HP Slate 2 Getting Started Guide

HP ProtectTools
Getting Started
© Copyright 2011 Hewlett-Packard Development Company, L.P.
Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Intel is a trademark of Intel Corporation in the U.S. and other countries and is used under license. Microsoft, Windows, and Windows Vista are U.S. registered trademarks of Microsoft Corporation.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
First Edition: January 2011
Document Part Number: 638391-001
Table of contents
1 Introduction to security
HP ProtectTools features
HP ProtectTools security product description and common use examples
Credential Manager for HP ProtectTools
Drive Encryption for HP ProtectTools
File Sanitizer for HP ProtectTools
Device Access Manager for HP ProtectTools
Privacy Manager for HP ProtectTools
Computrace for HP ProtectTools (formerly LoJack Pro)
Embedded Security for HP ProtectTools (select models only)
Achieving key security objectives
Protecting against targeted theft
Restricting access to sensitive data
Preventing unauthorized access from internal or external locations
Creating strong password policies
Additional security elements
Assigning security roles
Managing HP ProtectTools passwords
Creating a secure password
Backing up and restoring HP ProtectTools credentials

2 Getting started with the Setup Wizard

3 HP ProtectTools Security Manager Administrative Console
Opening HP ProtectTools Administrative Console
Using Administrative Console
Configuring your system
Setting up authentication for your computer
Logon Policy
Session Policy
Settings
Managing users
Credentials
SpareKey
Fingerprints
Smart card
Face
Configuring your applications
General tab
Applications tab
Central Management

4 HP ProtectTools Security Manager
Opening Security Manager
Using the Security Manager dashboard
Security Applications Status
My Logons
Password Manager
For Web pages or programs where a logon has not yet been created
For Web pages or programs where a logon has already been created
Adding logons
Editing logons
Using the Logons menu
Organizing logons into categories
Managing your logons
Assessing your password strength
Password Manager icon settings
VeriSign Identity Protection (VIP)
Settings
Credential Manager
Changing your Windows password
Setting up your SpareKey
Enrolling your fingerprints
Setting up a smart card
Initializing the smart card
Registering the smart card
Configuring the smart card
Enrolling scenes for face logon
Advanced User Settings
Your personal ID card
Setting your preferences
Backing up and restoring your data

5 Drive Encryption for HP ProtectTools (select models only)
Opening Drive Encryption
General tasks
Activating Drive Encryption for standard hard drives
Activating Drive Encryption for self-encrypting drives
Deactivating Drive Encryption
Logging in after Drive Encryption is activated
Protect your data by encrypting your hard drive
Displaying encryption status
Advanced tasks
Managing Drive Encryption (administrator task)
Encrypting or decrypting individual drives (software encryption only)
Backup and recovery (administrator task)
Backing up encryption keys
Recovering encryption keys

6 Privacy Manager for HP ProtectTools (select models only)
Opening Privacy Manager
Setup procedures
Managing Privacy Manager Certificates
Requesting a Privacy Manager Certificate
Obtaining a preassigned Corporate Privacy Manager Certificate
Setting up a Privacy Manager Certificate
Importing a third-party certificate
Viewing Privacy Manager Certificate details
Renewing a Privacy Manager Certificate
Setting a default Privacy Manager Certificate
Deleting a Privacy Manager Certificate
Restoring a Privacy Manager Certificate
Revoking your Privacy Manager Certificate
Managing Trusted Contacts
Adding Trusted Contacts
Adding a Trusted Contact
Adding Trusted Contacts using Microsoft Outlook contacts
Viewing Trusted Contact details
Deleting a Trusted Contact
Checking revocation status for a Trusted Contact
General tasks
Using Privacy Manager in Microsoft Outlook
Configuring Privacy Manager for Microsoft Outlook
Signing and sending an e-mail message
Sealing and sending an e-mail message
Viewing a sealed e-mail message
Using Privacy Manager in a Microsoft Office 2007 document
Configuring Privacy Manager for Microsoft Office
Signing a Microsoft Office document
Adding a signature line when signing a Microsoft Word or Microsoft Excel document
Adding suggested signers to a Microsoft Word or Microsoft Excel document
Adding a suggested signer's signature line
Encrypting a Microsoft Office document
Removing encryption from a Microsoft Office document
Sending an encrypted Microsoft Office document
Viewing a signed Microsoft Office document
Viewing an encrypted Microsoft Office document
Advanced tasks
Migrating Privacy Manager Certificates and Trusted Contacts to a different computer
Backing up Privacy Manager Certificates and Trusted Contacts
Restoring Privacy Manager Certificates and Trusted Contacts
Central administration of Privacy Manager

7 File Sanitizer for HP ProtectTools
Shredding
Free space bleaching
Opening File Sanitizer
Setup procedures
Setting a shred schedule
Setting a free space bleaching schedule
Selecting or creating a shred profile
Selecting a predefined shred profile
Customizing a shred profile
Customizing a simple delete profile
General tasks
Using a key sequence to initiate shredding
Using the File Sanitizer icon
Manually shredding one asset
Manually shredding all selected items
Manually activating free space bleaching
Aborting a shred or free space bleaching operation
Viewing the log files

8 Device Access Manager for HP ProtectTools (select models only)
Opening Device Access Manager
Setup Procedures
Configuring device access
Simple Configuration
Starting the background service
Device Class Configuration
Denying access to a user or group
Allowing access for a user or a group
Allowing access to a class of devices for one user of a group
Allowing access to a specific device for one user of a group
Removing settings for a user or a group
Resetting the configuration
JITA Configuration
Creating a JITA for a user or group
Creating an extendable JITA for a user or group
Disabling a JITA for a user or group
Advanced Settings
Device Administrators group
eSATA Support
Unmanaged Device Classes

9 Theft recovery

10 Embedded Security for HP ProtectTools (select models only)
Setup procedures
Enabling the embedded security chip in Computer Setup
Initializing the embedded security chip
Setting up the basic user account
General tasks
Using the personal secure drive
Encrypting files and folders
Sending and receiving encrypted e-mail
Changing the Basic User Key password
Advanced tasks
Backing up and restoring
Creating a backup file
Restoring certification data from the backup file
Changing the owner password
Resetting a user password
Migrating keys with the Migration Wizard

11 Localized password exceptions
Windows IMEs not supported at the Preboot Security level or the HP Drive Encryption level
Password changes using keyboard layout that is also supported
Special key handling
What to do when a password is rejected

Glossary
Index

1 Introduction to security

HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.
Application / Features

HP ProtectTools Administrative Console (for administrators):
Requires Microsoft Windows administrator rights to access.
Provides access to modules that are configured by an administrator and not available to users.
Allows initial security setup and configures options or requirements for all users.

HP ProtectTools Security Manager (for users):
Allows users to configure options provided by an administrator.
Allows administrators to provide users limited control of some HP ProtectTools modules.

The software modules available for your computer may vary depending on your model.
HP ProtectTools software modules may be preinstalled, preloaded, or available for download from the HP Web site. For more information, visit http://www.hp.com.
NOTE: The instructions in this guide are written with the assumption that you have already installed the applicable HP ProtectTools software modules.

HP ProtectTools features

The following table details the key features of HP ProtectTools modules.
Module / Key features

HP ProtectTools Administrative Console (for administrators):
Set up and configure levels of security and security logon methods using the Security Manager Setup Wizard.
Configure options hidden from users.
Configure Device Access Manager configurations and user access.
Add and remove HP ProtectTools users and view user status using administrator tools.

HP ProtectTools Security Manager (for users):
Organize, set up, and change passwords.
Configure and change user credentials such as a Windows password, fingerprint, and smart card.
Configure and change File Sanitizer Shredding, Bleaching, and other settings.
View settings for Device Access Manager.
Configure Computrace for HP ProtectTools.
Configure preferences and Backup and Restore options.

Credential Manager for HP ProtectTools (Password Manager):
Save, organize, and protect your user names and passwords.
Set up the logon screens of Web sites and programs for quick and secure access.
Save Web site user names and passwords by entering them into Password Manager. The next time you visit this site, Password Manager fills in and submits the information automatically.
Create stronger passwords for enhanced account security. Password Manager fills in and submits the information automatically.

Drive Encryption for HP ProtectTools (select models only):
Provides complete, full-volume hard drive encryption.
Forces pre-boot authentication in order to decrypt and access the data.

File Sanitizer for HP ProtectTools:
Shreds digital assets (sensitive information including application files, historical or Web-related content, or other confidential data) on your computer and periodically bleaches deleted assets on the hard drive.

Device Access Manager for HP ProtectTools (select models only):
Allows IT managers to control access to devices based on user profiles.
Prevents unauthorized users from removing data using external storage media, and from introducing viruses into the system from external media.
Allows administrators to disable access to writable devices for specific individuals or groups of users.

Privacy Manager for HP ProtectTools (select models only):
Used to obtain Certificates of Authority, which verify the source, integrity, and security of communication when using Microsoft e-mail and Microsoft Office documents.

Computrace for HP ProtectTools (purchased separately):
Provides secure asset tracking.
Monitors user activity, as well as hardware and software changes.
Remains active even if the hard drive is reformatted or replaced.
Requires separate purchase of tracking and tracing subscriptions to activate.

Embedded Security for HP ProtectTools (select models only):
Uses a Trusted Platform Module (TPM) embedded security chip to protect against unauthorized access to user data and credentials stored on a computer.
Allows creation of a personal secure drive (PSD), which is useful in protecting user file and folder information.
Supports third-party applications (such as Microsoft Outlook and Internet Explorer) for protected digital certificate operations.

HP ProtectTools security product description and common use examples

Most of the HP ProtectTools security products have both user authentication (usually a password) and an administrative backup to gain access if passwords are lost, not available, or forgotten, or any time corporate security requires access.
NOTE: Some of the HP ProtectTools security products are designed to restrict access to data. Data should be encrypted when it is so important that the user would rather lose the information than have it compromised. It is recommended that all data be backed up in a secure location.

Credential Manager for HP ProtectTools

Credential Manager (part of Security Manager) stores user names and passwords, and can be used to:
Save login names and passwords for Internet access or e-mail.
Automatically log the user in to a Web site or e-mail.
Manage and organize authentications.
Select a Web or network asset and directly access the link.
View names and passwords when necessary.
Example 1: A purchasing agent for a large manufacturer makes most of her corporate transactions over the Internet. She also frequently visits several popular Web sites that require login information. She is keenly aware of security, so she does not use the same password on every account. The purchasing agent has decided to use Credential Manager to match Web links with different user names and passwords. When she goes to a Web site to log in, Credential Manager presents the credentials automatically. If she wants to view the user names and passwords, Credential Manager can be configured to reveal them.
Credential Manager can also be used to manage and organize the authentications. This tool will allow a user to select a Web or network asset and directly access the link. The user can also view the user names and passwords when necessary.
Example 2: A hard-working CPA has been promoted and will now manage the entire accounting department. The team must log in to a large number of client Web accounts, each of which uses different login information. This login information needs to be shared with other workers, so confidentiality is an issue. The CPA decides to organize all the Web links, company user names, and passwords within Credential Manager for HP ProtectTools. Once complete, the CPA deploys Credential Manager to the employees so they can work on the Web accounts and never know the login credentials that they are using.

Drive Encryption for HP ProtectTools

Drive Encryption is used to restrict access to the data on the entire computer hard drive or a secondary drive. Drive Encryption can also manage self-encrypting drives.
Example 1: A doctor wants to make sure only he can access any data on his computer hard drive. The doctor activates Drive Encryption, which requires pre-boot authentication before Windows login. Once set up, the hard drive cannot be accessed without a password before the operating system starts. The doctor could further enhance drive security by choosing to encrypt the data with the SED (self-encrypting drive) option.
Neither Embedded Security for HP ProtectTools nor Drive Encryption for HP ProtectTools allows access to the encrypted data when the drive is removed, because both are bound to the original motherboard.
Example 2: A hospital administrator wants to ensure only doctors and authorized personnel can access any data on their local computer without sharing their personal passwords. The IT department adds the administrator, doctors, and all authorized personnel as Drive Encryption users. Now only authorized personnel can boot the computer or domain using their personal user name and password.

File Sanitizer for HP ProtectTools

File Sanitizer for HP ProtectTools is used to permanently delete data, including Internet browser activity, temporary files, previously deleted data, or any other information. File Sanitizer can be configured to run either manually or automatically on a user-defined schedule.
Example 1: An attorney often deals with sensitive client information and wants to ensure that data in deleted files cannot be recovered. The attorney uses File Sanitizer to “shred” deleted files so that they are almost impossible to recover.
Normally when Windows deletes data, it does not actually erase the data from the hard drive. Instead, it marks the hard drive sectors as available for future use. Until the data is written over, it can be easily recovered using common tools available on the Internet. File Sanitizer overwrites the sectors with random data (multiple times when necessary), thereby making the deleted data unreadable and unrecoverable.
Example 2: A researcher wants to shred deleted data, temporary files, browser activity, and so on automatically when she logs off. She uses File Sanitizer to schedule “shredding” so she can select the common files or any custom files to be permanently removed automatically.

Device Access Manager for HP ProtectTools

Device Access Manager for HP ProtectTools can be used to block unauthorized access to USB flash drives where data could be copied. It can also restrict access to CD/DVD drives, control of USB devices, network connections, and so on. An administrator can also schedule when or how long drives can be accessed. An example would be a situation where outside vendors need access to company computers but should not be able to copy the data to a USB drive. Device Access Manager for HP ProtectTools allows an administrator to restrict and manage access to hardware.
Example 1: A manager of a medical supply company often works with personal medical records along with his company information. The employees need access to this data; however, it is extremely important that the data is not removed from the computer by a USB drive or any other external storage media. The network is secure, but the computers have CD burners and USB ports that could allow the data to be copied or stolen. The manager uses Device Access Manager to disable the USB ports and CD burners so they cannot be used. Even though the USB ports are blocked, mice and keyboards will continue to function.
Example 2: An insurance company does not want its employees to install or load personal software or data from home. Some employees need access to the USB port on all computers. The IT manager uses Device Access Manager to enable access for some employees while blocking external access for others.

Privacy Manager for HP ProtectTools

Privacy Manager for HP ProtectTools is used when Internet e-mail communications need to be secured. The user can create and send e-mail that can only be opened by an authenticated recipient. With Privacy Manager, the information cannot be compromised or intercepted by an imposter.
Example 1: A stock broker wants to make sure that his e-mails only go to specific clients and that no one can fake the e-mail account and intercept it. The stock broker signs himself and his clients up with Privacy Manager. Privacy Manager issues a Certificate of Authentication (CA) to each user. Using this tool, the stock broker and his clients must authenticate before the e-mail is exchanged.
Privacy Manager for HP ProtectTools makes it easy to send and receive e-mail where the recipient has been verified and authenticated. The mail service can also be encrypted. The encryption process is similar to the one used during general credit card purchases on the Internet.
Example 2: A CEO wants to ensure that only the members of the board of directors can view the information he sends through e-mail. The CEO uses the option to encrypt the e-mail sent and received from the directors. A Privacy Manager Certificate of Authentication allows the CEO and directors to have a copy of the encryption key so only they can decrypt the confidential e-mail.

Computrace for HP ProtectTools (formerly LoJack Pro)

Computrace for HP ProtectTools (purchased separately) is a service that can track the location of a stolen computer whenever the user accesses the Internet.
Example 1: A school principal instructed the IT department to keep track of all the computers at his school. After the inventory of the computers was made, the IT administrator registered all the computers with Computrace so they could be traced in case they were ever stolen. Recently, the school realized several computers were missing, so the IT administrator alerted the authorities and Computrace officials. The computers were located and were returned to the school by the authorities.
Computrace for HP ProtectTools can also help remotely manage and locate computers, as well as monitor computer usage and applications.
Example 2: A real estate company needs to manage and update computers all over the world. They use Computrace to monitor and update the computers without having to send an IT person to each computer.

Embedded Security for HP ProtectTools (select models only)

Embedded Security for HP ProtectTools provides the ability to create a personal secure drive. This capability allows the user to create a virtual drive partition on the PC that is completely hidden until accessed. Embedded Security could be used anywhere data needs to be secretly protected, while the rest of the data is not encrypted.
Example 1: A warehouse manager has a computer that multiple workers access intermittently throughout the day. The manager wants to encrypt and hide confidential warehouse data on the computer. He wants the data to be so secure that even if someone steals the hard drive, they cannot decrypt the data or read it. The warehouse manager decides to activate Embedded Security and moves the confidential data to the personal secure drive. The warehouse manager can enter a password and access the confidential data just like another hard drive. When he logs off or reboots, the personal secure drive cannot be seen or opened without the proper password. The workers never see the confidential data when they access the computer.
Embedded Security protects encryption keys within a hardware TPM (Trusted Platform Module) chip located on the motherboard. It is the only encryption tool that meets the minimum requirements to resist password attacks where someone would attempt to guess the decryption password. Embedded Security can also encrypt the entire drive and e-mail.
Example 2: A stock broker wants to transport extremely sensitive data to another computer using a portable drive. She wants to make sure that only these two computers can open the drive, even if the password is compromised. The stock broker uses Embedded Security TPM migration to allow a second computer to have the necessary encryption keys to decrypt the data. During the transport process, even with the password, only the two physical computers can decrypt the data.

Achieving key security objectives

The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives:

Protecting against targeted theft
Restricting access to sensitive data
Preventing unauthorized access from internal or external locations
Creating strong password policies

Protecting against targeted theft

An example of targeted theft would be the theft of a computer containing confidential data and customer information at an airport security checkpoint. The following features help protect against targeted theft:
The pre-boot authentication feature, if enabled, helps prevent access to the operating system. Refer to the following chapters:
    Security Manager for HP ProtectTools
    Embedded Security for HP ProtectTools
    Drive Encryption for HP ProtectTools
The Personal Secure Drive feature, provided by the Embedded Security for HP ProtectTools module, encrypts sensitive data to help ensure that it cannot be accessed without authentication. Refer to the following chapter:
    Embedded Security for HP ProtectTools
Computrace can track the computer's location after a theft. Refer to the following chapter:
    Computrace for HP ProtectTools

Restricting access to sensitive data

Suppose a contract auditor is working onsite and has been given computer access to review sensitive financial data; you do not want the auditor to be able to print the files or save them to a writable device such as a CD. The following feature helps restrict access to data:
Device Access Manager for HP ProtectTools allows IT managers to restrict access to writable devices so sensitive information cannot be printed or copied from the hard drive onto removable media.

Preventing unauthorized access from internal or external locations

Unauthorized access to an unsecured business computer presents a very real risk to corporate network resources such as information from financial services, an executive, or the R&D team, and to private information such as patient records or personal financial records. The following features help prevent unauthorized access:
The pre-boot authentication feature, if enabled, helps prevent access to the operating system. Refer to the following chapters:
    Password Manager for HP ProtectTools
    Embedded Security for HP ProtectTools
    Drive Encryption for HP ProtectTools
Password Manager helps ensure that an unauthorized user cannot get passwords or access to password-protected applications.
Device Access Manager for HP ProtectTools allows IT managers to restrict access to writable devices so sensitive information cannot be copied from the hard drive.
File Sanitizer allows secure deletion of data by shredding critical files and folders or bleaching deleted assets on the hard drive (writing over data that has been deleted but is still recoverable).
Privacy Manager allows you to obtain Certificates of Authority when using Microsoft e-mail or Microsoft Office documents, making the process of sending and saving important information safe and secure.

Creating strong password policies

If a company policy goes into effect that requires the use of a strong password policy for dozens of Web-based applications and databases, Security Manager provides a protected repository for passwords and Single Sign On convenience.

Additional security elements

Assigning security roles

In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.
NOTE: In a small organization or for individual use, these roles may all be held by the same person.
For HP ProtectTools, the security duties and privileges can be divided into the following roles:
Security officer—Defines the security level for the company or network and determines the security features to deploy, such as Drive Encryption or Embedded Security.
NOTE: Many of the features in HP ProtectTools can be customized by the security officer in cooperation with HP. For more information, see the HP Web site at http://www.hp.com.
IT administrator—Applies and manages the security features defined by the security officer. Can also enable and disable some features. For example, if the security officer has decided to deploy smart cards, the IT administrator can enable both password and smart card mode.
User—Uses the security features. For example, if the security officer and IT administrator have enabled smart cards for the system, the user can set the smart card PIN and use the card for authentication.
CAUTION: Administrators are encouraged to follow “best practices” in restricting end-user privileges and restricting user access. Unauthorized users should not be granted administrative privileges.

Managing HP ProtectTools passwords

Most of the HP ProtectTools Security Manager features are secured by passwords. The following table lists the commonly used passwords, the software module where the password is set, and the password function.
The passwords that are set and used by IT administrators only are indicated in this table as well. All other passwords may be set by regular users or administrators.
HP ProtectTools password | Set in the following module | Function
Windows Logon password | Windows® Control Panel or HP ProtectTools Security Manager | Can be used for manual logon and for authentication to access various Security Manager features.
Security Manager Backup and Recovery password | Security Manager, by individual user | Protects access to the Security Manager Backup and Recovery file.
Smart card PIN | Credential Manager | Can be used as multifactor authentication. Can be used as Windows authentication. Authenticates users of Drive Encryption, if the smart card token is selected.
Emergency Recovery Token password | Embedded Security, by IT administrator | Protects access to the Emergency Recovery Token, which is a backup file for the embedded security chip.
Owner password | Embedded Security, by IT administrator | Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.
BIOS Administrator password | Computer Setup, by IT administrator | Protects access to the Computer Setup utility.

Creating a secure password

When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:
Use passwords with more than 6 characters, preferably more than 8.
Mix the case of letters throughout your password.
Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
Substitute special characters or numbers for letters in a key word. For example, you can use the number 1 for letters I or L.
Combine words from 2 or more languages.
Split a word or phrase with numbers or special characters in the middle, for example, “Mary2-2Cat45.”
Do not use a password that would appear in a dictionary.
Do not use your name for the password, or any other personal information, such as your birth date, pet names, or mother's maiden name, even if you spell it backwards.
Change passwords regularly. You might change only a couple of characters that increment.
If you write down your password, do not store it in a commonly visible place very close to the computer.
Do not save the password in a file, such as an e-mail, on the computer.
Do not share accounts or tell anyone your password.
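
The checkable guidelines above (length, case mix, character mix, dictionary words, personal information spelled forwards or backwards) can be expressed as a small audit function. This is an added example, not part of HP ProtectTools; the function name, the sample wordlist and the personal-information tokens are constructed for illustration.

```python
import string

# Constructed sample wordlist for this example; a real check would load a full dictionary.
SAMPLE_DICTIONARY = frozenset({"password", "welcome", "dragon", "sunshine", "letmein"})


def check_password(password, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Check a candidate password against the guidelines listed above.

    Returns (failures, advisories): failures break a "do"/"do not" rule,
    advisories cover the "preferably" and "whenever possible" guidance.
    """
    failures, advisories = [], []
    lowered = password.lower()

    # "Use passwords with more than 6 characters, preferably more than 8."
    if len(password) <= 6:
        failures.append("length: use more than 6 characters")
    elif len(password) <= 8:
        advisories.append("length: more than 8 characters is preferred")

    # "Mix the case of letters throughout your password."
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        failures.append("case: mix upper- and lower-case letters")

    # "Whenever possible, mix alphanumeric characters and include special characters."
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_digit and has_special):
        advisories.append("characters: add digits and special characters where possible")

    # "Do not use a password that would appear in a dictionary."
    if lowered in dictionary:
        failures.append("dictionary: password appears in the wordlist")

    # "Do not use your name ... or any other personal information ...
    #  even if you spell it backwards."
    for item in personal_info:
        token = item.lower()
        if len(token) >= 3 and (token in lowered or token[::-1] in lowered):
            failures.append("personal: contains personal information (forwards or backwards)")
            break

    return failures, advisories


if __name__ == "__main__":
    # Constructed inputs: the guide's sample string, checked for a user
    # whose personal details are unknown and for a user named Mary.
    print(check_password("Mary2-2Cat45"))
    print(check_password("Mary2-2Cat45", personal_info=["Mary"]))
```

The same string can pass for one user and fail for another, because the personal-information rule depends on who owns the account.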
Backing up and restoring HP ProtectTools credentials
You can use the Backup and Restore feature of HP ProtectTools to select and back up HP ProtectTools credentials data and settings.

2 Getting started with the Setup Wizard

The Security Manager Setup Wizard guides you through enabling available security features that are applied to all users of this computer. You can also manage these features on the Security Features page of Administrative Console.
To set up security features through the Security Manager Setup Wizard:
1. Open HP ProtectTools Security Manager from the HP ProtectTools desktop gadget icon in Windows Sidebar or the taskbar icon in the notification area, at the far right of the taskbar.
    The banner color at the HP ProtectTools desktop gadget icon indicates one of the following conditions:
        Red—HP ProtectTools has not been set up, or an error condition exists with one of the ProtectTools modules.
        Yellow—Check the Applications Status page in Security Manager for settings changes that must be made.
        Blue—HP ProtectTools has been set up, and it is working properly.
    A message is displayed at the bottom of the gadget icon to indicate one of the following conditions:
        Set up now—The administrator must click the gadget icon to run the Security Manager Setup Wizard to configure authentication credentials for the computer. The Setup Wizard is an independent application.
        Enroll now—A user must click the gadget icon to run the Security Manager Getting Started Wizard to enroll authentication credentials. The Getting Started Wizard is displayed in the Security Manager dashboard.
        Check now—Click the gadget icon to display further details on the Security Applications Status page.
    NOTE: The HP ProtectTools desktop gadget icon is not available in Windows XP.
    – or –
    Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console. In the left pane, click Setup Wizard.
2. Read the Welcome screen, and then click Next.
3. Verify your identity by typing your Windows password, and then click Next.
    If you have not yet created a Windows password, you are prompted to create one. A Windows password is required in order to protect your Windows account from access by unauthorized persons, and in order to use HP ProtectTools Security Manager features.
4. On the SpareKey page, select three security questions, enter an answer for each question, and then click Next.
    You can select different questions or change your answers on the SpareKey page under Credential Manager in the Security Manager dashboard.
    NOTE: This SpareKey setup applies only to the administrative user.
5. Enable security features by selecting their check boxes, and then click Next.
    The more features that you select, the more secure your computer is.
    NOTE: These settings apply to all users. If any check boxes are not selected, the Setup Wizard will not prompt users to register those credentials.
        Windows Logon Security—Protects your Windows accounts by requiring the use of specific credentials for access.
        Drive Encryption—Protects your data by encrypting your hard drives, making the information unreadable by those without proper authorization.
        Pre-Boot Security—Protects your computer by prohibiting access by unauthorized persons prior to Windows startup.
    NOTE: Pre-Boot Security is not available if the BIOS does not support it.
6. The Setup Wizard prompts you to register, or “enroll”, credentials.
    If neither a fingerprint reader, a smart card, nor a webcam is available, you are prompted to enter your Windows password. After enrolling, you may then use any enrolled credentials to verify your identity whenever authentication is required.
    NOTE: Enrollment of these credentials applies only to the administrative user.
7. On the final page of the wizard, click Finish.
    The Security Manager dashboard Home page is displayed.

3 HP ProtectTools Security Manager Administrative Console

HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Administration of HP ProtectTools Security Manager is provided through the Administrative Console feature.
Additional applications are available (select models only) in the Security Manager dashboard to assist with recovery of the computer if it is lost or stolen.
Using the console, the local administrator can perform the following tasks:
Enabling or disabling security features
Specifying required credentials for authentication
Managing users of the computer
Adjusting device-specific parameters
Configuring installed Security Manager applications
Adding additional Security Manager applications

Opening HP ProtectTools Administrative Console

For administrative tasks, such as setting system policies or configuring software, open the console as follows:
Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
– or –
In the left panel of Security Manager, click Administration, and then click Administrative Console.

Using Administrative Console

HP ProtectTools Administrative Console is the central location for administering HP ProtectTools Security Manager features and applications.
To open HP ProtectTools Administrative Console, click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
– or –
In the left panel of Security Manager, click Administration, and then click Administrative Console.
The console is composed of the following components:
Home—Allows you to configure the following security options:
    Increase system security
    Require strong authentication
    Manage HP ProtectTools users
    See how you can centrally manage HP ProtectTools
System—Allows you to configure the following security features and authentication for users and devices:
    Security
    Users
    Credentials
Applications—Allows you to configure settings for HP ProtectTools Security Manager and for Security Manager applications.
Data—Provides an expanding menu of links to Security Manager applications that protect your data.
Central Management—Displays tabs for accessing additional solutions, product updates, and messages.
Setup Wizard—Guides you through setting up HP ProtectTools Security Manager.
About—Displays information about HP ProtectTools Security Manager, such as the version number and copyright notice.
Main area—Displays application-specific screens.
?—Displays the Administrative Console software Help. This icon is located at the top right of the window frame, next to the minimize and maximize icons.

Configuring your system

The System group is accessed from the menu panel on the left side of HP ProtectTools Administrative Console. You can use the applications in this group to manage the policies and settings for the computer, its users, and its devices.
The following applications are included in the System group:
Security—Manage features, authentication, and settings governing how users interact with this computer.
Users—Set up, manage, and register users of this computer.
Credentials—Manage settings for security devices built into or attached to the computer.

Setting up authentication for your computer

Within the Authentication application, you can set policies governing access to the computer. You can specify the credentials required to authenticate each class of user when logging on to Windows or logging on to Web sites and programs during a user session.
To set up authentication on your computer:
1. In the left panel of Administrative Console, click Security, and then click Authentication.
2. To configure logon authentication, click the Logon Policy tab, make changes, and then click Apply.
3. To configure session authentication, click the Session Policy tab, make changes, and then click Apply.

Logon Policy

To define policies governing the credentials required to authenticate a user when logging on to Windows:
1. In the left panel of Administrative Console, click Security, and then click Authentication.
2. On the Logon Policy tab, click the down arrow, and then select a category of user:
    For administrators of this computer
    For users who are not administrators
3. Specify the authentication credentials required for the selected category of user.
4. Choose whether ONE of the specified credentials is required, or if ALL of the specified credentials are required in order to authenticate a user.
5. Click Apply.

Session Policy

To define policies governing the credentials required to access HP ProtectTools applications during a Windows session:
1. In the left panel of Administrative Console, click Security, and then click Authentication.
2. On the Session Policy tab, click the down arrow, and then select a category of user:
    For administrators of this computer
    For users who are not administrators
3. Click the down arrow, and then select the authentication credentials required for the selected category of user:
    Require one of the specified credentials
    NOTE: Clearing the check boxes for all of the credentials has the same effect as selecting Do not require authentication.
    Require all of the specified credentials
    Do not require authentication—Selecting this option clears all credentials from the window.
4. Click Apply.

Settings

1. Select the check box to enable the following setting, or clear the check box to disable it:
    Allow One Step logon—Allows users of this computer to skip Windows logon if authentication was performed at the BIOS or encrypted disk level.
2. Click Apply.

Managing users

Within the Users application, you can monitor and manage this computer's HP ProtectTools users.
All HP ProtectTools users are listed and verified against the policies set through Security Manager, and whether or not they have registered the appropriate credentials enabling them to meet those policies.
To manage users, select from the following settings:
To add additional users, click Add.
To delete a user, click the user, and then click Delete.
To set up additional credentials for the user, click the user, and then click Enroll.
To view the policies for a specific user, select the user, and then view the policies in the lower window.

Credentials

Within the Credentials application, you can specify settings available for any built-in or attached security devices recognized by HP ProtectTools Security Manager.

SpareKey

You can configure whether or not to allow SpareKey authentication for Windows logon, and manage the security questions that will be presented to users during their SpareKey enrollment.
1. Select the check box to enable or clear it to disable the use of SpareKey authentication for Windows logon.
2. Select the security questions that will be presented to users during their SpareKey enrollment. You can specify up to three custom questions, or you can allow users to type their own passphrase.
3. Click Apply.

Fingerprints

If a fingerprint reader is installed or connected to the computer, the Fingerprints page displays the following tabs:
Enrollment—Choose the minimum and maximum number of fingerprints that a user is allowed to enroll.
    You can also clear all of the data from the fingerprint reader.
    CAUTION: Clearing all of the data from the fingerprint reader erases all fingerprint data for all users, including administrators. If the logon policy requires fingerprints only, all users may be prevented from logging on to the computer.
Sensitivity—Move the slider to adjust the sensitivity used by the fingerprint reader when it swipes your fingerprints.
    If your fingerprint is not recognized consistently, you may need to select a lower sensitivity setting. A higher setting increases the sensitivity to variations in fingerprint swipes and therefore decreases the possibility of a false acceptance. The Medium-High setting provides a good mix of security and convenience.
Advanced—Select one of the following options to configure the fingerprint reader to conserve power and to enhance visual feedback:
    Optimized—The fingerprint reader activates when needed. You may observe a slight delay when the reader is used for the first time.
    Conserve power—The fingerprint reader is slower to respond, but the setting requires less power.
    Full power—The fingerprint reader is always ready to be used, but this setting uses the most power.
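
The Logon Policy choice between ONE and ALL of the specified credentials, the per-user verification described under Managing users, and the CAUTION about clearing fingerprint data can be combined into a pre-change audit. This is an added example that models the policy logic; it is not HP ProtectTools code and does not read the product's data. The user names, credential labels and data layout are constructed assumptions.

```python
from dataclasses import dataclass

REQUIRE_ONE = "one"   # models "Require one of the specified credentials"
REQUIRE_ALL = "all"   # models "Require all of the specified credentials"


@dataclass(frozen=True)
class Policy:
    mode: str
    # An empty set models "Do not require authentication"
    # (the same effect as clearing every credential check box).
    credentials: frozenset = frozenset()


def meets_policy(enrolled, policy):
    """True if a user with these enrolled credentials can satisfy the policy."""
    enrolled = set(enrolled)
    if not policy.credentials:
        return True
    if policy.mode == REQUIRE_ALL:
        return policy.credentials <= enrolled
    return bool(policy.credentials & enrolled)


def cannot_log_on(users, policies):
    """Names of users whose enrolled credentials do not meet their category's policy."""
    blocked = []
    for name, (category, enrolled) in users.items():
        if not meets_policy(enrolled, policies[category]):
            blocked.append(name)
    return sorted(blocked)


def blocked_after_clearing(users, policies, credential):
    """Who could not log on if all data for one credential type were erased."""
    stripped = {
        name: (category, set(enrolled) - {credential})
        for name, (category, enrolled) in users.items()
    }
    return cannot_log_on(stripped, policies)


# Constructed sample data: user -> (policy category, enrolled credentials).
USERS = {
    "alice": ("admin", {"password", "fingerprint"}),
    "bob": ("user", {"fingerprint"}),
    "carol": ("user", {"password", "smartcard"}),
    "dave": ("user", {"fingerprint", "smartcard"}),
}

# Administrators need ALL of password + fingerprint; users need ONE of fingerprint / smart card.
MIXED_POLICY = {
    "admin": Policy(REQUIRE_ALL, frozenset({"password", "fingerprint"})),
    "user": Policy(REQUIRE_ONE, frozenset({"fingerprint", "smartcard"})),
}

# The case the CAUTION warns about: the logon policy requires fingerprints only.
FINGERPRINT_ONLY = {
    "admin": Policy(REQUIRE_ONE, frozenset({"fingerprint"})),
    "user": Policy(REQUIRE_ONE, frozenset({"fingerprint"})),
}

if __name__ == "__main__":
    print(blocked_after_clearing(USERS, MIXED_POLICY, "fingerprint"))
    print(blocked_after_clearing(USERS, FINGERPRINT_ONLY, "fingerprint"))
```

Under the mixed policy an administrator is among those blocked, because an ALL policy fails as soon as any one required credential is missing.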

Smart card

If a smart card reader is installed or connected to the computer, the Smart card page has two tabs:
NOTE: Features that are not supported by your smart card are not available.
Settings—Configure the computer to automatically lock when a smart card is removed.
    NOTE: The computer locks only if the smart card was used as an authentication credential when logging on to Windows. Removing a smart card that was not used to log on to Windows does not lock the computer.
Administration—Select from the following options:
    Initialize the smart card—Prepares a smart card for use with HP ProtectTools. If a smart card has been previously initialized outside of HP ProtectTools (contains an asymmetric key-pair and associated certificate), it does not need to be initialized again, unless initialization with a specific certificate is desired.
    Change smart card PIN—Enables you to change the PIN used with the smart card.
    Erase HP ProtectTools data only—Erases only the HP ProtectTools certificate created during initialization of the card. No other data is erased from the card.
    Erase all data on the smart card—Erases all data on the specified smart card. The card can no longer be used with HP ProtectTools or any other applications.
Click Apply.

Face

If a webcam is installed or connected to the computer, and if the Face Recognition program is installed, you can set the security level for Face Recognition to balance the ease of use and the difficulty of breaching the security of the computer.
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
2. Click Credentials, and then click Face.
3. For more convenience, click the slider to move it to the left, or for more accuracy, click the slider to move it to the right.
    Convenience—To make it easier for enrolled users to gain access in marginal situations, click the slider bar to move it to the Convenience position.
    Balance—To provide a good compromise between security and usability, or if you have sensitive information or your computer is located in an area where unauthorized logon attempts can occur, click the slider bar to move it to the Balance position.
    Accuracy—To make it more difficult for a user to gain access if enrolled scenes or current lighting conditions are below normal, and to make it less likely that a false acceptance can occur, click the slider bar to move it to the Accuracy position.
4. Click Advanced, and then configure additional security. For more information, refer to Advanced User Settings on page 37.
5. Click Apply.

Configuring your applications

You can use Settings to customize the behavior of currently installed HP ProtectTools Security Manager applications.
To edit your application settings:
1. In the left panel of Administrative Console, under Applications, click Settings.
2. Select the check box next to a specific setting to enable it, or clear the check box to disable the setting.
3. Click Apply.

General tab

The following settings are available on the General tab:
Do not automatically launch the Setup Wizard for administrators—Select this option to prevent the wizard from automatically opening upon logon.
Do not automatically launch the Getting Started Wizard for users—Select this option to prevent user setup from automatically opening upon logon.

Applications tab

The settings displayed here can change when new applications are added to Security Manager. The minimal settings shown by default are as follows:
Applications status—Enables the status to be displayed for all applications.
Password Manager—Enables Password Manager for all users of the computer.
Privacy Manager—Enables Privacy Manager for all users of the computer.
Enable the Central Management link—Allows all users of this computer to add applications to HP ProtectTools Security Manager by clicking Central Management.
To return all applications to their factory settings, click the Restore Defaults button.

Central Management

Additional applications may be available for adding new management tools to Security Manager. The administrator of this computer may disable this feature on the Settings page. The Central Management page has two tabs:
Business Solutions—If an internet connection is available, you can access the DigitalPersona Web site (http://www.digitalpersona.com/) to check for new applications.
Updates and Messages
    To request information about new applications and updates, select the check box for Keep me informed about new applications and updates.
    To set up a schedule for automatic updates, select the number of days.
    To check for updates, click Check Now.