Logo is a trademark of its proprietor. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Additional security elements
Assigning security roles
Managing HP ProtectTools passwords
HP ProtectTools Backup and Restore
2 Credential Manager for HP ProtectTools
Setup procedures
Logging on to Credential Manager
Registering credentials ...
Resetting a user password
Enabling and disabling Embedded Security
Migrating keys with the Migration Wizard
4 Java Card Security for HP ProtectTools
General tasks
Changing a Java Card PIN
Selecting the card reader
Removing an account ...
Managing boot options
Enabling and disabling system configuration options
Advanced tasks
Managing HP ProtectTools add-on module settings
Managing Computer Setup passwords
6 Device Access Manager for HP ProtectTools
Starting background service
Simple configuration ...
Drive Encryption for HP ProtectTools The software modules available for your computer may vary depending on your model. For example, Embedded Security for HP ProtectTools is available only for computers on which the Trusted Platform Module (TPM) embedded security chip is installed.
HP ProtectTools features The following table details the key features of HP ProtectTools modules: Module Credential Manager for HP ProtectTools Embedded Security for HP ProtectTools Java Card Security for HP ProtectTools BIOS Configuration for HP ProtectTools Device Access Manager for HP ProtectTools...
Select Start > All Programs > HP ProtectTools Security Manager. NOTE: After you have configured the Credential Manager module, you can also open HP ProtectTools by logging on to Credential Manager directly from the Windows logon screen. For more information, refer to “Logging on to Windows with Credential Manager on page...
Achieving key security objectives The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives: ● Protecting against targeted theft ● Restricting access to sensitive data ● Preventing unauthorized access from internal or external locations ●...
Credential Manager ● “Using Single Sign On on page ● Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable devices so sensitive information cannot be copied from the hard drive. See configuration on page ●...
In a small organization or for individual use, these roles may all be held by the same person. For HP ProtectTools, the security duties and privileges can be divided into the following roles: ● Security officer—Defines the security level for the company or network and determines the security features to deploy, such as Java™...
Also known as BIOS administrator, Setup, or Security Setup password Power-on password Windows Logon password Set in this HP ProtectTools Function module turned on, restarted, or restored from hibernation. Embedded Security, by IT Protects access to the Emergency Recovery...
Do not share accounts or tell anyone your password. HP ProtectTools Backup and Restore HP ProtectTools Backup and Restore provides a convenient and quick way to back up and restore credentials from all supported HP ProtectTools modules. Backing up credentials and settings You can back up credentials in the following ways: ●...
Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click HP ProtectTools, and then click Backup and Restore. In the right pane, click Backup Options. The HP ProtectTools Backup Wizard opens. Follow the on-screen instructions to back up credentials.
Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click HP ProtectTools, and then click Backup and Restore. In the right pane, click Restore. The HP ProtectTools Restore Wizard opens. Follow the on-screen instructions. Configuring settings Select Start >...
Credential Manager for HP ProtectTools Credential Manager for HP ProtectTools protects against unauthorized access to your computer using the following security features: ● Alternatives to passwords when logging on to Windows, such as using a Java Card or biometric reader to log on to Windows. For additional information, refer to on page 13.”...
● From the Windows logon screen ● From the notification area, by double-clicking the HP ProtectTools Security Manager icon ● From the “Credential Manager” page of ProtectTools Security Manager, by clicking the Log On link in the upper-right corner of the window Follow the on-screen instructions to log on to Credential Manager.
Before you begin, you must be logged on to Windows with an administrator account, but not logged on to Credential Manager. Open HP ProtectTools Security Manager by double-clicking the HP ProtectTools Security Manager icon in the notification area. The HP ProtectTools Security Manager window opens.
15.” Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager. In the right pane, click Register Smart Card or Token. The Credential Manager Registration Wizard opens.
PIN to complete the authentication. To create a new virtual token: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager. In the right pane, click Virtual Token. The Credential Manager Registration Wizard opens.
Clearing an identity from the system NOTE: This does not affect your Windows user account. Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager. In the right pane, click Clear Identity for this Account.
Credential Manager settings on page To lock the computer: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager. In the right pane, click Lock Workstation. The Windows logon screen is displayed. You must use a Windows password or the Credential Manager Logon Wizard to unlock the computer.
Adding an account Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, click Windows Logon, and then click Add a Network Account. The Add Network Account Wizard opens.
Click Yes to complete the registration. Using manual (drag and drop) registration Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, click Single Sign On, and then click Register New Application. The SSO Application Wizard opens.
To export an application: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, under Single Sign On, click Manage Applications and Credentials.
User inactivity Restricting access to an application Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, under Application Protection, click Manage Protected Applications. The Application Protection Service dialog box opens.
Click OK. Changing restriction settings for a protected application Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, under Application Protection, click Manage Protected Applications. The Application Protection Service dialog box opens.
To specify how users or administrators log on: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Authentication and Credentials. In the right pane, click the Authentication tab.
“Authentication and Credentials” page, you can create custom requirements. To configure custom requirements: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Authentication and Credentials. In the right pane, click the Authentication tab.
To modify Credential Manager settings: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Settings. In the right pane, click the appropriate tab for the settings you want to modify.
Example 2—Using the “Advanced Settings” page to require user verification before Single Sign On Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Settings. In the right pane, click the Single Sign On tab.
The TPM embedded security chip enhances and enables other HP ProtectTools Security Manager security features. For example, Credential Manager for HP ProtectTools can use the embedded chip as an authentication factor when the user logs on to Windows. On select models, the TPM embedded security chip also enables enhanced BIOS security features accessed through BIOS Configuration for HP ProtectTools.
Enabling the embedded security chip The embedded security chip must be enabled in the Computer Setup utility. This procedure cannot be performed in BIOS Configuration for HP ProtectTools. To enable the embedded security chip: Open Computer Setup by turning on or restarting the computer, and then pressing “f10 = ROM Based Setup”...
Basic User Keys for all users. To initialize the embedded security chip: Right-click the HP ProtectTools Security Manager icon in the notification area, at the far right of the taskbar, and then select Embedded Security Initialization. The HP ProtectTools Embedded Security Initialization Wizard opens.
To set up a basic user account and enable the user security features: If the Embedded Security User Initialization Wizard is not open, select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Embedded Security, and then click User Settings.
General tasks After the basic user account is set up, you can perform the following tasks: ● Encrypting files and folders ● Sending and receiving encrypted e-mail Using the Personal Secure Drive After setting up the PSD, you are prompted to type the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.
Changing the Basic User Key password To change the Basic User Key password: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Embedded Security, and then click User Settings. In the right pane, under Basic User Key password, click Change.
Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Embedded Security, and then click Backup. In the right pane, click Backup. The HP Embedded Security for ProtectTools Backup Wizard opens. Follow the on-screen instructions.
Changing the owner password To change the owner password: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Embedded Security, and then click Advanced. In the right pane, under Owner Password, click Change. Type the old owner password, and then set and confirm the new owner password.
Migrating keys with the Migration Wizard Migration is an advanced administrator task that allows the management, restoration, and transfer of keys and certificates. For details on migration, refer to the Embedded Security online Help.
Java Card Security for HP ProtectTools Java Card Security for HP ProtectTools manages the Java Card setup and configuration for computers equipped with an optional card reader. With Java Card Security, you can accomplish the following tasks: ● Access Java Card Security features ●...
NOTE: The Java Card PIN must be between 4 and 8 numeric characters. Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Java Card Security, and then click General. Insert a Java Card (with an existing PIN) into the card reader.
NOTE: The Java Card PIN must be between 4 and 8 numeric characters. Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Java Card Security, and then click Advanced. Insert a new Java Card into the card reader.
You must assign a name to a Java Card before it can be used for power-on authentication. To assign a name to a Java Card: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Java Card Security, and then click Advanced.
When you are prompted to create a recovery file, click Cancel to create a recovery file at a later time or click OK and follow the on-screen instructions in the HP ProtectTools Backup Wizard to create a recovery file now.
Java Card. To create a user Java Card: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Java Card Security, and then click Advanced. Insert a Java Card that will be used as a user card.
BIOS Configuration for HP ProtectTools BIOS Configuration for HP ProtectTools provides access to the Computer Setup utility security and configuration settings. This gives users Windows access to system security features that are managed by Computer Setup. With BIOS Configuration, you can accomplish the following objectives: ●...
If you have enabled MultiBoot, select the boot order by selecting a boot device, and then clicking the up arrow or the down arrow to adjust its order in the list. Click Apply, and then click OK in the HP ProtectTools window.
at startup and entering Computer Setup.
Some of the items listed below may not be supported by your computer. To enable or disable devices or security options: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click BIOS Configuration. Type your Computer Setup administrator password at the BIOS administrator password prompt, and then click OK.
Embedded WWAN Device Radio ● Embedded Bluetooth® Device Radio ● LAN/WLAN Switching ● Wake on LAN from Off Click Apply, and then click OK in the HP ProtectTools window to save your changes and exit.
Advanced tasks Managing HP ProtectTools add-on module settings Some of the features of HP ProtectTools Security Manager can be managed in BIOS Configuration. Enabling and disabling smart card power-on authentication support Enabling this option allows you to use a smart card for user authentication when you turn on the computer.
NOTE: To fully enable the power-on authentication feature, you must also configure the TPM embedded security chip using the Embedded Security for HP ProtectTools module. To enable power-on authentication support for embedded security: Select Start > All Programs > HP ProtectTools Security Manager.
Setup, and also to manage various password settings. CAUTION: saved immediately upon clicking the Apply or OK button in the HP ProtectTools window. Be sure that you remember what password you have set, because you will not be able to undo a password setting without supplying the previous password.
Type and confirm the password in the Enter Password and Verify Password boxes. Click OK in the Passwords dialog box. Click Apply, and then click OK in the HP ProtectTools window. Changing the power-on password To change the power-on password: Select Start >...
Click OK in the Passwords dialog box. Click Apply, and then click OK in the HP ProtectTools window. Setting password options You can use BIOS Configuration for HP ProtectTools to set password options to enhance the security of your system. Enabling and disabling stringent security...
In the right pane, under Password Options, enable or disable Require password on restart. Click Apply, and then click OK in the HP ProtectTools window.
Device Access Manager for HP ProtectTools This security tool is available to administrators only. Device Access Manager for HP ProtectTools has the following security features that protect against unauthorized access to devices attached to your computer system: ● Device profiles that are created for each user to define device access ●...
For device profiles to be applied, the HP ProtectTools Device Locking/Auditing background service must be running. When you first attempt to apply device profiles, HP ProtectTools Security Manager opens a dialog box to ask if you would like to start the background service. Click Yes to start the background service and set it to start automatically whenever the system boots.
All serial and parallel ports for all non-administrators To deny access to a class of device for all non-administrators: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Device Access Manager, and then click Simple Configuration.
Adding a user or a group Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Device Access Manager, and then click Device Class Configuration. In the device list, click the device class that you want to configure.
To allow access to a specific device for one user but not the group: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Device Access Manager, and then click Device Class Configuration.
Drive Encryption for HP ProtectTools CAUTION: encrypted drives. If you do not, you will not be able to access the data on encrypted drives unless you have registered with the Drive Encryption recovery service (see Reinstalling the Drive Encryption module will not enable you to access the encrypted drives.
Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Drive Encryption, and then click Encryption Management. In the right pane, click Activate. The Drive Encryption for HP ProtectTools Wizard opens. Follow the on-screen instructions to activate encryption.
User management Add a user Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Drive Encryption, and then click User Management. In the right pane, click Add. Click a user name in the User Name list or type a user name in the Username box.
In the right pane, click Click here to backup your keys. Select a diskette, flash storage device, or some other USB-connected storage media on which to save the recovery information, and then click Next. The Drive Encryption for HP ProtectTools Wizard opens.
Single Sign On, which is available in the Credential Manager online Help files. If a specific Single Sign On cannot be disabled for a given application, call HP technical support and request 3rd-level support through your HP Service contact. The browse option was removed because it allowed non-users to delete and rename files and take control of Windows.
PC, Credential Manager can only change the password used to log on. HP is researching a workaround for future product enhancements.
Manager has the virtual token registered, the user must reregister the token to restore the association. Solution HP is investigating resolution options for future customer software releases. This is currently by design. When uninstalling Credential Manager without keeping identities, the system (server) part of the token is...
Microsoft EFS is supported only on NTFS and does not function on FAT32. This is a feature of Microsoft EFS and is not related to HP ProtectTools software. This is as designed. Users have access rights to an emergency archive so that they can save/update their Basic User Key backup copy.
This is as designed. The Computer Setup (f10) Utility password can only be removed by a user who knows the password. However, HP strongly recommends having the Computer Setup (f10) Utility password protected at all times. This is by design.
This is by design—to avoid issues with Microsoft EFS, a 30-second watchdog timer was created to generate the error message. HP will correct this in a future release. The ability to encrypt does not require password authentication, since this is a feature of the Microsoft EFS encryption.
Usage of secure e-mail is set and controlled by 3rd-party applications. The HP wizard allows linkage to the three reference applications for immediate customization. HP is working to resolve the XML-file-overwrite issue and will provide a solution in a future SoftPaq.
The processes are working as designed and function properly; however, the internal Embedded Security error message is not clear and should state a more appropriate message. HP is working to enhance this in future products. The non-selected users can be restored by resetting the TPM, running the restore process, and selecting all users before the next default daily backup runs.
\SYSTEM to (computer name)\(admin name). This is the default setting if the Scheduled Task is created manually. HP is working to provide future product releases with default settings that include computer name\admin name. HP will address this issue in future releases.
If a user is a member of both those groups (e.g., Administrator), which takes precedence? Solution Verify that the HP ProtectTools Device Locking service has started. As an administrative user, browse to Control Panel > Administrative Tools > Services. In the Services window, search for the HP ProtectTools Device Locking/Auditing service.
2.0.0.9 (or greater) If the FW version does not match 2.18, download and update the TPM firmware. The TPM Firmware SoftPaq is a support download available on the HP Web site at http://www.hp.com. This is related to a timing dependency on plug-in...
Embedded Security Device, which hides the other Embedded Security options (including Power-on authentication support). However, after reenabling Embedded Security Device, Power-on authentication support remains enabled. HP is working on a resolution, which will be provided in future Web-based ROM SoftPaq offerings.
Software Impacted— Short description Security Power-On Authentication overlaps the BIOS Password during boot sequence. The BIOS asks for both the old and new passwords through Computer Setup after the Owner password is changed. Details Power-On Authentication prompts the user to log on to the system using the TPM password, but, if the user presses f10 to access the BIOS, the user is granted Read rights access only.
Glossary Authentication Process of verifying whether a user is authorized to perform a task, for example, accessing a computer, modifying settings for a particular program, or viewing secured data. Automatic DriveLock Security feature that causes the DriveLock passwords to be generated and protected by the TPM Embedded Security chip.
Identity In the HP ProtectTools Credential Manager, a group of credentials and settings that is handled like an account or profile for a particular user. Java Card Small piece of hardware, similar in size and shape to a credit card, which stores identifying information about the owner.