Embedded Security Chip Pre-Boot Authentication Overview; Enabling Embedded Security Chip Pre-Boot User Authentication; Protecting Local Storage - HP Compaq NC4010 Features Manual

Protecttools firmware security features in hp business notebooks

2. The BIOS password should be stored on the smart card. This is done via the HP ProtectTools smart card security module. To complete this step, select the BIOS tab on the smart card security module and enable smart card security. If the card has not already been initialized, HP ProtectTools smart card security will automatically walk the user through card initialization.
Best Practice
In order to use smart card pre-boot security, it is best to create both an administrator card and a user card. The administrator card should be kept in a safe location away from the computer, and the user card should be used for daily access. This will allow user access if the user card is lost or stolen, and the administrator card can be used to create another user card.

Embedded security chip pre-boot authentication overview

Embedded security chip pre-boot authentication is a user authentication mechanism that utilizes the trusted platform module, or embedded security chip, to authenticate the user prior to allowing the system to boot. The BIOS administrator must enable the use of the feature through a BIOS configuration utility – F10 Setup accessed in the pre-boot environment or through the HP ProtectTools Security Manager application. When enabled, the user is prompted for the embedded security chip basic user key password at boot-up and the embedded security chip validates what the user enters. If the authentication succeeds, the BIOS continues to boot the operating system. Otherwise, it may allow several more retries but ultimately shuts down or halts the system when all allowed retries are exhausted.
Embedded security chip pre-boot enhances system security in a number of respects:
• Using the same embedded security chip basic user key password to boot the system, as well as to access security features at the application level. This provides the benefits of user authentication in the pre-boot environment without requiring the user to remember an additional password (assuming that the user is using the embedded security chip for other applications).
• Protecting the password with embedded security chip hardware and eliminating the need to save the password in the BIOS flash for comparison. With embedded security chip pre-boot authentication, an encrypted version of the basic user key password is stored, and this password can only be decrypted by the TPM used to encrypt it, effectively tying the password to the system.
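As an added illustration of the design just described (this is not code from the manual or from HP ProtectTools), the following Python model stands in for the chip with a keyed hash under a chip-resident root key instead of the TPM's real encryption; SimulatedTpm, seal_password and preboot_auth are names of this model, not of any HP or TPM API. It shows the two properties the text relies on: the stored blob is useless to a different chip, and the BIOS halts after the allowed retries.

```python
import hashlib
import hmac
import os
import secrets


class SimulatedTpm:
    """Stand-in for the embedded security chip (a model, not a TPM API).
    The root key never leaves the chip; the BIOS keeps only a sealed blob."""

    def __init__(self):
        self._root_key = secrets.token_bytes(32)  # chip-unique, non-exportable

    def seal_password(self, password: str) -> bytes:
        # Blob = salt || keyed digest. The digest can only be recomputed by
        # this chip, so the blob is bound to the system that created it.
        salt = os.urandom(16)
        tag = hmac.new(self._root_key, salt + password.encode(),
                       hashlib.sha256).digest()
        return salt + tag

    def validate(self, blob: bytes, attempt: str) -> bool:
        salt, tag = blob[:16], blob[16:]
        expected = hmac.new(self._root_key, salt + attempt.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time compare


def preboot_auth(tpm, blob, attempts, max_retries=3):
    """Model of the BIOS flow: prompt, let the chip validate, count failures.
    Returns ("boot", failures_before_success) or ("halt", failures)."""
    failures = 0
    for attempt in attempts:          # constructed stand-in for user input
        if tpm.validate(blob, attempt):
            return ("boot", failures)
        failures += 1
        if failures >= max_retries:
            break                     # allowed retries exhausted: halt
    return ("halt", failures)


if __name__ == "__main__":
    chip = SimulatedTpm()
    sealed = chip.seal_password("basic-user-key-password")   # constructed
    print(preboot_auth(chip, sealed, ["typo", "basic-user-key-password"]))
    # A drive or blob moved to another machine cannot be validated there:
    print(preboot_auth(SimulatedTpm(), sealed, ["basic-user-key-password"]))
```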

Enabling embedded security chip pre-boot user authentication

Similar to smart card pre-boot setup, the TPM pre-boot setup is also a two-step process.
1. Before the TPM can be used for pre-boot authentication, ownership has to be established, which involves initializing the TPM and creating an owner password and a basic user password. TPM initialization is handled by a wizard invoked automatically upon operating system login.
2. After TPM initialization, enabling of embedded security chip pre-boot authentication is controlled in the BIOS setup, which requires administrator access. This new setting is added as a field in F10 setup under the Embedded Security menu. It is also accessible through the HP ProtectTools Security Manager application, again requiring the BIOS administrator password.

Protecting local storage

One way to bypass strong user authentication is to remove the hard drive from a secure system and insert it into an un-secure system. By using the primary hard drive from a secure system as a secondary hard drive on an un-secure system, virtually all data becomes accessible, at least on an unprotected hard drive.