyone category.
5. Click the application you want to change, and then click Properties. The Properties dialog box
for that application opens.
6. Click the General tab. Select one of the following settings:
●
Disabled (Cannot be used)
●
Enabled (Can be used without restrictions)
●
Restricted (Usage depends on settings)
7. When you select Restricted, the following settings are available:
a. If you want to restrict usage based on time, day, or date, click the Schedule tab and configure
the settings.
b. If you want to restrict usage based on inactivity, click the Advanced tab and select the period
of inactivity.
8. Click OK to close the application Properties dialog box.
9. Click OK.
20 Chapter 2 Credential Manager for HP ProtectTools
Advanced tasks (administrator only)
The “Authentication and Credentials” page and the “Advanced Settings” page of Credential Manager
are available only to those users with administrator rights. From these pages, you can perform the
following tasks:
●
Specifying how users and administrators log on
●
Configuring custom authentication requirements
●
Configuring credential properties
●
Configuring Credential Manager settings
Specifying how users and administrators log on
On the “Authentication and Credentials” page, you can specify which type or combination of credentials
are required of either users or administrators.
To specify how users or administrators log on:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Authentication and Credentials.
3. In the right pane, click the Authentication tab.
4. Click the category (Users or Administrators) from the category list.
5. Click the type or combination of authentication methods from the list.
6. Click Apply, and then click OK.
Configuring custom authentication requirements
If the set of authentication credentials you want is not listed on the Authentication tab of the
“Authentication and Credentials” page, you can create custom requirements.
To configure custom requirements:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Authentication and Credentials.
3. In the right pane, click the Authentication tab.
4. Click the category (Users or Administrators) from the category list.
5. Click Custom in the list of authentication methods.
6. Click Configure.
7. Select the authentication methods you want to use.
8. Choose the combination of methods by clicking one of the following selections:
●
Use AND to combine the authentication methods
(Users will have to authenticate with all of the methods you checked each time they log on.)
●
Use OR to require one of two or more authentication methods
(Users will be able to choose any of the selected methods each time they log on.)
Advanced tasks (administrator only) 21
9. Click OK.
10. Click Apply, and then click OK.
Configuring credential properties
On the Credentials tab of the “Authentication and Credentials” page, you can view the list of available
authentication methods, and modify the settings.
To configure the credentials:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Authentication and Credentials.
3. In the right pane, click the Credentials tab.
4. Click the credential type you want to modify. You can modify the credential using one of the
following choices:
●
To register the credential, click Register, and then follow the on-screen instructions.
●
To delete the credential, click Clear, and then click Yes in the confirmation dialog box.
●
To modify the credential properties, click Properties, and then follow the on-screen
instructions.
5. Click Apply, and then click OK.
Configuring Credential Manager settings
From the “Settings” page, you can access and modify various settings using the following tabs:
●
General—Allows you to modify the settings for basic configuration.
●
Single Sign On—Allows you to modify the settings for how Single Sign On works for the current
user, such as how it handles detection of logon screens, automatic logon to registered logon
dialogs, and password display.
●
Services and Applications—Allows you to view the available services and modify the settings for
those services.
●
Security—Allows you to select the fingerprint reader software and adjust the security level of the
fingerprint reader.
●
Smart Cards and Tokens—Allows you to view and modify properties for all available Java Cards
and tokens.
To modify Credential Manager settings:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Settings.
3. In the right pane, click the appropriate tab for the settings you want to modify.
4. Follow the on-screen instructions to modify the settings.
5. Click Apply, and then click OK.
22 Chapter 2 Credential Manager for HP ProtectTools
Example 1—Using the “Advanced Settings” page to allow Windows logon from
Credential Manager
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Settings.
3. In the right pane, click the General tab.
4. Under Select the way users log on to Windows (requires restart), select the Use Credential
Manager with classic logon prompt check box.
5. Click Apply, and then click OK.
6. Restart the computer.
NOTE: Selecting the Use Credential Manager with classic logon prompt check box allows you to
lock your computer. See “
Locking the computer on page 15.”
Example 2—Using the “Advanced Settings” page to require user verification before
Single Sign On
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Settings.
3. In the right pane, click the Single Sign On tab.
4. Under When registered logon dialog or Web page is visited, select the Authenticate user
before submitting credentials check box.
5. Click Apply, and then click OK.
6. Restart the computer.
Advanced tasks (administrator only) 23
3 Embedded Security for HP
ProtectTools
NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in
your computer to use Embedded Security for HP ProtectTools.
Embedded Security for HP ProtectTools protects against unauthorized access to user data or
credentials. This software module provides the following security features:
●
Enhanced Microsoft® Encrypting File System (EFS) file and folder encryption
●
Creation of a personal secure drive (PSD) for protecting user data in a hidden drive
●
Data management functions, such as backing up and restoring the key hierarchy
●
Support for third-party applications (such as Microsoft Outlook and Internet Explorer) for protected
digital certificate operations when using the Embedded Security software
The TPM embedded security chip enhances and enables other HP ProtectTools Security Manager
features. For example, Credential Manager for HP ProtectTools can use the embedded chip as an
authentication factor when the user logs on to Windows. On select models, the TPM embedded security
chip also enables enhanced BIOS security features accessed through BIOS Configuration for HP
ProtectTools.
24 Chapter 3 Embedded Security for HP ProtectTools
Setup procedures
CAUTION: To reduce security risk, it is highly recommended that your IT administrator immediately
initialize the embedded security chip. Failure to initialize the embedded security chip could result in an
unauthorized user, a computer worm, or a virus taking ownership of the computer and gaining control
over the owner tasks, such as handling the emergency recovery archive, and configuring user access
settings.
Follow the steps in the following 2 sections to enable and initialize the embedded security chip.
Enabling the embedded security chip
The embedded security chip must be enabled in the Computer Setup utility. This procedure cannot be
performed in BIOS Configuration for HP ProtectTools.
To enable the embedded security chip:
1. Access Computer Setup by turning on or restarting the computer, and then pressing F10 while the
“F10 = ROM Based Setup” message is displayed in the lower-left corner of the screen.
2. If you have not set an administrator password, use the arrow keys to select Security > Setup
password, and then press enter.
3. Type your password in the New password and Verify new password boxes, and then press
F10.
4. In the Security menu, use the arrow keys to select TPM Embedded Security, and then press
enter.
5. Under Embedded Security, if the device is hidden, select Available.
6. Select Embedded security device state and change to Enable.
7. Press F10 to accept the changes to the Embedded Security configuration.
8. To save your preferences and exit Computer Setup, use the arrow keys to select File > Save
Changes and Exit. Then follow the on-screen instructions.
Initializing the embedded security chip
In the initialization process for Embedded Security, you will perform the following tasks:
●
Set an owner password for the embedded security chip that protects access to all owner functions
on the embedded security chip.
●
Set up the emergency recovery archive, which is a protected storage area that allows reencryption
of the Basic User Keys for all users.
To initialize the embedded security chip:
1. Right-click the HP ProtectTools Security Manager icon in the notification area, at the far right of
the taskbar, and then select Embedded Security Initialization.
The HP ProtectTools Embedded Security Initialization Wizard opens.
2. Follow the on-screen instructions.
Setup procedures 25
Setting up the basic user account
Setting up a basic user account in Embedded Security accomplishes the following tasks:
●
Produces a Basic User Key that protects encrypted information, and sets a Basic User Key
password to protect the Basic User Key.
●
Sets up a personal secure drive (PSD) for storing encrypted files and folders.
CAUTION: Safeguard the Basic User Key password. Encrypted information cannot be accessed or
recovered without this password.
To set up a basic user account and enable the user security features:
1. If the Embedded Security User Initialization Wizard is not open, select Start > All Programs > HP
ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Embedded Security Features, click Configure.
The Embedded Security User Initialization Wizard opens.
4. Follow the on-screen instructions.
NOTE: To use secure e-mail, you must first configure the e-mail client to use a digital certificate
that is created with Embedded Security. If a digital certificate is not available, you must obtain one
from a certification authority. For instructions on configuring your e-mail and obtaining a digital
certificate, refer to the e-mail client online Help.
26 Chapter 3 Embedded Security for HP ProtectTools
General tasks
After the basic user account is set up, you can perform the following tasks:
●
Encrypting files and folders
●
Sending and receiving encrypted e-mail
Using the Personal Secure Drive
After setting up the PSD, you are prompted to type the Basic User Key password at the next logon. If
the Basic User Key password is entered correctly, you can access the PSD directly from Windows
Explorer.
Encrypting files and folders
When working with encrypted files, consider the following rules:
●
Only files and folders on Windows partitions can be encrypted. Files and folders on MS—DOS
partitions cannot be encrypted.
●
System files and compressed files cannot be encrypted, and encrypted files cannot be
compressed.
●
Temporary folders should be encrypted, because they are potentially of interest to hackers.
●
A recovery policy is automatically set up when you encrypt a file or folder for the first time. This
policy ensures that if you lose your encryption certificates and private keys, you will be able to use
a recovery agent to decrypt your information.
To encrypt files and folders:
1. Right-click the file or folder that you want to encrypt.
2. Click Encrypt.
3. Click one of the following options:
●
Apply changes to this folder only.
●
Apply changes to this folder, subfolders, and files.
4. Click OK.
Sending and receiving encrypted e-mail
Embedded Security enables you to send and receive encrypted e-mail, but the procedures vary
depending upon the program you use to access your e-mail. For more information, refer to the
Embedded Security online Help, and the online Help for your e-mail.
Changing the Basic User Key password
To change the Basic User Key password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Basic User Key password, click Change.
4. Type the old password, and then set and confirm the new password.
5. Click OK.
General tasks 27
Advanced tasks
Backing up and restoring
The Embedded Security backup feature creates an archive that contains certification information to be
restored in case of emergency.
Creating a backup file
To create a backup file:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Backup. The Embedded Security Backup Wizard opens.
4. Follow the on-screen instructions.
Restoring certification data from the backup file
To restore data from the backup file:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Restore. The Embedded Security Backup Wizard opens.
4. Follow the on-screen instructions.
Changing the owner password
To change the owner password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Owner Password, click Change.
4. Type the old owner password, and then set and confirm the new owner password.
5. Click OK.
Resetting a user password
An administrator can help a user to reset a forgotten password. For more information, refer to the online
Help.
Enabling and disabling Embedded Security
It is possible to disable the Embedded Security features if you want to work without the security function.
The Embedded Security features can be enabled or disabled at 2 different levels:
●
Temporary disabling—With this option, embedded security is automatically reenabled on Windows
restart. This option is available to all users by default.
●
Permanent disabling—With this option, the owner password is required to reenable Embedded
Security. This option is available only to administrators.
28 Chapter 3 Embedded Security for HP ProtectTools
Permanently disabling Embedded Security
To permanently disable Embedded Security:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Embedded Security, click Disable.
4. Type your owner password at the prompt, and then click OK.
Enabling Embedded Security after permanent disable
To enable Embedded Security after permanently disabling it:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Embedded Security, click Enable.
4. Type your owner password at the prompt, and then click OK.
Migrating keys with the Migration Wizard
Migration is an advanced administrator task that allows the management, restoration, and transfer of
keys and certificates.
For details on migration, refer to the Embedded Security online Help.
Advanced tasks 29
4 Java Card Security for HP ProtectTools
Java Card Security for HP ProtectTools manages the Java Card setup and configuration for use with
the HP Smart Card keyboard. HP's Java Card is a personal security device that protects authentication
data requiring both the card and a PIN number to grant access – like using an ATM card with a PIN.
The Java Card can be used to access Credential Manager, Drive Encryption, HP BIOS, or any number
of third party access points.
With Java Card Security, you can accomplish the following tasks:
●
Access Java Card Security features
●
Work with the Computer Setup utility to enable Java Card authentication in a power-on environment
●
Configure separate Java Cards for an administrator and a user. A user must insert the Java Card
and type a PIN before the operating system will load
●
Set and change the PIN used to authenticate users of the Java Card
30 Chapter 4 Java Card Security for HP ProtectTools
General tasks
The “General” page allows you to perform the following tasks:
●
Change a Java Card PIN
●
Select the card reader or smart card keyboard
NOTE: The card reader uses both Java Cards and smart cards. This feature is available if you
have more than one card reader on the computer.
Changing a Java Card PIN
To change a Java Card PIN:
NOTE: The Java Card PIN must be between 4 and 8 numeric characters.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click General.
3. Insert a Java Card (with an existing PIN) into the card reader.
4. In the right pane, click Change.
5. In the Change PIN dialog box, type the current PIN in the Current PIN box.
6. Type a new PIN in the New PIN box, and then type the PIN again in the Confirm New PIN box.
7. Click OK.
Selecting the card reader
Be sure that the correct card reader is selected in Java Card Security before using the Java Card. If the
correct reader is not selected, some of the features may be unavailable or incorrectly displayed. In
addition, the card reader drivers must be correctly installed, as shown in Windows Device Manager.
To select the card reader:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click General.
3. Insert the Java Card into the card reader.
4. In the right pane, under Selected card reader, click the correct reader.
General tasks 31
Advanced tasks (administrators only)
The “Advanced” page allows you to perform the following tasks:
●
Assign a Java Card PIN
●
Assign a name to a Java Card
●
Set power-on authentication
●
Back up and restore Java Cards
NOTE: You must have Windows administrator privileges in order to display the "Advanced" page.
Assigning a Java Card PIN
You must assign a name and a PIN to a Java Card before it can be used in Java Card Security.
To assign a Java Card PIN:
NOTE: The Java Card PIN must be between 4 and 8 numeric characters.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert a new Java Card into the card reader.
4. When the New Card dialog box opens, type a new name in the New display name box, type a
new PIN in the New PIN box, and then type the new PIN again in the Confirm New PIN box.
5. Click OK.
Assigning a name to a Java Card
You must assign a name to a Java Card before it can be used for power-on authentication.
To assign a name to a Java Card:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the Java Card into the card reader.
NOTE: If you have not assigned a PIN to this card, the New Card dialog box opens, allowing you
to type a new name and PIN.
4. In the right pane, under Display name, click Change.
5. Type a name for the Java Card in the Name box.
6. Type the current Java Card PIN in the PIN box.
7. Click OK.
Setting power-on authentication
When enabled, power-on authentication requires you to use a Java Card to start the computer.
32 Chapter 4 Java Card Security for HP ProtectTools
The process of enabling Java Card power-on authentication involves the following steps:
1. Enable Java Card power-on authentication support in BIOS Configuration or Computer Setup.
2. Enable Java Card power-on authentication in Java Card Security.
3. Create and enable the administrator Java Card.
Enabling Java Card power-on authentication and creating an administrator Java Card
To enable Java Card power-on authentication:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the Java Card into the card reader.
NOTE: If you have not assigned a name and PIN to this card, the New Card dialog box opens,
allowing you to type a new name and PIN.
4. In the right pane, under Power-on authentication, select the Enable check box.
5. Type your Computer Setup password in the Computer Setup Password dialog box, and then click
OK.
6. If you do not have DriveLock enabled, type the Java Card PIN, and then click OK.
– or –
If you do have DriveLock enabled:
a. Click Make Java card identity unique.
– or –
Click Make the Java card identity the same as the DriveLock password.
NOTE: If DriveLock is enabled on the computer, you can set the Java Card identity to be
the same as the DriveLock user password, which allows you to validate both DriveLock and
the Java Card using only the Java Card when starting the computer.
b. If applicable, type your DriveLock user password in the DriveLock password box, and then
type it again in the Confirm password box.
c. Type the Java Card PIN.
d. Click OK.
7. When you are prompted to create a recovery file, click Cancel to create a recovery file at a later
time or click OK and follow the on-screen instructions in the HP ProtectTools Backup Wizard to
create a recovery file now.
NOTE: For more information, see “HP ProtectTools Backup and Restore on page 9.”
Creating a user Java Card
NOTE: Power-on authentication and an administrator card must be set up in order to create a user
Java Card.
To create a user Java Card:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
Advanced tasks (administrators only) 33
3. Insert a Java Card that will be used as a user card.
4. In the right pane, under Power-on authentication, click Create next to User card identity.
5. Type a PIN for the user Java Card, and then click OK.
Disabling Java Card power-on authentication
When you disable Java Card power-on authentication, the use of the Java Card is no longer needed to
access the computer.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Java Card Security, and then click Advanced.
3. Insert the administrator Java Card.
4. In the right pane, under Power-on authentication, clear the Enable check box.
5. Type a PIN for the Java Card, and then click OK.
34 Chapter 4 Java Card Security for HP ProtectTools
5 BIOS Configuration for HP
ProtectTools
BIOS Configuration for HP ProtectTools provides access to the Computer Setup utility security and
configuration settings giving users Windows access to system security features that are managed by
Computer Setup. The options within BIOS Configuration for HP ProtectTools are:
●
File
●
Storage
●
Security
●
Power
●
Advanced
NOTE: Support for specific Computer Setup options may vary depending on the hardware
configuration.
BIOS Configuration allows you to manage various computer settings that would otherwise be accessible
only by pressing F10 at startup and entering Computer Setup. With BIOS Configuration, you can
accomplish the following objectives:
●
Manage power-on passwords and administrator passwords.
●
Configure other power-on authentication features, such as enabling embedded security
authentication support.
●
Enable and disable hardware features, such as removable media boot or different hardware ports.
●
Configure boot options, which includes enabling MultiBoot and changing the boot order.
NOTE: All of the features in BIOS Configuration for HP ProtectTools are also available in F10 Setup.
For detailed instructions on using F10 Setup, refer to the Computer Setup (F10) Utility Guide included
with your computer or BIOS update.
35
File
The File option within BIOS Configuration for HP ProtectTools provides system information such as
processor type, system BIOS name and version, chassis, serial number, etc. The only File data that can
be edited is the asset tracking number. All other data is read only.
36 Chapter 5 BIOS Configuration for HP ProtectTools
Storage
The Storage option within BIOS Configuration for HP ProtectTools provides information about all
bootable devices configured in the computer system and allows you to specify settings for these devices.
The settings accessible in Storage include:
●
Device Configuration
●
Storage Options
●
DPS Self-Test
●
Boot Order
Storage 37
Security
The Security option within BIOS Configuration for HP ProtectTools is the central location for all settings
related to security and passwords. The settings included are:
●
Setup Password
●
Power-On Password
●
Password Options
●
Smart Cover (some models)
●
Device Security
●
Network Service Boot
●
System IDs
●
DriveLock Security
●
System Security (some models)
●
Setup Security Level
38 Chapter 5 BIOS Configuration for HP ProtectTools
Power
The Power option within BIOS Configuration for HP ProtectTools provides settings that control power
management at a hardware level. Settings included are:
●
OS Power Management
●
Hardware Power Management
●
Thermal
Power 39
Advanced
The settings within the Advanced option of BIOS Configuration for HP ProtectTools are intended for
advanced users. These settings include:
●
Power-On Options
●
Execute Memory Test (some models)
●
BIOS Power-On
●
Onboard Devices
●
PCI Devices
●
PCI VGA Configuration
●
Bus Options
●
Device Options
●
AMT Options
40 Chapter 5 BIOS Configuration for HP ProtectTools
6 Device Access Manager for HP
ProtectTools
This security tool is available to administrators only. Device Access Manager provides customizable
control of data storage and transmission hardware (USB, COM & LPT ports, CD drives, network interface
cards, personal music players, etc.) Device Access Manager can also manage users and user groups
to provide read, write, allow or deny access to data on the hardware.
41
Starting background service
For device profiles to be applied, the HP ProtectTools Device Locking/Auditing background service must
be running. When you first attempt to apply device profiles, HP ProtectTools Security Manager opens
a dialog box to ask if you would like to start the background service. Click Yes to start the background
service and set it to start automatically whenever the system boots.
42 Chapter 6 Device Access Manager for HP ProtectTools
Simple configuration
This feature allows you to deny access to the following classes of devices:
●
All removable media (floppy disks, pen drives, USB, etc.) for all non-administrators
●
All DVD/CD-ROM drives for all non-administrators
●
All serial and parallel ports for all non-administrators
●
All Bluetooth, infra-red, modem, PCMCIA, personal music players, and all 1394 (FireWire) devices
for all non-administrators.
To deny access to a class of device for all non-administrators:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Device Access Manager, and then click Simple Configuration.
3. In the right pane, select the check box of a device to deny access.
4. Click Apply.
NOTE: If background service is not running, it attempts to start now. Click Yes to allow it.
5. Click OK.
Simple configuration 43
Device class configuration (advanced)
More selections are available to allow specific users or groups of users to be granted or denied access
to types of devices. Some classes allow the option to configure Read Only or Write access.
Adding a user or a group
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure.
4. Click Add. The Select Users or Groups dialog box opens.
5. Select Advanced > Find Now to search for users or groups to add.
6. Click a user or a group to be added to the list of available users and groups, and then click OK.
7. Click OK.
Removing a user or a group
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure.
4. Click the user or group you want to remove, and then click Remove.
5. Click Apply, then click OK.
Denying access to a user or group
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure.
4. Under User/Groups, click the user or group to be denied access.
5. Click Deny next to the user or group to be denied access.
6. Click Apply, and then click OK.
Allowing access to a device class for one user of a group
You can allow one user access to a device class while denying access to all other members of that
user's group.
To allow access to one user but not the group:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. Click the device class that you want to configure in the device list.
4. Under User/Groups, add the group to be denied access.
5. Click Deny next to the group to be denied access.
44 Chapter 6 Device Access Manager for HP ProtectTools
6. Navigate to the folder below that of the required class and add the specific user. Click Allow to
grant this user access.
7. Click Apply, and then click OK.
Allowing access to a specific device for one user of a group
You can allow one user access to a specific device while denying access to all other members of that
user's group for all devices in the class.
To allow access to a specific device for one user but not the group:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure, and then navigate to the folder
below that.
4. Under User/Groups, add the group to be denied access.
5. Click Deny next to the group to be denied access.
6. Navigate to the specific device to be allowed for the user in the device list.
7. Click Add. The Select Users or Groups dialog box opens.
8. Select Advanced > Find Now to search for users or groups to add.
9. Click a user to be allowed access, and then click OK.
10. Click Allow to grant this user access.
11. Click Apply, and then click OK.
Device class configuration (advanced) 45
7 Drive Encryption for HP ProtectTools
Drive encryption for HP ProtectTools can encode every bit of information on a single hard drive, partition
or multiple hard drives so that it becomes unreadable to an unauthorized person.
CAUTION: If you decide to uninstall the Drive Encryption module, you must first decrypt all encrypted
drives. If you do not, you will not be able to access the data on encrypted drives unless you have
registered with the Drive Encryption recovery service (see “
Recovery on page 49”). Reinstalling the
Drive Encryption module will not enable you to access the encrypted drives.
46 Chapter 7 Drive Encryption for HP ProtectTools
Encryption management
Encrypting a drive
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Encryption Management.
3. In the right pane, click Activate. The Drive Encryption for HP ProtectTools Wizard opens.
4. Follow the on-screen instructions to activate encryption.
NOTE: You will need to specify a diskette, flash storage device, or some other USB-connected
storage media on which the recovery information will be stored.
Change encryption
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Encryption Management.
3. In the right pane, click Change encryption. Select the disks to encrypt in the Change
Encryption dialog box, and then click OK.
4. Click OK again to begin encryption.
Decrypting a drive
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Encryption Management.
3. In the right pane, click Deactivate.
Encryption management 47
User management
Add a user
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click User Management.
3. In the right pane, click Add. Click a user name in the User Name list or type a user name in the
Username box. Click Next.
4. Type the Windows password for the selected user, and then click Next.
5. Select an authentication method for the new user, and then click Finish.
Remove a user
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click User Management.
3. In the right pane, click a user name to remove in the User Name list. Click Remove.
4. Click Yes to confirm that you want to remove the selected user.
Change token
Change the authentication method for a user as follows:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click User Management.
3. In the right pane, select a user name from the User Name list, and then click Change Token.
4. Type the user's Windows Password, and then click Next.
5. Select a new authentication method, and then click Finish.
6. If you selected a Java Card as the authentication method, type the Java Card password when
prompted, and then click OK.
Set password
Set a password or change the authentication method for a user as follows:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click User Management.
3. In the right pane, select the user from the User Name list, and then click Set Password.
4. Type the user's Windows Password, and then click Next
.
5. Select the new authentication method, and then click Finish.
6. If you selected a Java Card as the authentication method, type the Java Card password when
prompted, and then click OK.
48 Chapter 7 Drive Encryption for HP ProtectTools
Recovery
The following two safety measures are available to you:
●
If you forget your password, you cannot access your encrypted drives. You may, however, register
with the Drive Encryption recovery service to enable you to access your computer if you forget your
password.
●
You may back up your Drive Encryption keys on a diskette, flash storage device, or some other
USB-connected storage media.
Registering with the Drive Encryption recovery service
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Recovery.
3. In the right pane, click Click here to register. Type the requested information to complete the
security backup procedure.
Backing up your Drive Encryption keys
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Recovery.
3. In the right pane, click Click here to backup your keys.
4. Select a diskette, flash storage device, or some other USB-connected storage media on which to
save the recovery information, and then click Next. The Drive Encryption for HP ProtectTools
Wizard opens.
5. Follow the on-screen instructions to back up the Drive Encryption keys.
NOTE: You will need to specify a diskette, flash storage device, or some other USB-connected
storage media on which the recovery information will be stored.
Recovery 49
8 Troubleshooting
Credential Manager for HP ProtectTools
Short description Details Solution
Using Credential Manager
Network Accounts option,
a user can select which
domain account to log
into. When TPM
authentication is used, this
option is not available. All
other authentication
methods work properly.
Using TPM authentication, the user is
only logged into the local computer.
Using Credential Manager Single Sign On tools allows
user to authenticate other accounts.
USB token credential is
not available with login to
Windows XP Service Pack
1.
After installing USB token software,
registering the USB token credential, and
setting Credential Manager as primary
login, the USB Token is neither listed nor
available in the Credential Manager/gina
logon.
When logging back into Windows, log off
Credential Manager, re-log back into
Credential Manager and reselect token
as primary login, the token login
operation functions normally.
This only occurs with Windows XP Service Pack 1;
update Windows version to Service Pack 2 via
Windows Update to correct.
To work around if retaining Service Pack 1, re-log back
into Windows using another credential (Windows
password) in order to log off and re-log back into
Credential Manager.
Some application Web
pages create errors that
prevent user from
performing or completing
tasks.
Some Web-based applications stop
functioning and report errors due to the
disabling functionality pattern of Single
Sign On. For example, an ! in a yellow
triangle is observed in Internet Explorer
indicating an error has occurred.
Credential Manager Single Sign On does not support
all software Web interfaces. Disable Single Sign On
support for the specific Web page by turning off Single
Sign On support. Please see complete documentation
on Single Sign On, which is available in the Credential
Manager help files.
If a specific Single Sign On cannot be disabled for a
given application, call HP Service and Support and
request 3rd level support through your HP Service
contact.
No option to Browse for
Virtual Token during the
login process.
User cannot move the location of
registered virtual token in Credential
Manager because the option to browse
was removed due to security risks.
The browse option was removed from current product
offerings because it allowed non-users to delete and
rename files and take control of Windows.
Login with TPM
authentication does not
give the Network
Accounts option.
Using the Network Accounts option, a
user can select which domain account to
log into. When TPM authentication is
used, this option is not available.
HP is researching a workaround for future product
enhancements.
Domain administrators
cannot change Windows
password even with
authorization.
This happens after a domain
administrator logs on to a domain and
registers the domain identity with
Credential Manager using an account
with Administrator's rights on the domain
and the local PC. When the domain
administrator attempts to change the
Credential Manager cannot change a domain user's
account password through Change Windows
password. Credential Manager can only change the
local PC account passwords. The domain user can
change his/her password through Windows
security > Change password option, but, since the
domain user does not have a physical account on the
50 Chapter 8 Troubleshooting
Short description Details Solution
Windows password from Credential
Manager, the administrator gets an error
logon failure: User account restriction.
local PC, Credential Manager can only change the
password used to log in.
Credential Manager
Single Sign On default
settings should be set to
prompt to prevent loop.
Single Sign On default is set to log users
automatically. However, when creating
the second of two different passwordprotected documents, Credential
Manager uses the last password
recorded—the one from the first
document.
HP is researching a workaround for future product
enhancements.
Incompatibility issues with
Corel WordPerfect 12
password gina.
If the user logs in to Credential Manager,
creates a document in WordPerfect and
saves with password protection,
Credential Manager cannot detect or
recognize, either manually or
automatically, the password gina.
HP is researching a workaround for future product
enhancements.
Credential Manager does
not recognize the
Connect button on
screen.
If the Single Sign On credentials for
Remote Desktop Connection (RDP) are
set to Connect, Single Sign On, upon
relaunch, always enters Save As instead
of Connect.
HP is researching a workaround for future product
enhancements.
ATI Catalyst configuration
wizard is not usable with
Credential Manager.
Credential Manager Single Sign On
conflicts with the ATI Catalyst configure
wizard.
Disable the Credential Manager Single Sign On.
When logging in using
TPM authentication, the
Back button on screen
skips the option to choose
another authentication
method.
If user using TPM login authentication for
Credential Manager enters his/her
password, the Back button does not
work properly, but instead immediately
displays the Windows login screen.
HP is researching a workaround for future product
enhancements.
Credential Manager
opens out of standby
when it is configured not
to.
When use Credential Manager log on
to Windows is not selected as an option,
allowing the system to go into S3
suspend and then waking the system
causes the Credential Manager logon to
Windows to open.
With no administrator password set, user cannot log on
to Windows through Credential Manager because of
account restrictions invoked by the Credential
Manager.
●
Without Java Card/token, user can cancel the
Credential Manager login and user will see the
Microsoft Windows login. User can log in at this
point.
●
With Java Card/token, the following workaround
allows the user to enable/disable opening of
Credential Manager upon Java Card insertion.
1. Click Advanced Settings.
2. Click Service & Applications.
3. Click Java Cards and Tokens.
4. Click when Java Card/token is inserted.
5. Select the Advise to log-on checkbox.
Users lose all Credential
Manager credentials
protected by the TPM, if
the TPM module is
removed or damaged.
If the TPM module is removed or
damaged, users lose all credentials
protected by the TPM.
This is as designed.
The TPM Module is designed to protect the Credential
Manager credentials. HP recommends that the user
back up identity from Credential Manager prior to
removing the TPM module.
Credential Manager for HP ProtectTools 51
Short description Details Solution
Credential Manager not
being set as primary logon
in Windows 2000.
During Windows 2000 install, the logon
policy is set for manual or auto logon
admin. If auto logon is chosen, then the
Windows default registry settings sets
the default auto admin logon value at 1,
and Credential Manager does not
override this.
This is as designed.
If user wishes to modify operating system level settings
for auto admin logon values for bypassing the edit path
is HKEY_LOCAL_MACHINE/Software/Microsoft/
WindowsNT/CurrentVersion/WinLogon
CAUTION: Use Registry Editor at your own risk!
Using the Registry Editor (regedit) incorrectly can
cause serious problems that may require you to
reinstall the operating system. There is no guarantee
that problems resulting from the incorrect use of
Registry Editor can be solved.
Fingerprint logon
message appears
whether or not fingerprint
reader is installed or
registered.
If user selects Windows logon, the
following desktop alert appears in the
Credential Manager task bar: You can
place your finger on the fingerprint
reader to log on to Credential
Manager.
The purpose of the desktop alert is to notify the user
that fingerprint authentication is available, if it is
configured.
Credential Manager logon
window for Windows 2000
states insert card when
no reader is attached.
The Windows Credential Manager
Welcome screen suggests the user can
log on with insert card when no Java
Card reader is attached.
The purpose of the alert is to notify the user that Java
Card authentication is available, if it is configured.
Unable to log into
Credential Manager after
transitioning from sleep
mode to hibernation on
Windows XP Service Pack
1 only.
After allowing system to transition into
hibernation and sleep mode,
Administrator or user is unable to log into
Credential Manager and the Windows
logon screen remains displayed no
matter which logon credential
(password, finger print or Java Card) is
selected.
This issue appears to be resolved in Service Pack 2
from Microsoft. Refer to Microsoft knowledge base
article 813301 at
http://www.microsoft.com for more
information on the cause of the issue.
In order to log on, user must select Credential Manager
and log in. After logging into Credential Manager, user
is prompted to log in to Windows (user may have to
select the Windows login option) to complete login
process.
If user logs into Windows first, then user must manually
log into Credential Manager.
52 Chapter 8 Troubleshooting
Short description Details Solution
Restoring Embedded
Security causes
Credential Manager to fail.
Credential Manager fails to register any
credentials after the ROM is restored to
factory settings.
The HP Credential Manager for ProtectTools fails to
access the TPM if the ROM was reset to factory settings
after the Credential Manager installation.
The TPM embedded security chip can be enabled in the
BIOS Computer Setup utility, BIOS Configuration for
ProtectTools, or HP Client Manager. To enable the
TPM embedded security chip:
1. Open Computer Setup by turning on or restarting
the computer, and then pressing F10 while the
F10 = ROM Based Setup message is displayed
in the lower-left corner of the screen.
2. Use the arrow keys to select Security > Setup
Password. Set a password.
3. Select Embedded Security Device.
4. Use the arrow keys to select Embedded Security
Device—Disable. Use the arrow keys to change
it to Embedded Security Device—Enable.
5. Select Enable > Save changes and exit.
HP is investigating resolution options for future
customer software releases.
Security Restore Identity
process loses association
with virtual token.
When user restores identity, Credential
Manager can lose association with the
location of the virtual token at login
screen. Even though Credential
Manager has the virtual token registered,
user must reregister the token to restore
association.
This is currently by design.
When uninstalling Credential Manager without keeping
identities, the system (server) part of the token is
destroyed, so the token cannot be used anymore for
logon, even if the client part of the token is restored
through identity restore.
HP is investigating long-term options for resolution.
Embedded Security for HP ProtectTools
Short description Details Solution
Encrypting folders, sub
folders, and files on PSD
causes error message.
If the user copies files and folders to the
PSD and tries to encrypt folders/files or
folders/subfolders, the Error Applying
Attributes message appears. The user
can encrypt the same files on the C:\
drive on an extra installed hard drive.
This is as designed.
Moving files/folders to the PSD automatically encrypts
them. There is no need to “double-encrypt” the files/
folders. Attempting to double-encrypt them using on the
PSD using EFS will produce this error message.
Cannot Take Ownership
With Another OS In
MultiBoot Platform.
If a drive is set up for multiple OS boot,
ownership can only be taken with the
platform initialization wizard in one
operating system.
This is as designed, for security reasons.
Unauthorized
administrator can view,
delete, rename, or move
the contents of encrypted
EFS folders.
Encrypting a folder does not stop an
unauthorized user with administrative
rights to view, delete, or move contents
of the folder.
This is as designed.
It is a feature of EFS, not the Embedded Security TPM.
Embedded Security uses Microsoft EFS software, and
EFS preserves file/folder access rights for all
administrators.
Encrypted folders with
EFS in Windows 2000 are
not shown highlighted in
green.
Encrypted folders with EFS are
highlighted in green in Windows XP, but
not in Windows 2000.
This is as designed.
It is a feature of EFS that it does not highlight encrypted
folders in Windows 2000, but it does in Windows XP.
Embedded Security for HP ProtectTools 53
Short description Details Solution
This is true whether or not an Embedded Security TPM
is installed.
EFS does not require a
password to view
encrypted files in
Windows 2000.
If a user sets up the Embedded Security,
logs on as an administrator, then logs off
and back on as the administrator, the
user can subsequently see files/folders
in Windows 2000 without a password.
This occurs only in the first administrator
account on Windows 2000. If a
secondary administrator account is
being logged into, this does not occur.
This is as designed.
It is a feature of EFS in Windows 2000. EFS in Windows
XP, by default, will not let the user open files/folders
without a password.
Software should not be
installed on a restore with
FAT32 partition.
If the user attempts to restore the hard
drive using FAT32, there will be no
encrypt options for any files/folders using
EFS.
This is as designed.
Microsoft EFS is supported only on NTFS and will not
function on FAT32. This is a feature of Microsoft's EFS
and is not related to HP ProtectTools software.
Windows 2000 User can
share to the network any
PSD with the hidden ($)
share.
Windows 2000 User can share to the
network any PSD with the hidden ($)
share. The hidden share can be
accessed over the network using the
hidden ($) share.
The PSD is not normally shared on the network, but it
can be through the hidden ($) share in Windows 2000
only. HP recommends always having the built-in
Administrator account password-protected.
User is able to encrypt or
delete the recovery
archive XML file.
By design, the ACLs for this folder is not
set; therefore, a user can inadvertently or
purposely encrypt or delete the file,
making it inaccessible. Once this file has
been encrypted or deleted, no one can
use the TPM software.
This is as designed.
Users have access rights to an emergency archive in
order to save/update their Basic User Key backup copy.
Customers should adopt a 'best practices' security
approach and instruct users never to encrypt or delete
the recovery archive files.
HP ProtectTools
Embedded Security EFS
interaction with Symantec
Antivirus or Norton
Antivirus produces longer
encryption/decryption and
scan times.
Encrypted files interfere with Symantec
Antivirus or Norton Antivirus 2005 virus
scan. During the scan process, the Basic
User password prompt asks the user for
a password every 10 files or so. If the
user does not enter a password, the
Basic User password prompt times out,
allowing NAV2005 to continue with the
scan. Encrypting files using HP
ProtectTools Embedded Security EFS
takes longer when Symantec Antivirus or
Norton Antivirus is running.
To reduce the time required to scan HP ProtectTools
Embedded Security EFS files, the user can either enter
the encryption password before scanning or decrypt
before scanning.
To reduce the time required to encrypt/decrypt data
using HP ProtectTools Embedded Security EFS, the
user should disable Auto-Protect on Symantec
Antivirus or Norton Antivirus.
Cannot save emergency
recovery archive to
removable media.
If the user inserts an MMC or SD card
when creating the emergency recovery
archive path during Embedded Security
Initialization, an error message is
displayed.
This is as designed.
Storage of the recovery archive on removable media is
not supported. The recovery archive can be stored on
a network drive or another local drive other than the C
drive.
Cannot encrypt any data
in the Windows 2000
French (France)
environment.
There is no Encrypt selection when
right-clicking a file icon.
This is a Microsoft operating system limitation. If the
locale is changed to anything else (French (Canada),
for example), then the Encrypt selection will appear.
To work around the problem, encrypt the file as follows:
right-click the file icon and select Properties >
Advanced > Encrypt Contents.
54 Chapter 8 Troubleshooting
Short description Details Solution
Errors occur after
experiencing a power loss
while taking ownership
during the Embedded
Security Initialization.
If there is a power loss while initializing
the Embedded Security chip, the
following issues will occur:
●
When attempting to launch the
Embedded Security Initialization
Wizard, the following error is
displayed: The Embedded
security cannot be initialized
since the Embedded Security
chip has already an Embedded
Security owner.
●
When attempting to launch the User
Initialization Wizard, the following
error is displayed: The Embedded
security is not initialized. To use
the wizard, the Embedded
Security must be initialized first.
Perform the following procedure to recover from the
power loss:
NOTE: Use the Arrow keys to select various menus,
menu items, and to change values (unless otherwise
specified).
1. Start or restart the computer.
2. Press F10 when the F10=Setup message
appears on screen (or as soon as the monitor LED
turns green).
3. Select the appropriate language option.
4. Press Enter.
5. Select Security > Embedded Security.
6. Set the Embedded Security Device option to
Enable.
7. Press F10 to accept the change.
8. Select File > Save Changes and Exit.
9. Press ENTER.
10. Press F10 to save the changes and exit the F10
Setup utility.
Computer Setup (F10)
Utility password can be
removed after enabling
TPM Module.
Enabling the TPM module requires a
Computer Setup (F10) Utility password.
Once the module has been enabled, the
user can remove the password. This
allows anyone with direct access to the
system to reset the TPM module and
cause possible loss of data.
This is as designed.
The Computer Setup (F10) Utility password can only be
removed by a user who knows the password. However,
HP strongly recommends having the Computer Setup
(F10) Utility password protected at all times.
The PSD password box is
no longer displayed when
the system becomes
active after Standby status
When a user logs on the system after
creating a PSD, the TPM asks for the
Basic User password. If the user does
not enter the password and the system
goes into Standby, the password dialog
box is no longer available when the user
resumes.
This is by design.
The user has to log off and back on to view the PSD
password box again.
No password required to
change the Security
Platform Policies.
Access to Security Platform Policies
(both Machine and User) does not
require a TPM password for users who
have administrative rights on the system.
This is by design.
Any administrator can modify the Security Platform
Policies with or without TPM user initialization.
Microsoft EFS does not
fully work in Windows
2000.
An administrator can access encrypted
information on the system without
knowing the correct password. If the
administrator enters an incorrect
password or cancels the password
dialog, the encrypted file will open as if
the administrator had entered the correct
password. This happens regardless of
the security settings used when
encrypting the data. This occurs only in
the first administrator account on
Windows 2000.
The Data Recovery Policy is automatically configured
to designate an administrator as a recovery agent.
When a user key cannot be retrieved (as in the case of
entering the wrong password or canceling the Enter
Password dialog), the file is automatically decrypted
with a recovery key.
This is due to the Microsoft EFS. Please refer to
Microsoft Knowledge Base Technical Article Q257705
at
http://www.microsoft.com for more information.
The documents cannot be opened by a nonadministrator user
When viewing a
certificate, it shows as
non-trusted.
After setting up HP ProtectTools and
running the User Initialization Wizard, the
user has the ability to view the certificate
issued; however, when viewing the
Self-signed certificates are not trusted. In a properly
configured enterprise environment, EFS certificates are
issued by online Certification Authorities and are
trusted.
Embedded Security for HP ProtectTools 55
Short description Details Solution
certificate, it shows as non-trusted. While
the certificate can be installed at this
point by clicking the install button,
installing it does not make it trusted.
Intermittent encrypt and
decrypt error occurs: The
process cannot access
the file because it is
being used by another
process.
Extremely intermittent error during file
encryption or decryption occurs due to
the file being used by another process,
even though that file or folder is not being
processed by the operating system or
other applications.
To resolve the failure:
1. Restart the system.
2. Log off.
3. Log back in.
Data loss in removable
storage occurs if storage
is removed prior to new
data generation or
transfer.
Removing storage mediums such as a
MultiBay hard drive still shows PSD
availability and does not generate errors
while adding/modifying data to the PSD.
After system restart, the PSD does not
reflect file changes that occurred while
the removable storage was not available.
The issue is only experienced if the user accesses the
PSD, then removes the hard drive before completing
new data generation or transfer. If the user attempts to
access the PSD when the removable hard drive is not
present, an error message is displayed stating that the
device is not ready.
During uninstall, if user
has not initialized the
Basic User and opens the
Administration tool, the
Disable option is not
available and Uninstaller
will not continue until the
Administration tool is
closed.
The user has the option of uninstalling
either without disabling the TPM or by
first disabling the TPM (through Admin.
tool), then uninstalling. Accessing the
Admin tool requires Basic User Key
initialization. If basic initialization has not
occurred, all options are inaccessible to
the user.
Since the user has explicitly chosen to
open the Admin tool (by clicking Yes in
the dialog box prompting Click Yes to
open Embedded Security
Administration tool), uninstall waits
until the Admin tool is closed. If user
clicks No in that dialog box, then the
Admin tool does not open at all and
uninstall proceeds.
The Admin tool is used for disabling the TPM chip, but
that option is not available unless the Basic User Key
has already been initialized. If it has not, then select
OK or Cancel in order to continue with the
uninstallation process.
Intermittent system lockup
occurs after creating PSD
on 2 users accounts and
using fast-user-switching
in 128-MB system
configurations.
System may lock up with a black screen
and non-responding keyboard and
mouse instead of showing welcome
(logon) screen when using fast-switching
with minimal RAM.
Root Cause suspicion is a timing issue in low memory
configurations.
Integrated graphics uses UMA architecture taking 8 MB
of memory, leaving only 120 available to user. This 120
MB is shared by both users who are logged in and are
fast-user-switching when error is generated.
Workaround is to reboot system and customer is
encouraged to increase memory configuration (HP
does not ship 128-MB configurations by default with
security modules).
EFS User Authentication
(password request) times
out with access denied.
The EFS User Authentication password
reopens after clicking OK or returning
from standby state after timeout.
This is by design—to avoid issues with Microsoft EFS,
a 30-second watchdog timer was created to generate
the error message).
Minor truncation during
setup of Japanese is
observed in functional
description
Functional descriptions during custom
setup option during installation wizard
are truncated.
HP will correct this in a future release.
EFS Encryption works
without entering password
in the prompt.
By allowing prompt for User password to
time out, encryption is still capable on a
file or folder.
The ability to encrypt does not require password
authentication, since this is a feature of the Microsoft
EFS encryption. The decryption will require the user
password to be supplied.
Secure e-mail is
supported, even if
Embedded security software and the
wizard do not control settings of an e-
This behavior is as designed. Configuration of TPM email settings does not prohibit editing encryption
56 Chapter 8 Troubleshooting
Short description Details Solution
unchecked in User
Initialization Wizard or if
secure e-mail
configuration is disabled in
user policies.
mail client (Outlook, Outlook Express, or
Netscape)
settings directly in e-mail client. Usage of secure e-mail
is set and controlled by 3rd party applications. The HP
wizard allows linkage to the three reference
applications for immediate customization.
Running Large Scale
Deployment a second
time on the same PC or on
a previously initialized PC
overwrites Emergency
Recovery and Emergency
Token files. The new files
are useless for recovery.
Running Large Scale Deployment on any
previously initialized HP ProtectTools
Embedded Security system will render
existing Recovery Archives and
Recovery Tokens useless by overwriting
those xml files.
HP is working to resolve the xml-file-overwrite issue
and will provide a solution in a future SoftPaq.
Automated logon scripts
not functioning during user
restore in Embedded
Security.
The error occurs after user
●
Initializes owner and user in
Embedded Security (using the
default locations—My
Documents).
●
Resets the chip to factory settings
in the BIOS.
●
Reboots the computer.
●
Begins to restore Embedded
Security. During the restore
process, Credential Manager asks
user if the system can automate the
logon to Infineon TPM User
Authentication. If user selects Yes,
then the location of
SPEmRecToken automatically
appears in the text box.
Even though this location is correct, the
following error message is displayed: No
Emergency Recovery Token is
provided. Select the token location
the Emergency Recovery Token
should be retrieved from.
Click the Browse button on the screen to select the
location, and the restore process proceeds.
Multiple User PSDs do not
function in a fast-userswitching environment.
This error occurs when multiple users
have been created and given a PSD with
the same drive letter. If an attempt is
made to fast-user-switch between users
when the PSD is loaded, the second
user's PSD will be unavailable.
The second user's PSD will only be available if it is
reconfigured to use another drive letter or if the first user
is logged off.
PSD is disabled and
cannot be deleted after
formatting the hard drive
on which the PSD was
generated
The PSD is disabled and cannot be
deleted after formatting the secondary
hard drive on which the PSD was
generated. The PSD icon is still visible,
but the error message drive is not
accessible appears when the user
attempts to access the PSD.
User is not able to delete the PSD and a
message appears that states: your PSD
is still in use, please ensure that your
PSD contains no open files and is not
accessed by another process. User
must reboot the system in order to delete
the PSD and it is not loaded after reboot.
As designed: If a customer force-deletes or disconnects
from the storage location of the PSD data, the
Embedded Security PSD drive emulation continues to
function and will produce errors based on lack of
communication with the missing data.
Resolution: After the next reboot, the emulations fail to
load and user can delete the old PSD emulation and
create a new PSD.
Embedded Security for HP ProtectTools 57
Short description Details Solution
An internal error has been
detected restoring from
Automatic Backup
Archive.
If the user
●
clicks Restore under Backup
option of Embedded Security in
HPPTSM to restore from the
automatic backup Archive
●
selects SPSystemBackup .xml
the Restore Wizard fails and the
following error message is displayed:
The selected Backup Archive does
not match the restore reason. Please
select another archive and continue.
If the user selects SpSystemBackup.xml when the
SpBackupArchive.xml is required, Embedded Security
Wizard fails with: An internal Embedded Security
error has been detected.
User must select the correct .xml file to match the
required reason.
The processes are working as designed and function
properly; however, the internal Embedded Security
error message is not clear and should state a more
appropriate message. HP is working to enhance this in
future products.
Security System exhibits a
restore error with multiple
users.
During the restore process, if the
administrator selects users to restore,
the users not selected are not able to
restore the keys when trying to restore at
a later time. A decryption process
failed error message is displayed.
The non-selected users can be restored by resetting
the TPM, running the restore process, and selecting all
users before the next default daily back runs. If the
automated backup runs, it overwrites the non-restored
users and their data is lost. If a new system backup is
stored, the previous non-selected users cannot be
restored.
Also, user must restore the entire system backup. An
Archive Backup can be restored individually.
Resetting System ROM to
default hides TPM.
Resetting the system ROM to default
hides the TPM to Windows. This does
not allow the security software to operate
properly and makes TPM-encrypted data
inaccessible.
Unhide the TPM in BIOS:
Open the Computer Setup (F10) Utility, navigate to
Security > Device security, modify the field from
Hidden to Available.
Automatic backup does
not work with mapped
drive.
When an administrator sets up
Automatic Backup in Embedded
Security, it creates an entry in
Windows > Tasks > Scheduled Task.
This Windows Scheduled Task is set to
use NT AUTHORITY\SYSTEM for rights
to execute the backup. This works
properly to any local drive.
When the administrator instead
configures the Automatic Backup to save
to a mapped drive, the process fails
because the NT AUTHORITY\SYSTEM
does not have the rights to use the
mapped drive.
If the Automatic Backup is scheduled to
occur upon login, Embedded Security
TNA Icon displays the following
message: The Backup Archive
location is currently not accessible.
Click here if you want to backup to a
temporary archive until the Backup
Archive is accessible again. If the
Automatic Backup is scheduled for a
specific time, however, the backup fails
without displaying notice of the failure.
The workaround is to change the NT AUTHORITY
\SYSTEM to (computer name)\(admin name). This is
the default setting if the Scheduled Task is created
manually.
HP is working to provide future product releases with
default settings that include computer name\admin
name.
Unable to disable
Embedded Security State
temporarily in Embedded
Security GUI.
The current 4.0 software was designed
for HP Notebook 1.1B implementations,
as well as supporting HP Desktop 1.2
implementations.
This option to disable is still supported in
the software interface for TPM 1.1
platforms.
HP will address this issue in future releases.
58 Chapter 8 Troubleshooting
Miscellaneous
Software Impacted—
Short description
Details Solution
HP ProtectTools Security
Manager—Warning
received: The security
application can not be
installed until the HP
Protect Tools Security
Manager is installed.
All security applications such as
Embedded Security, Java Card, and
biometrics are extendable plug-ins for
the HP Security Manager interface.
Security Manager must be installed
before an HP-approved security plug-in
can be loaded.
HP ProtectTools Security Manager software must be
installed before installing any security plug-in.
HP ProtectTools TPM
Firmware Update Utility
for dc7600 and models
containing Broadcomenabled TPMs—The tool
provided through HP
support Web site reports
ownership required.
This is the expected behavior of TPM
firmware utility for dc7600 and models
containing Broadcom-enabled TPMs
The firmware upgrade tool allows the
user to upgrade the firmware, with or
without an endorsement key (EK). When
there is no EK, no authorization is
required to complete the firmware
upgrade.
When there is an EK, a TPM owner must
exist, since the upgrade requires owner
authorization. After the successful
upgrade, the platform must be restarted
for the new firmware to take effect.
If the BIOS TPM is factory-reset,
ownership is removed and firmware
update capability is prevented until the
Embedded Security Software platform
and User Initialization Wizard have been
configured.
*A reboot is always recommended after
performing a firmware update. The
firmware version is not identified
correctly until after the reboot.
1. Reinstall HP ProtectTools Embedded Security
Software.
2. Run the Platform and User configuration wizard.
3. Ensure that the system contains Microsoft .NET
framework 1.1 installation:
a. Click Start.
b. Click Control Panel.
c. Click Add or remove programs.
d. Ensure Microsoft .NET Framework 1.1 is
listed.
4. Check the hardware and software configuration:
a. Click Start.
b. Click All Programs.
c. Click HP ProtectTools Security Manager.
d. Select Embedded Security from tree menu.
e. Click More Details. The system should have
the following configuration:
●
Product version = V4.0.1
●
Embedded Security State: Chip State =
Enabled, Owner State = Initialized,
User State = Initialized
●
Component Info: TCG Spec. Version =
1.2
●
Vendor = Broadcom Corporation
●
FW Version = 2.18 (or greater)
●
TPM Device driver library version
2.0.0.9 (or greater)
5. If the FW version does not match 2.18, download
and update the TPM firmware. The TPM Firmware
SoftPaq is a support download available at
http://www.hp.com.
HP ProtectTools Security
Manager—Intermittently,
an error is returned when
closing the Security
Manager interface.
Intermittently (1 in 12 instances), an error
is created by using the close button in the
upper right of the screen to close
Security Manager before all plug-in
applications have finished loading.
This is related to a timing dependency on plug-in
services load time when closing and restarting Security
Manager. Since PTHOST.exe is the shell housing the
other applications (plug-ins), it depends on the ability of
the plug-in to complete its load time (services). Closing
the shell before the plug-in has had time to complete
loading is the root cause.
Miscellaneous 59
Software Impacted—
Short description
Details Solution
Allow Security Manager to complete services loading
message (seen at top of Security Manager window) and
all plug-ins listed in left column. To avoid failure, allow
a reasonable time for these plug-ins to load.
HP ProtectTools * General
—Unrestricted access or
uncontrolled administrator
privileges pose security
risk.
Numerous risks are possible with
unrestricted access to the client PC:
●
deletion of PSD
●
malicious modification of user
settings
●
disabling of security policies and
functions
Administrators are encouraged to follow “best
practices” in restricting end-user privileges and
restricting user access.
Unauthorized users should not be granted
administrative privileges.
BIOS and OS Embedded
Security password are out
of synch.
If user does not validate a new password
as the BIOS Embedded Security
password, the BIOS Embedded Security
password reverts back to the original
embedded security password through
F10 BIOS.
This is functioning as designed; these passwords can
be re-synchronized by changing the OS Basic User
password and authenticating it at the BIOS Embedded
Security password prompt.
Only one user can log on
to the system after TPM
preboot authentication is
enabled in BIOS.
The TPM BIOS PIN is associated with
the first user who initialize the user
setting. If a computer has multiple users,
the first user is, in essence, the
administrator. The first user will have to
give his TPM user PIN to other users to
use to log in.
This is functioning as designed; HP recommends that
the customer's IT department follow good security
policies for rolling out their security solution and
ensuring that the BIOS administrator password is
configured by IT administrators for system level
protection.
User has to change PIN to
make TPM preboot work
after a TPM factory reset.
User has to change PIN or create
another user to initialize his user setting
to make TPM BIOS authentication work
after reset. There is no option to make
TPM BIOS authentication work.
This is as designed, the factory reset clears the Basic
User Key. The user must change his user PIN or create
a new user to re-initialize the Basic User Key.
Power-on
authentication support
not set to default using
Embedded Security
Reset to Factory
Settings
In Computer Setup, the Power-on
authentication support option is not
being reset to factory settings when
using the Embedded Security Device
option Reset to Factory Settings. By
default, Power-on authentication
support is set to Disable.
The Reset to Factory Settings option disables
Embedded Security Device, which hides the other
Embedded Security options (including Power-on
authentication support). However, after re-enabling
Embedded Security Device, Power-on authentication
support remained enabled.
HP is working on a resolution, which will be provided in
future Web-based ROM SoftPaq offerings.
Security Power-On
Authentication overlaps
BIOS Password during
boot sequence.
Power-On Authentication prompts the
user to log on to system using the TPM
password, but, if the user presses F10 to
access the BIOS, Read rights access
only is granted.
To be able to write to BIOS, the user must enter the
BIOS password instead of the TPM password at the
Power-on Authentication window.
The BIOS asks for both
the old and new
passwords through
Computer Setup after
changing the Owner
password in Embedded
Security Windows
software.
The BIOS asks for both the old and new
passwords through Computer Setup
after changing the Owner password in
Embedded Security Windows software.
This is as designed. This is due to the inability of the
BIOS to communicate with the TPM, once the operating
system is up and running, and to verify the TPM pass
phrase against the TPM key blob.
60 Chapter 8 Troubleshooting
Glossary
Authentication Process of verifying whether a user is authorized to perform a task, for example, accessing a
computer, modifying settings for a particular program, or viewing secured data.
Biometric Category of authentication credentials that use a physical feature, such as a fingerprint, to identify a
user.
BIOS profile Group of BIOS configuration settings that can be saved and applied to other accounts.
BIOS security mode Setting in Java Card Security that, when enabled, requires the use of a Java Card and a
valid PIN for user authentication.
Certification authority Service that issues the certificates required to run a public key infrastructure.
Credentials Method by which a user proves eligibility for a particular task in the authentication process.
Cryptographic service provider (CSP) Provider or library of cryptographic algorithms that can be used in a
well-defined interface to perform particular cryptographic functions.
Cryptography Practice of encrypting and decrypting data so that it can be decoded only by specific individuals.
Decryption Procedure used in cryptography to convert encrypted data into plain text.
Digital certificate Electronic credentials that confirm the identity of an individual or a company by binding the
identity of the digital certificate owner to a pair of electronic keys that are used to sign digital information.
Digital signature Data sent with a file that verifies the sender of the material, and that the file has not been
modified after it was signed.
Domain Group of computers that are part of a network and share a common directory database. Domains are
uniquely named, and each has a set of common rules and procedures.
DriveLock Security feature that links the hard drive to a user and requires the user to correctly type the DriveLock
password when the computer starts up.
Emergency recovery archive Protected storage area that allows the reencryption of basic user keys from one
platform owner key to another.
Encryption Procedure, such as use of an algorithm, employed in cryptography to convert plain text into cipher
text in order to prevent unauthorized recipients from reading that data. There are many types of data encryption,
and they are the basis of network security. Common types include Data Encryption Standard and public-key
encryption.
Encryption File System (EFS) System that encrypts all files and subfolders within the selected folder.
FAT partition File Allocation Table, a method of indexing storage media.
Identity In the HP ProtectTools Credential Manager, a group of credentials and settings that is handled like an
account or profile for a particular user.
Java Card Small piece of hardware, similar in size and shape to a credit card, which stores identifying information
about the owner. Used to authenticate the owner to a computer.
Glossary 61
Migration A task that allows the management, restoration, and transfer of keys and certificates.
Network account Windows user or administrator account, either on a local computer, in a workgroup, or on a
domain.
NTFS partition NT File System, a method of indexing storage media. This method is standard with Windows
Vista and Windows XP.
Personal secure drive (PSD) Provides a protected storage area for sensitive information.
Power-on authentication Security feature that requires some form of authentication, such as a Java Card,
security chip, or password, when the computer is turned on.
Public Key Infrastructure (PKI) Standard that defines the interfaces for creating, using, and administering
certificates and cryptographic keys.
Reboot Process of restarting the computer.
Single Sign On Feature that stores authentication information and allows you to use the Credential Manager to
access Internet and Windows applications that require password authentication.
Smart card Small piece of hardware, similar in size and shape to a credit card, which stores identifying
information about the owner. Used to authenticate the owner to a computer.
Stringent security Security feature in BIOS Configuration that provides enhanced protection for the power-on
and administrator passwords and other forms of power-on authentication.
Trusted Platform Module (TPM) embedded security chip (select models only) Integrated security chip that
can protect highly sensitive user information from malicious attackers. It is the root-of-trust in a given platform. The
TPM provides cryptographic algorithms and operations that meets the Trusted Computing Group (TCG)
specifications.
USB token Security device that stores identifying information about a user. Like a Java Card or biometric reader,
it is used to authenticate the owner to a computer.
Virtual token Security feature that works very much like a Java Card and card reader. The token is saved either
on the computer hard drive or in the Windows registry. When you log on with a virtual token, you are asked for a
user PIN to complete the authentication.
Windows user account Profile for an individual authorized to log on to a network or to an individual computer.
62 Glossary
Index
A
access
controlling 41
preventing unauthorized 6
accessing HP ProtectTools
Security 4
account
basic user 26
Credential Manager 12
administrator tasks
Credential Manager 21
Java Card 32
advanced
BIOS configuration for HP
ProtectTools 40
advanced tasks
Credential Manager 21
Device Access Manager 44
Embedded Security 28
Java Card 32
B
background service, Device Access
Manager 42
backing up and restoring
certification information 28
Embedded Security 28
HP ProtectTools modules 9
Single Sign On data 18
basic user account 26
Basic User Key password
changing 27
setting 26
biometric readers 13
BIOS administrator password 8
BIOS configuration for HP
ProtectTools
advanced 40
file 36
power 39
security 38
storage 37
C
Computer Setup
administrator password 8
controlling device access 41
Credential Manager
troubleshooting 50
Credential Manager for HP
ProtectTools
account, adding 16
account, removing 16
administrator tasks 21
application protection 19
application protection,
removing 19
changing application restriction
setting 19
credential properties,
configuring 22
credentials, registering 12
custom authentication
requirements 21
fingerprint log on 13
fingerprint reader 13
identity 15
identity, clearing 15
identity, removing 15
locking computer 15
logging on 12, 15
logon password 7
logon specifications 21
logon wizard 12
new account, creating 12
recovery file password 7
registering fingerprints 12
registering Java Card 13
registering other
credentials 13
registering token 13
registering virtual token 13
restriction application
access 19
settings, configuring 22
setup procedures 12
Single Sign On (SSO) 16
SSO application, exporting 18
SSO application, importing 18
SSO application, modifying
properties 17
SSO application, removing 17
SSO applications and
credentials 17
SSO automatic registration 16
SSO credentials,
modifying 18
SSO manual registration 17
SSO new application 16
token PIN, changing 14
USB eToken, registering 13
user verification 23
virtual token, creating 14
Windows 15
Windows Logon 15
Windows logon password,
changing 14
Windows logon, allow 23
D
data, restricting access to 5
decrypting a drive 46
Device Access Manager for HP
ProtectTools
background service 42
device class configuration 44
device class, allowing access to
one 44
device, allowing access to
one 45
simple configuration 43
user or group, adding 44
user or group, denying access
to 44
user or group, removing 44
disabling
Embedded Security 28
Index 63
Embedded Security,
permanently 29
Java Card power-on
authentication 34
Drive Encryption for HP
ProtectTools
adding a user 48
changing a token 48
changing authentication 48
changing encryption 47
decrypting a drive 47
Drive Encryption keys 49
Drive Encryption recovery
service 49
encrypting a drive 47
removing a user 48
setting a password 48
E
Embedded Security for HP
ProtectTools
backup file, creating 28
basic user account 26
Basic User Key 26
Basic User Key password,
changing 27
certification data, restoring 28
enabling after permanent
disable 29
enabling and disabling 28
enabling TPM chip 25
encrypted e-mail 27
encrypting files and folders 27
initializing chip 25
migrating keys 29
owner password, changing 28
password 7
permanently disabling 29
Personal Secure Drive 27
resetting user password 28
setup procedures 25
troubleshooting 53
emergency recovery 25
emergency recovery token
password
definition 7
setting 25
enabling
Embedded Security 28
Embedded Security after
permanent disable 29
Java Card power-on
authentication 33
TPM chip 25
encrypting a drive 46
encrypting files and folders 27
encryption
methods 47
user authentication 48
users 48
F
F10 Setup password 8
features, HP ProtectTools 2
file
BIOS Configuration for HP
ProtectTools 35
fingerprints, Credential
Manager 12
H
HP ProtectTools Backup and
Restore 9
HP ProtectTools features 2
HP ProtectTools Security,
accessing 4
I
identity, managing
Credential Manager 15
identity, removing
Credential Manager 15
initializing embedded security
chip 25
J
Java Card Security for HP
ProtectTools
administrator tasks 32
advanced tasks 32
assigning name 32
creating administrator 33
Credential Manager 13
PIN 8
PIN, assigning 32
PIN, changing 31
power-on authentication,
disabling 34
power-on authentication,
enabling 33
power-on authentication,
setting 32
reader, selecting 31
user, creating 33
K
key security objectives 5
L
locking computer 15
logging on
Windows 15
N
network account 16
O
objectives, security 5
owner password
changing 28
definition 8
setting 25
P
password
Basic User Key 27
changing owner 28
creating 6
emergency recovery token 25
guidelines 8
HP ProtectTools 7
managing 7
owner 25
resetting user 28
secure, creating 8
Windows logon 14
personal secure drive (PSD) 27
power
BIOS configuration for HP
ProtectTools 39
power-on password
definition 8
properties
application 17
authentication 21
credential 22
R
recovering encrypted data 49
registering
application 16
credentials 12
restricting
access to sensitive data 5
device access 41
S
security
BIOS configuration for HP
ProtectTools 38
key objectives 5
roles 7
64 Index
security roles 7
security setup password 8
Single Sign On
automatic registration 16
exporting applications 18
manual registration 17
modifying application
properties 17
removing applications 17
storage
BIOS configuration for HP
ProtectTools 37
T
targeted theft, protecting
against 5
token, Credential Manager 13
TPM chip
enabling 25
initializing 25
troubleshooting
Credential Manager for HP
ProtectTools 50
Embedded Security for HP
ProtectTools 53
Miscellaneous 59
U
unauthorized access,
preventing 6
USB eToken, Credential
Manager 13
V
virtual token 14
virtual token, Credential
Manager 13, 14
W
Windows Logon
Credential Manager 15
password 8
Windows network account 16
Index 65
Loading...