HP XM600, ProtectTools 2000 User Manual

HP ProtectTools 2000
Smart Card Kit
User’s Guide
The information contained in this document is subject to change without notice.
Hewlett-Packard makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Hewlett-Packard Company.
Microsoft, MS®, MS-DOS®, Windows® and Windows NT® are registered trademarks of Microsoft Corporation in the United States and other countries.
and Acrobat™ are trademarks of Adobe Systems Incorporated.
Hewlett-Packard France Commercial Computing Division 38053 Grenoble Cedex 9 France
2000 Hewlett-Packard Company
User’s Guide
This manual is intended for both the PC administrator and the PC user. It describes how to:
Install and deploy HP ProtectTools 2000 software
Set up HP ProtectTools 2000 for use
Manage security settings
Manage smart cards
Troubleshoot problems
Find out where to get more information and support.
HP Custom Security Services
HP offers security consulting services and customized security solutions, including the use of this product and other HP security products. For more information, please contact your HP sales representative.
Conventions Used in this Manual
This document describes the installation of software on a range of Microsoft operating systems. Whenever some information applies only to one or more operating systems, a small tab appears alongside to indicate the operating system(s) concerned. See the following example:
Windows NT 4.0
Windows 2000
1 This indicates that step 1 applies only to PCs running Windows NT 4.0 or Windows 2000. You can ignore this step if your PC is running a different operating system.
When no such symbol is shown alongside a step or section in the manual, the information concerns all operating systems:
2 This indicates that step 2 applies to any system running one of the supported operating systems: Windows 95, Windows 98, Windows NT 4.0 or Windows 2000.
Important Information
Folder Encryption (Windows 95, 98 and NT 4.0 Only)
You are about to install File Encryption software. This software enables the use of an advanced security feature but it implies at the same time the risk of loss of access to your confidential files. To reduce such a risk, HP strongly recommends you prepare in advance a recovery smart card and/or recovery file that will still give you access to such files in case you lose your smart card and/or password.
ATTENTION: in case of loss of your smart card and/or password you may not be able to recover access to those encrypted files.
Import/Export Regulations
This computer system includes HP ProtectTools 2000. HP ProtectTools 2000 is made of a smart card (and associated reader and software driver) and HP Encryption Smart Card Security System software with the following encryption capabilities.
40bit symmetrical encryption algorithm, used for data encryption (confidentiality) (non-US version);
128bit symmetrical encryption algorithm, used for data encryption (confidentiality) (US version);
512/56bit RSA private key algorithm, used for digital signature (non-US version);
1024/128bit RSA private key algorithm, used for digital signature (US version).
Export of this product is not allowed to the following countries: Afghanistan, Angola, Cuba, Iraq, Iran, Libya, Macedonia, Montenegro, Mozambique, North Korea, Pakistan, Serbia, Slovenia, Somalia, Sudan, Syria. Export of this product to other countries may be subject to regulations. For instructions on how to export this product, and according to the country in which you have purchased this equipment, please contact: in France: SCSSI (Service Central de la Sécurité des Systèmes d'Information, www.scssi.gouv.fr); in Germany: BAFA (Bundesausfuhramt, Exportkontrolle, www.bafa.de); in the United Kingdom: DTI (Department of Trade and Industry, www.dti.gov.uk); in the USA: Department of Commerce (Export Administration Regulations, www.bxa.doc.gov).
1 Introduction to HP ProtectTools 2000
Introduction
What is a Smart Card?
Smart Card Kit Contents
GemSAFE Smart Cards
PIN Numbers
Before You Begin
System Requirements (HP Desktop PCs)
System Requirements (OmniBook Notebook PCs)
Software Compatibility for PCs Running Windows NT 4.0
Features of HP ProtectTools 2000
Contents of the HP ProtectTools 2000 CD-ROM
2 Installing HP ProtectTools 2000 Software
Before Installing the Software
Software Installation Procedure
Preparing a PC Running Windows NT 4.0 (HP Desktop PCs)
Preparing a PC Running Windows NT 4.0 (HP Notebook PCs)
Installing the Drivers, Software and Reader (HP Desktop PCs)
Installing the Drivers, Software and Reader (HP Notebook PCs)
Installing Optional Items
Deploying ProtectTools 2000 Using a Network
Remote Installation Using a Deployment Tool
Automatic Installation of ProtectTools 2000
Uninstalling HP ProtectTools 2000
Uninstalling HP NTLock
Uninstalling HP Soft PowerDown
3 Setting up HP ProtectTools 2000
Preparing a Smart Card for Use: Overview
Initializing a Smart Card
Updating the PC’s BIOS (OmniBooks Only)
Enabling BIOS Smart Card Security (OmniBooks Only)
Setting Up a BIOS User Password Card
Setting Up Folder Encryption on Your PC
Creating a Recovery File
4 Managing Security and Smart Cards
The HP Smart Card Security Manager
For Windows NT 4.0 and Windows 2000 Users
For Windows 95 and Windows 98 Users
Running the HP Smart Card Security Manager
Accessing the Online Help
Managing Security: Configuration Settings
Smart Card – Allow Initialization Option
Beep on Smart Card Removal Option
Win NT – Logon Policies Options
Win NT – Logon Text Configuration Options
Win NT – Logon Power Management Options
Account Policies
BIOS Password Options (OmniBooks Only)
Win95/98 Options
Customizing Security For Your Installed Base of PCs
Managing Smart Cards
Using Smart Cards under Windows NT and Windows 2000
Initializing Further Smart Cards
Changing a Smart Card’s PIN
Restoring a Smart Card from a Recovery File
Restoring a Smart Card Without the Recovery File
Adding an Account to a Smart Card (Windows NT/Windows 2000)
Removing an Account (Windows NT/Windows 2000)
Changing an Account Password (Windows NT/Windows 2000)
HP TopTools
5 Troubleshooting
Smart Card Troubleshooting Help Zone
If You Disconnect the Smart Card Reader
If the PC Freezes After You Restart It
If the Smart Card’s Password is Not Up To Date
Wait for Service
Troubleshooting Table
HP Smart Card Diagnostics Tool
Diagnostics Online Help
Using HP Smart Card Diagnostics
Documentation, Help and Support

Introduction to HP ProtectTools 2000

This chapter introduces the HP ProtectTools 2000 Smart Card Kit and provides information about system requirements and compatibility. It also tells you where you can get more information about ProtectTools 2000 and smart cards.


The HP ProtectTools 2000 Smart Card Kit can be installed on a range of HP PCs, OmniBook Notebooks and PC Workstations. It provides smart card secured access to Microsoft Windows 95, Windows 98, Windows NT 4.0 and Windows 2000 platforms.
To discover on which PCs you can install ProtectTools 2000, go to:

What is a Smart Card?

Smart cards are small plastic cards the size of a credit card that carry a microchip containing memory and a microprocessor.
Like personal computers, they have an operating system to manage input/output, and include security features to resist tampering.
A Personal Identification Number (PIN) is needed to gain access to the contents of the microchip. This means that you can easily gain access to a computer protected by a smart card only if you have the correct smart card and you know the PIN. See “PIN Numbers” on page 13 for more information.

Smart Card Kit Contents

Your HP Smart Card Security Kit contains:
One smart card reader. This is either internal or external depending on your model of PC:
an internal PCMCIA card reader for OmniBook Notebook PCs
an external serial card reader for all desktop PC models
Two smart cards. One spare card is for backup/recovery purposes.
One CD-ROM containing software, drivers and documentation.

GemSAFE Smart Cards

If your ProtectTools 2000 Smart Card Kit comes with a pair of GemSAFE GPK 8K smart cards, you can, as well as enjoying secure Web access, send and receive secure e-mail. GemSAFE cards support encryption/decryption and signature functions.
For more information on using GemSAFE smart cards, refer to the GemSAFE User Guide, available by selecting GemSAFE User Guide on your PC or by looking in the folder on the HP ProtectTools 2000 CD-ROM.
NOTE Export regulations and national law dictate maximum session key lengths. The maximum session key length in the United States and Canada is 128 bits (for example, with Microsoft Internet Explorer). The maximum session key length for the international version is 40 bits. If you are sending a message internationally, you may need to change the session key length (or encryption algorithm) so that the recipient has the cryptographic capacity to decrypt your message.
You currently have the international version preloaded on your VL600 Secure Bundle. If you are using this system in the US or in Canada, downloading the High Encryption Pack directly from Microsoft at www.microsoft.com will enable you to use the strong key length version.

PIN Numbers

When using smart cards with ProtectTools 2000, the PIN for logging on to your PC is 8 characters in length. It can contain any letters or numbers (a-z, A-Z, 0-9) and is case sensitive (hellojoe is not the same as HelloJoe). If you fail to enter this PIN code in five successive attempts, the card will become unusable. For information on changing this PIN, refer to “Changing a Smart Card’s PIN” on page 63.
In addition to this, GemSAFE smart cards also use a second PIN for secure e-mail and Web access. The default PIN code for accessing these features is 1234. However, you may use from four to eight characters when you set your own PIN. Subsequently, when you use the card, you have three attempts to type in the correct PIN number. If you fail to enter the correct PIN in three successive attempts, you will no longer be able to use the secure e-mail and Web access features. The card can be reactivated with a special unblock code by going to Start > Programs > GemSAFE > Card Details. The default unblock code is also 1234, and can be changed from within this application.

Before You Begin

System Requirements (HP Desktop PCs)

The minimum system requirements are:
One free 9-pin serial port (if you do not have a free serial port, you can order the HP Serial/Parallel Interface Card D7503A/T)
Windows 95 OSR2, Windows 98, Windows NT 4.0 or Windows 2000.
Windows NT 4.0 Service Pack 4 or later is required. Windows NT 4.0 Service Pack 6a is provided on the ProtectTools 2000 CD-ROM
Approximately 20 MB of free hard disk space (not including the space required if you need to install Windows NT 4.0 Service Pack 6a).

System Requirements (OmniBook Notebook PCs)

The minimum system requirements for OmniBooks are:
An OmniBook 900 or 4150 or later with Windows 95 OSR2, Windows 98, Windows NT 4.0 or Windows 2000 (a Smart Card BIOS is included), or
An OmniBook XE2 with Windows 98 or Windows 2000. BIOS security features are not supported. Future models may support other operating systems and BIOS security.
A CD-ROM drive installed in your OmniBook or available via a network (on certain OmniBook models the CD-ROM drive is an option that must be purchased separately).
Windows NT 4.0 Service Pack 4 or later is required. Windows NT 4.0 Service Pack 6a is provided on the ProtectTools 2000 CD-ROM
At least 7 megabytes of free hard disk space.

Software Compatibility for PCs Running Windows NT 4.0

ProtectTools 2000 replaces Windows NT's standard logon library (MSGINA.DLL). You may experience compatibility problems with software that replaces the same library (for example Novell Netware Client or pcAnywhere 32). In order to have HP ProtectTools 2000 work properly, do NOT install such software along with HP ProtectTools
If you install Novell Netware Client after ProtectTools 2000, you will get a message "Novell has detected a GINA difference on this machine. Do you want to replace it with Netware GINA.DLL?". If you answer Yes, neither Netware Client nor HP ProtectTools 2000 will work correctly.

Features of HP ProtectTools 2000

ProtectTools 2000 can provide several types of security for your PC. The security you have available depends on your HP hardware, operating system, your security setup options, and your system BIOS.
Features on Desktop PCs
Windows 95 Windows 98 NT4.0 (SP6a or later) Windows 2000
Folder Encryption (page 40) Microsoft EFS
n/a Logon Authorization (page 49)
Lock at Card Removal (page 50)
Lock at Suspend/Resume (page 58) n/a Lock at
Secure Screen Saver (page 58)
1. Microsoft EFS (Encrypted File System) is the file encryption security system available with Windows 2000. Since file encryption is already part of the operating system, HP ProtectTools does not offer its file encryption feature for the Windows 2000 environment. Note that you must have a Windows 2000 NTFS partition on your hard drive to use Microsoft EFS.
Features on OmniBook Notebook PCs
Windows 95 Windows 98 NT4.0 (SP6a or later) Windows 2000
Folder Encryption (page 40)
BIOS Smart Card Security Feature (page 39)
n/a Logon Authorization (page 49)
Lock at Undock (page 58) n/a
Lock at Card Removal (page 50)
Lock at Suspend/Resume (page 58)
Secure Screen Saver (page 58)
1. Except for OmniBook 800, 2000, 3000 and 5x00 PCs.
2. Microsoft EFS (Encrypted File System) is the file encryption security system available with Windows 2000. Since file encryption is already part of the operating system, HP ProtectTools does not offer its file encryption feature for the Windows 2000 environment. Note that you must have a Windows 2000 NTFS partition on your hard drive to use Microsoft EFS.
3. Except for OmniBook XE2.
Microsoft EFS

Contents of the HP ProtectTools 2000 CD-ROM

The CD-ROM provided with your HP ProtectTools 2000 Smart Card Kit contains:
HP smart card reader driver
HP Smart Card Security System: This software takes care of the encryption and the secure logon and logoff features when using the smart card. The software includes the Smart Card Security Manager, used to configure security and manage smart cards. Refer to chapter 4 for information about using the Smart Card Security Manager.
HP Smart Card Diagnostics: You can use the diagnostics to ensure that your smart card reader is working correctly or to help you to troubleshoot problems. Refer to page 75 for information about using the diagnostics utility.
ProtectTools 2000 Documentation: Includes the online help and this manual (in PDF format). The online help provides information about HP Smart Card Security Manager. The online help is installed when you install the HP Smart Card Security System.
GemSAFE software and documentation: This software, in conjunction with GemSAFE smart cards, provides secure e-mail and Web access.
Acrobat Reader: Provided so that you can view and print this manual.
Microsoft Smart Card Base Components: These components provide operating-system level support for the ProtectTools 2000 Smart Card components. You must install both updates 1 and 2.
Microsoft Windows NT 4.0 Service Pack 6a: Windows NT 4.0 Service Pack 4 or later is required before installing any of the ProtectTools 2000 smart card components.
HP NTLock (for Vectra and Kayak only): This utility allows users to lock their PC during short absences to prevent unauthorized access. If you use HP NTLock, you must first uninstall any previous version then install the appropriate latest version.
Only these versions (and later) will work correctly with the ProtectTools 2000 software.
HP NTLock is NOT supported on HP Vectra VE or VEi series PCs (with the exception of the HP Vectra VE5 series 4). For the latest information on supported utilities for your PC, refer to then click on
HP Soft PowerDown (for Vectra and Kayak only): This utility automatically powers off your HP PC or HP PC Workstation when you shut down Windows NT.
HP TopTools Agent: HP TopTools is a device management tool for HP PCs and other devices. This version of the Agent is compatible with HP ProtectTools 2000 Smart Card technology. For more information about TopTools, connect to HP’s website
Note that you can obtain a Windows 2000 version of the HP TopTools agent (when it becomes available) either on your PC’s hard drive or from HP’s website
Please consult the file provided in the root directory of the CD-ROM. It contains the most up to date information about the drivers and software provided. The information contained in this file supersedes any information given in this manual or other documentation provided with the accessory.

Installing HP ProtectTools 2000 Software

This chapter describes how to install ProtectTools 2000 software components. This is not necessary for HP Secure Bundle PCs on which the software is preinstalled. This chapter also has information about uninstalling ProtectTools 2000.

Before Installing the Software

Before installing any software or drivers, ensure that:
You have at least one uninitialized smart card ready. Two uninitialized cards are provided with the smart card reader. Once the installation process is complete, you will be asked to insert a smart card so that you can initialize it.
You have logged on as the PC’s Administrator.
HP strongly recommends that:
You prepare a formatted blank floppy disk. You will need one if you want to create a recovery file of the smart card once the smart card has been initialized.
NOTE For the most up to date information about ProtectTools 2000 software and drivers, please consult the file provided in the root directory of the CD-ROM. The information contained in this file supersedes any information given in this manual or other documentation provided with the accessory.

Software Installation Procedure

Make sure you have carried out the tasks outlined in “Before Installing the Software” on page 22 before proceeding with the following:
1 Prepare your PC (PCs running Windows NT 4.0 only).
2 Install the drivers, software and smart card reader.
3 Install other items, if required (TopTools hardware resource monitoring utility and this manual).

Preparing a PC Running Windows NT 4.0 (HP Desktop PCs)

1 Install Microsoft Windows NT 4.0 Service Pack 6a from the ProtectTools 2000 CD-ROM (if you do not already have Service Pack 4 or later installed) and restart the PC.
To find Service Pack 6a, go to the folder, then open the folder for your language. To install, double-click on the setup program
2 If you are currently using HP NTLock on your PC (and it is older than version 2.2) or you want to use it:
a Uninstall the version of HP NTLock currently on the PC using the Add/Remove Programs utility in Control Panel.
b Restart the PC.
c Install the appropriate version of HP NTLock provided (or any later version). Two versions are supplied, one for HP Vectra VL and VLi PCs only (not for Vectra VE and VEi PCs) and the other (the light version without power management) for HP Kayak PC Workstations. The Vectra version is in the folder ntlock\vectra\disk1 and the Kayak version in ntlock\kayak\disk1.
3 If you currently use HP Soft PowerDown (and it is older than version 5.08) or you want to use it:
a Uninstall the version of HP Soft PowerDown currently on the PC using the Add/Remove Programs utility in Control Panel.
b Restart the PC.
c Install the version of HP Soft PowerDown provided on the CD-ROM (or a later version that is compatible with HP ProtectTools 2000). The Soft PowerDown software is in the folder on the
4 Restart the PC.

Preparing a PC Running Windows NT 4.0 (HP Notebook PCs)

1 Install Microsoft Windows NT 4.0 Service Pack 6a from the ProtectTools 2000 CD-ROM (if you do not already have Service Pack 4 or later installed) and restart your Notebook PC.
To find Service Pack 6a, go to the folder, then open the folder for your language. To install, double-click on the setup program
2 If Card Executive or APM is installed on your computer, you should update them with the latest versions using the HP ProtectTools 2000 CD-ROM.
a Uninstall Card Executive or APM using the utility in Start > Settings > Control Panel
b Insert the HP ProtectTools 2000 CD-ROM in the CD-ROM drive. If your CD-ROM drive is configured to “autorun”, the ProtectTools 2000 installation screen will appear automatically. If this screen does not appear, use Windows Explorer to browse the CD contents and double-click the file in the root directory to run the installation.
c Install the new versions of Card Executive or APM from the ProtectTools 2000 installation screen.
3 Restart the PC.