HP ProtectTools Getting Started
© Copyright 2012 Hewlett-Packard Development Company, L.P. Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Intel is a trademark of Intel Corporation in the U.S. and other countries and is used under license. Microsoft, Windows, and Windows Vista are U.S. registered trademarks of Microsoft Corporation. The information contained herein is subject to change without notice.
Table of contents

1 Introduction to security
HP ProtectTools features
HP ProtectTools security product description and common use examples
Password Manager

HP ProtectTools Security Manager Administrative Console
Opening HP ProtectTools Administrative Console
Using Administrative Console
Configuring your system

Using the Password Manager Quick Links menu
Organizing logons into categories
Managing your logons
Assessing your password strength
Password Manager icon settings

Advanced tasks
Managing Drive Encryption (administrator task)
Using Enhanced Security with TPM (select models only)
Encrypting or decrypting individual drive partitions (software encryption only)

Signing a Microsoft Office document
Adding a signature line when signing a Microsoft Word or Microsoft Excel document
Adding suggested signers to a Microsoft Word or Microsoft Excel document
Adding a suggested signer's signature line

Simple Configuration
Starting the background service
Device Class Configuration
Denying access to a user or group
Allowing access for a user or a group

Password changes using keyboard layout that is also supported
Special key handling
What to do when a password is rejected
13 Related documentation
1 Introduction to security

HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.

Application: HP ProtectTools Administrative Console (for administrators)
Features:
● Requires Microsoft Windows administrator rights to access.
● Provides access to modules that are configured by an administrator and not available to users.
HP ProtectTools features

The following table details the key features of HP ProtectTools modules.
Module: File Sanitizer for HP ProtectTools (select models only)
Key features:
● Allows you to securely shred digital assets (securely delete sensitive information including application files, historical or Web-related content, or other confidential data) on your computer and periodically bleach the hard drive (write over data that has been previously deleted, but is still present on the hard drive in order to make recovery of the data more difficult).
HP ProtectTools security product description and common use examples

Most of the HP ProtectTools security products have both user authentication (usually a password) and an administrative backup to gain access if passwords are lost, not available, or forgotten, or any time corporate security requires access.

NOTE: Some of the HP ProtectTools security products are designed to restrict access to data.
moves the confidential data to the personal secure drive. The warehouse manager can enter a password and access the confidential data just like another hard drive. When he logs off or reboots the personal secure drive, it cannot be seen or opened without the proper password. The workers never see the confidential data when they access the computer. Embedded Security protects encryption keys within a hardware TPM (Trusted Platform Module) chip located on the system board.
Device Access Manager for HP ProtectTools (select models only)

Device Access Manager for HP ProtectTools allows an administrator to restrict and manage access to hardware. Device Access Manager for HP ProtectTools can be used to block unauthorized access to USB flash drives where data could be copied. It can also restrict access to CD/DVD drives, control of USB devices, network connections, and so on.
Example 2: A real estate company needs to manage and update computers all over the world. They use Computrace to monitor and update the computers without having to send an IT person to each computer.
Restricting access to sensitive data

Suppose a contract auditor is working onsite and has been given computer access to review sensitive financial data; you do not want the auditor to be able to print the files or save them to a writable device such as a CD. The following feature helps restrict access to data:
● Device Access Manager for HP ProtectTools allows IT managers to restrict access to communication devices so that sensitive information cannot be copied from the hard drive.
Additional security elements

Assigning security roles

In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.

NOTE: In a small organization or for individual use, these roles may all be held by the same person.
HP ProtectTools password: Basic User Key password
Set in the following module: Embedded Security
Function: Used to access Embedded Security features, such as secure email, file, and folder encryption. When used for power-on authentication, also protects access to the computer contents when the computer is turned on, restarted, or restored from hibernation.
Backing up credentials and settings

You can back up credentials in the following ways:
● Use Drive Encryption for HP ProtectTools to select and back up HP ProtectTools credentials.
● Use the Backup and Recovery tool in HP ProtectTools Security Manager as a central location from which you can back up and restore security credentials from some of the installed HP ProtectTools modules.
2 Getting started with the Setup Wizard

The Security Manager Setup Wizard guides you through enabling available security features that are applied to all users of this computer. You can also manage these features on the Security Features page of Administrative Console.

To set up security features through the Security Manager Setup Wizard:
1.
3. Verify your identity by typing your Windows password, and then click Next. If you have not yet created a Windows password, you are prompted to create one. A Windows password is required in order to protect your Windows account from access by unauthorized persons, and in order to use HP ProtectTools Security Manager features.
4. On the SpareKey page, select three security questions, enter an answer for each question, and then click Next.
3 Easy Setup Guide for Small Business

This chapter is designed to demonstrate the basic steps to activate the most common and useful options within HP ProtectTools for Small Business. There are numerous tools and options available in this software that will allow you to fine-tune your preferences and set your access control. This Easy Setup Guide will focus on getting each module running with the least amount of setup effort and time.
Getting started

1. Open HP ProtectTools Security Manager from the Gadget icon, task bar icon (blue shield), or click Start > All Programs > Security and Protection > HP ProtectTools Security Manager.
2. Enter your Windows password, or create a Windows password.
3. Complete the setup wizard.

NOTE: By default, HP ProtectTools Security Manager is set to Strong Authentication Policy.
Password Manager

Passwords! We all have quite a number of them – especially if you regularly access websites or use applications that require you to log in. The normal user either uses the same password for every application and website, or gets really creative and promptly forgets which password goes with which application. Password Manager can automatically remember your passwords to sites that are not critical or give you the ability to discern which sites to remember and which to omit.
File Sanitizer for HP ProtectTools

File Sanitizer is designed to make it very difficult for an unauthorized person to recover data you have deleted. Multiple options allow you to erase manually or to establish a regular schedule to erase selected files and folders, including browser history. To start permanently erasing your deleted data, select the file or folders you no longer need.

1. Navigate to Security Manager > File Sanitizer > Settings.
Device Access Manager for HP ProtectTools

Device Access Manager can be used to restrict the use of various internal and external storage devices so your data will remain secured on the hard drive and not walk out the door of your business. An example would be to allow a user access to your data but block them from copying it to a CD, personal music player, or USB memory device. Below is an easy way to set this up.

1.
Drive Encryption for HP ProtectTools

Drive Encryption for HP ProtectTools is used to protect your data by encrypting the entire hard drive. The data on your hard drive will stay protected if your PC is ever stolen and/or if the hard drive is removed from the original computer and placed in a different computer. An additional security benefit is that Drive Encryption requires you to properly authenticate using your user name and password before the computer will start.
4 HP ProtectTools Security Manager Administrative Console

HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Administration of HP ProtectTools Security Manager is provided through the Administrative Console feature. Additional applications are available (select models only) in the Security Manager dashboard to assist with recovery of the computer if it is lost or stolen.
Opening HP ProtectTools Administrative Console

For administrative tasks, such as setting system policies or configuring software, open the console as follows:
▲ Click Start, click All Programs, click Security and Protection, and then click HP ProtectTools Administrative Console.
– or –
In the left panel of Security Manager, click Administration, and then click Administrative Console.
Configuring your system

The System group is accessed from the menu panel on the left side of HP ProtectTools Administrative Console. You can use the applications in this group to manage the policies and settings for the computer, its users, and its devices. The following applications are included in the System group:
● Security—Manage features, authentication, and settings governing how users interact with this computer.
● Users—Set up, manage, and register users of this computer.
8. To return to the original settings, click Restore Defaults.
9. Click Apply.

Session Policy

To define policies governing the credentials required to access HP ProtectTools applications during a Windows session:
1. In the left panel of Administrative Console, click Security, and then click Authentication.
2. On the Session Policy tab, click the down arrow, and then select a category of user:
● For administrators of this computer
● For standard users
3.
● To set up additional credentials for the user, click the user, and then click Enroll.
● To view the policies for a specific user, select the user, and then view the policies in the lower window.

Credentials

Within the Credentials application, you can specify settings available for any built-in or attached security devices recognized by HP ProtectTools Security Manager and configure settings.
Face

If a webcam is installed or connected to the computer, and if the Face Recognition program is installed, you can set the security level for Face Recognition to balance the ease of use and the difficulty of breaching the security of the computer.
1. Click Credentials, and then click Face.
2. For more convenience, click the slider to move it to the left, or for more accuracy, click the slider to move it to the right.
3. Initialize (format) the smart card.
   a. Launch the smart card initialization tool, or it may be displayed when you insert the smart card into the reader (for example: Start > Programs > ActivIdentity > ActivClient > PIN initialization tool).
   b. Follow the on-screen instructions to set up a PIN.
   c. Note the unlock code for future reference.
4. Create a key pair and certificate.
   a. Click Start, click All Programs, click Security and Protection, and then click HP ProtectTools Administrative Console.
Configuring the smart card

If a smart card reader is installed or connected to the computer, the Smart card page has two tabs:
● Settings—Select the Lock the computer upon smart card removal check box to configure the computer to automatically lock when a smart card is removed, and then click Apply.

NOTE: The computer locks only if the smart card was used as an authentication credential when logging on to Windows. Removing a smart card that was not used to log on to Windows does not lock the computer.
Bluetooth phone in conjunction with other credentials for additional security. Specify the Bluetooth settings:
▲ To allow silent authentication, select the check box, and then click Apply.

PIN

If PIN has been selected as an authentication credential, you can use a PIN in conjunction with other credentials for additional security. Specify the PIN settings:
1. Click the up or down arrow to select the minimal PIN length. The maximum number of digits allowed is 8.
2. Click Apply.
● Antimalware Central—Enables Antimalware Central for all users of the computer.
● Enable the Central Management link—Allows all users of this computer to learn how to centrally manage HP ProtectTools Security Manager with DigitalPersona Pro.

1. Select the check box next to a specific setting to enable it, or clear the check box to disable the setting.
2. Click Apply.

To return all applications to their factory settings, click the Restore Defaults button.
For more information, see the Device Access Manager software Help by clicking the blue ? icon at the top right of the Device Access Manager page.

Communications

The Communications section of the left panel of Administrative Console allows you to configure settings for the Privacy Manager application:
● Settings
● Allow the use of third-party certificates
By default, only special Comodo-issued certificates can be used.
5 HP ProtectTools Security Manager

HP ProtectTools Security Manager allows you to significantly increase the security of your computer. You can use preloaded Security Manager applications, as well as additional applications available for immediate download from the Web:
● Manage your logon and passwords.
● Easily change your Windows® operating system password.
● Set program preferences.
● Use fingerprints for extra security and convenience.
● Enroll one or more scenes for authentication.
Using the Security Manager dashboard

The Security Manager dashboard is the central location for easy access to Security Manager features, applications, and settings.
▲ To open the Security Manager dashboard, click Start, click All Programs, click Security and Protection, and then click HP ProtectTools Security Manager.

The dashboard displays the following components:
● ID Card—Displays the Windows user name and a selected picture identifying the logged on user account.
Your personal ID card

Your ID card uniquely identifies you as the owner of this Windows account, showing your name and a picture of your choice. It is prominently displayed in the upper-left corner of Security Manager pages. You can change the picture and the way that your name is displayed. By default, your full Windows user name and the picture you selected during Windows setup are shown.

To change the displayed name:
1. Open the Security Manager dashboard.
A message is displayed at the bottom of the gadget icon to indicate one of the following conditions:
◦ Set up now—The administrator must click the gadget icon to run the Security Manager Setup Wizard to configure authentication credentials for the computer. The Setup Wizard is displayed in a separate window.
◦ Enroll now—A user must click the gadget icon to run the Security Manager Getting Started Wizard to enroll authentication credentials.
Password Strength tab

● Check the strength of individual passwords used for websites and applications, as well as the overall password strength.
● Password strength is illustrated by red, yellow, or green status indicators.

The Password Manager icon is displayed in the upper-left corner of a Web page or application logon screen. When a logon has not yet been created for that website or application, a plus sign is displayed on the icon.
after browsing to the website or program, or click a logon from the Password Manager Quick Links menu to have Password Manager open the website or program and log you on.

To add a logon:
1. Open the logon screen for a website or program.
2. Click the arrow on the Password Manager icon, and then click one of the following, depending on whether the logon screen is for a website or a program:
● For a website, click Add [domain name] to Password Manager.
3.
Editing logons

To edit a logon, follow these steps:
1. Open the logon screen for a website or program.
2. To display a dialog box where you can edit your logon information, click the arrow on the Password Manager icon, and then click Edit Logon. Logon fields on the screen, and their corresponding fields on the dialog box, are identified with a bold orange border. You can also display this dialog box by clicking Edit for the desired logon on the Password Manager Manage tab.
3.
To add a category:
1. From the Security Manager dashboard, click Password Manager.
2. Click the Manage tab, and then click Add Category.
3. Enter a name for the category.
4. Click OK.

To add a logon to a category:
1. Place your mouse pointer over the desired logon.
2. Press and hold the left mouse button.
3. Drag the logon into the list of categories. Categories are highlighted as you move your mouse pointer over them.
4. Release the mouse button when the desired category is highlighted.
Assessing your password strength

Using strong passwords for logon to your websites and programs is an important aspect of protecting your identity. Password Manager makes monitoring and improving your security easy with instant and automated analysis of the strength of each of the passwords used to log on to your websites and programs.
Settings

You can specify settings for personalizing Password Manager:
1. Prompt to add logons for logon screens—The Password Manager icon with a plus sign is displayed whenever a website or program logon screen is detected, indicating that you can add a logon for this screen to the Logons menu. To disable this feature, clear the check box beside Prompt to add logons for logon screens.
2.
Credential Manager

You use your Security Manager credentials to verify that you are really you. The administrator of this computer can set up which credentials may be used to prove your identity when logging on to your Windows account, websites, or programs. Available credentials can vary, depending on the security devices built into or connected to this computer.
You can select different questions or change your answers on the SpareKey page under Credential Manager. After your SpareKey is set up, you can access your computer using your SpareKey from a pre-boot logon screen or the Windows Welcome screen.
4. During scene enrollment you can watch a demonstration by clicking Play Video. To change the background lighting, click the Light bulb icon. If this is the initial enrollment, a dialog will appear asking if you want to see a demonstration video. Click Yes or No.
5. Click the Camera icon, and then follow the on-screen instructions to enroll your scene.

NOTE: Be sure to look at your image, turning your head accordingly, while the scenes are being captured.

6. Click Next.
Dark mode

If the lighting is too dark during the face logon process, the face logon screen background color switches automatically to a white screen to provide better illumination of the face. To switch the face logon screen background color manually, click the Light bulb icon.

Learning

If face logon is unsuccessful but you enter your password successfully, you may be prompted to save a series of images to increase the chances of successful face logon in the future.
Initializing the smart card

HP ProtectTools Security Manager can support a number of different smart cards. The number and type of characters used as PIN numbers may vary. The manufacturer of the smart card should provide tools to install a security certificate and PIN management that HP ProtectTools will use in its security algorithm. Administrators can initialize the smart card using the manufacturer’s software and HP ProtectTools Administrative Console.
manufacturer, and if the administrator has enabled a proximity card as an authentication credential, you can use a proximity card in conjunction with other credentials for additional security.
▲ To set up your proximity card, place it very close to the reader, and then follow the on-screen instructions.

Bluetooth

If the administrator has enabled Bluetooth as an authentication credential, you can set up a Bluetooth phone in conjunction with other credentials for additional security.
Central Management

The Central Management page displays tabs for accessing information about central management of security solutions with DigitalPersona Pro, as well as scheduling product updates and online messages.

NOTE: If there is no Central Management link in the lower-left portion of the dashboard, it has been disabled by the administrator of this computer.

● Business Solutions tab
1. Open the Security Manager dashboard. For more information, see Opening Security Manager on page 33.
2.
Fingerprint tab

NOTE: The Fingerprint tab is available only if the computer has a fingerprint reader and the correct driver is installed.

● Quick Actions—Use Quick Actions to select the Security Manager task to be performed when you hold down a designated key while swiping your fingerprint. To assign a Quick Action to one of the listed keys, click a (Key) + Fingerprint option, and then select one of the available tasks from the menu.
7. Enter a password to protect the file.
8. Click Finish.

To restore your data:
1. Open the Security Manager dashboard. For more information, see Opening Security Manager on page 33.
2. On the left panel of the dashboard, click Advanced, and then click Backup and Restore.
3. Click Restore data.
4. Select the previously created storage file. Enter the path in the field provided, or click Browse.
5. Enter the password used to protect the file.
6.
6 Drive Encryption for HP ProtectTools (select models only)

Drive Encryption for HP ProtectTools provides complete data protection by encrypting your computer's data. When Drive Encryption is activated, you must log in at the Drive Encryption login screen, which is displayed before the Windows® operating system starts.
Opening Drive Encryption

Administrators can access Drive Encryption from HP ProtectTools Administrative Console.
1. Click Start, click All Programs, click Security and Protection, and then click HP ProtectTools Administrative Console.
2. In the left pane, click Drive Encryption.

General tasks

Activating Drive Encryption for standard hard drives

Standard hard drives are encrypted using software encryption. Follow these steps to activate Drive Encryption:
1.
Activating Drive Encryption for self-encrypting drives

Self-encrypting drives meeting Trusted Computing Group's OPAL specification for self-encrypting drive management can be encrypted using either software encryption or hardware encryption. Follow these steps to activate Drive Encryption for self-encrypting drives:

NOTE: Hardware encryption is available only if ALL drives in your computer are self-encrypting drives meeting Trusted Computing Group's OPAL specification for self-encrypting drive management.
Hardware encryption

1. Click Start, click All Programs, click Security and Protection, and then click HP ProtectTools Administrative Console.
2. In the left pane, click the + icon to the left of Security to display the available options.
3. Click Features.
4. Select the Drive Encryption check box, and then click Next.
5. If the Use hardware drive encryption check box is available at the bottom of the screen, be sure that it is selected.
3. Click Features.
4. Clear the Drive Encryption check box, and then click Next. Drive Encryption deactivation begins.

NOTE: If software encryption was used, decryption starts. It might take a number of hours, depending on the size of the encrypted hard drive partition(s). When decryption is complete, Drive Encryption is deactivated. If hardware encryption was used, the drive is instantly decrypted, and after a few minutes, Drive Encryption is deactivated.
● RSA SID800 v2
● RSA SID800 Rev D (Sahara)
● Aladdin eToken Java 72kl
● Gemalto .NET
● Gemalto .NET v2+
● Gemalto CyberFlex Access 2

Internal readers
● Alcor Internal USB reader
● Ricoh

NOTE: If the recovery key is used to log in at the Drive Encryption login screen, additional credentials are required at Windows logon to access user accounts.
In a software encryption scenario, the drive encryption status is displayed as one of the following for each hard drive or hard drive partition:
● Not encrypted
● Encrypted
● Encrypting
● Decrypting

In a hardware encryption scenario, the drive encryption status is displayed as one of the following:
● Not encrypted
● Encrypted

If the hard drive is in the process of being encrypted or decrypted, a progress bar displays the percentage completed and the time remaining to complete the encryption or de
Using Enhanced Security with TPM (select models only)

After the Trusted Platform Module (TPM) is activated and the Drive Encryption Enhanced Security with TPM functionality is selected, the Drive Encryption password is protected by the TPM security chip. If the hard drive is removed and installed in another computer, access to the drive is denied.

CAUTION: TPM ownership cannot be shared with Windows TPM.msc and Embedded Security. Use of Embedded Security for HP ProtectTools is highly recommended.
Encrypting or decrypting individual drive partitions (software encryption only)

Administrators can use the Drive Encryption Settings page to encrypt one or more hard drive partition(s) on the computer or decrypt any drive partition(s) that have already been encrypted.
1. Click Start, click All Programs, click Security and Protection, and then click HP ProtectTools Administrative Console.
2. In the left pane, click the + icon to the left of Drive Encryption to display the available options.
3.
CAUTION: Be sure to keep the storage device containing the backup key in a safe place, because if you forget your password, lose your smart card, or do not have a finger registered, this device provides your only access to the computer. The storage place should also be secure, because the storage device allows access to Windows.

NOTE: To save the encryption key, you must use a USB storage device with the FAT32 or FAT16 format.
Recovering encryption keys

Administrators can recover an encryption key from the removable storage device where it was saved previously:
1. Turn on the computer.
2. Insert the removable storage device that contains your backup key.
3. When the Drive Encryption for HP ProtectTools login dialog box opens, click Options.
4. Click Recovery.
5. Select the file that contains your backup key or click Browse to search for it, and then click Next.
6. When the confirmation dialog box opens, click OK.
7 Privacy Manager for HP ProtectTools (select models only)

Privacy Manager for HP ProtectTools enables you to use advanced security login (authentication) methods to verify the source, integrity, and security of communications when using email or Microsoft® Office documents.
Setup procedures

Managing Privacy Manager Certificates

Privacy Manager Certificates protect data and messages using a cryptographic technology called public key infrastructure (PKI). PKI requires users to obtain cryptographic keys and a Privacy Manager Certificate issued by a certificate authority (CA).
Obtaining a preassigned Corporate Privacy Manager Certificate

1. In Outlook, open the email that you received indicating that a Corporate Certificate has been preassigned to you.
2. Click Obtain.

You will receive an email in Microsoft Outlook with your Privacy Manager Certificate attached. To install the certificate, see Setting up a Privacy Manager Certificate on page 67.

Setting up a Privacy Manager Certificate

1.
3. Choose whether to import a certificate already installed on this computer or a certificate stored as a PFX (Personal Information Exchange/PKCS#12) file, and then click Next.
● To import a certificate installed on this computer, select the desired certificate, and then click Next.
● To select a PFX certificate, click Browse, navigate to the location of the PFX file, and then click Next. Type the PFX file password, and then click Next.
4. When the import process is complete, click Next.
5.
If you have more than one Privacy Manager Certificate on your computer installed from within Privacy Manager, you can specify one as the default certificate:
1. Open Privacy Manager, and then click Certificates.
2. Click the Privacy Manager Certificate that you want to use as the default, and then click Set default.
3. Click OK.

NOTE: You are not required to use your default Privacy Manager Certificate.
NOTE: A revoked Privacy Manager Certificate is not deleted. The certificate can still be used to view files that are encrypted.

1. Open Privacy Manager, and then click Certificates.
2. Click Advanced.
3. Click the Privacy Manager Certificate you want to revoke, and then click Revoke.
4. When the confirmation dialog box opens, click Yes.
5. Authenticate using your chosen security login method.
6. Follow the on-screen instructions.
3. When the Trusted Contact Invitation dialog box opens, read the text, and then click OK. An email is automatically generated. 4. Enter the email addresses of the recipients you want to add as Trusted Contacts. 5. Edit the text and sign your name (optional). 6. Click Send. NOTE: If you have not obtained a Privacy Manager Certificate, a message informs you that you must have a Privacy Manager Certificate in order to send a Trusted Contact request. Click OK to launch the Certificate Request Wizard.
7. When you receive an email response from a recipient accepting the invitation to become a Trusted Contact, click Accept in the lower-right corner of the email. A dialog box opens, confirming that the recipient has been successfully added to your Trusted Contacts list. 8. Click OK. Viewing Trusted Contact details 1. Open Privacy Manager, and then click Trusted Contacts. 2. Click a Trusted Contact. 3. Click Contact details. 4. When you have finished viewing the details, click OK.
General tasks You can use Privacy Manager with the following Microsoft products: ● Microsoft Outlook ● Microsoft Office Using Privacy Manager in Microsoft Outlook When Privacy Manager is installed, a Privacy button is displayed on the Microsoft Outlook toolbar, and a Send Securely button is displayed on the toolbar of each Microsoft Outlook email message.
3. Click the down arrow next to Send Securely (Privacy in Outlook 2003), and then click Sign and Send. 4. Authenticate using your chosen security login method. Sealing and sending an email message Sealed email messages that are digitally signed and sealed (encrypted) can only be viewed by people you choose from your Trusted Contacts list. To seal and send an email message to a Trusted Contact: 1. In Microsoft Outlook, click New or Reply. 2. Type your email message. 3.
Configuring Privacy Manager for Microsoft Office 1. Open Privacy Manager, click Settings, and then click the Documents tab. – or – On the toolbar of a Microsoft Office document, click the down arrow next to Sign and Encrypt, and then click Settings. 2. Select the actions you want to configure, and then click OK. Signing a Microsoft Office document 1. In Microsoft Word, Microsoft Excel, or Microsoft PowerPoint, create and save a document. 2.
To add a suggested signer to a Microsoft Word or Microsoft Excel document: 1. In Microsoft Word or Microsoft Excel, create and save a document. 2. Click the Insert menu. 3. In the Text group on the toolbar, click the arrow next to Signature Line, and then click Privacy Manager Signature Provider. The Signature Setup dialog box opens. 4. In the box under Suggested signer, enter the name of the suggested signer. 5.
3. Click the name of a Trusted Contact who will be able to open the document and view its contents. NOTE: To select multiple Trusted Contact names, hold down the ctrl key, and then click the individual names. 4. Click OK. If you later decide to edit the document, follow the steps in Removing encryption from a Microsoft Office document on page 77. When the encryption is removed, you can edit the document. Follow the steps in this section to encrypt the document again.
Viewing an encrypted Microsoft Office document To view an encrypted Microsoft Office document from another computer, Privacy Manager must be installed on that computer. You must also restore the Privacy Manager Certificate that was used to encrypt the file. If your certificate has been lost, in order to view an encrypted Microsoft Office document, you must restore the Privacy Manager Certificate that was used to encrypt the file.
3. On the Migration File page, click Browse to search for the file, and then click Next. 4. Enter the password you used when you created the backup file, and then click Next. 5. On the Migration File page, click Finish. Central administration of Privacy Manager Your installation of Privacy Manager may be part of a centralized installation that has been customized by your administrator.
8 File Sanitizer for HP ProtectTools (select models only)

File Sanitizer allows you to securely shred assets (for example: personal information or files, historical or Web-related data, or other data components) on the computer's internal hard drive and to periodically bleach the computer's internal hard drive.
of the asset still remains on the hard drive until another asset overwrites that same area on the hard drive with new information. Free space bleaching allows you to securely write random data over deleted assets, preventing users from viewing the original contents of the deleted asset. NOTE: Free space bleaching can be performed occasionally for assets that you delete by selecting Simple Delete Settings in File Sanitizer, by moving the assets to the Windows Recycle Bin, or by deleting the assets manually.
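The difference between a simple delete, a shred, and free space bleaching described above, as an added example that is not part of the HP guide and is not File Sanitizer's code. The ToyDisk class, its block size, and the sample data are all constructed for illustration: a deleted asset stays readable in the raw bytes until its blocks are overwritten with random data.

```python
import os

BLOCK = 16  # bytes per block in this constructed toy drive


class ToyDisk:
    """In-memory drive: raw bytes plus a file table (hypothetical model)."""

    def __init__(self, blocks=32):
        self.raw = bytearray(blocks * BLOCK)  # stands in for the drive surface
        self.table = {}                       # name -> (block numbers, length)
        self.free = list(range(blocks))       # free block numbers, ascending

    def _span(self, block):
        return slice(block * BLOCK, (block + 1) * BLOCK)

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)       # ceiling division
        if needed > len(self.free):
            raise OSError("toy disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, block in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            start = block * BLOCK
            self.raw[start:start + len(chunk)] = chunk
        self.table[name] = (blocks, len(data))

    def read_file(self, name):
        blocks, length = self.table[name]
        return b"".join(bytes(self.raw[self._span(b)]) for b in blocks)[:length]

    def simple_delete(self, name):
        """Forget the file and release its blocks; the bytes are not touched."""
        blocks, _ = self.table.pop(name)
        self.free = sorted(self.free + blocks)

    def shred(self, name):
        """Overwrite the file's blocks with random data, then release them."""
        for block in self.table[name][0]:
            self.raw[self._span(block)] = os.urandom(BLOCK)
        self.simple_delete(name)

    def bleach_free_space(self):
        """Overwrite every free block with random data; live files are skipped."""
        for block in self.free:
            self.raw[self._span(block)] = os.urandom(BLOCK)
        return len(self.free)

    def raw_scan(self, needle):
        """What a disk-level recovery tool sees: raw bytes, ignoring the table."""
        return needle in self.raw


def demo():
    disk = ToyDisk()
    secret = b"ACCT 4417-CONSTRUCTED-SAMPLE"     # constructed sample data
    keep = b"quarterly report, still in use"     # constructed sample data
    disk.write_file("keep.txt", keep)
    disk.write_file("secret.txt", secret)
    disk.simple_delete("secret.txt")
    found_after_delete = disk.raw_scan(secret)   # contents still on the drive
    bleached_blocks = disk.bleach_free_space()
    found_after_bleach = disk.raw_scan(secret)   # overwritten with random data
    return {
        "found_after_delete": found_after_delete,
        "found_after_bleach": found_after_bleach,
        "bleached_blocks": bleached_blocks,
        "live_file_intact": disk.read_file("keep.txt") == keep,
    }


if __name__ == "__main__":
    print(demo())
```
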
● Web browser quit—Shreds all selected Web-related assets, such as browser URL history, when you close a Web browser.
● Key sequence—Allows you to specify a key sequence to initiate shredding. For details, see Using a key sequence to initiate shredding on page 86.
NOTE: A .dll file is shredded and removed from the system only if it has been moved to the Recycle Bin.
3.
3. To view the assets that are selected for shredding, click View Details.
a. Selected items will be shredded, and a confirmation message will be displayed. Unchecked items will be shredded without a confirmation message. Select the check box to display a confirmation message before shredding the item, or clear the check box to shred the item without displaying a confirmation message.
NOTE: Even if the check box for an asset is cleared, the asset will be shredded.
b. Click Apply.
4. Click Apply.

NOTE: Files in this list are protected as long as they remain in the list. To remove an asset from the exclusions list, click the asset, and then click Delete.
6. Click Apply.

Customizing a simple delete profile

The simple delete profile performs a standard asset delete action without shredding. You can customize a simple delete profile by specifying which assets to include, which assets to confirm before deleting, and which assets to exclude.

General tasks

You can use File Sanitizer to perform the following tasks:
● Use a key sequence to initiate shredding—This feature allows you to create a key sequence (for example, ctrl+alt+s) to initiate shredding. For details, see Using a key sequence to initiate shredding on page 86.
● Use the File Sanitizer icon to initiate shredding—This feature is similar to the drag-and-drop feature in Windows. For details, see Using the File Sanitizer icon on page 87.

Using the File Sanitizer icon

CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding.
1. Navigate to the document or folder you want to shred.
2. Drag the asset to the File Sanitizer icon on the desktop.
3. When the confirmation dialog box opens, click Yes.

Manually shredding one asset

CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding.
1.
– or –
1. Open File Sanitizer, and then click Shred.
2. Click the Shred now button.
3. When the confirmation dialog box opens, click Yes.

Manually activating free space bleaching
1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Bleach Now.
2. When the confirmation dialog box opens, click Yes.
– or –
1. Open File Sanitizer, and then click Free Space Bleaching.
2. Click Bleach Now.
3.

9 Device Access Manager for HP ProtectTools (select models only)

HP ProtectTools Device Access Manager controls access to data by disabling data transfer devices.
NOTE: Some human interface/input devices, such as a mouse, keyboard, TouchPad, and fingerprint reader, are not controlled by Device Access Manager. For more information, see Unmanaged Device Classes on page 99.

Setup Procedures

Configuring device access

HP ProtectTools Device Access Manager offers four views:
● Simple Configuration—Allow or deny access to classes of devices, based on membership in the Device Administrators group.
● Device Class Configuration—Allow or deny access to types of devices or specific devices for specific users or groups.

Starting the background service

The first time a new policy is defined and applied, the HP ProtectTools Device Locking/Auditing background service starts automatically, and it is set to start automatically whenever the system starts.
NOTE: A device profile must be defined before the background service prompt is displayed.
Administrators can also start or stop this service:
1. In Windows 7, click Start, click Control Panel, and then click System and Security.

The Device Class Configuration view has the following sections:
● Device List—Shows all the device classes and devices that are installed on the system or that may have been installed on the system previously.
◦ Protection is usually applied for a device class. A selected user or group will be able to access any device in the device class.
◦ Protection may also be applied to specific devices.

The same user, the same group, or a member of the same group can be denied write access or read+write access only for the same device or a device below this device in the device hierarchy.

Example 6—If a user or group is denied read+write access for a device or class of devices:
The same user, the same group, or a member of the same group can be granted read access or read+write access only for a device below this device in the device hierarchy.

Allowing access to a class of devices for one user of a group

To allow a user to access a class of devices while denying access to all other members of that user's group:
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click Device Class Configuration.
2. In the device list, click the device class that you want to configure.
● Device class
● All devices
● Individual device
3.

Removing settings for a user or a group

To remove permission for a user or a group to access a device or a class of devices, follow these steps:
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click Device Class Configuration.
2. In the device list, click the device class that you want to configure.
● Device class
● All devices
● Individual device
3. Under User/Groups, click the user or group you want to remove, and then click Remove.
4.
The JITA period can also be extended, if configured to do so. In this scenario, 1 minute before the JITA period is about to expire, users can click the prompt to extend their access without having to reauthenticate. Whether the user is given a limited or unlimited JITA period, as soon as the user logs off the system or another user logs in, the JITA period expires. The next time the user logs in and attempts to access a JITA-enabled device, a prompt to enter credentials is displayed.
Disabling a JITA for a user or group

Administrators can disable user or group access to devices using just-in-time authentication.
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click JITA Configuration.
2. From the device’s drop-down menu, select either removable media or DVD/CD-ROM drives.
3. Select the user or group whose JITA you wish to disable.
4. Clear the Enabled check box.
5. Click Apply.

Advanced Settings

Advanced Settings provides the following functions:
● Management of the Device Administrators group
● Management of drive letters to which Device Access Manager never denies access.
The Device Administrators group is used to exclude trusted users (trusted in terms of device access) from the restrictions imposed by a Device Access Manager policy. Trusted users usually include System Administrators. See Device Administrators group on page 98 for more information.

3. Click OK.
4. Click Apply.
Alternative methods for managing membership of this group include:
● For Windows 7 Professional or Windows Vista, users can be added to this group using the standard “Local Users and Groups” Microsoft Management Console (MMC) snap-in.

◦ Hard disk controller (HDC)
◦ Human interface device (HID) class
● Power
◦ Battery
◦ Advanced power management (APM) support
● Miscellaneous
◦ Computer
◦ Decoder
◦ Display
◦ Processor
◦ System
◦ Unknown
◦ Volume
◦ Volume snapshot
◦ Security devices
◦ Security accelerator
◦ Intel® unified display driver
◦ Media driver
◦ Medium changer
◦ Multifunction
◦ Legacard
◦ Net client
◦ Net service
◦ Net trans
◦ SCSI adapter

10 Theft recovery (select models only)

Computrace for HP ProtectTools (purchased separately) allows you to remotely monitor, manage, and track your computer. Once activated, Computrace for HP ProtectTools is configured from the Absolute Software Customer Center. From the Customer Center, the administrator can configure Computrace for HP ProtectTools to monitor or manage the computer.
11 Embedded Security for HP ProtectTools (select models only)

NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools.
Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials.

To enable the embedded security chip in Computer Setup:
1. Open Computer Setup by turning on or restarting the computer, and then pressing f10 while the “f10 = ROM Based Setup” message is displayed in the lower-left corner of the screen.
2. If you have not set an administrator password, use the arrow keys to select Security, select Setup password, and then press enter.
3. Type your password in the New password and Verify new password boxes, and then press f10.
4.

To set up a basic user account and enable the user security features:
1. If the Embedded Security User Initialization Wizard is not open, click Start, click All Programs, click Security and Protection, and then click HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Embedded Security Features, click Configure. The Embedded Security User Initialization Wizard opens.
4. Follow the on-screen instructions.

3. Click one of the following options:
● Apply changes to this folder only.
● Apply changes to this folder, subfolders, and files.
4. Click OK.

Sending and receiving encrypted email

Embedded Security enables you to send and receive encrypted email, but the procedures vary depending upon the program you use to access your email. For more information, see the Embedded Security software Help, and the software Help for your email program.

Restoring certification data from the backup file

To restore data from the backup file:
1. Click Start, click All Programs, click Security and Protection, and then click HP ProtectTools Administrative Console.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Restore all. The HP Embedded Security for ProtectTools Backup Wizard opens.
4. Follow the on-screen instructions.

Changing the owner password

Administrators can change the owner password:
1.
12 Localized password exceptions

At the Preboot Security level and the HP Drive Encryption level, password localization support is limited, as described in the following sections.

Windows IMEs not supported at the Preboot Security level or the HP Drive Encryption level

In Windows, the user can choose an IME (input method editor) to enter complex characters and symbols, such as Japanese or Chinese characters, by using a standard western keyboard.

Password changes using keyboard layout that is also supported

If the password is initially set with one keyboard layout, such as U.S. English (409), and then the user changes the password using a different keyboard layout that is also supported, such as Latin American (080A), the password change will work in HP Drive Encryption, but it will fail in the BIOS if the user uses characters that exist in the latter but not in the former (for example, ē).

Special key handling

● Chinese, Slovakian, Canadian French and Czech
When a user selects one of the preceding keyboard layouts and then enters a password (for example, abcdef), the same password must be entered while pressing the shift key for lower case and the shift key and caps lock key for upper case in BIOS Preboot Security and HP Drive Encryption. Numeric passwords must be entered using the numeric keypad.

Language: Czech
Windows:
◦ The ğ key is rejected.
◦ The į key is rejected.
◦ The ų key is rejected.
◦ The ė, ı, and ż keys are rejected.
◦ The ģ, ķ, ļ, ņ, and ŗ keys are rejected.
BIOS: n/a
Drive Encryption: n/a

Language: Slovakian
Windows: The ż key is rejected.
BIOS:
◦ The š, ś, and ş keys are rejected when typed, but they are accepted when entered with the soft keyboard.
◦ The ţ dead key generates two characters.
Drive Encryption: n/a

Language: Hungarian
Windows: The ż key is rejected.
BIOS: The ţ key generates two characters.

What to do when a password is rejected

Passwords can be rejected for the following reasons:
● A user is using an IME that is not supported. This is a common issue with double-byte languages (Korean, Japanese, Chinese). To resolve this issue:
1. Click Start, click Control Panel, and then click Regional and Language Options.
2. Click the Keyboard and Languages tab, and then follow the on-screen instructions.
3. On the Settings tab, click the Add button to add a supported keyboard (add U.S.
13 Related documentation

For more information about Security Manager for HP ProtectTools:
● To access this guide, select Start, click Help and Support, and then click User Guides.
● On the Web, go to http://www.hp.com/services/protecttools (English only).
Glossary

activation
The task that must be completed before any of the Drive Encryption features are accessible. Drive Encryption is activated using the HP ProtectTools Setup Wizard. Only an administrator can activate Drive Encryption. The activation process consists of activating the software, encrypting the drive, creating a user account, and creating the initial backup encryption key on a removable storage device.

cryptography
The practice of encrypting and decrypting data so that it can be decoded only by specific individuals.

dashboard
A central location where general users can access and manage the features and settings in Security Manager for HP ProtectTools.

decryption
A procedure used in cryptography to convert encrypted data into plain text.

device access control policy
The list of devices for which a user is allowed or denied access.

device class
All devices of a particular type, such as drives.

free space bleaching
The secure writing of random data over deleted assets to distort the contents of the deleted asset.

group
A group of users that have the same level of access or denial to a device class or a specific device.

HP SpareKey Recovery
The ability to access your computer by answering security questions correctly.

ID card
A Windows desktop gadget that serves to visually identify your desktop with your user name and chosen picture.

A process that copies program information from a previously saved backup file into this program.

revocation password
A password that is created when a user requests a digital certificate. The password is required when the user wants to revoke his or her digital certificate. This ensures that only the user may revoke the certificate.

SATA device mode
A data transfer mode between a computer and mass storage devices, such as hard drives and optical drives.

Trusted Contact invitation
An email that is sent to a person, asking them to become a Trusted Contact.

Trusted Contact recipient
A person who receives an invitation to become a Trusted Contact.

Trusted Contacts list
A listing of Trusted Contacts.

trusted message
A communication session during which trusted messages are sent from a trusted sender to a Trusted Contact.

Trusted Platform Module (TPM) embedded security chip
The generic term for the HP ProtectTools Embedded Security Chip.