ProtectTools
User Guide

   Summary of Contents for HP Compaq 2210b

  • Page 1

    ProtectTools User Guide...

  • Page 2

    Logo is a trademark of its proprietor. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

  • Page 3: Table Of Contents

    Additional security elements ... 6 Assigning security roles ... 6 Managing HP ProtectTools passwords ... 6 HP ProtectTools Backup and Restore ... 8 2 Credential Manager for HP ProtectTools Setup procedures ... 12 Logging on to Credential Manager ... 12 Registering credentials ...

  • Page 4: Table Of Contents

    Resetting a user password ... 34 Enabling and disabling Embedded Security ... 34 Migrating keys with the Migration Wizard ... 35 4 Java Card Security for HP ProtectTools General tasks ... 38 Changing a Java Card PIN ... 38 Selecting the card reader ... 38 Removing an account ...

  • Page 5: Table Of Contents

    Managing boot options ... 44 Enabling and disabling system configuration options ... 45 Advanced tasks ... 47 Managing HP ProtectTools add-on module settings ... 47 Managing Computer Setup passwords ... 49 6 Device Access Manager for HP ProtectTools Starting background service ... 54 Simple configuration ...

  • Page 6

    Glossary ... 77 Index ... 79 ENWW...

  • Page 7

    Drive Encryption for HP ProtectTools The software modules available for your computer may vary depending on your model. For example, Embedded Security for HP ProtectTools is available only for computers on which the Trusted Platform Module (TPM) embedded security chip is installed.

  • Page 8: Hp Protecttools Features

    HP ProtectTools features The following table details the key features of HP ProtectTools modules: Module Credential Manager for HP ProtectTools Embedded Security for HP ProtectTools Java Card Security for HP ProtectTools BIOS Configuration for HP ProtectTools Device Access Manager for HP ProtectTools...

  • Page 9: Accessing Hp Protecttools Security

    Select Start > All Programs > HP ProtectTools Security Manager. ▲ NOTE: After you have configured the Credential Manager module, you can also open HP ProtectTools by logging on to Credential Manager directly from the Windows logon screen. For more information, refer to “Logging on to Windows with Credential Manager on page...

  • Page 10: Achieving Key Security Objectives, Protecting Against Targeted Theft, Restricting Access To Sensitive Data

    Achieving key security objectives The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives: ● Protecting against targeted theft ● Restricting access to sensitive data ● Preventing unauthorized access from internal or external locations ●...

  • Page 11: Preventing Unauthorized Access From Internal Or External Locations, Creating Strong Password Policies

    Credential Manager ● “Using Single Sign On on page ● Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable devices so sensitive information cannot be copied from the hard drive. See configuration on page ●...

  • Page 12: Additional Security Elements, Assigning Security Roles, Managing Hp Protecttools Passwords

    In a small organization or for individual use, these roles may all be held by the same person. For HP ProtectTools, the security duties and privileges can be divided into the following roles: ● Security officer—Defines the security level for the company or network and determines the security features to deploy, such as Java™...

  • Page 13

    Also known as BIOS administrator, Setup, or Security Setup password Power-on password Windows Logon password Set in this HP ProtectTools Function module turned on, restarted, or restored from hibernation. Embedded Security, by IT Protects access to the Emergency Recovery...

  • Page 14: Creating A Secure Password, Hp Protecttools Backup And Restore, Backing Up Credentials And Settings

    Do not share accounts or tell anyone your password. HP ProtectTools Backup and Restore HP ProtectTools Backup and Restore provides a convenient and quick way to back up and restore credentials from all supported HP ProtectTools modules. Backing up credentials and settings You can back up credentials in the following ways: ●...

  • Page 15

    Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click HP ProtectTools, and then click Backup and Restore. In the right pane, click Backup Options. The HP ProtectTools Backup Wizard opens. Follow the on-screen instructions to back up credentials.

  • Page 16: Restoring Credentials, Configuring Settings

    Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click HP ProtectTools, and then click Backup and Restore. In the right pane, click Restore. The HP ProtectTools Restore Wizard opens. Follow the on-screen instructions. Configuring settings Select Start >...

  • Page 17

    Credential Manager for HP ProtectTools Credential Manager for HP ProtectTools protects against unauthorized access to your computer using the following security features: ● Alternatives to passwords when logging on to Windows, such as using a Java Card or biometric reader to log on to Windows. For additional information, refer to on page 13.”...

  • Page 18: Setup Procedures, Logging On To Credential Manager, Using The Credential Manager Logon Wizard

    ● From the Windows logon screen ● From the notification area, by double-clicking the HP ProtectTools Security Manager icon ● From the “Credential Manager” page of ProtectTools Security Manager, by clicking the Log On link in the upper-right corner of the window Follow the on-screen instructions to log on to Credential Manager.

  • Page 19: Logging On For The First Time, Registering Credentials, Registering Fingerprints

    Before you begin, you must be logged on to Windows with an administrator account, but not logged on to Credential Manager. Open HP ProtectTools Security Manager by double-clicking the HP ProtectTools Security Manager icon in the notification area. The HP ProtectTools Security Manager window opens.

  • Page 20: Setting Up The Fingerprint Reader, Using Your Registered Fingerprint To Log On To Windows

    15.” Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager. In the right pane, click Register Smart Card or Token. The Credential Manager Registration Wizard opens.

  • Page 21: General Tasks, Creating A Virtual Token, Changing The Windows Logon Password, Changing A Token Pin

    PIN to complete the authentication. To create a new virtual token: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager. In the right pane, click Virtual Token. The Credential Manager Registration Wizard opens.

  • Page 22: Managing Identity, Clearing An Identity From The System

    Clearing an identity from the system NOTE: This does not affect your Windows user account. Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager. In the right pane, click Clear Identity for this Account.

  • Page 23: Locking The Computer, Using Windows Logon, Logging On To Windows With Credential Manager

    Credential Manager settings on page To lock the computer: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager. In the right pane, click Lock Workstation. The Windows logon screen is displayed. You must use a Windows password or the Credential Manager Logon Wizard to unlock the computer.

  • Page 24: Adding An Account, Removing An Account, Using Single Sign On, Registering A New Application

    Adding an account Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, click Windows Logon, and then click Add a Network Account. The Add Network Account Wizard opens.

  • Page 25: Managing Applications And Credentials, Using Manual (drag And Drop) Registration, Modifying Application Properties

    Click Yes to complete the registration. Using manual (drag and drop) registration Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, click Single Sign On, and then click Register New Application. The SSO Application Wizard opens.

  • Page 26: Exporting An Application, Importing An Application, Modifying Credentials

    To export an application: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, under Single Sign On, click Manage Applications and Credentials.

  • Page 27: Using Application Protection, Restricting Access To An Application, Removing Protection From An Application

    User inactivity Restricting access to an application Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, under Application Protection, click Manage Protected Applications. The Application Protection Service dialog box opens.

  • Page 28: Changing Restriction Settings For A Protected Application

    Click OK. Changing restriction settings for a protected application Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Services and Applications. In the right pane, under Application Protection, click Manage Protected Applications. The Application Protection Service dialog box opens.

  • Page 29: Advanced Tasks (administrator Only), Specifying How Users And Administrators Log On

    To specify how users or administrators log on: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Authentication and Credentials. In the right pane, click the Authentication tab.

  • Page 30: Configuring Custom Authentication Requirements, Configuring Credential Properties

    “Authentication and Credentials” page, you can create custom requirements. To configure custom requirements: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Authentication and Credentials. In the right pane, click the Authentication tab.

  • Page 31: Configuring Credential Manager Settings

    To modify Credential Manager settings: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Settings. In the right pane, click the appropriate tab for the settings you want to modify.

  • Page 32: Example 2—using The "advanced Settings" Page To Require User Verification Before Single Sign On

    Example 2—Using the “Advanced Settings” page to require user verification before Single Sign On Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Credential Manager, and then click Settings. In the right pane, click the Single Sign On tab.

  • Page 33

    The TPM embedded security chip enhances and enables other HP ProtectTools Security Manager security features. For example, Credential Manager for HP ProtectTools can use the embedded chip as an authentication factor when the user logs on to Windows. On select models, the TPM embedded security chip also enables enhanced BIOS security features accessed through BIOS Configuration for HP ProtectTools.

  • Page 34: Enabling The Embedded Security Chip, Setup Procedures

    Enabling the embedded security chip The embedded security chip must be enabled in the Computer Setup utility. This procedure cannot be performed in BIOS Configuration for HP ProtectTools. To enable the embedded security chip: Open Computer Setup by turning on or restarting the computer, and then pressing “f10 = ROM Based Setup”...

  • Page 35: Initializing The Embedded Security Chip

    Basic User Keys for all users. To initialize the embedded security chip: Right-click the HP ProtectTools Security Manager icon in the notification area, at the far right of the taskbar, and then select Embedded Security Initialization. The HP ProtectTools Embedded Security Initialization Wizard opens.

  • Page 36: Setting Up The Basic User Account

    To set up a basic user account and enable the user security features: If the Embedded Security User Initialization Wizard is not open, select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Embedded Security, and then click User Settings.

  • Page 37: Using The Personal Secure Drive, General Tasks, Encrypting Files And Folders

    General tasks After the basic user account is set up, you can perform the following tasks: ● Encrypting files and folders ● Sending and receiving encrypted e-mail Using the Personal Secure Drive After setting up the PSD, you are prompted to type the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.

  • Page 38: Changing The Basic User Key Password

    Changing the Basic User Key password To change the Basic User Key password: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Embedded Security, and then click User Settings. In the right pane, under Basic User Key password, click Change.

  • Page 39: Advanced Tasks, Backing Up And Restoring, Creating A Backup File

    Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Embedded Security, and then click Backup. In the right pane, click Backup. The HP Embedded Security for ProtectTools Backup Wizard opens. Follow the on-screen instructions.

  • Page 40: Changing The Owner Password, Resetting A User Password, Enabling And Disabling Embedded Security

    Changing the owner password To change the owner password: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Embedded Security, and then click Advanced. In the right pane, under Owner Password, click Change. Type the old owner password, and then set and confirm the new owner password.

  • Page 41: Migrating Keys With The Migration Wizard

    Migrating keys with the Migration Wizard Migration is an advanced administrator task that allows the management, restoration, and transfer of keys and certificates. For details on migration, refer to the Embedded Security online Help.

  • Page 42

    Chapter 3 Embedded Security for HP ProtectTools

  • Page 43

    Java Card Security for HP ProtectTools Java Card Security for HP ProtectTools manages the Java Card setup and configuration for computers equipped with an optional card reader. With Java Card Security, you can accomplish the following tasks: ● Access Java Card Security features ●...

  • Page 44: Changing A Java Card Pin, General Tasks, Selecting The Card Reader

    NOTE: The Java Card PIN must be between 4 and 8 numeric characters. Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Java Card Security, and then click General. Insert a Java Card (with an existing PIN) into the card reader.

  • Page 45: Advanced Tasks (administrators Only), Assigning A Java Card Pin

    NOTE: The Java Card PIN must be between 4 and 8 numeric characters. Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Java Card Security, and then click Advanced. Insert a new Java Card into the card reader.

  • Page 46: Assigning A Name To A Java Card, Setting Power-on Authentication

    You must assign a name to a Java Card before it can be used for power-on authentication. To assign a name to a Java Card: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Java Card Security, and then click Advanced.

  • Page 47: Enabling Java Card Power-on Authentication And Creating An Administrator Java Card

    When you are prompted to create a recovery file, click Cancel to create a recovery file at a later time or click OK and follow the on-screen instructions in the HP ProtectTools Backup Wizard to create a recovery file now.

  • Page 48: Creating A User Java Card, Disabling Java Card Power-on Authentication

    Java Card. To create a user Java Card: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Java Card Security, and then click Advanced. Insert a Java Card that will be used as a user card.

  • Page 49

    BIOS Configuration for HP ProtectTools BIOS Configuration for HP ProtectTools provides access to the Computer Setup utility security and configuration settings. This gives users Windows access to system security features that are managed by Computer Setup. With BIOS Configuration, you can accomplish the following objectives: ●...

  • Page 50: Managing Boot Options

    If you have enabled MultiBoot, select the boot order by selecting a boot device, and then clicking the up arrow or the down arrow to adjust its order in the list. Click Apply, and then click OK in the HP ProtectTools window. at startup and entering Computer Setup.

  • Page 51: Enabling And Disabling System Configuration Options

    Some of the items listed below may not be supported by your computer. To enable or disable devices or security options: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click BIOS Configuration. Type your Computer Setup administrator password at the BIOS administrator password prompt, and then click OK.

  • Page 52

    Embedded WWAN Device Radio ● Embedded Bluetooth® Device Radio ● LAN/WLAN Switching ● Wake on LAN from Off Click Apply, and then click OK in the HP ProtectTools window to save your changes and exit.

  • Page 53: Managing Hp Protecttools Add-on Module Settings, Advanced Tasks

    Advanced tasks Managing HP ProtectTools add-on module settings Some of the features of HP ProtectTools Security Manager can be managed in BIOS Configuration. Enabling and disabling smart card power-on authentication support Enabling this option allows you to use a smart card for user authentication when you turn on the computer.

  • Page 54: Enabling And Disabling Power-on Authentication Support For Embedded Security

    NOTE: To fully enable the power-on authentication feature, you must also configure the TPM embedded security chip using the Embedded Security for HP ProtectTools module. To enable power-on authentication support for embedded security: Select Start > All Programs > HP ProtectTools Security Manager.

  • Page 55: Managing Computer Setup Passwords, Enabling And Disabling Automatic Drivelock Hard Drive Protection

    Setup, and also to manage various password settings. CAUTION: saved immediately upon clicking the Apply or OK button in the HP ProtectTools window. Be sure that you remember what password you have set, because you will not be able to undo a password setting without supplying the previous password.

  • Page 56: Setting The Power-on Password, Changing The Power-on Password, Setting The Setup Password

    Type and confirm the password in the Enter Password and Verify Password boxes. Click OK in the Passwords dialog box. Click Apply, and then click OK in the HP ProtectTools window. Changing the power-on password To change the power-on password: Select Start >...

  • Page 57: Changing The Setup Password, Setting Password Options, Enabling And Disabling Stringent Security

    Click OK in the Passwords dialog box. Click Apply, and then click OK in the HP ProtectTools window. Setting password options You can use BIOS Configuration for HP ProtectTools to set password options to enhance the security of your system. Enabling and disabling stringent security...

  • Page 58

    In the right pane, under Password Options, enable or disable Require password on restart. Click Apply, and then click OK in the HP ProtectTools window.

  • Page 59

    Device Access Manager for HP ProtectTools This security tool is available to administrators only. Device Access Manager for HP ProtectTools has the following security features that protect against unauthorized access to devices attached to your computer system: ● Device profiles that are created for each user to define device access ●...

  • Page 60: Starting Background Service

    For device profiles to be applied, the HP ProtectTools Device Locking/Auditing background service must be running. When you first attempt to apply device profiles, HP ProtectTools Security Manager opens a dialog box to ask if you would like to start the background service. Click Yes to start the background service and set it to start automatically whenever the system boots.

  • Page 61: Simple Configuration

    All serial and parallel ports for all non-administrators To deny access to a class of device for all non-administrators: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Device Access Manager, and then click Simple Configuration.

  • Page 62: Device Class Configuration (advanced), Adding A User Or A Group

    Adding a user or a group Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Device Access Manager, and then click Device Class Configuration. In the device list, click the device class that you want to configure.

  • Page 63: Allowing Access To A Specific Device For One User Of A Group

    To allow access to a specific device for one user but not the group: Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Device Access Manager, and then click Device Class Configuration.

  • Page 64

    Chapter 6 Device Access Manager for HP ProtectTools

  • Page 65: Drive Encryption For Hp Protecttools

    Drive Encryption for HP ProtectTools CAUTION: encrypted drives. If you do not, you will not be able to access the data on encrypted drives unless you have registered with the Drive Encryption recovery service (see Reinstalling the Drive Encryption module will not enable you to access the encrypted drives.

  • Page 66

    Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Drive Encryption, and then click Encryption Management. In the right pane, click Activate. The Drive Encryption for HP ProtectTools Wizard opens. Follow the on-screen instructions to activate encryption.

  • Page 67: User Management

    User management Add a user Select Start > All Programs > HP ProtectTools Security Manager. In the left pane, click Drive Encryption, and then click User Management. In the right pane, click Add. Click a user name in the User Name list or type a user name in the Username box.

  • Page 68: Recovery

    In the right pane, click Click here to backup your keys. Select a diskette, flash storage device, or some other USB-connected storage media on which to save the recovery information, and then click Next. The Drive Encryption for HP ProtectTools Wizard opens.

  • Page 69: Credential Manager For Hp Protecttools

    Single Sign On, which is available in the Credential Manager online Help files. If a specific Single Sign On cannot be disabled for a given application, call HP technical support and request 3rd-level support through your HP Service contact. The browse option was removed because it allowed non-users to delete and rename files and take control of Windows.

  • Page 70: Chapter 8 Troubleshooting

    PC, Credential Manager can only change the password used to log on. HP is researching a workaround for future product enhancements. HP is researching a workaround for future product enhancements.

  • Page 71

    Manager has the virtual token registered, the user must reregister the token to restore the association. Solution HP is investigating resolution options for future customer software releases. This is currently by design. When uninstalling Credential Manager without keeping identities, the system (server) part of the token is...

  • Page 72: Embedded Security For Hp Protecttools

    Microsoft EFS is supported only on NTFS and does not function on FAT32. This is a feature of Microsoft EFS and is not related to HP ProtectTools software. This is as designed. Users have access rights to an emergency archive so that they can save/update their Basic User Key backup copy.

  • Page 73

    This is as designed. The Computer Setup (f10) Utility password can only be removed by a user who knows the password. However, HP strongly recommends having the Computer Setup (f10) Utility password protected at all times. This is by design.

  • Page 74

    This is by design—to avoid issues with Microsoft EFS, a 30-second watchdog timer was created to generate the error message). HP will correct this in a future release. The ability to encrypt does not require password authentication, since this is a feature of the Microsoft EFS encryption.

  • Page 75

    Usage of secure e-mail is set and controlled by 3rd-party applications. The HP wizard allows linkage to the three reference applications for immediate customization. HP is working to resolve the XML-file-overwrite issue and will provide a solution in a future SoftPaq.

  • Page 76

    The processes are working as designed and function properly; however, the internal Embedded Security error message is not clear and should state a more appropriate message. HP is working to enhance this in future products. The non-selected users can be restored by resetting the TPM, running the restore process, and selecting all users before the next default daily backup runs.

  • Page 77

    \SYSTEM to (computer name)\(admin name). This is the default setting if the Scheduled Task is created manually. HP is working to provide future product releases with default settings that include computer name\admin name. HP will address this issue in future releases.

  • Page 78: Device Access Manager For Hp Protecttools

    If a user is a member of both those groups (e.g., Administrator), which takes precedence? Solution Verify that the HP ProtectTools Device Locking service has started. As an administrative user, browse to Control Panel > Administrative Tools > Services. In the Services window, search for the HP ProtectTools Device Locking/Auditing service.

  • Page 79: Miscellaneous

    2.0.0.9 (or greater) If the FW version does not match 2.18, download and update the TPM firmware. The TPM Firmware SoftPaq is a support download available on the HP Web site at http://www.hp.com. This is related to a timing dependency on plug-in...

  • Page 80

    Embedded Security Device, which hides the other Embedded Security options (including Power-on authentication support). However, after reenabling Embedded Security Device, Power-on authentication support remains enabled. HP is working on a resolution, which will be provided in future Web-based ROM SoftPaq offerings.

  • Page 81

    Software Impacted— Short description Security Power-On Authentication overlaps the BIOS Password during boot sequence. The BIOS asks for both the old and new passwords through Computer Setup after the Owner password is changed. Details Power-On Authentication prompts the user to log on to the system using the TPM password, but, if the user presses f10 to access the BIOS, the user is granted Read rights access only.

  • Page 82

    Chapter 8 Troubleshooting

  • Page 83

    Glossary Authentication Process of verifying whether a user is authorized to perform a task, for example, accessing a computer, modifying settings for a particular program, or viewing secured data. Automatic DriveLock Security feature that causes the DriveLock passwords to be generated and protected by the TPM Embedded Security chip.

  • Page 84

    Identity In the HP ProtectTools Credential Manager, a group of credentials and settings that is handled like an account or profile for a particular user. Java Card Small piece of hardware, similar in size and shape to a credit card, which stores identifying information about the owner.

  • Page 85

    Automatic DriveLock 49 background service, Device Access Manager 54 backing up and restoring certification information 33 Embedded Security 33 HP ProtectTools modules 8 Single Sign On data 20 basic user account 30 Basic User Key password changing 32 setting 30...

  • Page 86

    Windows Logon 17 Windows logon password, changing 15 Windows logon, allow 25 data, restricting access to 4 decrypting a drive 59 Device Access Manager for HP ProtectTools background service 54 device class configuration 56 device class, allowing access to one 56...

  • Page 87

    34 changing power-on 50 changing setup 51 Computer Setup, managing 49 emergency recovery token 29 guidelines 8 HP ProtectTools 6 managing 6 owner 29 policies, creating 5 resetting user 34 secure, creating 8 setting options 51 setting power-on 50...

  • Page 88

    Index
