HP ProtectTools User Guide
© Copyright 2008 Hewlett-Packard Development Company, L.P. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Java is a US trademark of Sun Microsystems, Inc. SD Logo is a trademark of its proprietor. The information contained herein is subject to change without notice.
Table of contents
1 Introduction to security
HP ProtectTools features
Accessing HP ProtectTools Security
Achieving key security objectives
Protecting against targeted theft
Exporting an application
Importing an application
Modifying credentials
Using Application Protection
Restricting access to an application
Adding Trusted Contacts using your Microsoft Outlook address book
Viewing Trusted Contact details
Deleting a Trusted Contact
Checking revocation status for a Trusted Contact
General tasks
Setup procedures
Enabling the embedded security chip
Initializing the embedded security chip
Setting up the basic user account
1 Introduction to security HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.
HP ProtectTools features
The following table details the key features of HP ProtectTools modules:
Module: Credential Manager for HP ProtectTools
Key features:
● Credential Manager acts as a personal password vault, streamlining the logon process with the Single Sign On feature, which automatically remembers and applies user credentials.
Module: Embedded Security for HP ProtectTools (select models only)
Key features:
● Embedded Security uses a Trusted Platform Module (TPM) embedded security chip to help protect against unauthorized access to sensitive user data or credentials stored locally on a PC.
● Embedded Security allows creation of a personal secure drive (PSD), which is useful in protecting user file and folder information.
Accessing HP ProtectTools Security To access HP ProtectTools Security Manager from Windows® Control Panel: 1. In Windows Vista®, click Start, and then click HP ProtectTools Security Manager for Administrators. – or – In Windows XP, click Start, click All Programs, and then click HP ProtectTools Security Manager. NOTE: If you are not an HP ProtectTools administrator, you can run HP ProtectTools in nonadministrator mode to view information, but you cannot make changes. 2.
● The wizard guides Windows operating system administrators through the configuration of levels of security and of the security logon methods that are used in a pre-boot environment, in Credential Manager, and in Drive Encryption. ● Users also use the setup wizard to configure their security logon methods. NOTE: To access each HP ProtectTools module to set up more powerful features, click the module icon.
Achieving key security objectives The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives: ● Protecting against targeted theft ● Restricting access to sensitive data ● Preventing unauthorized access from internal or external locations ● Creating strong password policies ● Addressing regulatory security mandates Protecting against targeted theft An example of this type of incident would be the targeted thef
information such as patient records or personal financial records. The following features help prevent unauthorized access: ● The pre-boot authentication feature, if enabled, helps prevent access to the operating system.
Additional security elements Assigning security roles In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users. NOTE: In a small organization or for individual use, these roles may all be held by the same person.
HP ProtectTools password | Set in this HP ProtectTools module | Function
Emergency Recovery Token password | Embedded Security, by IT administrator | Protects access to the Emergency Recovery Token, which is a backup file for the embedded security chip.
Owner password | Embedded Security, by IT administrator | Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.
Creating a secure password When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised: ● Use passwords with more than 6 characters, preferably more than 8. ● Mix the case of letters throughout your password. ● Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
2 Credential Manager for HP ProtectTools Credential Manager for HP ProtectTools protects against unauthorized access to your computer using the following security features: ● Alternatives to passwords when logging on to Windows, such as using a Java Card or biometric reader to log on to Windows. For additional information, refer to “Registering credentials on page 12.” ● Single Sign On feature that automatically remembers credentials for Web sites, applications, and protected network resources.
Using the Credential Manager Logon Wizard To log on to Credential Manager using the Credential Manager Logon Wizard, use the following steps: 1. 2.
Setting up the fingerprint reader 1. In HP ProtectTools Security Manager, click Credential Manager in the left pane. 2. Click My Identity, and then click Register Fingerprints. 3. Follow the on-screen instructions to complete registering your fingerprints and setting up the fingerprint reader. 4. To set up the fingerprint reader for a different Windows user, log on to Windows as that user and then repeat the steps listed above. Using your registered fingerprint to log on to Windows 1.
Registering other credentials 1. In HP ProtectTools Security Manager, click Credential Manager. 2. Click My Identity, and then click Register Credentials. The Credential Manager Registration Wizard opens. 3. Follow the on-screen instructions.
General tasks All users have access to the “My Identity” page in Credential Manager. From the “My Identity” page, you can perform the following tasks: ● Change the Windows logon password ● Change a token PIN ● Lock a workstation NOTE: This option is available only if the Credential Manager classic logon prompt is enabled. See “Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager on page 24.
NOTE: If you enter the incorrect PIN for the token several times in sequence, the token gets locked out. You will be unable to use this token until you unlock it. Locking the computer (workstation) This feature is available if you log on to Windows using Credential Manager. To secure your computer when you are away from your desk, use the Lock Workstation feature. This prevents unauthorized users from gaining access to your computer.
5. Select More, and then click Wizard Options. a. If you want this to be the default user name the next time that you log on to the computer, select the Use last user name on next logon check box. b. If you want this logon policy to be the default method, select the Use last policy on next logon check box. 6. Follow the on-screen instructions. If your authentication information is correct, you will be logged on to your Windows account and to Credential Manager.
Using manual (drag and drop) registration 1. In HP ProtectTools Security Manager, click Credential Manager, and then click Services and Applications in the left pane. 2. Click Manage Services and Applications. The Credential Manager Single Sign On dialog box is displayed. 3. To modify or remove a previously registered web site or application, select the desired record in the list. 4. Follow the on-screen instructions. Managing applications and credentials Modifying application properties 1.
To export an application: 1. In HP ProtectTools Security Manager, click Credential Manager, and then click Services and Applications in the left pane. 2. Click Manage Services and Applications. The Credential Manager Single Sign On dialog box is displayed. 3. Click the application entry you want to export, and then click More. 4. Follow the on-screen instructions to complete the export. 5. Click OK. Importing an application 1.
NOTE: You must authenticate your identity before viewing the password. 5. Follow the on-screen instructions. 6. Click OK. Using Application Protection This feature allows you to configure access to applications. You can restrict access based on the following criteria: ● Category of user ● Time of use ● User inactivity Restricting access to an application 1. In HP ProtectTools Security Manager, click Credential Manager in the left pane, and then click Services and Applications. 2.
Changing restriction settings for a protected application 1. Click Application Protection. 2. Select a category of user whose access you want to manage. NOTE: If the category is not Everyone, you may need to click Override default settings to override the settings for the Everyone category. 3. Click the application you want to change, and then click Properties. The Properties dialog box for that application opens. 4. Click the General tab. Select one of the following settings: 5.
Advanced tasks (administrator only) The “Authentication and Credentials” page and the “Advanced Settings” page of Credential Manager are available only to those users with administrator rights.
Configuring custom authentication requirements If the set of authentication credentials you want is not listed on the Authentication tab of the “Authentication and Credentials” page, you can create custom requirements. To configure custom requirements: 1. In HP ProtectTools Security Manager, click Credential Manager in the left pane. 2. Click Multifactor Authentication. 3. In the right pane, click the Authentication tab. 4. Click the category (Users or Administrators) from the category list. 5.
Configuring Credential Manager settings From the “Advanced Settings” page, you can access and modify various settings using the following tabs: ● General—Allows you to modify the settings for basic configuration. ● Single Sign On—Allows you to modify the settings for how Single Sign On works for the current user, such as how it handles detection of logon screens, automatic logon to registered logon dialogs, and password display.
Example 2—Using the “Advanced Settings” page to require user verification before Single Sign On 1. In HP ProtectTools Security Manager, click Credential Manager, and then click Settings. 2. Click the Single Sign On tab. 3. Under When registered logon dialog or Web page is visited, select the Authenticate user before submitting credentials check box. 4. Click Apply, and then click OK. 5. Restart the computer.
3 Drive Encryption for HP ProtectTools (select models only) CAUTION: If you decide to uninstall the Drive Encryption module, you must first decrypt all encrypted drives. If you do not, you will not be able to access the data on encrypted drives unless you have registered with the Drive Encryption recovery service. Reinstalling the Drive Encryption module will not enable you to access the encrypted drives. Setup procedures Opening Drive Encryption 1.
General tasks Activating Drive Encryption Use the HP ProtectTools Security Manager setup wizard to activate Drive Encryption. Deactivating Drive Encryption Use the HP ProtectTools Security Manager setup wizard to deactivate Drive Encryption.
Advanced tasks Managing Drive Encryption (administrator task) The “Encryption Management” page allows Windows administrators to view and change the status of Drive Encryption (active or inactive) and to view the encryption status of all of the hard drives on the computer. Activating a TPM-protected password (select models only) Use the Embedded Security tool in HP ProtectTools to activate the TPM. After activation, logging in at the Drive Encryption logon screen requires the Windows user name and password.
The encryption key is saved on the storage device you selected. 5. Click OK when the confirmation dialog box opens. Registering for online recovery The Online Drive Encryption Key Recovery Service stores a backup copy of your encryption key, which will enable you to access your computer if you forget your password and do not have access to your local backup. NOTE: You must be connected to the Internet and have a valid e-mail address to register and to recover your password through this service. 1.
Managing an existing online recovery account After you create an online recovery account, you can access the SafeBoot Recovery Service Web site to recover access to your computer if you lose your password, modify your personal settings, reset the password you use for the online recovery account, and view or renew your account. 1. Open Drive Encryption, and then click Recovery. 2. Click Manage. 3. When the “SafeBoot Recovery Service” Web page opens, click Recovery Service Account or Recovery Process.
NOTE: This section describes how to perform an online recovery when you have access to a different computer with an Internet connection. If you do not have access to such a computer, contact HP technical support. 1. Turn on the computer. 2. When the Drive Encryption for HP ProtectTools logon dialog box opens, click Cancel. 3. Click Options in the lower-left corner of the screen, and then click Recovery. 4. Click Web recovery, and then click Next. 5. Record the client code, and then click Next. 6.
4 Privacy Manager for HP ProtectTools (select models only) Privacy Manager for HP ProtectTools enables you to use advanced security logon (authentication) methods to verify the source, integrity, and security of communication when using e-mail, Microsoft® Office documents, or instant messaging (IM).
Opening Privacy Manager To open Privacy Manager: 1. Click Start, click All Programs, and then click HP ProtectTools Security Manager. 2. Click Privacy Manager: Sign and Chat. – or – Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click Privacy Manager: Sign and Chat, and then click Configuration.
Setup procedures Managing Privacy Manager Certificates Privacy Manager Certificates protect data and messages using a cryptographic technology called public key infrastructure (PKI). PKI requires users to obtain cryptographic keys and a Privacy Manager Certificate issued by a certificate authority (CA).
6. Authenticate using your chosen security logon method. 7. If you choose to begin the Trusted Contact invitation process, follow the on-screen instructions. – or – If you click Cancel, refer to Managing Trusted Contacts for information on adding a Trusted Contact at a later time. Viewing Privacy Manager Certificate details 1. Open Privacy Manager, and click Certificate Manager. 2. Click a Privacy Manager Certificate. 3. Click Certificate details. 4.
To delete a Privacy Manager Certificate: 1. Open Privacy Manager, and click Certificate Manager. 2. Click the Privacy Manager Certificate you want to delete, and then click Advanced. 3. Click Delete. 4. When the confirmation dialog box opens, click Yes. 5. Click Close, and then click Apply.
Adding Trusted Contacts 1. You send an e-mail invitation to a Trusted Contact recipient. 2. The Trusted Contact recipient responds to the e-mail. 3. You receive the e-mail response from the Trusted Contact recipient, and click Accept. You can send Trusted Contact e-mail invitations to individual recipients or you can send the invitation to all the contacts in your Microsoft Outlook address book.
Adding Trusted Contacts using your Microsoft Outlook address book 1. Open Privacy Manager, click Trusted Contacts Manager, and then click Invite Contacts. – or – In Microsoft Outlook, click the down arrow next to Send Securely on the toolbar, and then click Invite All My Outlook Contacts. 2. When the “Trusted Contact Invitation” page opens, select the e-mail addresses of the recipients you want to add as Trusted Contacts, and then click Next. 3. When the “Sending Invitation” page opens, click Finish.
Checking revocation status for a Trusted Contact 1. Open Privacy Manager, and click Trusted Contacts Manager. 2. Click a Trusted Contact. 3. Click the Advanced button. The Advanced Trusted Contact Management dialog box opens. 4. Click Check Revocation. 5. Click Close.
General tasks Using Privacy Manager in Microsoft Office After you install your Privacy Manager Certificate, a Sign and Encrypt button is displayed on the right side of the toolbar of all Microsoft Word, Microsoft Excel, and Microsoft PowerPoint documents. Configuring Privacy Manager in a Microsoft Office document 1. Open Privacy Manager, click Settings, and then click the Documents tab.
You can add more than one signature line to your document by appointing suggested signers. A suggested signer is a user who is designated by the owner of a Microsoft Word or Microsoft Excel document to add a signature line to the document. Suggested signers can be you or another person who you want to sign your document.
3. Click the down arrow next to Sign and Encrypt, and then click Encrypt Document. The Select Trusted Contacts dialog box opens. 4. Click the name of a Trusted Contact who will be able to open the document and view its contents. NOTE: To select multiple Trusted Contact names, hold down the ctrl key and click the individual names. 5. Click OK. 6. Authenticate using your chosen security logon method. If you later decide to edit the document, follow the steps in Signing a Microsoft Office Document.
Viewing an encrypted Microsoft Office document To view an encrypted Microsoft Office document from another computer, Privacy Manager must be installed on that computer. In addition, you must import the Privacy Manager Certificate that was used to encrypt the file. A Trusted Contact wanting to view an encrypted Microsoft Office document must have a Privacy Manager Certificate, and Privacy Manager must be installed on his or her computer.
When you open a sealed e-mail message, the security label is displayed in the heading of the e-mail.
Configuring Privacy Manager Chat for Windows Live Messenger 1. In Privacy Manager Chat, click the Settings button. – or – In Privacy Manager, click Settings, and then click the Chat tab. – or – In Privacy Manager History Viewer, click the Settings button. 2. To specify the amount of time Privacy Manager Chat waits before locking your session, select a number from the Lock session after _ minutes of inactivity box. 3.
Starting the Chat History viewer 1. Click Start, click All Programs, and then click HP ProtectTools Security Manager. 2. Click Privacy Manager: Sign and Chat, and then click Chat History Viewer. – or – ▲ In a Chat session, click History Viewer or History. – or – ▲ On the “Chat Configuration” page, click Start Live Messenger History Viewer. Reveal all sessions Revealing all sessions displays the decrypted Contact Screen Name for the currently selected session(s) and all sessions in the same account.
You can only search for text in revealed (decrypted) sessions that are displayed in the viewer window. These are the sessions where the Contact Screen Name is shown in plain text. 1. In the Chat History Viewer, click the Search button. 2. Enter the search text, configure any desired search parameters, and then click OK. Sessions that contain the text are highlighted in the viewer window. Delete a session 1. Select a chat history session. 2. Click Delete.
Advanced tasks Migrating Privacy Manager Certificates and Trusted Contacts to a different computer You can securely migrate your Privacy Manager Certificates and Trusted Contacts to a different computer. To do this, export them as a password-protected file to a network location or any removable storage device, and then import the file to the new computer.
5 File Sanitizer for HP ProtectTools File Sanitizer is a tool that allows you to securely shred assets (personal information or files, historical or Web-related data, or other data components) on your computer and periodically bleach your hard drive. NOTE: File Sanitizer currently operates only on the hard drive. About shredding Deleting an asset in Windows does not completely remove the contents of the asset from your hard drive. Windows only deletes the reference to the asset.
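The difference between deleting and shredding described above, as an added Python example; this is not HP's code and does not reproduce File Sanitizer's erasure method. The pass count, the random-data overwrite, and the use of a second hard link as a stand-in for the disk blocks a recovery tool would read are all assumptions made for the illustration; the `.bmp` exclusion mirrors the guide's own exclusion example.

```python
import os
import secrets
import tempfile

# Assumed values for illustration; the guide does not state the erasure
# method or the number of passes that File Sanitizer uses.
PASSES = 3
EXCLUDED_EXTENSIONS = {".bmp"}  # same extension as the guide's exclusion example


def is_excluded(path, excluded=EXCLUDED_EXTENSIONS):
    """True when the file's extension is on the exclusions list (case-insensitive)."""
    return os.path.splitext(path)[1].lower() in excluded


def simple_delete(path):
    """Standard delete: removes the directory entry only, not the stored bytes."""
    os.remove(path)


def shred(path, passes=PASSES, excluded=EXCLUDED_EXTENSIONS):
    """Overwrite the file in place with random data, then remove it.

    Returns False (and leaves the file untouched) if the extension is excluded.
    """
    if is_excluded(path, excluded):
        return False
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 1 << 20)  # overwrite in 1 MiB pieces
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())  # push each pass to the device, not just the cache
    os.remove(path)
    return True


def demo():
    """Compare what survives a simple delete and a shred.

    Returns, per file name, (path_still_exists, original_bytes_recoverable, size).
    """
    secret = b"constructed sample record: account 0000-0000\n"  # constructed data
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, remover in (("deleted.txt", simple_delete),
                              ("shredded.txt", shred)):
            path = os.path.join(d, name)
            witness = path + ".blocks"  # hard link: second reference to the same data
            with open(path, "wb") as f:
                f.write(secret)
            os.link(path, witness)
            remover(path)
            with open(witness, "rb") as f:
                leftover = f.read()
            results[name] = (os.path.exists(path), leftover == secret, len(leftover))

        # An excluded extension is skipped by shred() and stays on disk.
        keep = os.path.join(d, "photo.BMP")
        with open(keep, "wb") as f:
            f.write(secret)
        results["photo.BMP"] = (shred(keep), os.path.exists(keep))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Overwriting in place only reaches the original data on storage that writes in place; wear-leveled flash, copy-on-write or journaling file systems, and backup or shadow copies can retain older versions of the content.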
Setup procedures Opening File Sanitizer To open File Sanitizer: 1. Click Start, click All Programs, and then click HP ProtectTools Security Manager. 2. Click File Sanitizer. – or – ● Double-click the File Sanitizer icon. – or – ● Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Open File Sanitizer. Setting a shred schedule 1. Open File Sanitizer, and click Shred. 2.
Setting a free space bleaching schedule NOTE: Free space bleaching is for those assets that you delete using the Windows Recycle Bin or for manually deleted assets. Free space bleaching provides no additional security to shredded assets. To set a free space bleaching schedule: 1. Open File Sanitizer, and click Free Space Bleaching. 2. Select the Activate Scheduler check box, enter your Windows password, and then enter a day and time to bleach your hard drive. 3. Click Apply, and then click OK.
3. Select the assets you want to shred: a. Under Available shred options, click an asset, and then click Add. b. To add a custom asset, click Add Custom Option, enter a file name or folder name, and then click OK. Click the custom asset, and then click Add. NOTE: To delete an asset from the available shred options, click the asset, and then click Delete. 4. Under Shred the following, select the check box next to each asset that you want to confirm before shredding.
NOTE: Only file extensions can be excluded from deleting. For example, if you add the .BMP file extension, all files with the .BMP extension will be excluded from deletion. To remove an asset from the exclusions list, click the asset, and then click Delete. 5. When you finish configuring the simple delete profile, click Apply, and then click OK. Setting a shred schedule 1. Open File Sanitizer, and click Shred. 2.
Selecting or creating a shred profile Selecting a predefined shred profile When you choose a predefined shred profile (High Security, Medium Security, or Low Security), a predefined erasure method and list of assets are automatically selected. You can click the View Details button to view the predefined list of assets that are selected for shredding. To select a predefined shred profile: 1. Open File Sanitizer, and then click Settings. 2. Click a predefined shred profile. 3.
NOTE: Only file extensions can be excluded from shredding. For example, if you add the .BMP file extension, all files with the .BMP extension will be excluded from shredding. To remove an asset from the exclusions list, click the asset, and then click Delete. 6. When you finish configuring the shred profile, click Apply, and then click OK. Customizing a simple delete profile The simple delete profile performs a standard asset delete without shredding.
General tasks Using a key sequence to initiate shredding To specify a key sequence, follow these steps: 1. Open File Sanitizer, and click Shred. 2. Select the Key sequence check box. 3. Enter a character in the available box, and then select the CTRL, ALT, or SHIFT box, or select all three. For example, to initiate automatic shredding using the s key and ctrl+shift, enter s in the box, and then select the CTRL and SHIFT options.
– or – 1. Open File Sanitizer, and click Shred. 2. Click the Browse button. 3. When the Browse dialog box opens, navigate to the asset you want to shred, and then click OK. 4. When the confirmation dialog box opens, click Yes. – or – 1. Open File Sanitizer, and click Shred. 2. Click the Shred Now button. 3. When the confirmation dialog box opens, click Yes. Manually shredding all selected items 1.
Viewing the log files Each time a shred or free space bleaching operation is performed, log files of any errors or failures are generated. The log files are always updated according to the latest shred or free space bleaching operation. NOTE: Files that are successfully shredded or bleached do not appear in the log files. One log file is created for shred operations and another log file is created for free space bleaching operations.
6 BIOS Configuration for HP ProtectTools BIOS Configuration for HP ProtectTools provides access to the Computer Setup utility security and configuration settings. This gives users Windows access to system security features that are managed by Computer Setup. With BIOS Configuration, you can accomplish the following objectives: ● Manage administrator passwords. ● Configure other power-on authentication features, such as embedded security authentication.
General tasks BIOS Configuration allows you to manage various computer settings that would otherwise be accessible only by pressing f10 at startup to enter Computer Setup. Accessing BIOS Configuration To access BIOS Configuration: 1. Click Start, click Settings, and then click Control Panel. 2. Click HP ProtectTools Security Manager, and then click BIOS Configuration. You can also access BIOS Configuration from an icon in the notification area, at the far right of the taskbar.
Viewing or changing settings To view or change configuration settings: 1. Click one of the BIOS Configuration pages: ● File ● Security ● System Configuration 2. Make your changes, and then click Apply to save your changes and leave the window open. – or – Make your changes, and then click OK to save your changes and close the window. 3. Exit and restart the computer. Your changes go into effect when the computer restarts.
Advanced tasks Setting security options Use the “Security” page of BIOS Configuration to enhance the security of your computer. NOTE: Not all options are available on all computers, and additional options may also be included. To set security options: 1. Access BIOS Configuration, and click Security. 2. Select any of the options listed in the table below. 3. Change the settings as needed. 4. Click Apply to apply the new settings and leave the window open.
Option | Action
Power-On Authentication Support | Enable or disable support for smart card power-on authentication. NOTE: This feature is supported only on computers with optional smart card readers.
Automatic Drivelock Support | Enable or disable.
Administrator Tools
Option | Action
HP SpareKey | Enable or disable.
Fingerprint Reset on Reboot (if present) | Enable or disable.
Password Policy
Option | Action
At least one symbol required | Enable or disable.
At least one number required | Enable or disable.
To set system configuration options: 1. Access BIOS Configuration, and then click System Configuration. 2. Select one of the following options, as described in the table below: ● Port options ● Boot options ● Device configuration options ● Built-in device options ● AMT options (select models only) ● Security level options 3. Change the settings as needed. 4. Click Apply to apply the new settings to the system and leave the window open.
Device configuration options
Option | Action
USB Legacy Support | Enable or disable.
Parallel port mode | Select a parallel port mode: standard, bidirectional, EPP (Enhanced Parallel Port), or ECP (Enhanced Capabilities Port).
Fan always on while on AC power | Enable or disable the system fan when connected to an AC outlet.
Data execution prevention | Enable/disable the option to monitor memory use and shut down suspicious programs.
SATA device mode | Select IDE, AHCI, or RAID.
Option | Action
Firmware Progress Event Support | Enable or disable.
Unconfigure AMT on next boot | Enable or disable.
Security Level options
NOTE: These settings control the access level of HP ProtectTools users.
Option | Action
CD-ROM Boot Security Level | Change, view, or hide.
Floppy Boot Security Level | Change, view, or hide.
Internal Network Adapter Boot Security Level | Change, view, or hide.
USB Legacy Support Security Level | Change, view, or hide.
Network Interface Controller (LAN) Security Level | Change, view, or hide.
OS Management of TPM Security Level | Change, view, or hide.
Reset of TPM from OS Security Level | Change, view, or hide.
Virtualization Technology Security Level | Change, view, or hide.
Terminal Emulation Mode Security Level | Change, view, or hide.
Firmware Verbosity Security Level | Change, view, or hide.
Firmware Progress Event Support Security Level | Change, view, or hide.
Unconfigure AMT Security Level | Change, view, or hide.
7 Embedded Security for HP ProtectTools (select models only) NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools. Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials.
Setup procedures CAUTION: To reduce security risk, it is highly recommended that your IT administrator immediately initialize the embedded security chip. Failure to initialize the embedded security chip could result in an unauthorized user, a computer worm, or a virus taking ownership of the computer and gaining control over the owner tasks, such as handling the emergency recovery archive, and configuring user access settings.
Initializing the embedded security chip In the initialization process for Embedded Security, you will perform the following tasks: ● Set an owner password for the embedded security chip that protects access to all owner functions on the embedded security chip. ● Set up the emergency recovery archive, which is a protected storage area that allows reencryption of the Basic User Keys for all users. To initialize the embedded security chip: 1.
General tasks After the basic user account is set up, you can perform the following tasks: ● Encrypting files and folders ● Sending and receiving encrypted e-mail Using the Personal Secure Drive After setting up the PSD, you are prompted to type the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.
Changing the Basic User Key password To change the Basic User Key password: 1. Click Start, click All Programs, and then click HP ProtectTools Security Manager. 2. In the left pane, click Embedded Security, and then click User Settings. 3. In the right pane, under Basic User Key password, click Change. 4. Type the old password, and then set and confirm the new password. 5. Click OK.
Changing the owner password

To change the owner password:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Owner Password, click Change.
4. Type the old owner password, and then set and confirm the new owner password.
5. Click OK.

Resetting a user password

An administrator can help a user to reset a forgotten password.
Migrating keys with the Migration Wizard

Migration is an advanced administrator task that allows the management, restoration, and transfer of keys and certificates. For details on migration, refer to the Embedded Security software Help.
8 Device Access Manager for HP ProtectTools (select models only)

This security tool is available to administrators only.
Simple configuration

This feature allows you to deny access to the following classes of devices:
● USB devices for all non-administrators
● All removable media (floppy disks, pen drives, etc.) for all non-administrators
● All DVD/CD-ROM drives for all non-administrators
● All serial and parallel ports for all non-administrators

To deny access to a class of device for all non-administrators:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2.
Device class configuration (advanced)

More selections are available to allow specific users or groups of users to be granted or denied access to types of devices.

Adding a user or a group

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure.
4. Click Add. The Select Users or Groups dialog box opens.
5.
4. Under User/Groups, add the group to be denied access.
5. Click Deny next to the group to be denied access.
6. Navigate to the folder below that of the required class and add the specific user. Click Allow to grant this user access.
7. Click Apply, and then click OK.

Allowing access to a specific device for one user of a group

You can allow one user access to a specific device while denying access to all other members of that user's group for all devices in the class.
9 Troubleshooting

Credential Manager for HP ProtectTools

Short description: Using the Credential Manager Network Accounts option, a user can select which domain account to log on to. When TPM authentication is used, this option is not available. All other authentication methods work properly.
Details: Using TPM authentication, the user is only logged on to the local computer.
Solution: Using Credential Manager Single Sign On tools allows the user to authenticate other accounts.
Windows password from Credential Manager, the administrator gets an error logon failure: User account restriction.
local PC, Credential Manager can only change the password used to log on.

Short description: Credential Manager has incompatibility issues with Corel WordPerfect 12 password GINA.
Details: If the user logs on to Credential Manager, creates a document in WordPerfect, and
Solution: HP is researching a workaround for future product enhancements.
Solution: HP is investigating resolution options for future customer software releases.

Short description: The security Restore Identity process loses association with virtual token.
Details: When user restores identity, Credential Manager can lose the association with the location of the virtual token at logon screen. Even though Credential Manager has the virtual token registered, the user must reregister the token to restore the association.
Solution: This is currently by design.
Embedded Security for HP ProtectTools (select models only)

Short description: Encrypting folders, subfolders, and files on PSD causes an error message.
Details: If the user copies files and folders to the PSD and tries to encrypt folders/files or folders/subfolders, the Error Applying Attributes message is displayed. The user can encrypt the same files on the C:\ drive or an extra installed hard drive.
Solution: This is as designed.

Short description: Cannot Take Ownership With Another OS In MultiBoot Platform.
Short description: Errors occur after a power loss interrupts Embedded Security initialization.
Short description: An intermittent encrypt and decrypt error occurs: The process cannot access the file because it is being used by another process.
Details: This is an extremely intermittent error during file encryption or decryption which occurs because the file is being used by another process, even though that file or folder is not being processed by the operating system or other applications.
Solution: To resolve the failure:
1. Restart the system.
2. Log off.
3. Log back on.
Short description: Secure e-mail is supported, even when secure e-mail is not specified in the User Initialization Wizard or when secure e-mail configuration is disabled in user policies.
Details: Embedded security software and the wizard do not control settings of an email client (Outlook, Outlook Express, or Netscape).
Solution: This behavior is as designed. Configuration of TPM email settings does not prohibit editing encryption settings directly in an e-mail client.
and is not accessed by another process.
The user must reboot the system in order to delete the PSD and it is not loaded after reboot.

An internal error is detected when the user is restoring from the Automatic Backup Archive.
The security system exhibits a restore error with multiple users.
In Embedded Security, if the user clicks the Restore under Backup option to restore from the automatic backup Archive and then selects SPSystemBackup.
Short description: Automatic backup does not work with the mapped drive.
Details: When an administrator sets up Automatic Backup in Embedded Security, it creates an entry in Windows > Tasks > Scheduled Task. This Windows Scheduled Task is set to use NT AUTHORITY\SYSTEM for rights to execute the backup. This works properly to any local drive.
Solution: The workaround is to change the NT AUTHORITY\SYSTEM to (computer name)\(admin name). This is the default setting if the Scheduled Task is created manually.
Device Access Manager for HP ProtectTools

Short description: Users have been denied access to devices within Device Access Manager, but the devices are still accessible.
Details: Simple Configuration and/or Device Class Configuration have been used within Device Access Manager to deny users access to devices. Despite being denied access, users can still access the devices.
Solution: Verify that the HP ProtectTools Device Locking service has started.
Miscellaneous

Software Impacted—Short description: Security Manager—Warning received: The security application can not be installed until the HP Protect Tools Security Manager is installed.
Details: All security applications such as Embedded Security, Java Card Security, and biometrics are extendable plug-ins for the Security Manager interface. Security Manager must be installed before an HP-approved security plug-in can be loaded.
an error is returned when closing the Security Manager interface.
upper right of the screen to close Security Manager before all plug-in applications have finished loading.
Manager.
Since PTHOST.exe is the shell housing the other applications (plug-ins), it depends on the ability of the plug-in to complete its load time (services). Closing the shell before the plug-in has had time to complete loading is the root cause.
Software Impacted—Short description: Security Power-On Authentication overlaps the BIOS Password during boot sequence.
Details: Power-On Authentication prompts the user to log on to the system using the TPM password, but, if the user presses f10 to access the BIOS, the user is granted Read rights access only.
Solution: To be able to write to BIOS, the user must type the BIOS password instead of the TPM password at the Power-On Authentication window.
Glossary

activation. The task that must be completed before any of the Drive Encryption features are accessible. Drive Encryption is activated using the HP ProtectTools Security Manager setup wizard. Only an administrator can activate Drive Encryption. The activation process consists of activating the software, encrypting the drive, creating a user account, and creating the initial backup encryption key on a removable storage device.
administrator. See Windows administrator.
asset.
cryptographic service provider (CSP). Provider or library of cryptographic algorithms that can be used in a well-defined interface to perform particular cryptographic functions.
cryptography. Practice of encrypting and decrypting data so that it can be decoded only by specific individuals.
decryption. Procedure used in cryptography to convert encrypted data into plain text.
digital certificate.
network account. Windows user or administrator account, either on a local computer, in a workgroup, or on a domain.
personal secure drive (PSD). Provides a protected storage area for sensitive information.
power-on authentication. Security feature that requires some form of authentication, such as a Java Card, security chip, or password, when the computer is turned on.
Privacy Manager certificate.
suggested signer. A user who is designated by the owner of a Microsoft Word or Microsoft Excel document to add a signature line to the document.
token. See security logon method.
Trusted Contact invitation. An e-mail that is sent to a person, asking them to become a Trusted Contact.
Trusted Contact list. A listing of Trusted Contacts.
Trusted Contact recipient. A person who receives an invitation to become a Trusted Contact.
Trusted Contact. A person who has accepted a Trusted Contact invitation.