HP ProtectTools Getting Started
© Copyright 2012 Hewlett-Packard Development Company, L.P. Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Intel is a trademark of Intel Corporation in the U.S. and other countries and is used under license. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. The information contained herein is subject to change without notice.
1 Introduction to security
HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.
Application: HP ProtectTools Security Manager Administrative Console (for administrators)
Features:
● Requires Microsoft Windows® administrator rights to access.
● Provides access to modules that are configured by an administrator and not available to users.
Module: Credential Manager
Key features: General users can perform the following functions:
● Change user names and passwords.
● Configure and change user credentials such as a Windows password, fingerprint, face images, smart card, proximity card, or contactless card.
Other modules listed in this table: Password Manager; Drive Encryption for HP ProtectTools (select models only); Device Access Manager for HP ProtectTools (select models only); Theft Recovery (Computrace for HP ProtectTools, purchased separately).
Password Manager Password Manager stores user names and passwords, and can be used to: ● Save login names and passwords for Internet access or email. ● Automatically log the user in to a website or email. ● Manage and organize authentications. ● Select a Web or network asset and directly access the link. ● View names and passwords when necessary. Example 1: A purchasing agent for a large manufacturer makes most of her corporate transactions over the Internet.
of USB devices, network connections, and so on. An example would be a situation where outside vendors need access to company computers but should not be able to copy the data to a USB drive. Example 1: A manager of a medical supply company often works with personal medical records along with his company information. The employees need access to this data, however, it is extremely important that the data is not removed from the computer by a USB drive or any other external storage media.
Protecting against targeted theft An example of targeted theft would be the theft of a computer containing confidential data and customer information at an airport security checkpoint. The following features help protect against targeted theft: ● The pre-boot authentication feature, if enabled, helps prevent access to the operating system. ◦ Security Manager for HP ProtectTools—See HP ProtectTools Security Manager on page 23.
Additional security elements Assigning security roles In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users. NOTE: In a small organization or for individual use, these roles may all be held by the same person.
Creating a secure password When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised: ● Use passwords with more than 6 characters, preferably more than 8. ● Mix the case of letters throughout your password. ● Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
2 Getting started To configure settings for HP ProtectTools, use the HP Client Security Setup Wizard or the HP ProtectTools Security Manager Setup Wizard. After you have completed the HP Client Security Setup Wizard, application status is displayed on the HP Client Security Dashboard. HP Client Security Setup Wizard NOTE: Administration of HP ProtectTools requires administrative privileges.
HP ProtectTools Security Manager Setup Wizard NOTE: Administration of HP ProtectTools requires administrative privileges. The HP ProtectTools Security Manager Setup Wizard guides you through setting up the features of Security Manager. Besides the settings found in the wizard, administrators can configure many additional security features through the Administrative Console. These settings apply to the computer and all users who share the computer.
3 Easy Setup Guide for Small Business This chapter is designed to demonstrate the basic steps to activate the most common and useful options within HP ProtectTools for Small Business. There are numerous tools and options available in this software that will allow you to fine-tune your preferences and set your access control. This Easy Setup Guide will focus on getting each module running with the least amount of setup effort and time.
To start saving web locations, user names, and passwords: 1. As an example, navigate to a participating website or application, and then click the Password Manager icon in the upper-left corner of the Web page to add the web authentication. 2. Name the link (optional) and enter a user name and password into Password Manager. NOTE: The areas that Password Manager will use now and for subsequent visits are highlighted. 3. When complete, click the OK button. 4.
7. Select the desired user, and then click OK > OK > Apply. Your choice is displayed in the Users/Groups box. 8. Select the Device Class that the user will be using, select Allow or Deny, and then click Apply. Drive Encryption for HP ProtectTools Drive Encryption for HP ProtectTools is used to protect your data by encrypting the entire hard drive.
4 HP ProtectTools Security Manager Administrative Console HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Administration of HP ProtectTools Security Manager is provided through the Administrative Console feature. Additional applications are available in the Security Manager User Console to assist with recovery of the computer if it is lost or stolen (select models only).
4. Drive Encryption—If Drive Encryption for HP ProtectTools is installed, you can activate encryption on the primary drive: ● Software encryption for a traditional hard drive ● Hardware encryption if a self-encrypting drive is detected. You must save an encryption key on one or more of the following before encryption is enabled: NOTE: If you cancel the wizard at this time, you will not be able to activate Windows and Drive Encryption authentication.
● The Administrative Console is launched for a configuration requiring administrator privilege. ● The Status Dashboard stays open after the User Console or the Administrative Console is launched, and once you have configured settings and closed the Console, the status is refreshed. Opening HP ProtectTools Administrative Console Use the HP ProtectTools Administrative Console for administrative tasks, such as setting system policies or configuring software.
● About—Displays information about HP ProtectTools Security Manager, such as the version number and copyright notice.
● Main area—Displays application-specific screens.
● ? (Help icon)—Displays the Administrative Console Help. This icon is located at the top right of the window frame, next to the minimize and maximize icons.
Configuring your system
The System group is accessed from the menu panel on the left side of HP ProtectTools Administrative Console.
8. To return to the original settings, click Restore Defaults. 9. Click Apply. Session Policy To define policies governing the credentials required to perform authentication during a Windows session: 1. In the left panel of Administrative Console, click Security, and then click Authentication. 2. On the Session Policy tab, select a user category, such as Administrators or Standard users. 3. Click an authentication credential to display the edit dialog. 4.
SpareKey You can configure whether or not to allow SpareKey authentication for Windows logon, and manage the security questions that will be presented to users during their SpareKey enrollment. 1. Select the security questions that will be presented to users during their SpareKey enrollment. You can specify up to three custom questions, or you can allow users to type their own passphrase. 2. To allow SpareKey recovery for Windows logon, select the check box. 3. Click Apply.
Face If a webcam is installed or connected to the computer, and if the Face Recognition program is installed, administrators can set the security level for Face Recognition to balance the ease of use and the difficulty of breaching the security of the computer. 1. Click Credentials, and then click Face. 2. For more convenience, click the slider to move it to the left, or for more accuracy, click the slider to move it to the right.
c. Be sure that Initialize the smart card is selected. d. Enter your PIN, click Apply, and then follow the on-screen instructions. After the smart card has been successfully initialized, you need to register the smart card. Registering the smart card After initializing the smart card, administrators can register the card as an authentication method in HP ProtectTools Administrative Console: 1. Click Setup Wizard. 2. In the Welcome screen, click Next. 3.
Contactless card A contactless card is a small plastic card containing a computer chip. If a contactless card reader is connected to the computer, if the associated driver from the manufacturer has been installed, and if a contactless card has been selected as an authentication credential, you can use your contactless card for authentication.
General tab The following settings are available on the General tab: ● Do not automatically launch the Setup Wizard for administrators—Select this option to prevent the wizard from automatically opening upon logon. ● Do not automatically launch the Getting Started Wizard for users—Select this option to prevent user setup from automatically opening upon logon. 1. Select the check box next to a specific setting to enable it, or clear the check box to disable the setting. 2. Click Apply.
5 HP ProtectTools Security Manager HP ProtectTools Security Manager allows you to significantly increase the security of your computer. You can use preloaded Security Manager applications, as well as additional applications available for immediate download from the Web: ● Manage your logon and passwords. ● Easily change your Windows® operating system password. ● Set program preferences. ● Use fingerprints for extra security and convenience. ● Enroll one or more scenes for authentication.
● My Computer—Manage the security of your computer with Device Access Manager. NOTE: This item is not displayed if the application is not installed. ● Administration—Allows administrators to access the Administrative Console to manage security and users. ● Advanced—Displays commands for accessing additional features, including: ◦ Preferences—Allows you to personalize Security Manager settings. ◦ Backup and Restore—Allows you to back up or restore data.
Password Manager offers the following options: Manage tab ● Add, edit, or delete logons. ● Use Quick Links to launch your default browser and log on to any website or program, after it has been set up. ● Drag and drop to organize your Quick Links into categories. ● See at a glance whether any of your passwords are a security risk. Password Strength tab ● Check the strength of individual passwords used for websites and applications, as well as the overall password strength.
NOTE: The administrator of this computer may have set up Security Manager to require more than one credential when verifying your identity. Adding logons You can easily add a logon for a website or a program by entering the logon information once. From then on, Password Manager automatically enters the information for you.
Editing logons To edit a logon, follow these steps: 1. Open the logon screen for a website or program. 2. To display a dialog box where you can edit your logon information, click the arrow on the Password Manager icon, and then click Edit Logon. Logon fields on the screen, and their corresponding fields on the dialog box, are identified with a bold orange border. You can also display this dialog box by clicking Edit for the desired logon on the Password Manager Manage tab. 3. 4.
To add a logon to a category: 1. Place your mouse pointer over the desired logon. 2. Press and hold the left mouse button. 3. Drag the logon into the list of categories. Categories are highlighted as you move your mouse pointer over them. 4. Release the mouse button when the desired category is highlighted. Your logons are not moved to the category, but only copied to the selected category. You can add the same logon to more than one category, and you can display all of your logons by clicking All.
Password Manager icon settings Password Manager attempts to identify logon screens for websites and programs. When it detects a logon screen for which you have not created a logon, Password Manager prompts you to add a logon for the screen by displaying the Password Manager icon with a plus sign. 1. Click the icon, and then click Icon Settings to customize how Password Manager handles possible logon sites.
Available credentials can vary, depending on the security devices built into or connected to this computer. Supported credentials, requirements, and current status are displayed when you click Credential Manager under My Logons, and may include the following: ● Password ● SpareKey ● Fingerprints ● Face ● Smart card ● Contactless Card ● Proximity Card ● Bluetooth ● PIN To enroll or change a credential, click the link and follow the on-screen instructions.
Enrolling your fingerprints If the administrator selected Fingerprints on the Choose your credentials screen and if your computer has a fingerprint reader built in or connected, the HP ProtectTools Security Manager Setup Wizard guides you through the process of setting up, or "enrolling," your fingerprints: You can also enroll your fingerprints on the Fingerprint page under Credential Manager in the Security Manager User Console. 1.
6. Click the Camera icon, and then follow the on-screen instructions to enroll your scene. NOTE: Be sure to look at your image, turning your head accordingly, while the scenes are being captured. 7. Click Next. You can also enroll scenes from the Security Manager User Console: 1. Open the Security Manager User Console. For more information, see Opening Security Manager on page 23. 2. Under My Logons, click Credential Manager, and then click Face. 3. Click Advanced to configure additional options.
Learning If face logon is unsuccessful but you enter your password successfully, you may be prompted to save a series of images to increase the chances of successful face logon in the future. Deleting a scene To delete a currently enrolled scene: 1. Open the Security Manager User Console. For more information, see Opening Security Manager on page 23. 2. Under My Logons, click Credential Manager, and then click Face. 3. Click the scene to be deleted, and then click the Trash can icon. 4.
Administrators can initialize the smart card using the manufacturer’s software and HP ProtectTools Administrative Console. For more information, see the HP ProtectTools Administrative Console software Help. Registering the smart card After the smart card is initialized, users can register it in Security Manager: 1. Open the Security Manager User Console. For more information, see Opening Security Manager on page 23. 2. Click Credential Manager, and then click Smart card. 3.
NOTE: Only Bluetooth phone devices are supported. 1. Be sure that Bluetooth functionality is enabled on the computer, and that the Bluetooth phone is set in discovery mode. To connect the phone, you may be required to type an automatically generated code on the Bluetooth device. Depending on the Bluetooth device configuration settings, a comparison of pairing codes between the computer and the phone may be required. 2. To enroll the phone, select it, and then click Enroll. 3.
NOTE: The Fingerprint tab is available only if the computer has a fingerprint reader and the correct driver is installed. ● Quick Actions—Use Quick Actions to select the Security Manager task to be performed when you hold down a designated key while swiping your fingerprint. To assign a Quick Action to one of the listed keys, click a (Key) + Fingerprint option, and then select one of the available tasks from the menu. ● Fingerprint Scan Feedback—Displayed only when a fingerprint reader is available.
To restore your data: 1. Open the Security Manager User Console. For more information, see Opening Security Manager on page 23. 2. On the left panel of the User Console, click Advanced, and then click Backup and Restore. 3. Click Restore data. 4. Select the previously created storage file. Enter the path in the field provided, or click Browse. 5. Enter the password used to protect the file. 6. Select the modules for which you want to restore data.
6 Drive Encryption for HP ProtectTools (select models only) Drive Encryption for HP ProtectTools protects data at rest by encrypting the computer's hard drive, so that the data on the drive cannot be read without authenticating. It does not protect data once a user has logged on and Windows is running. When Drive Encryption is activated, you must log on at the Drive Encryption login screen, which is displayed before the Windows® operating system starts.
General tasks Activating Drive Encryption for standard hard drives Standard hard drives are encrypted using software encryption. Follow these steps to activate Drive Encryption: 1. Launch HP ProtectTools Administrative Console. For more information, see Opening HP ProtectTools Administrative Console on page 15. 2. In the left panel, click Setup Wizard. 3. Select the Drive Encryption check box, and then click Next. 4. To back up the encryption key, connect an external device for recording this key.
4. Under Drives to be encrypted, select the check box for the hard drive that you want to encrypt, and then click Next. 5. To back up the encryption key, insert the storage device into the appropriate slot. 6. Under Back up Drive Encryption keys, select the check box for the storage device where the encryption key will be saved. 7. Click Apply. NOTE: The computer will restart. Drive Encryption has been activated.
Deactivating Drive Encryption Administrators can use the HP ProtectTools Security Manager Setup Wizard to deactivate Drive Encryption. See the HP ProtectTools Security Manager software Help for more information. 1. Launch HP ProtectTools Administrative Console. For more information, see Opening HP ProtectTools Administrative Console on page 15. 2. In the left panel, click Setup Wizard. 3. Clear the Drive Encryption check box, and then click Next. Drive Encryption deactivation begins.
Supported smart cards ● ActivIdentity Oberthur Cosmopol IC 64k V5.2 ● Gemalto Cyberflex Access 64k V2c ● ActivIdentity Activkey SIM (Gemalto Cyberflex Access 64k V2c) NOTE: If the recovery key is used to log on at the Drive Encryption login screen, additional credentials are required at Windows logon to access user accounts.
Hardware encryption ◦ Encrypted ◦ Not encrypted (for additional drives) Using Enhanced Security with TPM (select models only) If the Trusted Platform Module (TPM) is activated and the Drive Encryption Enhanced Security with TPM functionality is selected, the Drive Encryption password is protected by the TPM security chip. If the hard drive is removed and installed in another computer, access to the drive is denied. CAUTION: TPM ownership cannot be shared with Windows TPM.msc.
NOTE: To save the encryption key, you must use a USB storage device with the FAT32 or FAT16 format. A USB memory stick, Secure Digital (SD) Memory Card, or MultiMedia Card (MMC) may be used for backup. 1. Launch HP ProtectTools Administrative Console. For more information, see Opening HP ProtectTools Administrative Console on page 15. 2. In the left panel, click the + icon to the left of Drive Encryption to display the available options. 3. Click Backing up Encryption Keys. 4.
To perform an HP SpareKey Recovery if you forget your password: 1. Turn on the computer. 2. When the Drive Encryption for HP ProtectTools page is displayed, navigate to the user logon page. 3. Click SpareKey. NOTE: If your SpareKey has not been initialized in Security Manager, the SpareKey button is not available. 4. Type correct answers to the displayed questions, and then click Logon. The Windows logon screen is displayed.
7 Device Access Manager for HP ProtectTools (select models only) HP ProtectTools Device Access Manager controls access to data by disabling data transfer devices. NOTE: Some human interface/input devices, such as a mouse, keyboard, TouchPad, and fingerprint reader, are not controlled by Device Access Manager. For more information, see Unmanaged Device Classes on page 54.
Setup Procedures Configuring device access HP ProtectTools Device Access Manager offers four views: ● Simple Configuration—Allow or deny access to classes of devices, based on membership in the Device Administrators group. ● Device Class Configuration—Allow or deny access to types of devices or specific devices for specific users or groups.
Starting the background service The first time a new policy is defined and applied, the HP ProtectTools Device Locking/Auditing background service starts automatically, and it is set to start automatically whenever the system starts. NOTE: A device profile must be defined before the background service prompt is displayed. Administrators can also start or stop this service. Stopping the Device Locking/Auditing service does not stop device locking.
The same user, the same group, or a member of the same group can be granted write access or read+write access only for a device below this device in the device hierarchy. Example 2—If a user or group is allowed write access for a device or class of devices: The same user, the same group, or a member of the same group can be denied write access or read+write access only for the same device or a device below this device in the device hierarchy.
Allowing access for a user or a group
To grant permission for a user or a group to access a device or a class of devices:
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click Device Class Configuration.
2. In the device list, click one of the following:
● Device class
● All devices
● Individual device
3. Click Add. The Select Users or Groups dialog box opens.
4. Click Advanced, and then click Find Now to search for users or groups to add.
4. Click Deny next to the group to be denied access. 5. Navigate to the specific device to which access is to be allowed for the user in the device list. 6. Click Add. The Select Users or Groups dialog box opens. 7. Click Advanced, and then click Find Now to search for users or groups to add. 8. Click a user to be allowed access, and then click OK. 9. Click Allow to grant this user access. 10. Click Apply.
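The rules in Examples 1 and 2 and the deny-the-group, allow-one-user procedure above describe a hierarchical access policy. The following is an added model of how such a policy resolves; it is example code written for this page, not HP's implementation. Everything in it is an assumption unless the text above states it: the three-level tree (all devices > device class > individual device), the principle that the most specific node decides, that an explicit deny beats an allow at the same node (Example 2), and that a device with no applicable rule stays usable because the product only restricts access. The device names, users, and group names are constructed.

```python
"""Model of hierarchical allow/deny resolution for device access (added
example; not HP code). All structural rules below are assumptions drawn from
Examples 1 and 2 and the procedure above."""
from dataclasses import dataclass

# Constructed hierarchy: child -> parent (None marks the root).
PARENT = {
    "All devices": None,
    "Removable Storage": "All devices",
    "USB Flash (VendorX)": "Removable Storage",
    "DVD/CD-ROM": "All devices",
}

# Constructed group membership; the group names are assumptions.
GROUPS = {
    "alice": {"Users"},
    "bob": {"Users", "Device Administrators"},
}


@dataclass(frozen=True)
class Rule:
    principal: str    # user or group name
    device: str       # key of PARENT
    decision: str     # "allow" or "deny"
    ops: frozenset    # subset of {"read", "write"}


def lineage(device, parent=PARENT):
    """Yield the device itself, then each ancestor up to the root."""
    node = device
    while node is not None:
        yield node
        node = parent[node]


def principals_for(user, groups=GROUPS):
    """Names a rule can match for this user: the user plus its groups."""
    return {user} | groups.get(user, set())


def resolve(user, device, op, rules, parent=PARENT, groups=GROUPS):
    """Decide 'allow' or 'deny' for one (user, device, operation).

    Walk from the device up toward the root. The first node carrying a rule
    that names the user (or one of the user's groups) and covers the
    operation decides (assumed most-specific-wins, per Examples 1 and 2).
    At that node an explicit deny beats an allow (Example 2). If no rule
    applies anywhere, the device stays usable (assumption: the policy only
    restricts; it never grants more than Windows already allows)."""
    who = principals_for(user, groups)
    for node in lineage(device, parent):
        hits = [r for r in rules
                if r.device == node and r.principal in who and op in r.ops]
        if hits:
            return "deny" if any(r.decision == "deny" for r in hits) else "allow"
    return "allow"


# Policy built the way the procedure above builds it: deny a group on a
# class, then allow one user on one device below that class. The last two
# rules reproduce Example 2 (allow write on a device, deny it on the same device).
RW = frozenset({"read", "write"})
POLICY = [
    Rule("Users", "Removable Storage", "deny", RW),
    Rule("alice", "USB Flash (VendorX)", "allow", RW),
    Rule("Users", "DVD/CD-ROM", "allow", frozenset({"write"})),
    Rule("alice", "DVD/CD-ROM", "deny", frozenset({"write"})),
]


def evaluate(policy=POLICY):
    """Resolve representative requests; returns {(user, device, op): decision}."""
    requests = [
        ("alice", "USB Flash (VendorX)", "write"),  # device allow overrides class deny
        ("alice", "Removable Storage", "write"),    # class deny stands
        ("bob", "USB Flash (VendorX)", "read"),     # group deny; Device Administrators membership alone grants nothing
        ("alice", "DVD/CD-ROM", "write"),           # deny beats allow at the same node
        ("bob", "DVD/CD-ROM", "write"),             # only the group allow applies
        ("bob", "DVD/CD-ROM", "read"),              # no rule at all: still usable
    ]
    return {req: resolve(*req, policy) for req in requests}


if __name__ == "__main__":
    for (user, device, op), decision in evaluate().items():
        print(f"{user:6} {op:5} {device:22} -> {decision}")
```

The third request is the point of the NOTE under Device Administrators group below: being in that group changes nothing in this model unless a rule names it, which matches the guide's statement that membership does not by itself grant device access.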
JITA-enabled users will be able to access some devices for which policies created in the Device Class Configuration or Simple Configuration view have been restricted. ● Scenario—A Simple Configuration policy is configured to deny all non-Device Administrators access to the DVD/CD-ROM drive. ● Result—A JITA-enabled user who attempts to access the DVD/CD-ROM drive receives the same “access denied” message as a non-JITA-enabled user.
6. Select the Extendable check box. 7. Click Apply. The user must log out and then log on again for the new JITA setting to be applied. Disabling a JITA for a user or group Administrators can disable user or group access to devices using just-in-time authentication. 1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click JITA Configuration. 2. From the device’s drop-down menu, select either removable media or DVD/CD-ROM drives. 3.
Device Administrators group When Device Access Manager is installed, a Device Administrators group is created. The Device Administrators group is used to exclude trusted users (trusted in terms of device access) from the restrictions imposed by a Device Access Manager policy. Trusted users usually include System Administrators. NOTE: Adding a user to the Device Administrators group does not automatically allow the user to access devices.
●
◦ Hard disk controller (HDC)
◦ Human interface device (HID) class
● Power
◦ Battery
◦ Advanced power management (APM) support
● Miscellaneous
◦ Computer
◦ Decoder
◦ Display
◦ Processor
◦ System
◦ Unknown
◦ Volume
◦ Volume snapshot
◦ Security devices
◦ Security accelerator
◦ Intel® unified display driver
◦ Media driver
◦ Medium changer
◦ Multifunction
◦ Legacard
◦ Net client
◦ Net service
◦ Net trans
◦ SCSI adapter
8 Theft recovery (select models only) Computrace for HP ProtectTools (purchased separately) allows you to remotely monitor, manage, and track your computer. Once activated, Computrace for HP ProtectTools is configured from the Absolute Software Customer Center. From the Customer Center, the administrator can configure Computrace for HP ProtectTools to monitor or manage the computer.
9 Localized password exceptions
At the Preboot Security level and the HP Drive Encryption level, password localization support is limited, as described in the following sections.
What to do when a password is rejected
Passwords can be rejected for the following reasons:
● A user is using an IME that is not supported. This is a common issue with double-byte languages (Korean, Japanese, Chinese). To resolve this issue: 1.
Password changes using keyboard layout that is also supported If the password is initially set with one keyboard layout, such as U.S. English (409), and then the user changes the password using a different keyboard layout that is also supported, such as Latin American (080A), the password change will work in HP Drive Encryption, but it will fail in the BIOS if the user uses characters that exist in the latter but not in the former (for example, ē).
Language: Spanish
Windows: 40a is not supported. It nevertheless works because the software converts it to c0a. However, because of subtle differences between the keyboard layouts, it is recommended that Spanish-speaking users change their Windows keyboard layout to 1040a (Spanish Variation) or 080a (Latin American).
BIOS: n/a
Drive Encryption: n/a

Language: US international
Windows:
◦ The ¡, ¤, ‘, ’, ¥, and × keys on the top row are rejected.
◦ The å, ®, and Þ keys on the second row are rejected.
BIOS: n/a
Drive Encryption: n/a
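The two things the guide asks of a password are the strength guidelines in "Creating a secure password" and, for pre-boot use, that every character be one the BIOS keyboard layout can produce (the section above: a change made under a second layout is accepted by Drive Encryption but fails at the BIOS if it uses characters the first layout lacks). The following is an added example that checks both before a user commits to a password; it is not HP code. The character sets are constructed stand-ins for the U.S. English (409) and Latin American (080A) pre-boot layouts, not HP's layout tables, and the exact characters the BIOS rejects are whatever the table above says for a given language.

```python
"""Pre-boot password checks (added example; not HP code).

Checks a candidate password against the guide's strength guidelines and
against an assumed pre-boot keyboard character set. The layout sets are
illustrative, not the real BIOS tables."""
import string

# Assumed: the pre-boot U.S. English (409) layout yields exactly the
# printable US-ASCII characters, space excluded.
US_ENGLISH = frozenset(string.ascii_letters + string.digits + string.punctuation)

# Assumed: Latin American (080A) adds a few characters U.S. English cannot
# type. Illustrative subset only.
LATIN_AMERICAN = US_ENGLISH | frozenset("ñÑ¿¡´¨")


def guideline_findings(password):
    """Return the guide's password guidelines that this password fails."""
    findings = []
    if len(password) <= 6:
        findings.append("too short: use more than 6 characters")
    elif len(password) <= 8:
        findings.append("short: more than 8 characters is recommended")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        findings.append("mix upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        findings.append("include digits")
    if not any(c in string.punctuation for c in password):
        findings.append("include special characters or punctuation")
    return findings


def untypeable_in(password, layout):
    """Characters of the password that the given layout cannot produce."""
    return sorted({c for c in password if c not in layout})


def check(password, preboot_layout=US_ENGLISH):
    """Combine both checks. 'ok' is True only if the password meets the
    guidelines and every character exists in the pre-boot layout."""
    findings = guideline_findings(password)
    untypeable = untypeable_in(password, preboot_layout)
    return {"findings": findings, "untypeable": untypeable,
            "ok": not findings and not untypeable}


def layout_change_risk(password, old_layout, new_layout):
    """The caveat from the section above: a password changed under
    new_layout passes Drive Encryption but fails at the BIOS if it uses
    characters that exist in new_layout but not in old_layout. Returns
    those characters (empty means the change is safe at the BIOS)."""
    return sorted({c for c in password if c in new_layout and c not in old_layout})


if __name__ == "__main__":
    for pw in ["Cafe-Latte2024", "Café-Latte2024", "ēdition9", "abc"]:
        print(repr(pw), check(pw))
    print("Niño-2024 ->", layout_change_risk("Niño-2024", US_ENGLISH, LATIN_AMERICAN))
```

The "ē" case reproduces the example in the section above: the password is fine for Windows and Drive Encryption but the check flags it as untypeable at the BIOS. Run the check with the layout the pre-boot environment actually uses, not the one the user types with in Windows.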
Glossary activation The task that must be completed before any of the Drive Encryption features are accessible. Drive Encryption is activated using the HP ProtectTools Setup Wizard. Only an administrator can activate Drive Encryption. The activation process consists of activating the software, encrypting the drive, creating a user account, and creating the initial backup encryption key on a removable storage device.
domain A group of computers that are part of a network and share a common directory database. Domains are uniquely named, and each has a set of common rules and procedures. Drive Encryption Protects your data by encrypting your hard drive(s), making the information unreadable by those without proper authorization. Drive Encryption logon screen A logon screen that is displayed before Windows starts up. Users must enter their Windows user name and their password or smart card PIN.
PKI Public Key Infrastructure: the set of standards, roles, and services for creating, using, and administering certificates and cryptographic keys. power-on authentication A security feature that requires some form of authentication, such as a smart card, security chip, or password, when the computer is turned on. reboot The process of restarting the computer. restore A process that copies program information from a previously saved backup file into this program.