HP Compaq Presario SR1975CF Reference Guide

Reference Guide

ProtectTools Security Manager
Document Part Number: 389171-001
May 2005
© Copyright 2005 Hewlett-Packard Development Company, L.P.
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Reference Guide ProtectTools Security Manager First Edition May 2005 Document Part Number: 389171-001

Contents

1 Introduction
    ProtectTools Security Manager
        Accessing the ProtectTools Security Manager
    Understanding Security Roles
    Managing ProtectTools Passwords
        Creating a Secure Password
2 Smart Card Security for ProtectTools
    Basic Concepts
    Initializing the Smart Card
    Smart Card BIOS Security Mode
        Enabling Smart Card BIOS Security Mode and Setting the Smart Card Administrator Password
        Changing the Smart Card Administrator Password
        Setting and Changing the Smart Card User Password
        Storing the Administrator or User Card Password
    General Tasks
        Updating BIOS Smart Card Settings
        Selecting the Smart Card Reader
        Changing the Smart Card PIN
        Backing Up and Restoring Smart Cards
3 Embedded Security for ProtectTools
    Basic Concepts
    Setup Procedures
        Enabling the Embedded Security Chip
        Initializing the Embedded Security Chip
        Setting Up the Basic User Account
    General Tasks
        Using the Personal Secure Drive
        Encrypting Files and Folders
        Sending and Receiving Encrypted E-mail
        Changing the Basic User Key Password
    Advanced Tasks
        Backing Up and Restoring
        Changing the Owner Password
        Enabling and Disabling Embedded Security
        Migrating Keys with the Migration Wizard
4 BIOS Configuration for ProtectTools
    Basic Concepts
    General Tasks
        Managing Boot Options
        Enabling and Disabling Device or Security Options
    Advanced Tasks
        Managing ProtectTools Settings
        Managing Profiles
        Managing Computer Setup Passwords
5 Credential Manager for ProtectTools
    Basic Concepts
    Setup Procedures
        Logging On to Credential Manager
        Registering Credentials
    General Tasks
        Creating a Virtual Token
        Changing the Windows Logon Password
        Changing a Token PIN
        Managing Identity
        Locking the Computer
        Using Microsoft Network Logon
        Using Single Sign On
    Advanced Tasks (Administrator Only)
        Specifying How Users and Administrators Log On
        Configuring Custom Authentication Requirements
        Configuring Credential Properties
        Configuring Credential Manager Settings
Glossary
Index

Introduction

ProtectTools Security Manager

ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Enhanced security functionality is provided by the following software modules:
Smart Card Security for ProtectTools
Embedded Security for ProtectTools
BIOS Configuration for ProtectTools
Credential Manager for ProtectTools
The software modules available for your computer may vary depending on your model. For example, Embedded Security for ProtectTools requires that the Trusted Platform Module (TPM) embedded security chip (select models only) be installed on your computer, and Smart Card Security for ProtectTools requires an optional smart card and reader.
ProtectTools software modules may be preinstalled, preloaded, or available for download from the HP Web site. Visit http://www.hp.com for more information.
The instructions in this guide are written with the assumption that you have already installed the applicable ProtectTools software modules.

Accessing the ProtectTools Security Manager

To access the ProtectTools Security Manager from the Microsoft® Windows® Control Panel:
» Select Start > All Programs > HP ProtectTools Security Manager.
After you have configured the Credential Manager module, you can also open ProtectTools by logging on to Credential Manager directly from the Windows logon screen. For more information, refer to “Logging On to Windows with Credential Manager,” in Chapter 5, “Credential Manager for ProtectTools.”

Understanding Security Roles

In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.
In a small organization or for individual use, these roles may all be held by the same person.
For ProtectTools, the security duties and privileges can be divided into the following roles:
Security officer—Defines the security level for the company or network and determines the security features to deploy, such as smart cards, biometric readers, or USB tokens.
Many of the features in ProtectTools can be customized by the security officer in cooperation with HP. For more information, visit http://www.hp.com.
IT administrator—Applies and manages the security features defined by the security officer. Can also enable and disable some features. For example, if the security officer has decided to deploy smart cards, the IT administrator can enable smart card BIOS security mode.
User—Uses the security features. For example, if the security officer and IT administrator have enabled smart cards for the system, the user can set the smart card PIN and use the card for authentication.

Managing ProtectTools Passwords

Most of the ProtectTools Security Manager features are secured by passwords. The following table lists the commonly used passwords, the software module where the password is set, and the password function.
The passwords that are set and used by IT administrators only are indicated in this table as well. All other passwords may be set by regular users or administrators.
| ProtectTools Password | Set in this ProtectTools Module | Function |
|---|---|---|
| Computer Setup administrator password (also known as BIOS administrator, f10 Setup, or Security Setup password) | BIOS Configuration, by IT administrator | Protects access to the Computer Setup utility. |
| DriveLock master password | BIOS Configuration, by IT administrator | Protects access to the internal hard drive that is protected by DriveLock. Is also used to remove DriveLock protection. |
| DriveLock user password | BIOS Configuration | Protects access to the internal hard drive that is protected by DriveLock. |
| Power-on password | BIOS Configuration | Protects access to the computer contents when the computer is turned on, restarted, or restored from hibernation. |
| Profile password | BIOS Configuration, by IT administrator | Encrypts (and unlocks) the profile where BIOS system settings are saved. |
| Smart card administrator password (also known as BIOS administrator card password) | Smart Card Security, by IT administrator | Links the smart card to the computer for identification purposes. Allows a computer administrator to enable or disable Computer Setup passwords, generate a new administrator card, and create recovery files to restore user or administrator cards. |
| Smart card PIN | Smart Card Security | Protects access to the smart card contents and to computer access when an optional smart card and reader is used. |
| Smart card recovery file password | Smart Card Security | Protects access to the recovery file that contains the BIOS passwords. |
| Smart card user password (also known as BIOS user card password) | Smart Card Security | Links the smart card to the computer for identification. Allows a user to create a recovery file to restore a user card. |
| Basic User Key password (also known as Embedded Security password) | Embedded Security | When enabled as the BIOS power-on authentication support password, protects access to the computer contents when computer is turned on, restarted, or restored from hibernation. |
| Emergency Recovery Token password (also known as Emergency Recovery Token Key password) | Embedded Security, by IT administrator | Protects access to the Emergency Recovery Token, which is a backup file for the embedded security chip. |
| Owner password | Embedded Security, by IT administrator | Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security. |
| Credential Manager logon password | Credential Manager | This password offers 2 options: It can be used in a separate logon to access Credential Manager after logging on to Microsoft Windows. It can be used in place of the Windows logon process, allowing access to Windows and Credential Manager simultaneously. |
| Credential Manager recovery file password | Credential Manager, by IT administrator | Protects access to the Credential Manager recovery file. |
| Windows logon password | Windows Control Panel | Can be used in manual logon or saved on the smart card. |

Creating a Secure Password

When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:
Use passwords with more than 6 characters, preferably more than 8.
Mix the case of letters throughout your password.
Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
Substitute special characters or numbers for letters in a key word. For example, you can use the number 1 for letters I or L.
Combine words from 2 or more languages.
Split a word or phrase with numbers or special characters in the middle, for example, “Mary2-2Cat45.”
Do not use a password that would appear in a dictionary.
Do not use your name for the password, or any other personal information, such as birth date, pet names, or mother's maiden name, even if you spell it backwards.
Change passwords regularly. You might change only a couple of characters that increment.
If you write down your password, do not store it in a commonly visible place very close to the computer.
Do not save the password in a file, such as an e-mail, on your computer.
Do not share accounts or tell anyone your password.

Smart Card Security for ProtectTools

Basic Concepts

Smart Card Security for ProtectTools manages the smart card setup and configuration for computers equipped with an optional smart card reader.
With Smart Card Security, you can:
Access smart card security features.
Initialize a smart card so that it can be used with other ProtectTools modules, such as Credential Manager for ProtectTools.
Work with the Computer Setup utility to enable smart card authentication in a preboot environment, and to configure separate smart cards for an administrator and a user. This requires a user to insert the smart card and optionally enter a PIN prior to allowing the operating system to load.
Set and change the password used to authenticate users of the smart card.
Back up and restore smart card BIOS passwords stored on the smart card.

Initializing the Smart Card

You must initialize the smart card before using it.
To initialize the smart card:
1. Insert the smart card into the reader.
2. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
3. Select the plus sign (+) to expand the Smart Card Security menu, and then select Smart Card.
4. Click Initialize.
5. Type your name in the first box in the Initialize the smart card dialog box.
6. Set and confirm the smart card PIN in the appropriate boxes. The PIN code must be between 4 and 8 numeric characters.
To avoid losing access to the computer, do not forget the smart card PIN. If you forget your smart card PIN, it may be impossible to operate the computer. The smart card will be locked and made unusable unless the smart card PIN is entered correctly within 5 attempts. The count for these attempts resets after the correct PIN is entered.
7. Click OK to complete the initialization.
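The PIN rules in step 6 (4 to 8 numeric characters, card locked after 5 wrong entries, counter reset by a correct entry) behave like a small state machine. The following Python model is an added illustration, not HP or smart card firmware code; the names SmartCardPin, CardLocked, valid_pin_format and guess_bound are hypothetical. It goes slightly beyond the text by computing, for each allowed PIN length, the worst-case chance that blind guessing succeeds before the card locks.

```python
"""Model of the smart card PIN retry counter described in the guide.

Added illustration only: the class and function names are hypothetical
and are not part of ProtectTools or any card firmware.
"""
import hmac
from fractions import Fraction

PIN_MIN_LEN = 4    # from the guide: PIN is 4 to 8 numeric characters
PIN_MAX_LEN = 8
MAX_ATTEMPTS = 5   # from the guide: card locks after 5 wrong entries


class CardLocked(Exception):
    """Raised when the card is locked and accepts no further PIN entry."""


def valid_pin_format(pin: str) -> bool:
    """Return True if pin consists of 4 to 8 ASCII digits."""
    return (PIN_MIN_LEN <= len(pin) <= PIN_MAX_LEN
            and pin.isascii() and pin.isdigit())


class SmartCardPin:
    """Tracks consecutive failed PIN entries and the locked state."""

    def __init__(self, pin: str):
        if not valid_pin_format(pin):
            raise ValueError("PIN must be 4 to 8 numeric characters")
        self._pin = pin
        self.failed = 0
        self.locked = False

    @property
    def attempts_left(self) -> int:
        return 0 if self.locked else MAX_ATTEMPTS - self.failed

    def verify(self, candidate: str) -> bool:
        """Check a PIN entry, updating the retry counter."""
        if self.locked:
            # Once locked, even the correct PIN is refused.
            raise CardLocked("card is locked")
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.failed = 0          # a correct entry resets the count
            return True
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked = True       # fifth consecutive miss locks the card
        return False


def guess_bound(pin_length: int) -> Fraction:
    """Chance that 5 distinct blind guesses hit a uniformly random PIN."""
    if not PIN_MIN_LEN <= pin_length <= PIN_MAX_LEN:
        raise ValueError("PIN length must be between 4 and 8")
    return Fraction(MAX_ATTEMPTS, 10 ** pin_length)


if __name__ == "__main__":
    card = SmartCardPin("4821")      # constructed sample PIN
    print(card.verify("0000"), card.attempts_left)   # miss: 4 attempts left
    print(card.verify("4821"), card.attempts_left)   # hit: counter reset
    for length in range(PIN_MIN_LEN, PIN_MAX_LEN + 1):
        print(length, "digits:", guess_bound(length))
```

The bound shrinks by a factor of 10 per extra digit, which is the practical argument for choosing the longest PIN the card allows when the PIN is required at startup.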

Smart Card BIOS Security Mode

When enabled, smart card BIOS security mode requires you to use a smart card to log on to the computer.
The process of enabling smart card BIOS security mode involves the following steps:
1. Enable Smart Card Power-on Authentication Support in BIOS Configuration. Refer to “Enabling and Disabling Smart Card Power-on Authentication Support,” in Chapter 4, “BIOS Configuration for ProtectTools.”
Enabling this setting allows you to use a smart card for power-on authentication. The smart card BIOS security mode features are unavailable until you enable smart card power-on authentication support.
2. Enable smart card BIOS security mode in Smart Card Security. Refer to “Enabling Smart Card BIOS Security Mode and Setting the Smart Card Administrator Password,” later in this chapter.
3. Set the smart card administrator password.
The smart card administrator password is set as part of the process of enabling smart card BIOS security mode.
The smart card administrator password is not the same as the Computer Setup administrator password. The smart card administrator password links the smart card to the computer for identification purposes, and also allows you to do the following:
Enable or disable Computer Setup passwords
Create new administrator and user smart cards
Create a recovery file to restore either a user or administrator smart card
The smart card administrator password cannot be set until smart card BIOS security mode is enabled in Smart Card Security.

Enabling Smart Card BIOS Security Mode and Setting the Smart Card Administrator Password

To enable smart card BIOS security mode and set the smart card administrator password:
1. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
2. Select the plus sign (+) to expand the Smart Card Security menu, and then select BIOS.
3. Under BIOS Security Mode, click Enable.
4. Click Next.
5. Enter the Computer Setup administrator password at the prompt, and click Next.
6. Insert the new administrator smart card, and follow the on-screen instructions. The instructions vary and may include the following tasks:
Initializing the smart card. Refer to “Initializing the Smart
Card for detailed instructions.
Setting the smart card administrator password. Refer to
Storing the Administrator or User Card Password” for detailed instructions.
Creating a recovery file. Refer to “Creating a Recovery
File” for detailed instructions.
2–4 Reference Guide
Smart Card Security for ProtectTools
Disabling Smart Card BIOS Security Mode
When disabling smart card BIOS security mode, the smart card administrator and user passwords are disabled, and the use of the smart card is no longer needed to access the computer.
If smart card BIOS security mode has previously been enabled,
the button on the Smart Card Security BIOS page changes to Disable.
To disable smart card security:
1. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
2. Select the plus sign (+) to expand the Smart Card Security menu, and then select BIOS.
3. Under BIOS Security Mode, click Disable.
4. Insert the card containing the current smart card administrator password, and then click Next.
5. Enter the smart card PIN at the prompt and click Finish.

Changing the Smart Card Administrator Password

The smart card administrator password is set as part of the process for enabling smart card BIOS security mode. You can change the smart card administrator password after it has been set. Refer to “Smart Card BIOS Security Mode,” earlier in this chapter, for more information about the smart card administrator password.
The following procedure updates the smart card administrator password stored on the card and in Computer Setup.
To change the smart card administrator password:
1. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
2. Select the plus sign (+) to expand the Smart Card Security menu, and then select BIOS.
3. Under BIOS Security Mode, next to BIOS administrator card, click Change.
4. Enter the smart card PIN and click Next.
5. Insert the new administrator card and click Next.
6. Enter the smart card PIN and click Finish.

Setting and Changing the Smart Card User Password

To set or change the smart card user password:
1. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
2. Select the plus sign (+) to expand the Smart Card Security menu, and then select BIOS.
3. Under BIOS Security Mode, next to BIOS user card, click the Set button.
If there is already a user password in Computer Setup, click the Change button.
4. Enter the smart card PIN and click Next.
5. Insert the new user card and click Next.
If there is already a user password on the card, the Finish dialog box is displayed. Omit steps 6 through 8 and go to step 9.
If there is no user password on the card, the BIOS Password Wizard opens.
6. In the BIOS Password Wizard, you can either
Enter a password manually.
Generate a random 32-byte password.
Using a known password enables you to create duplicate cards without using a recovery file. Generating a random password offers more security; however, you must have a recovery file to make backup cards.
7. Under Boot Requirements, select the check box if you require the smart card PIN to be entered at startup.
If you do not require the smart card PIN to be entered at startup, clear this check box.
8. Enter the smart card PIN and click OK. The system prompts you to create a recovery file.
It is highly recommended that you create a recovery file. For more information, refer to “Creating a Recovery File,” later in this chapter.
9. Enter the smart card PIN in the Finish dialog box, and then click Finish.

Storing the Administrator or User Card Password

If you want to create a backup card and have already set the administrator password, you can store the password on the new card.
CAUTION: This procedure updates only the password on the card and not in Computer Setup. You will not be able to access the computer with the new card.
To store the administrator or user card password:
1. Insert a smart card into the reader.
2. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
3. Select the plus sign (+) to expand the Smart Card Security menu, and then select BIOS.
4. Under BIOS Password on Smart Card, click Store.
5. In the BIOS Password Wizard, you can either
Enter a password manually.
Generate a random 32-byte password.
Using a known password enables you to create duplicate cards without using a recovery file. Generating a random password offers more security; however, you must have a recovery file to make backup cards.
6. Under Access Privilege, click either Administrator or User for the type of card.
7. Under Boot Requirements, select the check box if you require that the smart card PIN be entered at startup.
If you do not require the smart card PIN to be entered at startup, clear this check box.
8. Enter the smart card PIN and click OK.
9. Enter the smart card PIN again in the Finish dialog box, and then click Finish. The system prompts you to create a recovery file.
It is highly recommended that you create a smart card recovery file. For more information, refer to “Creating a Recovery File,” later in this chapter.

General Tasks

Updating BIOS Smart Card Settings

To require a smart card PIN when you restart the computer:
1. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
2. Click the plus sign (+) to expand the Smart Card Security menu, and then select BIOS.
3. Under Smart Card BIOS Password Properties, click Settings.
4. Select the check box to require a PIN at reboot.
To eliminate this requirement, clear the check box.
5. Enter the smart card PIN and click OK.

Selecting the Smart Card Reader

Ensure that the correct smart card reader is selected in Smart Card Security before using the smart card. If the correct reader is not selected in Smart Card Security, some of the features may be unavailable or incorrectly displayed.
To select the smart card reader:
1. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
2. Select the plus sign (+) to expand the Smart Card Security menu, and then select General.
3. Under Smart Card Reader, select the correct reader.
4. Insert the smart card into the reader. The reader information is automatically refreshed.

Changing the Smart Card PIN

To change the smart card PIN:
1. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
2. Select the plus sign (+) to expand the Smart Card Security menu, and then select Smart Card.
3. Click Change PIN.
4. Type your current smart card PIN.
5. Set and confirm the new PIN.
6. Click OK in the confirmation dialog box.

Backing Up and Restoring Smart Cards

After you have initialized a smart card and the card is ready for use, it is highly recommended that you create a smart card recovery file. The recovery file can be used to transfer the smart card data from one smart card to another smart card. This file can also be used to back up the original smart card or to restore the data when a smart card is lost or stolen.
CAUTION: To avoid having a recovery file that does not match a smart card with updated information, immediately create a new recovery file and store it in a safe place. If you keep a backup smart card, you must also update the information on the backup smart card by restoring the new recovery file onto the backup smart card.

Creating a Recovery File

To create a recovery file:
1. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
2. Select the plus sign (+) to expand the Smart Card Security menu, and then select Smart Card.
3. Under Recovery, click Create.
4. Enter the smart card PIN and click OK.
5. Enter the file path and file name in the Filename field.
To avoid loss of access to the computer, do not save the recovery file on the computer hard drive; you will not be able to access the file without the smart card. Also, a recovery file saved on the hard drive may be accessible to others, posing a security risk.
6. Set and confirm a recovery file password, and then click OK.
CAUTION: To prevent the loss of the smart card recovery file data, do not forget the recovery file password. You cannot re-create your card from the recovery file if you forget the password.

Restoring Smart Card Data

You can restore the smart card data from the recovery file. This is especially useful if a card was lost or stolen, or if you want to create a backup smart card. If you use a card with previous data saved on it, the data will be overwritten.
Before you begin, you will need the following:
Access to a computer with Smart Card Security software installed
Smart card recovery file
Smart card recovery file password
Smart card
To restore a smart card:
1. Select Start > All Programs > HP ProtectTools Security Manager > Smart Card Security.
2. Select the plus sign (+) to expand the Smart Card Security menu, and then select Smart Card.
3. Insert the diskette or other media containing the smart card recovery file.
4. Insert a smart card into the reader. If the card is not initialized, you will be prompted to initialize it. For detailed instructions on initializing the smart card, refer to “Initializing the Smart Card,” earlier in this chapter.
5. In the Recovery section, click Restore.
6. Ensure that the correct recovery file name is selected, and enter the recovery file password.
7. Enter the smart card PIN.
8. Click OK. The original smart card contents are restored to the new smart card.