HP Client Security Getting Started
© Copyright 2013 Hewlett-Packard Development Company, L.P. Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Intel is a trademark of Intel Corporation in the U.S. and other countries and is used under license. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. The information contained herein is subject to change without notice.
Table of contents
1 Introduction to HP Client Security Manager
  HP Client Security features
  HP Client Security product description and common use examples
  Password Manager
  Bluetooth Devices
  Bluetooth Devices Settings
  Cards
  Proximity, Contactless, and Smart Card Settings
  PIN
  Backing up encryption keys
  Recovering access to an activated computer using backup keys
  Performing an HP SpareKey Recovery
6 HP File Sanitizer (select models only)
  Shredding
  Deleting a trust circle
  Setting preferences
9 Theft recovery (select models only)
10 Localized password exceptions
1 Introduction to HP Client Security Manager

HP Client Security allows you to protect your data, device, and identity, thereby increasing the security of your computer. The software modules available for your computer may vary depending on your model. HP Client Security software modules may be preinstalled, preloaded, or available for download from the HP website. For more information, go to http://www.hp.com.
Modules: Password Manager, HP Drive Encryption (select models only), HP Device Access Manager, HP Trust Circles, Theft Recovery (Computrace, purchased separately)

Module: Password Manager
Key features: General users can perform the following functions:
● Organize and set up user names and passwords.
● Create stronger passwords for enhanced account security for email and Web accounts.
Password Manager fills in and submits the information automatically.
Password Manager

Password Manager stores user names and passwords, and can be used to:
● Save login names and passwords for Internet access or email.
● Automatically log the user in to a website or email.
● Manage and organize authentications.
● Select a Web or network asset and directly access the link.
● View names and passwords when necessary.
● Mark an account as compromised, so that you will be alerted for other account(s) with similar credentials.
could be copied. It can also restrict access to CD/DVD drives, control of USB devices, network connections, and so on. An example would be a situation where outside vendors need access to company computers but should not be able to copy the data to a USB drive.

Example 1: A manager of a medical supply company often works with personal medical records along with his company information.
Protecting against targeted theft

An example of targeted theft would be the theft of a computer containing confidential data and customer information at an airport security checkpoint. The following features help protect against targeted theft:
● The pre-boot authentication feature, if enabled, helps prevent access to the operating system.
  ◦ HP Client Security—See HP Client Security on page 12.
  ◦ HP Drive Encryption—See HP Drive Encryption (select models only) on page 28.
NOTE: In a small organization or for individual use, these roles may all be held by the same person.

For HP Client Security, the security duties and privileges can be divided into the following roles:
● Security officer—Defines the security level for the company or network and determines the security features to deploy, such as Drive Encryption.
  NOTE: Many of the features in HP Client Security can be customized by the security officer in cooperation with HP. For more information, go to http://www.hp.com.
● Substitute special characters or numbers for letters in a key word. For example, you can use the number 1 for letters I or L.
● Combine words from 2 or more languages.
● Split a word or phrase with numbers or special characters in the middle, for example, “Mary2-2Cat45.”
● Do not use a password that would appear in a dictionary.
● Do not use your name for the password, or any other personal information, such as your birth date, pet names, or mother's maiden name, even if you spell it backwards.
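A check that applies the two "do not" guidelines above, as an added example that is not part of HP Client Security or the original guide: it rejects dictionary words even when digits or symbols stand in for letters, and personal information even when it is spelled backwards. The word list, personal details, substitution table, and function names are constructed for illustration.

```python
import itertools
import re

# Constructed sample data: a real deployment would load a full word list
# and the enrolling user's own details.
SAMPLE_WORDLIST = {"password", "welcome", "dragon", "sunshine", "letmein"}
SAMPLE_PERSONAL = ["Jordan", "Smith", "Rex", "12031984"]  # name, pet, birth date

# Common character-for-letter swaps (assumed table). "1" is ambiguous
# (I or L, as in the guideline above), so both readings are tried.
SUBSTITUTIONS = {"1": "il", "0": "o", "3": "e", "4": "a", "5": "s",
                 "7": "t", "@": "a", "$": "s", "!": "i"}


def readings(password, limit=64):
    """Return the lowercased password plus versions with swaps undone."""
    lowered = password.lower()
    choices = [SUBSTITUTIONS.get(ch, ch) for ch in lowered]
    undone = ("".join(combo) for combo in itertools.product(*choices))
    # islice caps the work when a password contains many ambiguous characters.
    return {lowered, *itertools.islice(undone, limit)}


def check_password(password, personal=SAMPLE_PERSONAL, wordlist=SAMPLE_WORDLIST):
    """Return a list of (rule, matched item) findings; empty means no finding."""
    findings = []
    forms = readings(password)
    # Separators and digits are dropped so "pass-word" and "password123"
    # are still recognised as the dictionary word they are built on.
    letters_only = {re.sub(r"[^a-z]", "", form) for form in forms}
    alnum_only = {re.sub(r"[^a-z0-9]", "", form) for form in forms}

    for word in sorted(letters_only & set(wordlist)):
        findings.append(("dictionary", word))

    for item in personal:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) < 3:  # very short tokens match almost anything
            continue
        if any(token in form for form in alnum_only):
            findings.append(("personal", item))
        elif any(token[::-1] in form for form in alnum_only):
            findings.append(("personal-reversed", item))
    return findings


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "password123", "Sm1th#Rex",
                      "htimS!2024", "Mary2-2Cat45"]:
        print(candidate, check_password(candidate))
```

Substituting a digit for a letter does not by itself move a password out of the dictionary, which is why the check undoes the swaps before the lookup.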
2 Getting started

To configure HP Client Security for use with your credentials, launch HP Client Security in one of the following ways. Once the wizard has been completed by a user, it cannot be launched again by that user.
1. From the Start or Apps screen, click or tap the HP Client Security app (Windows 8).
   – or –
   From the Windows Desktop, click or tap the HP Client Security Gadget (Windows 7).
Opening HP Client Security

You can open the HP Client Security application in one of the following ways:
NOTE: HP Client Security Setup Wizard must be completed before the HP Client Security application can be launched.
▲ From the Start or Apps screen, click or tap the HP Client Security app.
  – or –
  From the Windows desktop, click or tap the HP Client Security Gadget (Windows 7).
3 Easy Setup Guide for Small Business

This chapter is designed to demonstrate the basic steps to activate the most common and useful options within HP Client Security for Small Business. Numerous tools and options in this software allow you to fine-tune your preferences and set your access control. The focus of this Easy Setup Guide is to get each module running with the least amount of setup effort and time.
To open Password Manager, press Ctrl+Windows key+h, and then click Log in to launch and authenticate the saved shortcut. Password Manager’s Edit option allows you to view and modify the name and login name, and even reveal the passwords. HP Client Security for Small Business allows all credentials and settings to be backed up and/or copied to another computer.
4 HP Client Security

The HP Client Security Home page is the central location for easy access to HP Client Security features, applications, and settings. The Home page is divided into three sections:
● DATA—Provides access to applications used for managing data security.
● DEVICE—Provides access to applications used for managing device security.
● IDENTITY—Provides enrollment and management of authentication credentials.
You can also enroll or delete your fingerprints on the Fingerprints page, which you can access by clicking or tapping the Fingerprints icon on the HP Client Security Home page.
1. On the Fingerprints page, swipe a finger until it is successfully enrolled. The number of fingers required to be enrolled is indicated on the page. Index or middle fingers are preferable.
2. To delete previously enrolled fingerprints, click or tap Delete.
3.
HP SpareKey—Password Recovery

The HP SpareKey allows you to gain access to your computer (on supported platforms) by answering three security questions. HP Client Security prompts you to set up your personal HP SpareKey during initial setup in the HP Client Security Setup Wizard.

To set up your HP SpareKey:
1. On the HP SpareKey page of the wizard, select three security questions, and then enter an answer for each question. You can select a question from a predefined list or write your own question.
2.
3. Type a new password in the New Windows password text box, and then type it again in the Confirm new password text box.
4. Click or tap Change to immediately change your current password to the new one that you entered.

Bluetooth Devices

If the administrator has enabled Bluetooth as an authentication credential, you can set up a Bluetooth phone in conjunction with other credentials for additional security.
NOTE: Only Bluetooth phone devices are supported.
1.
The following smart card formats are supported by HP Client Security:
● CSP
● PKCS11

The following types of contactless cards are supported by HP Client Security:
● Contactless HID iCLASS memory cards
● Contactless MiFare Classic 1k, 4k, and mini memory cards

The following proximity cards are supported by HP Client Security:
● HID Proximity Cards

To enroll a smart card:
1. Insert the card in an attached smart card reader.
2.
To initialize a smart card PIN:
1. Present the card to the reader.
2. Enter the card's assigned PIN, and then click or tap Continue.
3. Enter and confirm the new PIN, and then click or tap Continue.
4. Click or tap Yes to confirm the initialization.

To clear card data:
1. Present the card to the reader.
2. Enter the card's assigned PIN (for smart cards only), and then click or tap Continue.
3. Click or tap Yes to confirm the deletion.
To delete an RSA SecurID credential:
▲ Click Delete, and then select Yes in the popup dialog that asks “Are you sure you want to delete your RSA SecurID credential?”

Password Manager

Logging on to websites and applications is easier and more secure when you use Password Manager.
For Web pages or programs where a logon has already been created

The following options are displayed on the context menu:
● Fill in logon data—Displays a Verify your identity page. If successfully authenticated, your logon data is placed in the logon fields, and then the page is submitted (if submission was specified when the logon was created or last edited).
● Edit Logon—Allows you to edit your logon data for this website.
● Add Logon—Allows you to add an account to Password Manager.
Editing logons

To edit a logon:
1. Open the logon screen for a website or program.
2. To display a dialog box where you can edit your logon information, click or tap the Password Manager icon, and then click or tap Edit Logon. Logon fields on the screen, and the corresponding fields on the dialog box, are identified with a bold orange border.
Organizing logons into categories

Create one or more categories to keep your logons in order.

To assign a logon to a category:
1. From the HP Client Security Home page, click or tap Password Manager.
2. Click or tap an account entry, and then click or tap Edit.
3. In the Category field, enter a category name.
4. Click or tap Save.

To remove an account from a category:
1. From the HP Client Security Home page, click or tap Password Manager.
2.
Password Manager makes monitoring and improving your security easy with instant and automated analysis of the strength of each of the passwords used to log on to your websites and programs. As you are entering a password during the creation of a Password Manager logon for an account, a colored bar is shown beneath the password to indicate the strength of the password.
NOTE: This feature imports and exports only Password Manager data. For information about backing up and restoring additional HP Client Security data, see Backing up and restoring your data on page 26.

To import data from an HP Client Security backup file:
1. From the HP Password Manager Import and Export page, click or tap Import data from an HP Client Security backup file.
2. Verify your identity.
3.
● Users—Allows you to manage users and their credentials.
● My Policies—Allows you to review your authentication policies and enrollment status.
● Backup and Restore—Allows you to back up or restore HP Client Security data.
● About HP Client Security—Displays version information about HP Client Security.

Administrator Policies

You can configure logon and session policies for administrators of this computer.
To delay the enforcement of a new or changed policy:
1. Click or tap Enforce this policy immediately.
2. Select Enforce this policy on the specific date.
3. Enter a date or use the popup calendar to select a date when this policy should be enforced.
4. If desired, select when to remind users about the new policy.
5. Click Apply.

Security Features

You can enable HP Client Security Features that help protect against unauthorized access to the computer.

To set up security features:
1.
3. Click or tap the name of the user that you want to delete.
4. Click or tap Delete User, and then click or tap Yes to confirm.

To display a summary of logon and session policies enforced for a user:
▲ Click or tap Users, and then click or tap the user's tile.

My Policies

You can display your authentication policies and enrollment status. The My Policies page also provides links to the Administrators Policies and Standard User Policies pages.
1.
3. Click or tap Backup and Restore.
4. Select Restore, and then verify your identity.
5. Select the previously created storage file. Enter the path in the field provided. To specify a different location, click or tap Browse.
6. Enter the password used to protect the file, and then click or tap Next.
7. Select the modules for which you want to restore data.
8. Click or tap Restore.
5 HP Drive Encryption (select models only)

HP Drive Encryption provides complete data protection by encrypting your computer's data. When Drive Encryption is activated, you must log in at the Drive Encryption login screen, which is displayed before the Windows® operating system starts. The HP Client Security Home screen allows Windows administrators to activate Drive Encryption, back up the encryption key, and select or deselect drive(s) or partition(s) for encryption.
General tasks

Activating Drive Encryption for standard hard drives

Standard hard drives are encrypted using software encryption. Follow these steps to encrypt a drive or a disk partition:
1. Launch Drive Encryption. For more information, see Opening Drive Encryption on page 28.
2. Select the check box for the drive or partition that you want to encrypt, and then click or tap Backup Key.
   NOTE: For better security, select the Disable sleep mode for increased security check box.
Deactivating Drive Encryption

1. Launch Drive Encryption. For more information, see Opening Drive Encryption on page 28.
2. Clear the check box for all encrypted drives, and then click or tap Apply. Drive Encryption deactivation begins.
   NOTE: If software encryption was used, decryption starts. It might take a number of hours, depending on the size of the encrypted hard drive partition(s). When decryption is complete, Drive Encryption is deactivated.
Encrypting additional hard drives

It is highly recommended that you use HP Drive Encryption to protect your data by encrypting your hard drive. After activation, any hard drives that are added or partitions that are created can be encrypted by following these steps:
1. Launch Drive Encryption. For more information, see Opening Drive Encryption on page 28.
2. For software-encrypted drives, select the drive partitions to be encrypted.
Disk management

● Nickname—You can give your drives or partitions names for easier identification.
● Disconnected drives—Drive Encryption can track disks that are removed from the computer. A disk that is removed from the computer is automatically moved to the Disconnected list. If the disk is returned to the system, it will once again appear in the Connected list.
● If you no longer need to track or manage the disconnected drive, you can remove the disconnected drive from the Disconnected list.
3. When the HP Drive Encryption login dialog box opens, click or tap Recovery.
4. Enter the file path or name that contains your backup key, and then click or tap Recovery.
5. When the confirmation dialog box opens, click or tap OK. The Windows logon screen is displayed.
   NOTE: If the recovery key is used to log on at the Drive Encryption login screen, additional credentials are required at Windows logon to access user accounts.
6 HP File Sanitizer (select models only)

File Sanitizer allows you to securely shred assets (for example: personal information or files, historical or Web-related data, or other data components) on the computer's internal hard drive and to periodically bleach the computer's internal hard drive.
Opening File Sanitizer

1. From the Start screen, click or tap the HP Client Security app (Windows 8).
   – or –
   From the Windows desktop, double-click or double-tap the HP Client Security icon in the notification area, located at the far right of the taskbar.
2. Under Data, click or tap File Sanitizer.
– or –
▲ Double-click or double-tap the File Sanitizer icon on the Windows desktop.
Setting a shred schedule

You can schedule a time to perform shredding automatically, or you can also shred assets manually at any time. For more information, refer to Setup procedures on page 35.
1. Open File Sanitizer, and then click or tap Settings.
2. To schedule a future time to shred selected assets, under Shred Schedule, select Never, Once, Daily, Weekly, or Monthly, and then select a day and time:
   a. Click or tap the hour, minute, or AM/PM field.
   b.
NOTE: The free space bleaching operation can take a significant length of time. Be sure that your computer is connected to AC power. Although free space bleaching is performed in the background, increased processor usage may affect your computer's performance. Free space bleaching can be performed after hours or when the computer is not in use.

Protecting files from shredding

To protect files or folders from shredding:
1. Open File Sanitizer, and then click or tap Settings.
2.
– or –
1. Right-click or tap and hold the File Sanitizer icon on the Windows desktop, and then click or tap Shred Now.
2. When the confirmation dialog box opens, be sure that the assets that you want to shred are checked, and then click or tap Shred.

Right-click shredding

CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding.

If Enable right-click shredding has been selected on the File Sanitizer view, you can shred an asset as follows:
1.
Viewing the log files

Each time a shred or free space bleaching operation is performed, log files of any errors or failures are generated. The log files are always updated according to the latest shred or free space bleaching operation.
NOTE: Files that were successfully shredded or bleached do not appear in the log files.
One log file is created for shred operations, and another log file is created for free space bleaching operations.
7 HP Device Access Manager (select models only)

HP Device Access Manager controls access to data by disabling data transfer devices.
NOTE: Some human interface/input devices, such as a mouse, keyboard, TouchPad, and fingerprint reader, are not controlled by Device Access Manager. For more information, see Unmanaged device classes on page 43.
User view

When Device Permissions is selected, the User view is displayed. Depending on the policy, standard users and administrators can view their own access for device classes or individual devices on this computer.
● Current user—The name of the user who is currently logged on is displayed.
● Device Class—The types of devices are displayed.
● Access—Your currently configured access to types of devices or specific devices is displayed.
No—The setting will not propagate.
  ◦ Some device classes, such as DVD and CD-ROM, may be further controlled by allowing or denying access separately for read and write operations.
NOTE: The Administrators group cannot be added to the User List.
● Access—Click or tap the down arrow, and then select one of the following access types to allow or deny access:
  ◦ Allow – Full Access
  ◦ Allow – Read Only
  ◦ Allow – JITA Required—For more information, see JITA configuration on page 42.
Disabling a JITA policy for a user or group

Administrators can disable user or group access to devices using Just In Time Authentication.
1. Launch Device Access Manager, and then click or tap Change.
2. Select the user or group, and then under Access for either Removable Disk drives or DVD/CD-ROM drives, click or tap the down arrow, and then select Deny.

When the user logs in and attempts to access the device, access is denied.
  ◦ Legacard
  ◦ Media driver
  ◦ Medium changer
  ◦ Memory technology
  ◦ Monitor
  ◦ Multifunction
  ◦ Net client
  ◦ Net service
  ◦ Net trans
  ◦ Processor
  ◦ SCSI adapter
  ◦ Security accelerator
  ◦ Security devices
  ◦ System
  ◦ Unknown
  ◦ Volume
  ◦ Volume snapshot
8 HP Trust Circles

HP Trust Circles is a file and document security application that combines folder file encryption with a convenient trusted-circle document-sharing capability. The application encrypts files placed in user-specified folders, protecting them within a trust circle. Once protected, the files can be used and shared only by members in the circle of trust. If a protected file is received by a non-member, the file remains encrypted, and the non-member cannot access the contents.
Trust Circles

You can create a trust circle during initial setup after you enter your email address, or on the Trust Circle view:
▲ From the Trust Circle view, click or tap Create Trust Circle, and then enter a name for the trust circle.
● To add members to the trust circle, click or tap the M+ icon beside Members, and then follow the on-screen instructions.
● To add folders to the trust circle, click or tap the + icon beside Folders, and then follow the on-screen instructions.
the response. The inviter and invitee can optionally verify the security of the Invitation process. A verification code is displayed for the invitee, which must be read to the inviter over the phone. Once the code has been verified, the inviter can send the final enrollment email.

Adding members to a new trust circle:
▲ During the creation of a trust circle, you can add members by clicking or tapping the M+ icon beside Members, and then following the on-screen instructions.
TIP: You can select one or more folders.

Removing a file from a trust circle

To remove a file from a trust circle, in Windows Explorer, right-click or tap and hold a file that is not currently encrypted, select Trust Circle, and then select Decrypt File.

Removing members from a trust circle

A member who has been fully enrolled cannot be removed from a trust circle.
Option: New Member Confirmation
Description: Select from the following options:
  ◦ Confirm Automatically—After receiving acceptance from invitee(s), they are confirmed into the trust circle without any manual input, and a confirmation email is sent to the invitee(s).
  ◦ Confirm Manually—After receiving acceptance from invitee(s), manual input is required to enroll the new members into the trust circle, and then a confirmation email is sent to the invitee(s).
9 Theft recovery (select models only)

Computrace (purchased separately) allows you to remotely monitor, manage, and track your computer. Once activated, Computrace is configured from the Absolute Software Customer Center. From the Customer Center, the administrator can configure Computrace to monitor or manage the computer. If the system is misplaced or stolen, the Customer Center can assist local authorities in locating and recovering the computer.
10 Localized password exceptions

At the Power-on authentication level and the HP Drive Encryption level, password localization support is limited. For more information, see Windows IMEs not supported at the Power-on authentication level or the Drive Encryption level on page 51.

What to do when a password is rejected

Passwords can be rejected for the following reasons:
● A user is using an IME that is not supported. This is a common issue with double-byte languages (Korean, Japanese, Chinese).
Password changes using keyboard layout that is also supported

If the password is initially set with one keyboard layout, such as U.S. English (409), and then the user changes the password using a different keyboard layout that is also supported, such as Latin American (080A), the password change will work in HP Drive Encryption, but it will fail in the BIOS if the user uses characters that exist in the latter but not in the former (for example, ē).
Language Windows BIOS Drive Encryption US international ◦ The ¡, ¤, ‘, ’, ¥, and × keys on the top row are rejected. n/a n/a ◦ The å, ®, and Þ keys on the second row are rejected. ◦ The á, ð, and ø keys on the third row are rejected. ◦ The æ key on the bottom row is rejected. ◦ The ğ key is rejected. n/a n/a ◦ The į key is rejected. ◦ The ų key is rejected. ◦ The ė, ı, and ż keys are rejected. ◦ The ģ, ķ, ļ, ņ, and ŗ keys are rejected. Czech Slovakian The ż key is rejected.
Glossary

activation
The task that must be completed before any of the Drive Encryption features are accessible. Administrators can activate Drive Encryption with the HP Client Security Setup Wizard or HP Client Security. The activation process consists of activating the software, encrypting the drive, and creating the initial backup encryption key on a removable storage device.

administrator
See Windows administrator.
See Drive Encryption pre-boot authentication.

Drive Encryption pre-boot authentication
A login screen that is displayed before Windows starts. Users must enter their Windows user name and their password or smart card PIN, or swipe a registered finger. If one-step logon is selected, then entering the correct information at the Drive Encryption login screen allows direct access to Windows without having to log in again at the Windows login screen.
manual shred
Immediate shredding of an asset or selected assets, which bypasses a scheduled shred.

network account
A Windows user or administrator account, either on a local computer, in a workgroup, or on a domain.

PIN
A personal identification number for an enrolled user to be used for authentication.

PKI
The Public Key Infrastructure standard that defines the interfaces for creating, using, and administering certificates and cryptographic keys.
A TPM authenticates a computer, rather than a user, by storing information specific to the host system, such as encryption keys, digital certificates, and passwords. A TPM minimizes the risk that information on the computer will be compromised by physical theft or an attack by an external hacker.

user
Anyone enrolled in Drive Encryption. Non-administrator users have limited rights in Drive Encryption. They can only enroll (with administrator approval) and log on.