HP Compaq dc7900 User Manual

HP ProtectTools

User Guide

© Copyright 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Microsoft, Windows, and Windows Vista are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

This document contains proprietary information that is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Hewlett-Packard Company.

HP ProtectTools User Guide

HP Compaq Business PC

First Edition: July 2008

Document Part Number: 491163-001

About This Book

This guide provides basic information for upgrading this computer model.

WARNING! Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life.

CAUTION: Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information.

NOTE: Text set off in this manner provides important supplemental information.

Table of contents

1 Introduction to security
  HP ProtectTools features
  Accessing HP ProtectTools Security
  Achieving key security objectives
    Protecting against targeted theft
    Restricting access to sensitive data
    Preventing unauthorized access from internal or external locations
    Creating strong password policies
  Additional security elements
    Assigning security roles
    Managing HP ProtectTools passwords
      Creating a secure password
    Backing up and restoring HP ProtectTools credentials
      Backing up credentials and settings

2 HP ProtectTools Security Manager for Administrators
  About HP ProtectTools Security Manager for Administrators
  Getting Started - Configuring HP ProtectTools Security Manager for Administrators
  Getting Started - Configuring user security login methods
  Logging in after Security Manager is configured
  Administrator Tools - Managing users (administrator task)
    Adding a user
    Removing a user
    Checking user status
  Backup and Restore
  Using the Backup wizard
    Security Modules
    File Location
    Backup Complete
  Using the Restore wizard
    File Location
    Security Modules
    Confirmation
    Restore Complete
  Settings

3 Credential Manager for HP ProtectTools
  Setup procedures
    Logging on to Credential Manager
      Using the Credential Manager Logon Wizard
    Registering credentials
      Registering fingerprints
        Setting up the fingerprint reader
        Using your registered fingerprint to log on to Windows
      Registering a Smart Card or Token
      Registering other credentials
  General tasks
    Creating a virtual token
    Changing the Windows logon password
    Changing a token PIN
    Locking the computer (workstation)
    Using Windows Logon
      Logging on to Windows with Credential Manager
    Using Single Sign On
      Registering a new application
        Using automatic registration
        Using manual (drag and drop) registration
      Managing applications and credentials
        Modifying application properties
        Removing an application from Single Sign On
        Exporting an application
        Importing an application
        Modifying credentials
    Using Application Protection
      Restricting access to an application
      Removing protection from an application
      Changing restriction settings for a protected application
  Advanced tasks (administrator only)
    Configuring credential properties
    Configuring Credential Manager settings
      Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager
      Example 2—Using the “Advanced Settings” page to require user verification before Single Sign On

4 Drive Encryption for HP ProtectTools
  Setup procedures
    Opening Drive Encryption
  General tasks
    Activating Drive Encryption
    Deactivating Drive Encryption
    Logging in after Drive Encryption is activated
  Advanced tasks
    Managing Drive Encryption (administrator task)
      Activating a TPM-protected password
      Encrypting or decrypting individual drives
    Backup and recovery (administrator task)
      Creating backup keys
      Registering for online recovery
      Managing an existing online recovery account
      Performing a recovery

5 Privacy Manager for HP ProtectTools
  Opening Privacy Manager
  Setup procedures
    Managing Privacy Manager Certificates
    Requesting and installing a Privacy Manager Certificate
      Requesting a Privacy Manager Certificate
      Installing a Privacy Manager Certificate
    Viewing Privacy Manager Certificate details
    Renewing a Privacy Manager Certificate
    Setting a default Privacy Manager Certificate
    Deleting a Privacy Manager Certificate
    Restoring a Privacy Manager Certificate
    Revoking your Privacy Manager Certificate
    Managing Trusted Contacts
      Adding Trusted Contacts
        Adding a Trusted Contact
        Adding Trusted Contacts using your Microsoft Outlook address book
      Viewing Trusted Contact details
      Deleting a Trusted Contact
      Checking revocation status for a Trusted Contact
  General tasks
    Using Privacy Manager in Microsoft Office
    Using Privacy Manager in Microsoft Outlook
    Using Privacy Manager in Windows Live Messenger
  Advanced tasks
    Migrating Privacy Manager Certificates and Trusted Contacts to a different computer
      Exporting Privacy Manager Certificates and Trusted Contacts
      Importing Privacy Manager Certificates and Trusted Contacts

6 File Sanitizer for HP ProtectTools
  Setup procedures
    Opening File Sanitizer
    Setting a free space bleaching schedule
    Selecting or creating a shred profile
    Selecting a predefined shred profile
    Customizing a shred profile
    Customizing a simple delete profile
    Setting a shred schedule
    Setting a free space bleaching schedule
    Selecting or creating a shred profile
      Selecting a predefined shred profile
      Customizing a shred profile
      Customizing a simple delete profile
  General tasks
    Using a key sequence to initiate shredding
    Using the File Sanitizer icon
    Manually shredding one asset
    Manually shredding all selected items
    Manually activating free space bleaching
    Aborting a shred or free space bleaching operation
    Viewing the log files

7 Java Card Security for HP ProtectTools
  General tasks
    Changing a Java Card PIN
    Selecting the card reader
  Advanced tasks (administrators only)
    Assigning a Java Card PIN
    Assigning a name to a Java Card
    Setting power-on authentication
      Enabling Java Card power-on authentication and creating an administrator Java Card
      Creating a user Java Card
      Disabling Java Card power-on authentication

8 BIOS Configuration for HP ProtectTools
  General tasks
    Accessing BIOS Configuration
    Viewing or changing settings
  File
  Storage
  Security
  Power
  Advanced

9 Embedded Security for HP ProtectTools
  Setup procedures
    Enabling the embedded security chip in Computer Setup
    Initializing the embedded security chip
    Setting up the basic user account
  General tasks
    Using the Personal Secure Drive
    Encrypting files and folders
    Sending and receiving encrypted e-mail
    Changing the Basic User Key password
  Advanced tasks
    Backing up and restoring
      Creating a backup file
      Restoring certification data from the backup file
    Changing the owner password
    Resetting a user password
    Enabling and disabling Embedded Security
      Permanently disabling Embedded Security
      Enabling Embedded Security after permanent disable
    Migrating keys with the Migration Wizard

10 Device Access Manager for HP ProtectTools
  Starting background service
  Simple configuration
  Device class configuration (advanced)
    Adding a user or a group
    Removing a user or a group
    Denying access to a user or group

11 Troubleshooting
  Credential Manager for HP ProtectTools
  Embedded Security for HP ProtectTools
  Device Access Manager for HP ProtectTools
  Miscellaneous

Glossary

Index

1 Introduction to security

HP ProtectTools Security Manager for Administrators software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Enhanced security functionality is provided by the following software modules:

Credential Manager for HP ProtectTools

Drive Encryption for HP ProtectTools

Privacy Manager for HP ProtectTools

File Sanitizer for HP ProtectTools

Java Card Security for HP ProtectTools

BIOS Configuration for HP ProtectTools

Embedded Security for HP ProtectTools

Device Access Manager for HP ProtectTools

NOTE: Credential Manager, Java Card Security, and Drive Encryption are configured using the Security Manager setup wizard.

HP ProtectTools software modules may be preinstalled, preloaded, or available as a configurable option or as an after market option. Visit http://www.hp.com for more information.

NOTE: The instructions in this guide are written with the assumption that you have already installed the applicable HP ProtectTools software modules.

HP ProtectTools features

The following table details the key features of HP ProtectTools modules:

Module: HP ProtectTools Security Manager for Administrators
Key features:
  The Security Manager setup wizard is used by administrators to set up and configure levels of security and security logon methods.
  Users can also use the setup wizard to configure their logon methods.
  Administrator tools are used to add and remove ProtectTools users and view user status.
  Backs up and restores security modules from installed HP ProtectTools modules.

Module: Credential Manager for HP ProtectTools
Key features:
  Credential Manager acts as a personal password vault, streamlining the logon process with the Single Sign On feature, which automatically remembers and applies user credentials.
  Single Sign On also offers additional protection by requiring combinations of different security technologies, such as a Java™ Card and biometrics, for user authentication.
  Password storage is protected through software encryption and can be enhanced through the use of a TPM embedded security chip and/or security device authentication, such as Java Cards or biometrics.

Module: Drive Encryption for HP ProtectTools
Key features:
  Drive Encryption provides complete, full-volume hard drive encryption.
  Drive Encryption forces pre-boot authentication in order to decrypt and access the data on the hard drive.

Module: Privacy Manager for HP ProtectTools
Key features:
  Privacy Manager is a tool used to obtain Certificates of Authority, which verify the source, integrity, and security of communication when using Microsoft mail, Microsoft Office documents, and Live Messenger.

Module: File Sanitizer for HP ProtectTools
Key features:
  File Sanitizer allows you to securely shred digital assets (securely delete sensitive information including application files, historical or Web-related content, or other confidential data) on your computer and periodically bleach the hard drive (write over data that has been previously deleted but is still present on the hard drive in order to make recovery of the data more difficult).

Module: Java Card Security for HP ProtectTools
Key features:
  Java Card Security is a management software interface for Java Card. Java Card is a personal security device that protects authentication data requiring both the card and a PIN number to grant access. The Java Card can be used to access Credential Manager, Drive Encryption, HP BIOS, or any number of third party access points.
  Java Card Security configures the HP ProtectTools Java Card for user authentication before the hard drive boots. Java Card Security can be accessed by Embedded Security, Java Card, and passwords.
  Java Card Security configures separate Java Cards for an administrator and a user.

Module: BIOS Configuration for HP ProtectTools
Key features:
  BIOS Configuration provides access to power-on user and administrator password management.
  BIOS Configuration provides an alternative to the pre-boot BIOS configuration utility known as Computer Setup.
  BIOS Configuration enablement of automatic DriveLock support, which is enhanced with the embedded security chip, helps protect a hard drive from unauthorized access, even if it is removed from a system, without requiring the user to remember any additional passwords beyond the embedded security chip user password.

Module: Embedded Security for HP ProtectTools
Key features:
  Embedded Security uses a Trusted Platform Module (TPM) embedded security chip to help protect against unauthorized access to sensitive user data or credentials stored locally on a PC.
  Embedded Security allows creation of a personal secure drive (PSD), which is useful in protecting user file and folder information.
  Embedded Security supports third-party applications (such as Microsoft Outlook and Internet Explorer) for protected digital certificate operations.

Module: Device Access Manager for HP ProtectTools
Key features:
  Device Access Manager allows IT managers to control access to devices such as USB ports, optical drives, etc. based on user profiles.
  Device Access Manager prevents unauthorized users from removing data using external storage media and from introducing viruses into the system from external media.
  The administrator can disable access to writeable devices for specific individuals or groups of users.

Accessing HP ProtectTools Security

To access HP ProtectTools Security Manager for Administrators from Windows® Control Panel:

In Windows Vista®, click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.

– or –

In Windows XP, click Start, click All Programs, and then click HP ProtectTools Security Manager.

NOTE: If you are not an HP ProtectTools administrator, you can run HP ProtectTools in nonadministrator mode to view information, but you cannot make changes.

NOTE: After you have configured the Credential Manager module, you can also open HP ProtectTools by logging on to Credential Manager directly from the Windows logon screen. For more information, refer to Logging on to Windows with Credential Manager on page 24.

Achieving key security objectives

The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives:

Protecting against targeted theft

Restricting access to sensitive data

Preventing unauthorized access from internal or external locations

Creating strong password policies

Addressing regulatory security mandates

Protecting against targeted theft

An example of this type of incident would be the targeted theft of a computer or its confidential data and customer information. This can easily occur in open office environments or in unsecured areas. The following features help protect the data if the computer is stolen:

The pre-boot authentication feature, if enabled, helps prevent access to the operating system. See the following procedures:

Credential Manager

Embedded Security

Drive Encryption

DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and installed into an unsecured system.

The Personal Secure Drive feature, provided by the Embedded Security for HP ProtectTools module, encrypts sensitive data to help ensure it cannot be accessed without authentication. See the following procedures:

Embedded Security Setup procedures on page 72

Using the Personal Secure Drive on page 74

Restricting access to sensitive data

Suppose a contract auditor is working onsite and has been given computer access to review sensitive financial data; you do not want the auditor to be able to print the files or save them to a writeable device such as a CD. The following features help restrict access to data:

Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable devices so sensitive information cannot be printed or copied from the hard drive onto removable media. See Device class configuration (advanced) on page 79.

DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and installed into an unsecured system.

Preventing unauthorized access from internal or external locations

Unauthorized access to an unsecured business PC presents a very tangible risk to corporate network resources such as information from financial services, an executive, or R&D team, and to private information such as patient records or personal financial records. The following features help prevent unauthorized access:

The pre-boot authentication feature, if enabled, helps prevent access to the operating system. See the following procedures:

Credential Manager

Embedded Security

Drive Encryption

Embedded Security for HP ProtectTools helps protect sensitive user data or credentials stored locally on a PC using the following procedures:

Embedded Security Setup procedures on page 72

Using the Personal Secure Drive on page 74

Using the following procedures, Credential Manager for HP ProtectTools helps ensure that an unauthorized user cannot get passwords or access to password-protected applications:

Credential Manager Setup procedures on page 20

Using Single Sign On on page 25

Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable devices so sensitive information cannot be copied from the hard drive. See Simple configuration on page 78.

The Personal Secure Drive feature encrypts sensitive data to help ensure it cannot be accessed without authentication using the following procedures:

Embedded Security Setup procedures on page 72

Using the Personal Secure Drive on page 74

File Sanitizer allows you to securely delete data by shredding assets or bleaching the hard drive (write over data that has been previously deleted but is still present on the hard drive in order to make recovery of the data more difficult).

Privacy Manager allows you to obtain Certificates of Authority when using Microsoft mail, Office documents, and Live Messenger, making the process of sending and saving important information safe and secure.

Creating strong password policies

If a mandate goes into effect that requires the use of strong password policy for dozens of Web-based applications and databases, Credential Manager for HP ProtectTools provides a protected repository for passwords and Single Sign On convenience using the following procedures:

Credential Manager Setup procedures on page 20

Using Single Sign On on page 25

For stronger security, Embedded Security for HP ProtectTools then protects that repository of user names and passwords. This allows users to maintain multiple strong passwords without having to write them down or try to remember them. See Embedded Security Setup procedures on page 72.


Additional security elements

Assigning security roles

In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.

NOTE: In a small organization or for individual use, these roles may all be held by the same person.

For HP ProtectTools, the security duties and privileges can be divided into the following roles:

Security officer—Defines the security level for the company or network and determines the security features to deploy, such as Java™ Cards, biometric readers, or USB tokens.

IT administrator—Applies and manages the security features defined by the security officer. Can also enable and disable some features. For example, if the security officer has decided to deploy Java Cards, the IT administrator can enable Java Card BIOS security mode.

User—Uses the security features. For example, if the security officer and IT administrator have enabled Java Cards for the system, the user can set the Java Card PIN and use the card for authentication.

Managing HP ProtectTools passwords

Most of the HP ProtectTools Security Manager features are secured by passwords. The following table lists the commonly used passwords, the software module where the password is set, and the password function.

The passwords that are set and used by IT administrators only are indicated in this table as well. All other passwords may be set by regular users or administrators.

| HP ProtectTools password | Set in this HP ProtectTools module | Function |
|---|---|---|
| Credential Manager logon password | Credential Manager | This password offers 2 options: it can be used in a separate logon to access Credential Manager after logging on to Windows, or it can be used in place of the Windows logon process, allowing access to Windows and Credential Manager simultaneously. |
| Credential Manager recovery file password | Credential Manager, by IT administrator | Protects access to the Credential Manager recovery file. |
| Basic User Key password (NOTE: Also known as: Embedded Security password) | Embedded Security | Used to access Embedded Security features, such as secure e-mail, file, and folder encryption. When used for power-on authentication, also protects access to the computer contents when the computer is turned on, restarted, or restored from hibernation. |
| Emergency Recovery Token password (NOTE: Also known as: Emergency Recovery Token Key password) | Embedded Security, by IT administrator | Protects access to the Emergency Recovery Token, which is a backup file for the embedded security chip. |
| Owner password | Embedded Security, by IT administrator | Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security. |
| Java™ Card PIN | Java Card Security | Protects access to the Java Card contents and authenticates users of the Java Card. When used for power-on authentication, the Java Card PIN also protects access to the Computer Setup utility and to the computer contents. Authenticates users of Drive Encryption, if the Java Card token is selected. |
| Computer Setup password (NOTE: Also known as BIOS administrator, F10 Setup, or Security Setup password) | BIOS Configuration, by IT administrator | Protects access to the Computer Setup utility. |
| Power-on password | BIOS Configuration | Protects access to the computer contents when the computer is turned on, restarted, or restored from hibernation. |
| Windows Logon password | Windows Control Panel | Can be used for manual logon or saved on the Java Card. |


Creating a secure password

When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:

Use passwords with more than 6 characters, preferably more than 8.

Mix the case of letters throughout your password.

Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.

Substitute special characters or numbers for letters in a key word. For example, you can use the number 1 for letters I or L.

Combine words from 2 or more languages.

Split a word or phrase with numbers or special characters in the middle, for example, “Mary2-2Cat45.”

Do not use a password that would appear in a dictionary.

Do not use your name for the password, or any other personal information, such as birth date, pet names, or mother's maiden name, even if you spell it backwards.

Change passwords regularly. You might change only a couple of characters that increment.

If you write down your password, do not store it in a commonly visible place very close to the computer.

Do not save the password in a file, such as an e-mail, on the computer.

Do not share accounts or tell anyone your password.

Backing up and restoring HP ProtectTools credentials

To back up and restore credentials from all supported HP ProtectTools modules, reference the following:

Backing up credentials and settings

You can back up credentials in the following ways:

Use Drive Encryption for HP ProtectTools to select and back up HP ProtectTools credentials.

You can also register for Online Drive Encryption Key Recovery Service to store a backup copy of your encryption key, which will enable you to access your computer if you forget your password and do not have access to your local backup.

NOTE: You must be connected to the Internet and have a valid e-mail address to register and to recover your password through this service.

Use Embedded Security for HP ProtectTools to back up HP ProtectTools credentials.

Use the Backup and Recovery tool in HP ProtectTools Security Manager for Administrators as a central location from which you can back up and restore security credentials from installed HP ProtectTools modules.


2 HP ProtectTools Security Manager for Administrators

About HP ProtectTools Security Manager for Administrators

HP ProtectTools Security Manager for Administrators provides security features that help protect against unauthorized access to the computer, networks, and critical data. Security Manager is extensible and can therefore grow to handle new threats as they emerge and offer new technologies as they become available.

Use the modules in HP ProtectTools Security Manager for Administrators for the initial security setup. The Security Manager centralized user interface has the following features:

Getting Started - Setup wizard that guides Windows operating system administrators through the configuration of levels of security and of the security login methods that are used in a pre-boot environment, Credential Manager, and Drive Encryption. Users also use the setup wizard to configure their security login methods. Refer to Getting Started - Configuring HP ProtectTools Security Manager for Administrators on page 11 and Getting Started - Configuring user security login methods on page 13 for more information.

Administrator Tools - Allows Windows administrators to add and remove ProtectTools users and view user status. Refer to Administrator Tools - Managing users (administrator task) on page 15 for more information.

Backup and Restore - Backs up and restores security credentials from installed HP ProtectTools modules. Refer to Backup and Restore on page 16 for more information.

Settings - Allows you to customize the behavior of a variety of items. Refer to Settings on page 19 for more information.

The Security Manager centralized user interface also contains a list of add-on software modules designed to maximize computer security. You can select and configure any number of the available modules.


Getting Started - Configuring HP ProtectTools Security Manager for Administrators

The Getting Started setup wizard allows a Windows administrator to establish and/or update levels of security and security login methods.

Users also use the setup wizard to configure their security logon methods.

NOTE: The Windows administrator can run the setup wizard whenever he or she wants to change the levels of security or security login methods.

The setup wizard guides the Windows administrator through configuring Security Manager:

1. In HP ProtectTools Security Manager for Administrators, click Getting Started, and then click the Security Manager Setup button. A demonstration that describes the Security Manager features may start.

2. On the “Welcome” page, if available, clear the Automatically play video when wizard starts check box if you want to bypass the demonstration of the Security Manager features the next time you run the setup wizard.

3. Read the page, and then click Next.

4. Choose the levels of security on the “Set Levels of Security” page. You can choose one or more of the following levels:

HP Credential Manager - Protects your Windows account.

Pre-boot Security (some models) - Protects your computer before Windows starts.

HP Drive Encryption - Protects your computer data by encrypting the hard drive. Selecting this option will require you to back up the unique encryption key to a removable storage device.

NOTE: The Security meter changes according to your selections. The more levels you select, the more secure your computer will be.

After selecting the security levels, click Next.


5. One or more of the following pages will be displayed, depending on the levels of security you chose in step 4.

Protect your Windows account - The Windows password is required because Security Manager must synchronize the password for each level of security.

Enter and confirm a Windows password, or enter your password if one has already been established, and then click Next.

Protect your system before Windows start-up (optional) - If you or the user knows the BIOS administrator password, the BIOS administrator password can be entered. If the BIOS administrator password is entered, the Windows administrator or user becomes a BIOS administrator.

NOTE: If a BIOS administrator password does not exist, you must establish one before you can continue. When a BIOS administrator password is entered, you will become a BIOS administrator.

Enter and confirm a BIOS administrator password, or enter the password if one has already been established. Then click Next.

Protect your data by encrypting your hard drive - You must use a USB storage device to save the encryption key. Select the drive(s) to be encrypted (at least one drive must be selected), insert the storage device into the appropriate slot, select the storage device where the encryption key will be saved, then click Next.

6. Choose one or more security login methods on the “Set Security Login Methods” page.

a. Under Step 1, select one or more security login methods.

NOTE: The selections apply to both administrators and users.

b. Under Step 2, if you want to increase security, select the check box to require all of the security login methods you selected under Step 1 when logging in to the computer.

If you want any one of the selected security login methods to be permissible when logging in to the computer, do not select the check box.

CAUTION: If you select the check box and a user has not yet configured his or her login methods (Windows password, fingerprint authentication, and/or the HP ProtectTools Java™ Card), that user will not be able to log in to the computer. It is recommended that all users first configure their login methods before this option is selected.

c. Click Next. A summary page opens, allowing you to review your selections.

7. Click Enable on the “Review and Enable Security Settings” page.

When you click Enable, the computer sets your security choices. You will not be able to return to any of the preceding wizard pages until security setup is complete. After you complete the wizard, you can change your settings by running the wizard again.


8. Depending on the security login method(s) you chose in step 6, one or more of the following pages will be displayed. Follow the on-screen instructions, and then click Next.

“Enroll your fingerprints” - Click the finger on the screen that corresponds to the finger you want to register (you must register at least 2 fingerprints), slowly swipe your chosen finger over the fingerprint sensor, then continue swiping the same finger over the fingerprint sensor until you have completed the required swipes. Repeat the process to register a second finger then click Finish.

“Register an HP ProtectTools Java Card” - Insert the HP ProtectTools Java Card, enter the Java Card PIN, then click Finish.

9. On the “Congratulations” page, review your selections, and then click Done.

Getting Started - Configuring user security login methods

After the Windows administrator has configured the levels of security and security login methods, users run the setup wizard to be added as HP ProtectTools users on the computer:

NOTE: Users who run the setup wizard will see most of the wizard pages. However, the “Set Levels of Security” and “Set Security Login Methods” pages are not configurable because they are administrator tasks only.

1. Log in to the computer.

2. In Security Manager, click Getting Started, and then click the Security Manager Setup button.

3. On the “Welcome” page, clear the Automatically play video when wizard starts check box if you want to bypass the demonstration of the Security Manager features the next time you run the setup wizard.

4. Read the page, and then click Next.

5. On the “Set Levels of Security” page, click Next.

6. Depending on the levels of security set by the administrator, one or both of the following pages will be displayed.

Protect your Windows account - The Windows password is required because Security Manager must synchronize the password for each level of security.

NOTE: If HP Credential Manager is the only level of security selected, you will not be prompted for your Windows password because Credential Manager already knows your Windows password.

Enter and confirm a Windows password, or enter your password if one has already been established, and then click Next.

Protect your system before Windows start-up (optional) - If you know the BIOS administrator password, the BIOS administrator password can be entered. If the BIOS administrator password is entered, the Windows administrator or user becomes a BIOS administrator.

NOTE: If a BIOS administrator password does not exist, you must establish one before you can continue. When a BIOS administrator password is entered, you will become a BIOS administrator.

Enter and confirm a BIOS administrator password, or enter the password if one has already been established. Then click Next.


7. On the “Set Security Login Methods” page, click Next.

8. On the “Review and Enable Security Settings” page, click Enable.

9. Depending on the security login methods set by the administrator, one or both of the following pages will be displayed. Follow the on-screen instructions, and then click Next.

“Enroll your fingerprints” - Click the finger on the screen that corresponds to the finger you want to register (you must register at least 2 fingerprints), slowly swipe your chosen finger over the fingerprint sensor, then continue swiping the same finger over the fingerprint sensor until you have completed the required swipes. Repeat the process to register a second finger then click Finish.

“Register an HP ProtectTools Java Card” - Insert the HP ProtectTools Java Card, enter the Java Card PIN, then click Finish.

10. On the “Congratulations” page, review your selections, and then click Done.

Logging in after Security Manager is configured

Login scenarios vary, depending on the levels of security and security login methods chosen by the Windows administrator during configuration. Several possible scenarios follow:

If all 3 levels of security have been configured and all security login methods are required, users must log in using all of the configured methods when the computer is first turned on. This action logs the user in to Windows.

If all 3 levels of security have been configured and any of the security login methods is permissible, users may log in using any one of the configured security login methods when the computer is first turned on. This action logs the user in to Windows.

If the HP Drive Encryption and the HP Credential Manager levels of security have been configured and all security login methods are required, users must log in using all of the configured methods when the HP Drive Encryption login screen opens. This action logs the user in to Windows.

If the HP Drive Encryption and the HP Credential Manager levels of security have been configured and any of the configured security login methods is permissible, users may log in using any one of the security login methods when the HP Drive Encryption login screen opens. This action logs the user in to Windows.

If the HP Credential Manager level of security has been configured and all of the security login methods are required, users must log in using all of the configured methods when the Credential Manager login screen opens. This action logs the user in to Windows.

If the HP Credential Manager level of security option has been configured and any of the configured security login methods is permissible, users may log in using any one of the security login methods when the Credential Manager login screen opens. This action logs the user in to Windows.

NOTE: If the HP Credential Manager level of security has not been configured, users must still enter their Windows password at the Windows login screen, regardless of the security login methods that are required by other levels of security.


Administrator Tools - Managing users (administrator task)

Windows administrators can add and remove HP ProtectTools users and view user status using the Administrator Tools feature.

In Administrator Tools, the Administrator and User tabs show the selected security login methods and whether a user can choose to use any one of them or must use all of them. If you want to change levels of security or security login methods, you must run the setup wizard to make those changes.

Adding a user

The Windows administrator can add additional administrators or regular users to the users list. The process is the same for both.

NOTE: Before you add a user, that user must already have a Windows user account on the computer and must be present during the following procedure to provide the password.

To add a user to the users list:

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.

2. Click Administrator Tools.

3. Click the Manage Users button.

4. Select the Administrator or User tab.

5. Click Add.

6. Click the user name for the account you want to add or type it in the User Name box, and then click Next.

NOTE: You must use an existing Windows account and click the name or type it exactly. You cannot modify or add a Windows user account using this dialog box.

7. Type the Windows password for the selected account, and then click OK.

NOTE: If the user will be logging in with the fingerprint and/or HP ProtectTools Java Card security login method, he or she must now log in to the computer and run the setup wizard to configure those security login methods.

Removing a user

NOTE: This procedure does not delete the Windows user account. It only removes that account from Security Manager. To completely remove the user, you must remove the user from both Security Manager and Windows.

To remove a user from the users list:

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.

2. Click Administrator Tools.

3. Click the Manage Users button.


4. Select the Administrator or User tab.

5. Click the user name for the account you want to remove, and then click Remove.

NOTE: You cannot remove an administrator if there is only one administrator listed in the Administrator list.

6. In the confirmation dialog box, click Yes.

Checking user status

In Administrator Tools, the Administrator and User tabs show current status of each user:

Green check mark - Indicates that the user has configured the required security login method(s).

Yellow exclamation point - Indicates that a user has not configured one or more of the required or permissible security login method(s). For example, if the Windows administrator configures at least 2 required security login methods, and indicates that either of them can be used for logging in to the computer, a user who has already configured one of those methods may log in using that method. The yellow exclamation point indicates to the Windows administrator that the user has not configured the other security login method.

Red X - Indicates that the user has not configured a required security login method and will be locked out of the computer when trying to log in. The user must run the setup wizard to configure the required login method(s).

Blank - Indicates that a security login method is not required.
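The status indicators above, combined with the login scenarios and the CAUTION about requiring all login methods, can be modelled as a pre-check that lists who would be locked out before the check box is selected. This is an added example, not HP code: the method labels, the sample users, and the treatment of a user with no configured method under "any one" are assumptions of the example.

```python
from enum import Enum


class Status(Enum):
    GREEN = "green check mark"
    YELLOW = "yellow exclamation point"
    RED = "red X"
    BLANK = "blank"


# Level names as shown on the "Set Levels of Security" page.
CM, PREBOOT, DE = "HP Credential Manager", "Pre-boot Security", "HP Drive Encryption"

# Where login happens, for the combinations of levels the guide describes.
DOCUMENTED_SCREENS = {
    frozenset({CM, PREBOOT, DE}): "when the computer is first turned on",
    frozenset({CM, DE}): "HP Drive Encryption login screen",
    frozenset({CM}): "Credential Manager login screen",
}

# Constructed sample data: user -> login methods that user has configured.
# The method labels are this example's own names.
SAMPLE_USERS = {
    "alice": {"windows_password", "fingerprint"},
    "bob": {"windows_password"},
    "carol": set(),
}


def user_status(selected, require_all, enrolled):
    """Status indicator for one user under the administrator's policy."""
    selected = set(selected)
    enrolled = set(enrolled) & selected
    if not selected:
        return Status.BLANK            # no security login method is required
    if enrolled == selected:
        return Status.GREEN            # every selected method is configured
    if require_all:
        return Status.RED              # a required method is missing: lockout
    # Any one method is permissible. Treating "none configured" as a lockout
    # is an assumption; the guide only describes the partly configured case.
    return Status.YELLOW if enrolled else Status.RED


def lockouts_if_required(selected, users):
    """Users who could not log in if 'require all methods' were enabled now."""
    return sorted(name for name, enrolled in users.items()
                  if user_status(selected, True, enrolled) is Status.RED)


def login_plan(levels, selected, require_all):
    """Summarise where and how a user logs in for a configured policy."""
    levels = frozenset(levels)
    return {
        "screen": DOCUMENTED_SCREENS.get(levels, "not described in the guide"),
        "methods": sorted(selected),
        "needed": "all" if require_all else "any one",
        # Per the NOTE: without Credential Manager, the Windows password is
        # still entered at the Windows login screen.
        "windows_password_at_windows_login": CM not in levels,
    }
```

Running `lockouts_if_required` against the enrolled-method list before selecting the check box gives the administrator the set of users who still need to run the setup wizard.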

Backup and Restore

HP ProtectTools Backup and Restore provides a central location from which you can back up and restore security credentials from installed HP ProtectTools modules.

In Security Manager, click Backup and Restore, and then click one of the following buttons:

Backup Options button - Allows you to configure backup settings. For details, refer to Using the Backup wizard on page 17.

Backup button - Allows you to perform an immediate backup of all security credentials.

NOTE: You must configure backup settings using the Backup Options button before you can perform a backup.

Schedule Backups button - Allows you to set up scheduled backups. If you need help with scheduling, search for the topic “task scheduling” in Windows Help.

NOTE: You must configure backup settings using the Backup Options button before you can schedule a backup.

Restore button - Allows you to restore previously backed up security credentials. For details, refer to Using the Restore wizard on page 18.

CAUTION: Backup files created outside of HP ProtectTools Backup and Restore (for example, files created previously by a specific security module) are not compatible with HP ProtectTools Backup and Restore, and therefore cannot be restored by HP ProtectTools Backup and Restore or by new versions of the security modules themselves. HP recommends that you create a new backup file with HP ProtectTools Backup and Restore.


Using the Backup wizard

1. In Security Manager, click Backup and Restore, and then click Backup Options to start the Backup wizard.

2. Clear the Show Welcome Screen check box if you want to bypass the “Welcome” page the next time the Backup wizard is run.

3. Click Next. The “Security Modules” page opens.

4. Refer to the following subsections to continue.

Security Modules

To select modules to back up, follow these steps:

1. Select the check box at the beginning of a row to add the associated module to the backup list. Click the Select All or Clear All buttons to quickly add or remove all modules from the backup list. Note that the Status column for the module must display “Ready” or “Needs Authentication” before you can select it.

NOTE: The check box is unavailable if the module is not ready. After you update a module's status, click the Refresh button on the right side of the row to update the Status field. Click the Refresh All button to update the status for all modules.

2. If necessary, type the required value in the Authentication column for each selected module. The security device may require the entry of authentication values to access the credential data on the device. These values may include passwords, PINs, and so on.

3. Click Next. The “File Location” page opens.

File Location

The “File Location” page allows you to choose the location of the backup storage file and the security token file.

The security token file securely stores the key used to encrypt the backup storage file. A password encrypts the contents of the security token file. Saving the security token file to an offline location (USB flash drive, disc, or other media) provides a two-factor level of security, because to access the backed-up data in the storage file, you must have the security token file and know the password. Therefore, HP recommends that you store the storage file and the token file on two different removable media that are stored in different locations.

To configure file location:

1. Confirm or change the file name and location where you want to save the storage file and security token file. To change the location, click the Edit button, and then type the new file name, or click Browse to select a new location. An extension of .ptb is automatically appended to the file name.

NOTE: Only one instance of backup data is allowed for each module in a given storage file. If you specify an existing storage file, you will be given the option to overwrite the selected module's data within the storage file or to specify a different storage file. If you specify an existing storage file, the entire file is not overwritten, only the backup data for the selected module.

2. To encrypt and protect the storage file with the security token and password, click Password protect the storage file. Then type and confirm the password with which to encrypt the security token file.


3. Click Remember all passwords and authentication values to configure the system to securely cache (save) passwords, which enables unattended backups. Enabling this feature also caches any authentication values entered in Security Modules.

4. Click Backup Now to start the backup, or click Next to save the backup configuration without performing a backup at this time.

If you choose to start the backup, the “Backup Complete” page opens at the end of the operation.
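The two-file design described under File Location, sketched as an added example (not HP code and not the .ptb file format): a random key encrypts the storage file, and a password-derived key encrypts that key inside the token file. PBKDF2 and the HMAC-based `seal`/`unseal` pair, a stand-in for an authenticated cipher such as AES-GCM, are assumptions chosen so the block runs on the Python standard library alone; the guide does not name the algorithms.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumption; the guide does not name a KDF or cost


def _stream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (stand-in cipher)."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out.extend(c ^ k for c, k in zip(chunk, block))
    return bytes(out)


def _subkeys(key):
    """Derive separate encryption and authentication keys from one key."""
    return (hmac.new(key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(key, b"authenticate", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = _stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag, then decrypt. Raises ValueError on wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _stream_xor(enc_key, nonce, ciphertext)


def create_backup(credentials, password):
    """Return (storage_file, token_file) as bytes, to be stored separately."""
    data_key = os.urandom(32)                     # encrypts the storage file
    storage_file = seal(data_key, credentials)
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    token_file = salt + seal(kek, data_key)       # password protects the key
    return storage_file, token_file


def restore_backup(storage_file, token_file, password):
    """Needs both files and the password; any mismatch raises ValueError."""
    salt, wrapped = token_file[:16], token_file[16:]
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    data_key = unseal(kek, wrapped)
    return unseal(data_key, storage_file)
```

The storage file alone reveals nothing without the token file, and the token file alone is protected by the password, which is why keeping the two on different media in different locations matters.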

Backup Complete

The “Backup Complete” page shows the status of the backup operation.

1. Click View Log to see more details about the backup operation, including any errors.

2. Click Finish to exit the wizard.

Using the Restore wizard

1. In Security Manager, click Backup and Restore, and then click Restore to start the Restore wizard.

2. Clear the Show Welcome Screen check box if you want to bypass the “Welcome” page the next time the Restore wizard is run.

3. Click Next. The “File Location” page opens.

4. Refer to the following subsections to continue.

File Location

The “File Location” page allows you to choose the backup storage file and the security token file (if applicable) that contain the security credentials to restore.

To select the location of the backup files, follow these steps:

1. If the storage file is not displayed on the page, click the Edit button, and then click Browse to navigate to the file.

2. If the security token file is not displayed on the page, click the Edit button, and then click Browse to navigate to the security token file location.

3. If necessary, type the password for the file.

4. Click Next. The “Security Modules” page opens.

Security Modules

This page displays all installed modules that have backup data in the file selected in the “File Location” page.

To select modules to restore:

1. Select the check box at the beginning of each row to add the associated module to the restore list. Click the Select All or Clear All buttons to quickly add or remove modules from the restore list. Note that the Status column for the module must display “Ready” or “Needs Authentication” before you can select it.

NOTE: The check box is unavailable if the module is not ready. After you update a module's status, click the Refresh button on the right side of the row to update the Status field. Click the Refresh All button to update the status for all modules.

2. If necessary, type the required value in the Authentication column for each selected module. Authentication values may be required to access the security device to restore. These values may include passwords, PINs, and so on. Values typed in these fields are immediately validated.

3. Click Next. The “Confirmation” page opens.

Confirmation

1. If you want to change the restore settings, click Previous to go back to the restore configuration screens.

2. Confirm that you want to restore the credentials for the listed modules, and then click Restore Now to begin the restore.

3. Select the files you want to restore and click Finish.

4. Click Yes in the confirmation dialog box.

CAUTION: Restoring credentials will overwrite current credentials, which could lead to loss of data or system lockout.

Restore Complete

The “Restore Complete” page shows the status of the restore operation.

Click View Log to see more details about the restore operation, including any errors.

Click Finish to exit the wizard.

Settings

In HP ProtectTools Security Manager for Administrators, click Settings to change the settings options.

The following Security Manager settings are available:

Select the Show icon on the taskbar check box to display a taskbar icon that allows you to start the host and activate a specific page and/or launch a specific application.

Select the Show Security Desktop Notifications check box to display notifications generated by the installed modules.

View or bypass the Backup wizard “Welcome” page.

View or bypass the Restore wizard “Welcome” page.

3 Credential Manager for HP ProtectTools

Credential Manager for HP ProtectTools protects against unauthorized access to your computer using the following security features:

Alternatives to passwords when logging on to Windows, such as using a Java Card or biometric reader to log on to Windows. For additional information, refer to Registering credentials on page 21.

Single Sign On feature that automatically remembers credentials for Web sites, applications, and protected network resources.

Support for optional security devices, such as Java Cards and biometric readers.

Support for additional security settings, such as requiring authentication using an optional security device to unlock the computer.

Setup procedures

Logging on to Credential Manager

Depending on the configuration, you can log on to Credential Manager in any of the following ways:

HP ProtectTools Security Manager for Administrators icon in the notification area

In Windows Vista®, click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.

In Windows XP, click Start, click All Programs, and then click HP ProtectTools Security Manager.

NOTE: In Windows Vista, you must launch the HP ProtectTools Security Manager for Administrators to make changes.

After logging on to Credential Manager, you can register additional credentials, such as a fingerprint or a Java Card. For additional information, refer to Registering credentials on page 21.

At the next logon, you can select the logon policy and use any combination of the registered credentials.
