
HP ProtectTools Troubleshooting Guide
HP Compaq Business Desktops
Document Part Number: 413742-001
January 2006
This document contains information and recommendations for the ProtectTools administrator concerning questions that may arise in the administration and operation of HP ProtectTools.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the U.S. and other countries.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
This document contains proprietary information that is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Hewlett-Packard Company.
WARNING: Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life.
CAUTION: Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information.
First Edition (January 2006) Document Part Number: 413742-001

Overview

HP ProtectTools Security is a new technology offered by HP on some Business PCs. This technology offers enhanced security support for file/folder encryption, user identity and protection, Single Sign On, multi-factor authentication, smart card, smart card preboot, token and biometric support, and works natively with the operating system to enhance security-aware applications, such as secure e-mail. The enhanced security is achieved through both hardware and software. Windows-based management of the BIOS is also incorporated through a BIOS Configuration module. All software is centrally managed through an HP Security Manager interface, which can be accessed from the task tray, Start menu, or Control Panel. A properly enabled security system requires a TPM-enabled BIOS, version 1.54 or greater, obtainable through www.hp.com support, and the security software, which is available for purchase.
Administrators are encouraged to follow “best practices” by restricting end-user privileges and limiting the access granted to users.

Hardware

The hardware consists of a Trusted Platform Module (TPM) that meets the Trusted Computing Group TPM 1.2 standard. The card is integrated with the system board and is part of the NIC. The NIC and TPM solution contains both on-chip and off-chip memory; functions and firmware are located on an external flash integrated with the system board. All TPM functions are encrypted or protected to ensure secure flash updates and communications.

Software

The software, HP ProtectTools, has two parts: HP ProtectTools Security Manager and HP plug-in modules. Security Manager is the interface (shell) that centralizes all security applications (plug-ins). The computer offers security in both configure-to-order and aftermarket configurations. Both offerings provide a CD which can be used in Microsoft Windows to install the HP ProtectTools security products. Customers using a non-HP corporate image are encouraged to use the provided CD to install security software. Some HP Web-based downloads (SoftPaqs) will not install unless previous versions of security software are already installed on the target PC.
HP ProtectTools security applications for the computer are:
HP ProtectTools Security Manager: The software is preinstalled on the hard drive and can be accessed from the Start Menu or the Control Panel applet. The Security Manager shell interface provides a central point for administering all security plug-in modules. Security plug-ins such as the TPM, Smart Card, and future security products cannot be installed unless the Security Manager interface is present.

HP ProtectTools Embedded Security: This supports the TPM 1.2 hardware directly and is preinstalled on the imaged drive for desktops. In Windows 2000 and Windows XP environments, this software supports enhanced security for secure e-mail with Microsoft Outlook or Outlook Express, and it supports enhanced security for Microsoft EFS file/folder encryption. The software also provides a function called Personal Secure Drive (PSD). The PSD is a function in addition to the EFS-based file/folder encryption, and it uses the Advanced Encryption Standard (AES) algorithm. Note that the HP ProtectTools Personal Secure Drive cannot function unless the TPM is unhidden and enabled, the appropriate software is installed and ownership has been taken, and the user configuration has been initialized. Additionally, the TPM also supports data management functions, such as backing up and restoring the key hierarchy, and, when the Embedded Security software is used, protected digital certificate operations for third-party applications that use MSCAPI (such as Microsoft Outlook and Internet Explorer) and for applications that use PKCS#11 (such as Netscape).

HP ProtectTools TPM Firmware Update Utility: This utility is a Web-based SoftPaq for updating your TPM firmware.

HP Credential Manager for ProtectTools: This tool provides identity management and has security features that protect against unauthorized access to your computer. These features include the following:
• Alternative login methods, as opposed to passwords, when logging on to Windows, such as using a smart card or biometric reader
• A Single Sign On feature that automatically remembers credentials for Web sites, applications, and protected network resources
• Support for optional security devices, such as smart cards and biometric readers
• Support for additional security settings, such as requiring authentication with an optional security device to unlock the computer and access applications
• Enhanced encryption for stored passwords, when implemented with a TPM Embedded Security chip

Smart Card Security for ProtectTools: This tool manages the smart card setup and configuration for computers equipped with an optional smart card reader. The smart card BIOS security mode is available on some models. When enabled, this mode requires you to use a smart card to log on to the computer.

BIOS Configuration for ProtectTools: This module provides access to the Computer Setup Utility security and configuration settings, allowing users to access system security features managed by Computer Setup from within Windows.

Please consult the HP ProtectTools Security Manager Guide that shipped with the computer, or access it online at http://www.hp.com along with the latest software, firmware, drivers, and support materials. Help files provided with the installed product contain a variety of troubleshooting, configuration, and functional product data, and they are considered the first direct source of information.
Table A Glossary of HP ProtectTools Embedded Security Related Terminology

AES (Advanced Encryption Standard): A symmetric 128-bit block data encryption technique.
API (Application Programming Interface): A series of internal operating system functions that applications can use to perform various tasks.
CSP (Cryptographic Service Provider): A software component that interfaces with the MSCAPI.
EFS (Encrypting File System): A transparent file encryption service provided by Microsoft for Windows 2000 or later.
LPC (Low Pin Count): Defines an interface used by the HP ProtectTools Embedded Security device to connect with the platform chipset. The bus consists of 4 bits of Address/Data pins, along with a 33 MHz clock and several control/status pins.
MSCAPI (Microsoft Cryptographic API, or CryptoAPI): An API from Microsoft that provides an interface to the Windows operating system for cryptographic applications.
PKCS (Public Key Cryptography Standards): Standards that govern the definition and use of Public Key/Private Key means of encryption and decryption.
PKI (Public Key Infrastructure): A general term for the implementation of security systems that use Public Key/Private Key encryption and decryption.
PSD (Personal Secure Drive): A feature provided by HP ProtectTools Embedded Security. This application creates a virtual drive on the user's machine that automatically encrypts files/folders that are moved into the virtual drive.
S/MIME (Secure Multipurpose Internet Mail Extensions): A specification for secure electronic messaging using PKCS. S/MIME offers authentication via digital signatures and privacy via encryption.
TCG (Trusted Computing Group): Industry association set up to promote the concept of a “Trusted PC.” TCG supersedes TCPA.
TCPA (Trusted Computing Platform Alliance): Trusted computing alliance; now superseded by TCG.
TPM (Trusted Platform Module): TPM hardware and software enhance the security of EFS and the Personal Secure Drive by protecting the keys used by EFS and the Personal Secure Drive.
In systems without a TPM, the keys used for EFS and the PSD are normally stored on the hard drive, which leaves them potentially vulnerable. In systems with a TPM, the TPM's private Storage Root Keys, which never leave the TPM chip, are used to “wrap” (protect) the keys used by EFS and by the PSD. Extracting the private keys from the TPM is much more difficult than reading the keys from the system's hard drive.
The TPM also enhances the security of secure e-mail via S/MIME in Microsoft Outlook and Outlook Express. The TPM functions as a Cryptographic Service Provider (CSP). Keys and certificates are generated and/or supported by the TPM hardware, providing significantly greater security than software-only implementations.
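The “wrapping” described in the TPM entry above, shown as an added PowerShell illustration that is not part of this guide and is not HP's code. An RSA-2048 private key generated and held only in this process stands in for the TPM's Storage Root Key (a TPM 1.2 SRK is itself a 2048-bit RSA key); a random 256-bit symmetric key stands in for a key of the kind EFS or the PSD uses; and the RSA-OAEP output is the wrapped blob that would sit on the hard drive. The function and variable names are the example's own. Unwrapping with a second RSA key fails, which is exactly the property the paragraph relies on: the stored blob is useless to anyone who reads it off the disk without the private key that never left the chip.

```powershell
# Added illustration of key wrapping (not HP code). An in-memory RSA-2048 key
# stands in for the TPM's Storage Root Key; a random 256-bit key stands in for
# a data key of the kind EFS or the PSD uses. Function names are this example's own.

function New-DataKey {
    # Random symmetric key: the secret that would otherwise sit in clear on disk.
    param([int]$Bits = 256)
    $key = New-Object byte[] ($Bits / 8)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($key)
    $rng.Dispose()
    return $key
}

function New-StorageRootKey {
    # Stand-in for the SRK: generated here and never exported. The real SRK
    # never leaves the TPM at all.
    return New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
}

function Protect-DataKey {
    # RSA-OAEP wrap. The Base64 string is the only thing that needs to be stored.
    param([byte[]]$DataKey, [System.Security.Cryptography.RSACryptoServiceProvider]$Wrapper)
    return [Convert]::ToBase64String($Wrapper.Encrypt($DataKey, $true))
}

function Unprotect-DataKey {
    # Unwrap; succeeds only with the private half of the key that did the wrapping.
    param([string]$WrappedBase64, [System.Security.Cryptography.RSACryptoServiceProvider]$Wrapper)
    return $Wrapper.Decrypt([Convert]::FromBase64String($WrappedBase64), $true)
}

function Invoke-KeyWrapDemo {
    $srk     = New-StorageRootKey
    $dataKey = [byte[]](New-DataKey)
    $blob    = Protect-DataKey -DataKey $dataKey -Wrapper $srk   # what lands on disk

    # Legitimate path: the wrapping key recovers the data key byte for byte.
    $recovered   = [byte[]](Unprotect-DataKey -WrappedBase64 $blob -Wrapper $srk)
    $roundTripOk = ([Convert]::ToBase64String($dataKey) -eq [Convert]::ToBase64String($recovered))

    # Failure mode the guide describes: the blob is copied from the disk, but the
    # SRK is not. A different RSA key cannot decode the OAEP padding and throws.
    $otherSrk = New-StorageRootKey
    $unwrappedByOtherKey = $true
    try   { [void](Unprotect-DataKey -WrappedBase64 $blob -Wrapper $otherSrk) }
    catch [System.Security.Cryptography.CryptographicException] { $unwrappedByOtherKey = $false }

    $srk.Dispose(); $otherSrk.Dispose()
    [pscustomobject][ordered]@{
        WrappedBlobBytes    = [Convert]::FromBase64String($blob).Length   # 256 for RSA-2048
        RoundTripOk         = $roundTripOk                                 # expected True
        UnwrappedByOtherKey = $unwrappedByOtherKey                         # expected False
    }
}

Invoke-KeyWrapDemo | Format-List
```

The RSACryptoServiceProvider constructor used here creates an ephemeral key that is discarded on Dispose, so nothing is persisted to a key container; the analogy to the TPM is that only the wrapped blob ever exists outside the key holder.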
Software impacted: HP ProtectTools Embedded Security
Short description: Encrypting folders, subfolders, and files on the PSD causes an error message
Details: If the user copies files and folders to the PSD and then tries to encrypt the folders/files or folders/subfolders, the Error Applying Attributes message appears. The user can encrypt the same files on the C:\ drive or on an additional installed hard drive.
Solution / Workaround: This is as designed. Moving files/folders to the PSD automatically encrypts them; there is no need to “double-encrypt” them. Attempting to double-encrypt files/folders on the PSD using EFS produces this error message.

Software impacted: HP ProtectTools Embedded Security
Short description: Cannot take ownership with another OS on a multi-boot platform
Details: If a drive is set up to boot multiple operating systems, ownership can be taken with the platform initialization wizard in only one operating system.
Solution / Workaround: This is as designed. For security reasons, Embedded Security is designed to work with only one OS per system.

Software impacted: HP ProtectTools Embedded Security
Short description: Unauthorized administrator can view, delete, rename, or move the contents of encrypted EFS folders
Details: Encrypting a folder does not stop an unauthorized user with administrative rights from viewing, deleting, or moving the contents of the folder.
Solution / Workaround: This is as designed. It is a feature of EFS, not of the Embedded Security TPM. Embedded Security uses Microsoft EFS, and EFS preserves file/folder access rights for all administrators.

Software impacted: HP ProtectTools Embedded Security
Short description: Folders encrypted with EFS in Windows 2000 are not shown highlighted in green
Details: Folders encrypted with EFS are highlighted in green in Windows XP, but not in Windows 2000.
Solution / Workaround: This is as designed. EFS does not highlight encrypted folders in Windows 2000, but it does in Windows XP. This is true whether or not an Embedded Security TPM is installed.

Software impacted: HP ProtectTools Embedded Security
Short description: EFS does not require a password to view encrypted files in Windows 2000
Details: If a user sets up Embedded Security, logs on as an administrator, then logs off and back on as the same administrator, the user can subsequently see files/folders in Windows 2000 without a password.
Solution / Workaround: This is as designed. It is a feature of EFS in Windows 2000. EFS in Windows XP, by default, will not let the user open files/folders without a password.

Software impacted: HP ProtectTools Embedded Security
Short description: Software should not be installed on a restore with a FAT32 partition
Details: If the user restores the hard drive using FAT32, there will be no encrypt option for any files/folders using EFS.
Solution / Workaround: This is as designed. Microsoft EFS is supported only on NTFS and will not function on FAT32. This is a feature of Microsoft's EFS and is not related to HP ProtectTools software.
Software impacted: HP ProtectTools Embedded Security
Short description: Initialization fails for the TPM module after a system restore
Details: If the user restores the hard drive from the restore CD, initialization of the TPM fails.
Solution / Workaround: This is as designed. The TPM must be reset and enabled again in the Computer Setup (F10) Utility prior to initialization.

Software impacted: HP ProtectTools Embedded Security
Short description: Windows 2000 user can share any PSD to the network with a hidden ($) share
Details: A Windows 2000 user can share any PSD to the network with a hidden ($) share, and the PSD can then be accessed over the network through that hidden share.
Solution / Workaround: The PSD is not normally shared on the network, but it can be through the hidden ($) share in Windows 2000 only. HP recommends always having the built-in Administrator account password-protected.

Software impacted: HP ProtectTools Embedded Security
Short description: User is able to encrypt or delete the recovery archive XML file
Details: By design, the ACLs for this folder are not set; therefore, a user can inadvertently or purposely encrypt or delete the file, making it inaccessible. Once this file has been encrypted or deleted, no one can use the TPM software.
Solution / Workaround: This is as designed. Users have access rights to the emergency archive in order to save/update the backup copy of their Basic User Key. Customers should adopt a 'best practices' security approach and instruct users never to encrypt or delete the recovery archive files.
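Several of the “as designed” items above come down to facts an administrator can verify from Windows: EFS only works on NTFS, EFS leaves NTFS access rights (and therefore delete/rename/move) untouched for administrators, a PSD on Windows 2000 can be exposed through a user-created hidden ($) share, and the emergency recovery archive must never be encrypted or deleted. The following PowerShell audit is an added example, not HP code and not part of this guide; the function names are its own, the PSD drive letter and archive path are placeholders the caller supplies, and every function only reports and changes nothing.

```powershell
# Added audit helpers (not HP code). Drive letter and archive path are placeholders
# supplied by the caller; the functions only report and change nothing.

function Test-EfsVolume {
    # EFS works only on NTFS; on FAT32 the Encrypt option simply never appears.
    param([Parameter(Mandatory)][string]$Path)
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
    $drive = New-Object System.IO.DriveInfo($root)
    [pscustomobject][ordered]@{
        Path       = $Path
        FileSystem = $drive.DriveFormat
        EfsCapable = ($drive.DriveFormat -eq 'NTFS')
    }
}

function Test-EfsEncrypted {
    # True when the file or folder carries the EFS Encrypted attribute.
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Get-DeleteCapableAces {
    # EFS hides content, not the object: any Allow ACE carrying the Delete right
    # (Modify and FullControl include it) still lets that principal delete, rename
    # or move an encrypted file. Administrators normally appear here, as the guide notes.
    param([Parameter(Mandatory)][string]$Path)
    $delete = [System.Security.AccessControl.FileSystemRights]::Delete
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $delete) -ne 0) } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Get-HiddenDiskShares {
    # Windows 2000 caveat: a PSD can be exposed through a user-created hidden ($)
    # share. Win32_Share Type 0 is a plain disk share; the built-in C$ and ADMIN$
    # shares use the administrative share types and are therefore not listed.
    param([string]$PsdDriveLetter)
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Name -like '*$' } |
        ForEach-Object {
            [pscustomobject][ordered]@{
                Name  = $_.Name
                Path  = $_.Path
                OnPsd = [bool]($PsdDriveLetter -and ($_.Path -like "$($PsdDriveLetter):*"))
            }
        }
}

function Test-RecoveryArchive {
    # The emergency recovery archive must stay present and unencrypted or the TPM
    # software becomes unusable. Report its state and who could delete it.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject][ordered]@{ Path = $Path; Exists = $false; Encrypted = $null; DeleteCapable = @() }
    }
    [pscustomobject][ordered]@{
        Path          = $Path
        Exists        = $true
        Encrypted     = Test-EfsEncrypted -Path $Path     # must be False
        DeleteCapable = @(Get-DeleteCapableAces -Path $Path | ForEach-Object { $_.IdentityReference.Value })
    }
}

# Example run. The system volume check runs as-is; the other two take
# placeholders that must be replaced with the machine's real values.
Test-EfsVolume -Path 'C:\'
# Test-RecoveryArchive -Path '<path to the emergency recovery archive .xml>'
# Get-HiddenDiskShares -PsdDriveLetter '<PSD drive letter>'
```

Read the output against the guide's design notes: Encrypted must be False for the archive, any non-administrator principal listed under DeleteCapable is a user who could remove it, and a hidden share with OnPsd True means the PSD is reachable over the network.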
Software impacted: HP ProtectTools Embedded Security
Short description: HP ProtectTools Embedded Security EFS interaction with Norton Antivirus produces longer encryption/decryption and scan times
Details: Encrypted files interfere with the Norton AntiVirus 2005 virus scan. During the scan process, the Basic User Key password prompt asks the user for a password every 10 files or so. If the user does not enter a password, the Basic User Key password prompt times out, allowing NAV2005 to continue with the scan. Encrypting files using HP ProtectTools Embedded Security EFS takes longer when Norton Antivirus is running.
Solution / Workaround: To reduce the time required to scan HP ProtectTools Embedded Security EFS files, the user can either enter the encryption password before scanning or decrypt the files before scanning. To reduce the time required to encrypt/decrypt data using HP ProtectTools Embedded Security EFS, the user should disable Auto-Protect in Norton Antivirus.

Software impacted: HP ProtectTools Embedded Security
Short description: Cannot save the emergency recovery archive to removable media
Details: If the user inserts an MMC or SD card when specifying the emergency recovery archive path during Embedded Security Initialization, an error message is displayed.
Solution / Workaround: This is as designed. Storage of the recovery archive on removable media is not supported. The recovery archive can be stored on a network drive or on a local drive other than the C drive.
Software impacted: HP ProtectTools Embedded Security
Short description: Cannot encrypt any data in the Windows 2000 French (France) environment
Details: There is no Encrypt selection when right-clicking a file icon.
Solution / Workaround: This is a Microsoft operating system limitation. If the locale is changed to anything else (French (Canada), for example), the Encrypt selection appears. To work around the problem, encrypt the file as follows: right-click the file icon and select Properties > Advanced > Encrypt Contents.

Software impacted: HP ProtectTools Embedded Security
Short description: Errors occur after a power loss while taking ownership during Embedded Security Initialization
Details: If there is a power loss while the Embedded Security chip is being initialized, the following issues occur:
• When attempting to launch the Embedded Security Initialization Wizard, the following error is displayed: The Embedded security cannot be initialized since the Embedded Security chip has already an Embedded Security owner.
• When attempting to launch the User Initialization Wizard, the following error is displayed: The Embedded security is not initialized. To use the wizard, the Embedded Security must be initialized first.
Solution / Workaround: Perform the following procedure to recover from the power loss. Use the arrow keys to select menus and menu items and to change values (unless otherwise specified).
1. Start or restart the computer.
2. Press F10 when the F10=Setup message appears on screen (or as soon as the monitor LED turns green).
3. Select the appropriate language option.
4. Press Enter.
5. Select Security > Embedded Security.
6. Set the Embedded Security Device option to Enable.
7. Press F10 to accept the change.
8. Select File > Save Changes and Exit.
9. Press Enter.
10. Press F10 to save the changes and exit the F10 Setup utility.

Software impacted: HP ProtectTools Embedded Security
Short description: Computer Setup (F10) Utility password can be removed after enabling the TPM module
Details: Enabling the TPM module requires a Computer Setup (F10) Utility password. Once the module has been enabled, the user can remove the password. This allows anyone with direct access to the system to reset the TPM module and cause possible loss of data.
Solution / Workaround: This is as designed. The Computer Setup (F10) Utility password can only be removed by a user who knows the password. However, HP strongly recommends keeping the Computer Setup (F10) Utility password-protected at all times.