HP ProtectTools Security Manager Guide HP Compaq Business Desktops...
No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Hewlett-Packard Company. HP ProtectTools Security Manager Guide HP Compaq Business Desktops First Edition (August 2006) Document Part Number: 431330-001...
About This Book
This guide provides instructions for configuring and using HP ProtectTools Security Manager.
WARNING! Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life.
CAUTION Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information.
Introduction
HP ProtectTools Security Manager
ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Enhanced security functionality is provided by the following modules:
● HP BIOS Configuration for ProtectTools
●...
Understanding Security Roles
In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.
NOTE In a small organization or for individual use, these roles may all be held by the same person.
Table 1-1 Password Management (continued)
next Embedded Security Basic User Key is initialized. The Embedded Security TPM chip protects the password for Power-On Authentication.
Java Card administrator password | Java Card Security, by IT administrator | Links the Java Card to the computer for identification purposes.
Table 1-1 Password Management (continued)
Windows logon password | Windows Control Panel | Can be used in manual logon or saved on the Java Card.
Backup scheduler password | Embedded Security, by IT administrator | Sets backup scheduler for embedded Security
NOTE A Windows user password is used to configure the backup scheduler for embedded security.
Multifactor Authentication Credential Manager Logon
Credential Manager Logon enables multifactor authentication technology to log on to the Windows operating system. This raises the security of the standard Windows password logon by requiring strong multifactor authentication. This also enhances the convenience of the everyday logon experience by eliminating the need to remember user passwords.
Advanced Tasks
Managing ProtectTools Settings
Some of the features of ProtectTools Security Manager can be managed in BIOS Configuration.
Enabling and Disabling Java Card Power-On Authentication Support
If this option is available, enabling it allows you to use the Java Card for user authentication when you turn on the computer.
Managing Computer Setup Passwords
You can use BIOS Configuration to set and change the power-on and setup passwords in Computer Setup, and also to manage various password settings.
CAUTION The passwords you set through the Passwords page in BIOS Configuration are saved immediately upon clicking the Apply or OK button in the ProtectTools window.
Click OK in the Passwords dialog box.
Click Apply, and then click OK in the ProtectTools window to save your changes.
System Setup
Initialize HP ProtectTools Embedded Security.
Initialize Basic User Key. HP Power-On Authentication Support starts as soon as the Basic User Key is set and the Basic User password is set for Power-On.
Create/logon to a targeted change Microsoft Windows user. Open Embedded Security and initialize a Basic User Key for the new Windows user account. If a Basic User Key already exists, change the Basic User password to take ownership of Power-On Authentication.
Dictionary Attack Behavior with Power-On Authentication
A dictionary attack is a method of breaking into a security system by systematically testing all possible passwords. A dictionary attack against Embedded Security could try to detect the Owner password, the Basic User password, or password-protected keys. Embedded Security offers an enhanced Dictionary Attack Defense.
HP BIOS Configuration for ProtectTools
Basic Concepts
BIOS Configuration for ProtectTools provides access to the Computer Setup Utility security and configuration settings. This gives users Windows access to system security features that are managed by Computer Setup. With BIOS Configuration, you can
●...
HP Embedded Security for ProtectTools
Basic Concepts
If available, Embedded Security for ProtectTools protects against unauthorized access to user data or credentials. This module provides the following security features:
● Enhanced Microsoft Encrypting File System (EFS) file and folder encryption
●...
Setup Procedures
CAUTION To reduce security risk, it is highly recommended that the IT administrator immediately initialize the TPM embedded security chip. If the TPM embedded security chip is not initialized, an unauthorized user or a computer worm could gain access to the computer or a virus could initialize the TPM embedded security chip and restrict access to the PC.
HP Credential Manager for ProtectTools
Basic Concepts
Credential Manager for ProtectTools has security features that provide a secure and convenient computing environment. These features include the following:
● Alternatives to passwords when logging on to Microsoft Windows, such as using a Java Card or biometric reader
●...
Logging On for the First Time
The first time you open Credential Manager, log on with your regular Windows Logon password. A Credential Manager account is then automatically created with your Windows logon credentials. After logging on to Credential Manager, you can register additional credentials, such as a fingerprint or a Java Card.
HP Java Card Security for ProtectTools
Basic Concepts
Java Card Security for ProtectTools manages the Java Card setup and configuration for computers equipped with an optional Java Card reader. With Java Card Security for ProtectTools, you can
● Access Java Card Security features
●...
Third-Party Solutions
Platforms containing a TPM require both a TCG Software Stack (TSS) and embedded security software. All models provide the TSS; embedded security software must be purchased separately for some models. For those models, an NTRU TSS is provided to support customer third-party purchase of embedded security software.
HP Client Manager for Remote Deployment
Background
HP Trustworthy platforms equipped with a Trusted Platform Module (TPM) ship with the TPM deactivated (default state). Enabling the TPM is an administrative option protected by HP BIOS-enforced policies. The administrator must be present to enter BIOS configuration options (F10 options) to enable the TPM.
Troubleshooting
Credential Manager for ProtectTools
Short description: Using Credential Manager Network Accounts option, a user can select which domain account to log into.
Details: Using TPM authentication, the user is only logged into the local computer.
Solution: Using Credential Manager Single Sign On tools allows user to authenticate other accounts.
Short description: Domain administrators cannot change Windows password even with
Details: This happens after a domain administrator logs on to a domain and registers the domain identity with
Solution: Credential Manager cannot change a domain user's account password through Change Windows password....
Click when Java Card/token is inserted. Select the Advise to log-on checkbox.
Short description: Users lose all Credential Manager credentials protected by the TPM, if
Details: If the TPM module is removed or damaged, users lose all credentials protected by the TPM....
Solution: This is as designed. The TPM Module is designed to protect the Credential
Short description Details Solution
ProtectTools, or HP Client Manager.
To enable the TPM embedded security chip:
Open Computer Setup by turning on or restarting the computer, and then pressing F10 while the F10 = ROM Based Setup message is displayed in the lower-left corner of the screen.
Use the arrow keys to select Security >...
Embedded Security for ProtectTools
Short description: Encrypting folders, sub folders, and files on PSD causes error message....
Details: If the user copies files and folders to the PSD and tries to encrypt folders/files or
Solution: This is as designed. Moving files/folders to the PSD automatically encrypts
Short description: encryption/decryption and scan times.
Details: user does not enter a password, the Basic User password prompt times out, allowing NAV2005 to continue with the scan....
Solution: To reduce the time required to encrypt/decrypt data using HP ProtectTools Embedded Security EFS, the user should disable Auto-Protect on Symantec
Short description: the system becomes active after Standby status
Details: Basic User password. If the user does not enter the password and the system goes into Standby, the password dialog box is no longer available when the user resumes....
Solution: The user has to log off and back on to view the PSD password box again.
until the Admin tool is closed. If user clicks No in that dialog box, then the Admin tool does not open at all and uninstall proceeds.
Short description: Intermittent system lockup occurs after creating PSD
Details: System may lock up with a black screen and non-responding keyboard and...
Solution: Root Cause suspicion is a timing issue in low memory
Short description Details Solution user if the system can automate the logon to Infineon TPM User Authentication. If user selects Yes, then the location of SPEmRecToken automatically appears in the text box. Even though this location is correct, the following error message is displayed: No Emergency Recovery Token is provided.
Short description: Resetting System ROM to default hides TPM.
Details: Resetting the system ROM to default hides the TPM to Windows. This does not allow the security software to operate
Solution: Unhide the TPM in BIOS: Open the Computer Setup (F10) Utility, navigate to Security >...
Miscellaneous
Software Impacted—Short description: HP ProtectTools Security Manager—Warning received: The security application can not be
Details: All security applications such as Embedded Security, Java Card, and biometrics are extendable plug-ins for the HP Security Manager interface....
Solution: HP ProtectTools Security Manager software must be installed before installing any security plug-in.
Software Impacted—Short description: an error is returned when closing the Security Manager interface....
Details: upper right of the screen to close Security Manager before all plug-in
Solution: Manager. Since PTHOST.exe is the shell housing the other applications (plug-ins), it depends on the ability of
Software Impacted—Short description Details Solution
changing the Owner password in Embedded Security Windows software.
Glossary
Advanced Encryption Standard (AES) A symmetric 128-bit block data encryption technique
Application Programming Interface (API) A series of internal operating system functions that applications can use to perform various tasks
Authentication Process of verifying whether a user is authorized to perform a task, for example, accessing a computer, modifying settings for a particular program, or viewing secured data.
Identity In the ProtectTools Credential Manager, a group of credentials and settings that is handled like an account or profile for a particular user.
Java Card Small piece of hardware, similar in size and shape to a credit card, which stores identifying information about the owner.
Trusted Platform Module (TPM) embedded security chip (some models only) Integrated security chip that can protect highly sensitive user information from malicious attackers. It is the root-of-trust in a given platform. The TPM provides cryptographic algorithms and operations that meet the Trusted Computing Group (TCG) specifications.