HP ProtectTools User Guide
© Copyright 2009 Hewlett-Packard Development Company, L.P. Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Java is a US trademark of Sun Microsystems, Inc. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. SD Logo is a trademark of its proprietor. The information contained herein is subject to change without notice.
1 Introduction to security HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Administration of HP ProtectTools Security Manager is provided through the Administrative Console feature.
HP ProtectTools features
The following table details the key features of HP ProtectTools modules.
Module: Credential Manager for HP ProtectTools
Key features:
● Password Manager acts as a personal password vault, streamlining the logon process with the Single Sign On feature, which automatically remembers and applies user credentials.
Achieving key security objectives The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives: ● Protecting against targeted theft ● Restricting access to sensitive data ● Preventing unauthorized access from internal or external locations ● Creating strong password policies ● Addressing regulatory security mandates Protecting against targeted theft An example of targeted theft would be the theft of a computer
● Device Access Manager for HP ProtectTools allows IT managers to restrict access to writeable devices so sensitive information cannot be copied from the hard drive. ● DriveLock helps ensure that data cannot be accessed even if the hard drive is removed and installed into an unsecured system.
Additional security elements Assigning security roles In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users. NOTE: In a small organization or for individual use, these roles may all be held by the same person.
HP ProtectTools password | Set in this HP ProtectTools module | Function
Computer Setup utility and to the computer contents. Authenticates users of Drive Encryption, if the Java Card token is selected.
Windows Logon password | Windows® Control Panel | Can be used for manual logon or saved on the Java Card.
Creating a secure password When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised: ● Use passwords with more than 6 characters, preferably more than 8. ● Mix the case of letters throughout your password. ● Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
2 Getting started NOTE: Administration of HP ProtectTools requires administrative privileges. The HP ProtectTools Setup Wizard guides you through setting up the most commonly used features of Security Manager. However, there is a wealth of additional functionality available through the HP ProtectTools Administrative Console. The same settings found in the wizard, as well as additional security features, can be configured through the console, which is accessed from the Windows® Start menu.
Opening HP ProtectTools Administrative Console For administrative tasks, such as setting system policies or configuring software, open the console as follows: ▲ Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console. – or – In the left panel of Security Manager, click Administration.
Enabling security features The Setup Wizard will ask you to verify your identity. 1. Read the “Welcome” screen, and then click Next. 2. Verify your identity, either by typing your Windows password if you do not have any enrolled fingerprints yet, or by scanning your fingerprint with the fingerprint reader. Click Next. If your Windows password is blank, you will be asked to create one.
Enrolling your fingerprints If you have selected "Fingerprint" and if your computer has a fingerprint reader built in or connected, you will be guided through the process of setting up or "enrolling" your fingerprints: 1. An outline of two hands is displayed. Fingers that are already enrolled are highlighted in green. Click a finger on the outline. NOTE: To delete a previously enrolled fingerprint, click the corresponding finger. 2.
Setting up a smart card
If you have selected "Smart card" and if a smart card reader is built in or connected to your computer, the HP ProtectTools Setup Wizard will prompt you to set up a smart card PIN (personal identification number).
To set up a smart card PIN:
1. On the “Set up smart card” page, enter and confirm a PIN. You can also change your PIN. Provide your old PIN and then choose a new one.
2. To continue, click Next.
Using Administrative Console
HP ProtectTools Administrative Console is the central location for administering HP ProtectTools Security Manager features and applications. The console is composed of the following components:
● Tools—Displays the following categories for configuring security on your computer:
◦ Home—Allows you to select the security tasks to perform.
◦ System—Allows you to configure security features and authentication for users and devices.
3 Configuring your system
The System group is accessed from the Tools menu panel on the left side of the HP ProtectTools Administrative Console screen. You can use the applications in this group to manage the policies and settings for the computer, its users, and its devices. The following applications are included in the System group:
● Security—Manage features, authentication, and settings governing how users interact with this computer.
Setting up authentication for your computer Within the Authentication application, you can select which security features should be implemented on this computer, set policies governing access to the computer, and configure additional advanced settings. You can specify the credentials required to authenticate each class of user when logging into Windows or logging into Web sites and programs during a user session. To set up authentication on your computer: 1.
Settings
You can allow one or more of the following security settings:
● Allow One Step logon—Allows users of this computer to skip Windows logon if authentication was performed at the BIOS or encrypted disk level.
● Allow HP SpareKey authentication for Windows logon—Allows users of this computer to use the HP SpareKey feature to log on to Windows despite any other authentication policy required by Security Manager.
To edit the settings:
1. Click to enable or disable a specific setting.
2.
Managing users Within the Users application, you can monitor and manage this computer's HP ProtectTools users. All HP ProtectTools users are listed and verified against the policies set through Security Manager and whether or not they have registered the appropriate credentials enabling them to meet those policies. To add additional users, click Add. To delete a user, click the user, and then click Delete.
Specifying device settings Within the Device application, you can specify settings available for any built-in or attached security devices recognized by HP ProtectTools Security Manager. Fingerprints The Fingerprints page has three tabs: Enrollment, Sensitivity, and Advanced. Enrollment You can choose the minimum and maximum number of fingerprints that a user is allowed to enroll. You can also clear all of the data from the fingerprint reader.
4 Configuring your applications The Applications group is accessed from the Security Applications menu panel on the left side of HP ProtectTools Administrative Console. You can use Settings to customize the behavior of currently installed HP ProtectTools Security Manager applications. To edit your application settings: 1. In the Tools menu, from the Applications group, click Settings. 2. Click to enable or disable a specific setting. 3. Click Apply to save the changes that you have made.
General tab
The following settings are available on the General tab:
▲ Do not automatically launch the Setup Wizard for administrators—Select this option to prevent the wizard from automatically opening upon logon.
▲ Do not automatically launch the Getting Started wizard for users—Select this option to prevent user setup from automatically opening upon logon.
Applications tab The settings displayed here can change when new applications are added to Security Manager. The minimal settings shown by default are as follows: ● Security Manager—Enables the Security Manager application for all users of the computer. ● Enable the Discover more button—Allows all users of this computer to add applications to HP ProtectTools Security Manager by clicking the [+] Discover more button. To return all applications to their factory settings, click the Restore Defaults button.
5 Adding management tools Additional applications may be available for adding new management tools to Security Manager. The administrator of this computer may disable this feature through the Settings application. To add additional management tools, click [+] Management tools. You can access the DigitalPersona Web site to check for new applications, or you can set up a schedule for automatic updates.
6 HP ProtectTools Security Manager HP ProtectTools Security Manager allows you to significantly increase the security of your computer.
Setup procedures Getting started The HP ProtectTools Setup Wizard is displayed automatically as the default page in HP ProtectTools Security Manager until setup has been completed. To set up Security Manager, follow these steps: NOTE: If neither a fingerprint reader nor a smart card is available, perform only steps 1, 5, and 6. 1. On the “Welcome” page, click Next. 2. The following page lists the authentication methods that are available on this computer. Click Next to continue. 3.
5. You must enroll at least two fingers; index or middle fingers are preferable. Repeat steps 3 and 4 for another finger. 6. Click Next. NOTE: When enrolling fingerprints through the Getting Started process, fingerprint information is not saved until you click Next. If you leave the computer inactive for a while, or close the dashboard, the changes you made are not saved.
● Administration—Opens the HP ProtectTools Administrative Console. ● Help button—Displays information about the current screen. ● Advanced—Allows you to access the following options: ◦ Preferences—Allows you to personalize Security Manager settings. ◦ Backup and Restore—Allows you to back up or restore data. ◦ About—Displays version information about Security Manager.
General tasks The applications included in this group assist you in managing various aspects of your digital identity. ● Security Manager—Creates and manages Quick Links, which allow you to launch and log on to Web sites and programs by authenticating with your Windows password, your fingerprint, or a smart card. ● Credentials—Provides a means to easily change your Windows password, enroll your fingerprints, or set up a smart card.
● Add a New Account—Allows you to add an account to a logon. ● Open Password Manager—Launches the Password Manager application. ● Help—Displays Password Manager software help. NOTE: The administrator of this computer may have set up Security Manager to require more than one credential when verifying your identity. Adding logons You can easily add a logon for a Web site or a program by entering the logon information once. From then on, Password Manager automatically enters the information for you.
Editing logons To edit a logon, follow these steps: 1. Open the logon screen for a Web site or program. 2. To display a dialog box where you can edit your logon information, click the arrow on the Password Manager icon, and then click Edit logon. Logon fields on the screen, and their corresponding fields on the dialog box, are identified with a bold orange border. You can also display this dialog box by clicking Edit for the desired logon on the Password Manager Manage tab. 3. 4.
To add a logon to a category: 1. Place your mouse pointer over the desired logon. 2. Press and hold the left mouse button. 3. Drag the logon into the list of categories. Categories will be highlighted as you move your mouse over them. 4. Release the mouse button when the desired category is highlighted. Your logons are not moved to the category, but only copied to the selected category. You can add the same logon to more than one category, and you can display all of your logons by clicking All.
Click the icon arrow, and then click Icon Settings to customize how Password Manager handles possible logon sites. ● Prompt to add logons for logon screens—Click this option to have Password Manager prompt you to add a logon when a logon screen displays that does not already have a logon set up. ● Exclude this screen—Select the checkbox so that Password Manager will not prompt you again to add a logon for this logon screen.
Your personal ID card Your ID card uniquely identifies you as the owner of this Windows account, showing your name and a picture of your choice. It is prominently displayed in the upper-left corner of Security Manager pages, and as a Windows Sidebar gadget. Clicking your ID Card in the Windows Sidebar is one of the many ways to get quick access to Security Manager. You can change the picture and the way that your name is displayed.
Fingerprint Scan Feedback—Displays only when a fingerprint reader is available. Use this setting to adjust the feedback that occurs when you scan your fingerprint. ● Enable sound feedback—Security Manager gives you audio feedback when a fingerprint has been scanned, playing different sounds for specific program events. You may assign new sounds to these events through the Sounds tab in the Windows Control Panel, or disable sound feedback by clearing this option.
Adding applications Additional applications that provide new features for this program may be available. From the Security Manager dashboard, click [+] Discover more to browse additional applications. NOTE: If there is no [+] Discover more link in the lower-left portion of the dashboard, it has been disabled by the administrator of this computer. Security Applications Status The Security Manager Applications Status page displays the overall status of your installed security applications.
7 Drive Encryption for HP ProtectTools (select models only) CAUTION: If you decide to uninstall the Drive Encryption module, you must first decrypt all encrypted drives. If you do not, you will not be able to access the data on encrypted drives unless you have registered with the Drive Encryption recovery service. Reinstalling the Drive Encryption module will not enable you to access the encrypted drives.
Setup procedures
Opening Drive Encryption
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
2. In the left pane, click Drive Encryption.
General tasks Activating Drive Encryption Use the HP ProtectTools Setup Wizard to activate Drive Encryption. NOTE: This wizard is also used to add and remove users. – or – 1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console. 2. In the left pane, click Security, and then click Features. 3. Select the Drive Encryption check box, and then click Next. 4. Under Drives to be encrypted, select the check box for the hard drive that you want to encrypt. 5.
NOTE: If the Windows administrator has enabled Pre-boot Security in the HP ProtectTools Security Manager, you will log in to the computer immediately after the computer is turned on, rather than at the Drive Encryption login screen. 1. Click your user name, and then type your Windows password or Java™ Card PIN, or swipe a registered finger. 2. Click OK.
Advanced tasks
Managing Drive Encryption (administrator task)
The “Encryption Management” page allows administrators to view and change the status of Drive Encryption (active or inactive) and to view the encryption status of all of the hard drives on the computer.
● If the status is Inactive, Drive Encryption has not yet been activated in HP ProtectTools Security Manager by the Windows administrator and is not protecting the hard drive.
CAUTION: Be sure to keep the storage device containing the backup key in a safe place, because if you forget your password or lose your Java Card, this device provides your only access to your hard drive. 1. Open HP ProtectTools Administrative Console, click Drive Encryption, and then click Recovery. 2. Click Backup Keys. 3. On the “Select Backup Disk” page, select the check box for the device where you want to back up your encryption key, and then click Next. 4.
8 Privacy Manager for HP ProtectTools (select models only) Privacy Manager for HP ProtectTools enables you to use advanced security login (authentication) methods to verify the source, integrity, and security of communication when using e-mail, Microsoft® Office documents, or instant messaging (IM).
Setup procedures Opening Privacy Manager To open Privacy Manager: 1. Click Start, click All Programs, click HP, and then click HP ProtectTools Security Manager. 2. Click Privacy Manager. – or – Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click Privacy Manager, and then click Configuration. – or – On the toolbar of a Microsoft Outlook e-mail message, click the down arrow next to Send Securely, and then click Certificates or Trusted Contacts.
Requesting a Privacy Manager Certificate 1. Open Privacy Manager, and click Certificates. 2. Click Request a Privacy Manager certificate. 3. On the “Welcome” page, read the text, and then click Next. 4. On the “License Agreement” page, read the license agreement. 5. Be sure that the check box next to Check here to accept the terms of this license agreement is selected, and then click Next. 6. On the “Your Certificate Details” page, enter the required information, and then click Next. 7.
If you click Cancel, refer to Adding a Trusted Contact on page 46 for information on adding a Trusted Contact at a later time.
Viewing Privacy Manager Certificate details
1. Open Privacy Manager, and click Certificates.
2. Click a Privacy Manager Certificate.
3. Click Certificate details.
4. When you have finished viewing the details, click OK.
Renewing a Privacy Manager Certificate
When your Privacy Manager Certificate nears expiration, you will be notified that you need to renew it:
1.
3. Click Delete. 4. When the confirmation dialog box opens, click Yes. 5. Click Close, and then click Apply. Restoring a Privacy Manager Certificate During installation of your Privacy Manager certificate, you are required to create a backup copy of the certificate. You may also create a backup copy from the Migration page. This backup copy can be used when migrating to another computer or to restore a certificate to the same computer. 1. Open Privacy Manager, and click Migration. 2. Click Restore.
Trusted Contacts Manager allows you to perform the following tasks: ● View Trusted Contact details ● Delete Trusted Contacts ● Check revocation status for Trusted Contacts (advanced) Adding Trusted Contacts Adding Trusted Contacts is a 3-step process: 1. You send an e-mail invitation to a Trusted Contact recipient. 2. The Trusted Contact recipient responds to the e-mail. 3. You receive the e-mail response from the Trusted Contact recipient, and click Accept.
8. When you receive an e-mail response from a recipient accepting the invitation to become a Trusted Contact, click Accept in the lower-right corner of the e-mail. A dialog box opens, confirming that the recipient has been successfully added to your Trusted Contacts list. 9. Click OK. Adding Trusted Contacts using Microsoft Outlook contacts 1. Open Privacy Manager, click Trusted Contacts Manager, and then click Invite Contacts.
Deleting a Trusted Contact 1. Open Privacy Manager, and click Trusted Contacts. 2. Click the Trusted Contact you want to delete. 3. Click Delete contact. 4. When the confirmation dialog box opens, click Yes. Checking revocation status for a Trusted Contact To see if a Trusted Contact has revoked their Privacy Manager Certificate: 1. Open Privacy Manager, and click Trusted Contacts. 2. Click a Trusted Contact. 3. Click the Advanced button.
General tasks
You can use Privacy Manager with the following Microsoft products:
● Microsoft Outlook
● Microsoft Office
● Windows Live Messenger
Using Privacy Manager in Microsoft Outlook
When Privacy Manager is installed, a Privacy button is displayed on the Microsoft Outlook toolbar, and a Send Securely button is displayed on the toolbar of each Microsoft Outlook e-mail message.
3. Click the down arrow next to Send Securely (Privacy in Outlook 2003), and then click Sign and Send. 4. Authenticate using your chosen security login method. Sealing and sending an e-mail message Sealed e-mail messages that are digitally signed and sealed (encrypted) can only be viewed by people you choose from your Trusted Contacts list. To seal and send an e-mail message to a Trusted Contact: 1. In Microsoft Outlook, click New or Reply. 2. Type your e-mail message. 3.
Configuring Privacy Manager for Microsoft Office 1. Open Privacy Manager, click Settings, and then click the Documents tab. – or – On the toolbar of a Microsoft Office document, click the down arrow next to Sign and Encrypt, and then click Settings. 2. Select the actions you want to configure, and then click OK. Signing a Microsoft Office document 1. In Microsoft Word, Microsoft Excel, or Microsoft PowerPoint, create and save a document. 2.
To add a suggested signer to a Microsoft Word or Microsoft Excel document: 1. In Microsoft Word or Microsoft Excel, create and save a document. 2. Click the Insert menu. 3. In the Text group on the toolbar, click the arrow next to Signature Line, and then click Privacy Manager Signature Provider. The Signature Setup dialog box opens. 4. In the box under Suggested signer, enter the name of the suggested signer. 5.
NOTE: To select multiple Trusted Contact names, hold down the ctrl key and click the individual names. 5. Click OK. If you later decide to edit the document, follow the steps in Removing encryption from a Microsoft Office document on page 53. When the encryption is removed, you can edit the document. Follow the steps in this section to encrypt the document again.
Viewing an encrypted Microsoft Office document To view an encrypted Microsoft Office document from another computer, Privacy Manager must be installed on that computer. In addition, you must restore the Privacy Manager Certificate that was used to encrypt the file. A Trusted Contact wanting to view an encrypted Microsoft Office document must have a Privacy Manager Certificate, and Privacy Manager must be installed on his or her computer.
– or – a. Right-click the ProtectTools icon in the notification area, click Privacy Manager for HP ProtectTools, and then select Start Chat. b. In Live Messenger, click Actions: Start an Activity, and then select Privacy Manager Chat. NOTE: Each user must be online in Live Messenger, and the users must be displayed in each other's Live Messenger online window. Click to select an online user. Privacy Manager sends an invitation to the contact to start Privacy Manager Chat.
● Send—Click this button to send an encrypted message to your contact. ● Send signed—Select this check box to electronically sign and encrypt your messages. Then, if the message is tampered with, it will be marked as invalid when the recipient receives it. You must authenticate each time you send a signed message. ● Send hidden—Select this check box to encrypt and send a message showing only the message heading. Your contact must authenticate to read the content of the message.
Reveal sessions for a specific account Revealing a session displays the decrypted Contact Screen Name for the currently selected session. To reveal a specific chat history session: 1. In the Live Messenger History Viewer, right-click any session, and then select Reveal Session. 2. Authenticate using your chosen security login method. The Contact Screen Name is decrypted. 3. Double-click the revealed session to view its content.
Add or remove columns By default, the 3 most used columns are displayed in the Live Messenger History Viewer. You can add additional columns to the display, or you can remove columns from the display. To add columns to the display: 1. Right-click on any column heading, and then select Add/Remove Columns. 2. Select a column heading in the left panel, and then click Add to move it to the right panel. To remove columns from the display: 1.
Advanced tasks Migrating Privacy Manager Certificates and Trusted Contacts to a different computer You can securely migrate your Privacy Manager Certificates and Trusted Contacts to another computer, or back up your data for safekeeping. To do this, back up the data as a password-protected file to a network location or any removable storage device, and then restore the file to the new computer.
Central administration of Privacy Manager
Your installation of Privacy Manager may be part of a centralized installation that has been customized by your administrator. One or more of the following features may be either enabled or disabled:
● Certificate use policy—You may be restricted to the use of Privacy Manager certificates issued by Comodo, or you may be allowed to use digital certificates issued by other certificate authorities.
9 File Sanitizer for HP ProtectTools File Sanitizer is a tool that allows you to securely shred assets (personal information or files, historical or Web-related data, or other data components) on your computer and to periodically bleach your hard drive. NOTE: This version of File Sanitizer supports the system hard drive only.
Shredding Shredding is different than a standard Windows® delete (also known as a simple delete in File Sanitizer) in that when you shred an asset using File Sanitizer, an algorithm that obscures the data is invoked, which makes it virtually impossible to retrieve the original asset. A Windows simple delete may leave the file (or asset) intact on the hard drive or in a state where forensic methods could be used to recover the file (or asset).
Free space bleaching Deleting an asset in Windows does not completely remove the contents of the asset from your hard drive. Windows only deletes the reference to the asset. The content of the asset still remains on the hard drive until another asset overwrites that same area on the hard drive with new information. Free space bleaching allows you to securely write random data over deleted assets, preventing users from viewing the original contents of the deleted asset.
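The difference between a simple delete, a shred, and free space bleaching can be shown on a toy disk model. This is an added example, not code from HP ProtectTools or File Sanitizer; the `ToyDisk` class, its block size, and the sample strings are constructed for illustration, and the model ignores real file-system details such as journaling.

```python
import secrets

BLOCK = 32  # bytes per block in this constructed model


class ToyDisk:
    """Constructed model: raw blocks plus a table of file references."""

    def __init__(self, nblocks=16):
        self.raw = bytearray(nblocks * BLOCK)
        self.table = {}                      # name -> (block list, length)
        self.free = list(range(nblocks))     # unallocated block numbers

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            self.raw[b * BLOCK:(b + 1) * BLOCK] = chunk
            blocks.append(b)
        self.table[name] = (blocks, len(data))

    def read_file(self, name):
        blocks, length = self.table[name]
        data = b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return data[:length]

    def _overwrite(self, blocks):
        for b in blocks:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = secrets.token_bytes(BLOCK)

    def simple_delete(self, name):
        # Only the reference is removed; the blocks keep their old content.
        blocks, _ = self.table.pop(name)
        self.free.extend(blocks)

    def shred(self, name):
        # Overwrite the asset's blocks with random data, then drop the reference.
        blocks, _ = self.table.pop(name)
        self._overwrite(blocks)
        self.free.extend(blocks)

    def bleach_free_space(self):
        # Overwrite every unallocated block; allocated files are untouched.
        self._overwrite(self.free)

    def carve(self, needle):
        """What a scan of the raw disk (ignoring the file table) would find."""
        return needle in bytes(self.raw)


def demo():
    keep = b"constructed sample: keep me"
    secret = b"constructed sample: payroll sheet, not real data"
    results = {}

    disk = ToyDisk()
    disk.write_file("keep.txt", keep)
    disk.write_file("secret.txt", secret)
    disk.simple_delete("secret.txt")
    results["after_simple_delete"] = disk.carve(secret)   # content still on disk
    disk.bleach_free_space()
    results["after_bleach"] = disk.carve(secret)           # overwritten
    results["kept_file_intact"] = disk.read_file("keep.txt") == keep

    disk2 = ToyDisk()
    disk2.write_file("secret.txt", secret)
    disk2.shred("secret.txt")
    results["after_shred"] = disk2.carve(secret)           # overwritten at delete time
    return results


if __name__ == "__main__":
    for step, found in demo().items():
        print(f"{step}: {found}")
```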
Setup procedures Opening File Sanitizer To open File Sanitizer: 1. Click Start, click All Programs, click HP, and then click HP ProtectTools Security Manager. 2. Click File Sanitizer. – or – ▲ Double-click the File Sanitizer icon located on your desktop. – or – ▲ Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Open File Sanitizer.
To set a free space bleaching schedule: 1. Open File Sanitizer, and click Free Space Bleaching. 2. Select the Activate Scheduler check box, enter your Windows password, and then enter a day and time to bleach your hard drive. 3. Click Apply, and then click OK. NOTE: The free space bleaching operation can take a long time. Even though free space bleaching is performed in the background, your computer may run slower due to increased processor usage.
NOTE: To remove an asset from the available shred options, click the asset, and then click Delete.
4. Under Shred the following, select the check box next to each asset that you want to confirm before shredding.
NOTE: To remove an asset from the shred list, click the asset, and then click Remove.
5. To protect files or folders from automatic shredding, under Do not shred the following, click Add and then browse or type the path to the file name or folder. Click Open, and then click OK.
General tasks You can use File Sanitizer to perform the following tasks: ● Use a key sequence to initiate shredding—This feature allows you to create a key sequence (for example, ctrl+alt+s) to initiate shredding. For details, refer to Using a key sequence to initiate shredding on page 67. ● Use the File Sanitizer icon to initiate shredding—This feature is similar to the drag-and-drop feature in Windows. For details, refer to Using the File Sanitizer icon on page 68.
Using the File Sanitizer icon CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding. 1. Navigate to the document or folder you want to shred. 2. Drag the asset to the File Sanitizer icon on the desktop. 3. When the confirmation dialog box opens, click Yes. Manually shredding one asset CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding. 1.
– or –
1. Open File Sanitizer, and click Shred.
2. Click the Shred now button.
3. When the confirmation dialog box opens, click Yes.

Manually activating free space bleaching

1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Bleach Now.
2. When the confirmation dialog box opens, click Yes.
– or –
1. Open File Sanitizer, and click Free Space Bleaching.
2. Click Bleach Now.
3.
10 Device Access Manager for HP ProtectTools (select models only)

Windows® operating system administrators use Device Access Manager for HP ProtectTools to control access to the devices on a system and to protect against unauthorized access:
● Device profiles are created for each user to define the devices that they are allowed or denied permission to access.
Setup Procedures

Opening Device Access Manager

To open Device Access Manager, follow these steps:
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
2. In the left pane, click Device Access Manager.

Configuring device access

Device Access Manager for HP ProtectTools offers three views:
● The Simple Configuration view is used to allow or deny access to classes of devices for members of the Device Administrators group.
NOTE: In order to use this view to read device access information, the user or group must be granted "read" access in the User Access Settings view. In order to use this view to modify device access information, the user or group must be granted "change" access in the User Access Settings view. ● All removable media (diskettes, USB flash drives, etc.
Stopping the Device Locking/Auditing service does not stop the device locking. Two components enforce device locking:
● Device Locking/Auditing service
● DAMDrv.sys driver
Starting the service starts the device driver, but stopping the service does not stop the driver.
To determine whether the background service is running, open a command prompt window, and then type sc query flcdlock.
To determine whether the device driver is running, open a command prompt window, and then type sc query damdrv.
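The two checks above can be combined into one audit finding, so that a stopped service is not mistaken for disabled device locking. The following is an added example, not part of the original guide or HP's software: the function names are hypothetical, the sample outputs are constructed, and it assumes the usual English-language layout of sc query output.

```python
import re
import subprocess

# Names taken from the guide: the background service and the device driver.
SERVICE, DRIVER = "flcdlock", "damdrv"

# Constructed sample output in the usual `sc query` layout (not captured from a real system).
SAMPLE_SERVICE_STOPPED = """\
SERVICE_NAME: flcdlock
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_DRIVER_RUNNING = """\
SERVICE_NAME: damdrv
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_MISSING = ("[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
                  "The specified service does not exist as an installed service.\n")


def parse_state(sc_output):
    """Return the STATE word from `sc query` output, or NOT_INSTALLED / UNKNOWN."""
    if "FAILED 1060" in sc_output:
        return "NOT_INSTALLED"
    m = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", sc_output, re.MULTILINE)
    return m.group(1) if m else "UNKNOWN"


def assess(service_output, driver_output):
    """Combine both component states into one finding for an audit report."""
    svc, drv = parse_state(service_output), parse_state(driver_output)
    if drv == "RUNNING" and svc != "RUNNING":
        # The case the guide warns about: stopping the service leaves the driver loaded.
        note = "driver still loaded although service is not running"
    elif drv == "RUNNING":
        note = "service and driver both running"
    else:
        note = "driver not running; check the service"
    return {"service": svc, "driver": drv, "note": note}


def query_live(name):
    """Run `sc query <name>` on a Windows host and return its text output."""
    return subprocess.run(["sc", "query", name], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(assess(SAMPLE_SERVICE_STOPPED, SAMPLE_DRIVER_RUNNING))
```

On a Windows host, pass query_live(SERVICE) and query_live(DRIVER) to assess() in place of the samples.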
The same user, the same group, or a member of the same group can be denied write access or read+write access only for the same device or a device below this device in the device hierarchy.

Example 3—If a user or group is allowed read access for a device or class of devices: The same user, the same group, or a member of the same group can be denied read access or read+write access only for the same device or a device below this device in the device hierarchy.
Allowing access for a user or a group

To grant permission for a user or a group to access a device or a class of devices, follow these steps:
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click Device Class Configuration.
2. In the device list, click one of the following:
● Device class
● All devices
● Individual device
3. Click Add. The Select Users or Groups dialog box opens.
4.
Allowing access to a class of devices for one user of a group

To allow a user to access a class of devices while denying access to all other members of that user's group, follow these steps:
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click Device Class Configuration.
2. In the device list, click the device class that you want to configure.
● Device class
● All devices
● Individual device
3.
To reset the configuration settings to the factory values, follow these steps:
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click Device Class Configuration.
2. Click the Reset button.
3. Click Yes to confirm.
4. Click the Save icon.
Advanced tasks

Controlling access to the configuration settings

In the User Access Settings view, administrators specify the groups or users who are allowed to use the Simple Configuration and the Device Class Configuration pages.
NOTE: A user or group must have "Full User Administrator rights" in order to modify the settings in the User Access Settings view.
Denying access to an existing group or user

To deny permission for an existing group or user to view or change the configuration settings, follow these steps:
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click User Access Settings.
2. Click a group or user to be denied access.
3. Under Permissions, click Deny for each type of permission to be denied for the selected group or user:
4.
11 LoJack Pro for HP ProtectTools

Computrace LoJack Pro, powered by Absolute Software (purchased separately), addresses the growing problem of computers that are lost or stolen. Activating this software enables the Computrace agent, which remains active in your computer even if the hard drive is reformatted or replaced. LoJack Pro permits remote monitoring, management, and tracking of your computer. If your computer should be lost or stolen, Absolute’s Recovery Team will assist in its recovery.
12 Troubleshooting HP ProtectTools Security Manager Short description Details Solution Smart cards and USB tokens are not available in Security Manager if installed after the Security Manager installation. In order to use smart cards or USB tokens in Security Manager, the supporting software (drivers, PKCS#11 providers, etc.) must be installed prior to Security Manager installation. Log on to Password Manager.
Short description Details Solution Password Manager does not recognize the Connect button on screen. If the Single Sign On credentials for Remote Desktop Connection (RDP) are set to Connect, when Single Sign On is relaunched, it always enters Save As instead of Connect. HP is researching a workaround for future product enhancements. The user is unable to log on to Password Manager after transitioning from sleep mode to hibernation on Windows XP Service Pack 1 only.
Device Access Manager for HP ProtectTools

Users have been denied access to devices within Device Access Manager, but the devices are still accessible.
● Explanation—Simple Configuration and/or Device Class Configuration have been used within Device Access Manager to deny users access to devices. Despite being denied access, users can still access the devices.
● Solution:
◦ Verify that the HP ProtectTools Device Locking service has started.
◦ One workaround is to deny the Users group at the DVD/CD-ROM Drives level and to allow the Administrators group at the level below DVD/CD-ROM Drives.
◦ An alternate workaround is to create specific Windows groups, one for allowing access to DVD/CD and one for denying access to DVD/CD. Specific users would then be added to the appropriate group.

The Simple Configuration view has been used to define a device access control policy, but administrative users cannot access devices.
Miscellaneous Software Impacted— Short description Details Solution Security Manager— Warning received: The security application can not be installed until the HP Protect Tools Security Manager is installed. All security applications such as Java Card Security and biometrics are extendable plug-ins for the Security Manager interface. Security Manager must be installed before an HP-approved security plug-in can be loaded.
Glossary

activation
The task that must be completed before any of the Drive Encryption features are accessible. Drive Encryption is activated using the HP ProtectTools Setup Wizard. Only an administrator can activate Drive Encryption. The activation process consists of activating the software, encrypting the drive, creating a user account, and creating the initial backup encryption key on a removable storage device.

administrator
See Windows administrator.
decryption
Procedure used in cryptography to convert encrypted data into plain text.

device access control policy
The list of devices for which a user is allowed or denied access.

device class
All devices of a particular type, such as drives.

digital certificate
Electronic credentials that confirm the identity of an individual or a company by binding the identity of the digital certificate owner to a pair of electronic keys that are used to sign digital information.
Live Messenger History Viewer
A Privacy Manager Chat component that allows you to search for and view encrypted chat history sessions.

logon
An object within Security Manager that consists of a user name and password (and possibly other selected information) that can be used to log on to Web sites or other programs.

manual shred
Immediate shredding of an asset or selected assets, which bypasses the automatic shred schedule.
simple delete
Deletion of the Windows reference to an asset. The asset content remains on the hard drive until obscuring data is written over it by free space bleaching.

Single Sign On
Feature that stores authentication information and allows you to use the Security Manager to access Internet and Windows applications that require password authentication.

smart card
Small piece of hardware, similar in size and shape to a credit card, which stores identifying information about the owner.