HP ProtectTools Security User Manual

HP ProtectTools Security Manager Guide
HP Compaq Business Desktops
© Copyright 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Intel and SpeedStep are trademarks of Intel Corporation in the U.S. and other countries.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
This document contains proprietary information that is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Hewlett-Packard Company.
First Edition (August 2006)
Document Part Number: 431330-001
About This Book
This guide provides instructions for configuring and using HP ProtectTools Security Manager.
WARNING! Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life.
CAUTION Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information.
NOTE Text set off in this manner provides important supplemental information.
Table of contents

1 Introduction
    HP ProtectTools Security Manager  1
        Accessing the ProtectTools Security Manager  1
    Understanding Security Roles  2
    Managing ProtectTools Passwords  2
        Multifactor Authentication Credential Manager Logon  5
        Creating a Secure Password  5
    Advanced Tasks  6
        Managing ProtectTools Settings  6
            Enabling and Disabling Java Card Power-On Authentication Support  6
            Enabling and Disabling Power-On Authentication Support for Embedded Security  6
        Managing Computer Setup Passwords  7
            Setting the Power-On Password (if available)  7
            Changing the Power-On Password (if available)  7
            System Setup  8
            Changing Power-On Authentication Support  8
            Changing User Accounts  8
            Setting the Computer Setup Administrator Password  9
            Changing the Computer Setup Administrator Password  9
            Dictionary Attack Behavior with Power-On Authentication  10
                Dictionary Attack Defense  10
2 HP BIOS Configuration for ProtectTools
    Basic Concepts  11
    Changing BIOS Settings  11
3 HP Embedded Security for ProtectTools
    Basic Concepts  13
    Setup Procedures  14
4 HP Credential Manager for ProtectTools
    Basic Concepts  15
    Launch Procedure  15
        Logging On for the First Time  16
5 HP Java Card Security for ProtectTools
    Basic Concepts  17
6 Third-Party Solutions
7 HP Client Manager for Remote Deployment
    Background  21
    Initialization  21
    Maintenance  21
8 Troubleshooting
    Credential Manager for ProtectTools  23
    Embedded Security for ProtectTools  27
    Miscellaneous  33
Glossary  37
Index  41
1 Introduction
HP ProtectTools Security Manager
ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Enhanced security functionality is provided by the following modules:
HP BIOS Configuration for ProtectTools
HP Embedded Security for ProtectTools
HP Credential Manager for ProtectTools
HP Java Card Security for ProtectTools
The modules available for the computer may vary, depending on the model. ProtectTools modules may be preinstalled, supplied on a CD that shipped with the computer, or available for purchase from the HP Web site. Visit http://www.hp.com for more information.
NOTE Refer to the ProtectTools Help screens for specific instructions for the ProtectTools modules.
To use the Trusted Platform Module (TPM), platforms containing a TPM require both a TCG Software Stack (TSS) and embedded security software. Some models provide the TSS; if the TSS is not provided, it can be purchased from HP. Additionally, TPM-enabling software must be purchased separately for some models. Please see Third-Party Solutions for more details.
Accessing the ProtectTools Security Manager
To access the ProtectTools Security Manager from the Microsoft Windows Control Panel:
Windows XP: Click Start > Control Panel > Security Center > ProtectTools Security Manager.
Windows 2000: Click Start > All Programs > HP ProtectTools Security Manager.
NOTE After you have configured the Credential Manager module, you can also log in to Credential Manager directly from the Windows logon screen. For more information, refer to HP Credential Manager for ProtectTools.
Understanding Security Roles
In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.
NOTE In a small organization or for individual use, these roles may all be held by the same person.
For ProtectTools, the security duties and privileges can be divided into the following roles:
Security officer—Defines the security level for the company or network and determines the security features to deploy, such as Java Cards, biometric readers, or USB tokens.
NOTE Many of the features in ProtectTools can be customized by the security officer in cooperation with HP. For more information, visit http://www.hp.com.
IT administrator—Applies and manages the security features defined by the security officer. Can also enable and disable some features. For example, if the security officer has decided to deploy Java Cards, the IT administrator can enable Java Card BIOS security mode.
User—Uses the security features. For example, if the security officer and IT administrator have enabled Java Cards for the system, the user can set the Java Card PIN and use the card for authentication.
Administrators are encouraged to follow best practices by restricting end-user privileges and limiting the access granted to users.
Managing ProtectTools Passwords
Most of the ProtectTools Security Manager features are secured by passwords. The following table lists the commonly used passwords, the software module where the password is set, and the password function.
The passwords that are set and used by IT administrators only are indicated in this table as well. All other passwords may be set by regular users or administrators.
Table 1-1 Password Management
(Each entry gives the ProtectTools password, the ProtectTools module in which it is set, and its function. Passwords that are set and used by IT administrators only are marked "by IT administrator".)

Computer Setup administrator password
    NOTE Also known as BIOS administrator, F10 Setup, or Security Setup password.
    Set in: BIOS Configuration, by IT administrator
    Function: Protects access to the BIOS Computer Setup utility and security settings.

Power-On password
    Set in: BIOS Configuration
    Function: HP ProtectTools Power-On Authentication Support is a TPM-based security tool designed to prevent unauthorized access to the computer as it is powered on. Power-On Authentication Support uses the HP ProtectTools Embedded Security Basic User password. Once Power-On Authentication is enabled in Computer Setup, the password is set when the first/next Embedded Security Basic User Key is initialized. The Embedded Security TPM chip protects the password for Power-On Authentication.

Java Card administrator password
    NOTE Also known as BIOS administrator card password.
    Set in: Java Card Security, by IT administrator
    Function: Links the Java Card to the computer for identification purposes. Allows a computer administrator to enable or disable Computer Setup passwords, generate a new administrator card, and create recovery files to restore user or administrator cards.

Java Card PIN
    Set in: Java Card Security
    Function: Protects access to the Java Card contents and to the computer when an optional Java Card and reader is used. Checks whether the Java Card user password duplicates the PIN; it is used to register Java Card authentication.

Java Card recovery file password (if available)
    Set in: Java Card Security
    Function: Protects access to the recovery file that contains the BIOS passwords.

Java Card user password (if available)
    NOTE Also known as BIOS user card password.
    Set in: Java Card Security
    Function: Links the Java Card to the computer for identification. Allows a user to create a recovery file to restore a user card.

Basic User password
    NOTE Also known as Embedded Security password or TPM Preboot password.
    Set in: Embedded Security
    Function: Used to access Embedded Security features, such as secure e-mail, file, and folder encryption. When enabled as the BIOS Power-On Authentication support password, protects access to the computer contents when the computer is turned on, restarted, or restored from hibernation. Also used to authenticate the Personal Secure Drive (PSD) and to register TPM authentication.

Emergency Recovery Token password
    NOTE Also known as Emergency Recovery Token Key.
    Set in: Embedded Security, by IT administrator
    Function: Protects access to the Emergency Recovery Token, which is a backup file for the TPM embedded security chip.

Owner password
    Set in: Embedded Security, by IT administrator
    Function: Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.

Credential Manager logon password
    Set in: Credential Manager
    Function: This password offers 2 options: it can be used in place of the Windows logon process, allowing access to Windows and Credential Manager simultaneously; or it can be used in a separate logon to access Credential Manager after logging on to Microsoft Windows.

Credential Manager recovery file password
    Set in: Credential Manager, by IT administrator
    Function: Protects access to the Credential Manager recovery file.

Windows logon password
    Set in: Windows Control Panel
    Function: Can be used in manual logon or saved on the Java Card.

Backup scheduler password
    NOTE A Windows user password is used to configure the backup scheduler for Embedded Security.
    Set in: Embedded Security, by IT administrator
    Function: Sets the backup scheduler for Embedded Security.

PKCS #12 Import password
    NOTE Each imported certificate has a password specific to that certificate.
    Set in: Embedded Security, by IT administrator
    Function: Password used for the encryption key from other certificates, if imported.
    NOTE Not required for normal software operation; the user may opt to set this password when using Embedded Security to send important certificates.

Password Reset Token
    Set in: Embedded Security, by IT administrator
    Function: Customer-provided tool allowing the owner to reset the Basic User password if it is lost; the password is used to perform this reset operation.

Microsoft Recovery Agent administrator password
    NOTE The Recovery Agent can be any local machine Administrator. If the Recovery Agent is created, then one would need to log in as that administrator and a password is required. The Recovery Agent can decrypt all users' encrypted data just by opening it (no Wizard required).
    Set in: Microsoft, by IT Security administrator
    Function: Ensures that the Personal Secure Drive (PSD) encrypted data can be recovered. See http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx for more information.
    NOTE Not required for normal software operation; the user may opt to set this password when using Embedded Security to send important certificates.

Virtual Token Master PIN
    Set in: Credential Manager
    Function: Customer option to store owner credentials with Credential Manager.

Virtual Token User PIN
    Set in: Credential Manager
    Function: Customer option to store owner credentials with Credential Manager.

Backup Identity wizard password
    Set in: Credential Manager, by IT administrator
    Function: Used to protect access to an identity backup when using Credential Manager.

Virtual Token Authentication password
    Set in: Credential Manager
    Function: Used to register virtual token authentication by Credential Manager.

TPM authentication alias
    Set in: Credential Manager
    Function: Used in place of the Basic User password by Credential Manager, at the option of the administrator or user.

Fingerprint logon
    Set in: Credential Manager
    Function: Credential Manager allows the user to replace the Windows password logon with a convenient and secure fingerprint logon. Unlike a password, fingerprint credentials cannot be shared, given away, stolen, or guessed. Used by Credential Manager.

USB Token authentication
    Set in: Credential Manager
    Function: Used by Credential Manager as a token authentication instead of a password.
Multifactor Authentication Credential Manager Logon
Credential Manager Logon enables multifactor authentication technology to log on to the Windows operating system. This raises the security of the standard Windows password logon by requiring strong multifactor authentication. It also makes the everyday logon more convenient by eliminating the need to remember user passwords. A unique feature of Credential Manager Logon is its ability to aggregate multiple account credentials into one user identity, so that the user performs multifactor authentication only once and can then access different Windows accounts with the same set of credentials.
Multifactor user authentication supports any combination of user passwords, dynamic or single-use passwords, TPM, Java Cards, USB tokens, virtual tokens, and biometrics. Credential Manager also supports alternative authentication methods, which makes it possible to grant multiple user access privileges for the same application or service. A user can consolidate all credentials, application passwords, and network accounts into a single data unit called a User Identity. The User Identity is always encrypted and protected with multifactor authentication.
Creating a Secure Password
When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:
Use passwords with more than 6 characters, preferably more than 8.
Mix the case of letters throughout your password.
Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
Substitute special characters or numbers for letters in a key word. For example, you can use the number 1 for letters I or L.
Combine words from 2 or more languages.
Split a word or phrase with numbers or special characters in the middle, for example, “Mary22Cat45”.
Do not use a password that would appear in a dictionary.
Do not use your name for the password, or any other personal information, such as birth date, pet names, or mother's maiden name, even if you spell it backwards.
Change passwords regularly. You might change only a couple of characters, such as a number that you increment.
If you write down your password, do not store it in a commonly visible place very close to the computer.
Do not save the password in a file, such as an e-mail, on the computer.
Do not share accounts or tell anyone your password.
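The guidelines above can be turned into an automated check that a help desk or provisioning script can run before a password is accepted. The following Python checker is an added example and is not part of HP ProtectTools or this manual; the word list and the letter-substitution map are constructed stand-ins (a deployment would load a full dictionary), and the "personal information" check simply looks for the supplied strings forwards and backwards, as the guideline describes. Note that the checker also undoes common substitutions (1 for I, 0 for O, and so on) before the dictionary test, since a substituted dictionary word is still weak.

```python
import re
import string

# Constructed stand-in for a real dictionary word list (assumption: a deployment
# would load a full one-word-per-line file instead).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "mary", "cat"}

# Common letter substitutions, undone before the dictionary test so that
# "Dr4g0n" is still treated as the dictionary word "dragon".
# The mapping is an assumption for this example, not an HP rule.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalise(text):
    """Lower-case the text and undo the substitutions in LEET_MAP."""
    return text.lower().translate(LEET_MAP)


def check_password(pw, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of guideline violations; an empty list means the password passes.

    personal_info: strings such as a name, pet name or birth date that must not
    appear in the password, forwards or backwards.
    """
    problems = []
    if len(pw) <= 6:
        problems.append("too short: use more than 6 characters, preferably more than 8")
    elif len(pw) <= 8:
        problems.append("short: more than 8 characters is preferable")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("mix upper-case and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("include digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("include special characters or punctuation")

    # Dictionary check on the raw letters and on the de-substituted letters.
    raw_letters = re.sub(r"[^a-z]", "", pw.lower())
    norm = _normalise(pw)
    norm_letters = re.sub(r"[^a-z]", "", norm)
    if raw_letters in dictionary or norm_letters in dictionary:
        problems.append("password is a dictionary word")

    # Personal information must not appear, even spelled backwards.
    for info in personal_info:
        needle = _normalise(info)
        if len(needle) < 3:
            continue  # too short to be a meaningful match
        if needle in norm or needle[::-1] in norm:
            problems.append(f"contains personal information ({info}), possibly reversed")
    return problems


def is_acceptable(pw, personal_info=()):
    """True when no guideline is violated."""
    return not check_password(pw, personal_info)


if __name__ == "__main__":
    # Constructed sample candidates, including the manual's own "Mary22Cat45".
    for candidate in ("Mary22Cat45", "Mary22!Cat45", "Dr4g0n#", "password"):
        print(candidate, "->", check_password(candidate) or "OK")
    # A name spelled backwards is still caught when supplied as personal info.
    print("Xyz!!1yraM9 ->", check_password("Xyz!!1yraM9", personal_info=["Mary"]))
```

The manual's own example "Mary22Cat45" passes every rule except the recommendation to include punctuation; adding one special character makes it acceptable. Supplying the user's name as personal information catches it even when reversed, which is the case the guideline calls out.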
Advanced Tasks
Managing ProtectTools Settings
Some of the features of ProtectTools Security Manager can be managed in BIOS Configuration.
Enabling and Disabling Java Card Power-On Authentication Support
If this option is available, enabling it allows you to use the Java Card for user authentication when you turn on the computer.
NOTE To fully enable the Power-On Authentication feature, you must also configure the Java Card using the Java Card Security for ProtectTools module.
To enable Java Card Power-On Authentication support:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration.
3. Enter your Computer Setup administrator password at the BIOS administrator password prompt, and then click OK.
4. In the left pane, select Security.
5. Under Java Card Security, select Enable.
NOTE To disable Java Card Power-On Authentication, select Disable.
6. Click Apply, and then click OK in the ProtectTools window to save your changes.
Enabling and Disabling Power-On Authentication Support for Embedded Security
If this option is available, enabling it allows the system to use the TPM embedded security chip for user authentication when you turn on the computer.
NOTE To fully enable the Power-On Authentication feature, you must also configure the TPM embedded security chip using the Embedded Security for ProtectTools module.
To enable Power-On Authentication support for embedded security:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration.
3. Enter your Computer Setup administrator password at the BIOS administrator password prompt, and then click OK.
4. In the left pane, select Security.
5. Under Embedded Security, select Enable Power-On Authentication Support.
NOTE To disable Power-On Authentication for Embedded Security, select Disable.
6. Click Apply, and then click OK in the ProtectTools window to save your changes.
Managing Computer Setup Passwords
You can use BIOS Configuration to set and change the power-on and setup passwords in Computer Setup, and also to manage various password settings.
CAUTION The passwords you set through the Passwords page in BIOS Configuration are saved immediately upon clicking the Apply or OK button in the ProtectTools window. Make sure you remember what password you have set, because you will not be able to undo a password setting without supplying the previous password.
The power-on password can protect the computer from unauthorized use.
NOTE After you have set a power-on password, the Set button on the Passwords page is replaced by a Change button.
The Computer Setup administrator password protects the configuration settings and system identification information in Computer Setup. After this password is set, it must be entered to access Computer Setup.
If you have set an administrator password, you will be prompted for the password before opening the BIOS Configuration portion of ProtectTools.
NOTE After you have set an administrator password, the Set button on the Passwords page is replaced by a Change button.
Setting the Power-On Password (if available)
To set the power-on password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration, and then select Security.
3. In the right pane, next to Power-On Password, click Set.
4. Type and confirm the password in the Enter Password and Verify Password boxes.
5. Click OK in the Passwords dialog box.
6. Click Apply, and then click OK in the ProtectTools window to save your changes.
Changing the Power-On Password (if available)
To change the power-on password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration, and then select Security.
3. In the right pane, next to Power-On Password, click Change.
4. Type the current password in the Old Password box.
5. Set and confirm the new password in the Enter New Password and Verify New Password boxes.
6. Click OK in the Passwords dialog box.
7. Click Apply, and then click OK in the ProtectTools window to save your changes.
System Setup
1. Initialize HP ProtectTools Embedded Security.
2. Initialize Basic User Key.
HP Power-On Authentication Support starts as soon as the Basic User Key is set and the Basic User password is set for Power-On. After the next reboot, HP ProtectTools Power-On Authentication Support is initialized and the Basic User password must be used to start the computer. Once Power-On Authentication Support is functioning, the option to enter the BIOS Setup is no longer seen. If the user enters the Setup password at the Power-On Authentication Support window, the user enters the BIOS.
If the Embedded Security Basic User password is already set, the password must be changed to establish password protection using Power-On Authentication.
Changing Power-On Authentication Support
Power-On Authentication Support uses the Embedded Security Basic User password. To change the password:
1. Enter F10 BIOS settings (you must have the Setup Password as described in the Setup steps above) and navigate to Security > Embedded Security Device > Reset authentication credential.
2. Press the arrow key to change the setting from Do not reset to Reset.
3. Navigate to Security Manager > Embedded Security > User Settings > Basic User Password > Change.
4. Enter the old password, then enter and confirm the new password.
5. Reboot into Power-On Authentication Support.
The password window requests that the user enter the old password first.
6. Enter the old password and then enter the new password. (Entering the wrong new password three times displays a new window stating that the password is invalid, and Power-On Authentication will revert to the original Embedded Security password (F1 = Boot). At this point the passwords are not synchronized, and the user must change the Embedded Security password again to resynchronize them.)
Changing User Accounts
Power-On Authentication only supports a single user at a time. The following steps can be used to change user accounts that control Power-On Authentication.
1. Navigate to F10 BIOS > Security > Embedded Security Device > Reset authentication credential.
2. Press the arrow key to move the cursor sideways, then press any key to continue.
3. Press F10 twice, then Enter to Save Changes and Exit.
4. Create, or log on to, the target Microsoft Windows user account.
5. Open Embedded Security and initialize a Basic User Key for the new Windows user account. If a Basic User Key already exists, change the Basic User password to take ownership of Power-On Authentication.
Power-On Authentication now accepts only the new user's Basic User password.
CAUTION Many products are available to the customer that protect data through software encryption, hardware encryption, and hardware. Most are managed using passwords. Failure to manage these tools and passwords can lead to data loss and hardware lockout up to and including replacement. Please review all appropriate help files before attempting to use these tools.
Setting the Computer Setup Administrator Password
To set the Computer Setup administrator password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration, and then select Security.
3. In the right pane, next to Setup Password, click Set.
4. Type and confirm the password in the Enter Password and Confirm Password boxes.
5. Click OK in the Passwords dialog box.
6. Click Apply, and then click OK in the ProtectTools window to save your changes.
Changing the Computer Setup Administrator Password
To change the Computer Setup administrator password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration, and then select Security.
3. In the right pane, next to Setup Password, click Change.
4. Type the current password in the Old Password box.
5. Set and confirm the new password in the Enter New Password and Verify New Password boxes.
6. Click OK in the Passwords dialog box.
7. Click Apply, and then click OK in the ProtectTools window to save your changes.