ProtectTools Getting Started
© Copyright 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Table of contents
1 Introduction
Accessing the ProtectTools Security Manager 2
Understanding security roles 2
Managing ProtectTools passwords 3
Creating a secure password
Creating a backup Java Card 26
4 Embedded Security for ProtectTools
Setup procedures 28
Enabling the embedded security chip 28
Initializing the embedded security chip
Creating a new account 49
Registering credentials 49
Registering fingerprints 49
Set up the fingerprint reader 50
Use your registered fingerprint to log on to Windows
1 Introduction
ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.
Accessing the ProtectTools Security Manager
To access the ProtectTools Security Manager from the Microsoft® Windows® Control Panel:
▲ Select Start > All Programs > HP ProtectTools Security Manager.
NOTE After you have configured the Credential Manager module, you can also open ProtectTools by logging on to Credential Manager directly from the Windows logon screen. For more information, refer to “Logging on to Windows with Credential Manager,” in Chapter 6, “Credential Manager for ProtectTools.”
Managing ProtectTools passwords Most of the ProtectTools Security Manager features are secured by passwords. The following table lists the commonly used passwords, the software module where the password is set, and the password function. The passwords that are set and used by IT administrators only are indicated in this table as well. All other passwords may be set by regular users or administrators.
ProtectTools password | Set in this ProtectTools module | Function
Emergency Recovery Token password | Embedded Security, by IT administrator | Protects access to the Emergency Recovery Token, which is a backup file for the embedded security chip.
Owner password | Embedded Security, by IT administrator | Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.
Creating a secure password
When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:
● Use passwords with more than 6 characters, preferably more than 8.
● Mix the case of letters throughout your password.
● Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
2 Smart Card Security for ProtectTools
Smart Card Security for ProtectTools manages the smart card setup and configuration for computers equipped with an optional smart card reader. With Smart Card Security, you can
● Access smart card security features.
● Initialize a smart card so that it can be used with other ProtectTools modules, such as Credential Manager for ProtectTools.
Initializing the smart card You must initialize the smart card before using it. To initialize the smart card: 1. Insert the smart card into the reader. 2. Select Start > All Programs > HP ProtectTools Security Manager. 3. In the left pane, select Smart Card Security, and then select Smart Card. 4. In the right pane, click Initialize. 5. Type your name in the first box in the Initialize the smart card dialog box. 6. Set and confirm the smart card PIN in the appropriate boxes.
Smart card BIOS security mode
When enabled, smart card BIOS security mode requires you to use a smart card to start the computer. The process of enabling smart card BIOS security mode involves the following steps:
1. Enable Smart Card Power-on Authentication Support in BIOS Configuration. Refer to “Enabling and disabling Smart card or Java Card power-on authentication support,” in Chapter 5, “BIOS Configuration for ProtectTools.”
Enabling smart card BIOS security mode and setting the smart card administrator password To enable smart card BIOS security mode and set the smart card administrator password: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Smart Card Security, and then select BIOS. 3. In the right pane, under BIOS Security Mode, click Enable. 4. Click Next. 5. Enter the Computer Setup setup password at the prompt, and then click Next. 6.
Changing the smart card administrator password The smart card administrator password is set as part of the process for enabling smart card BIOS security mode. You can change the smart card administrator password after it has been set. Refer to “Smart card BIOS security mode,” earlier in this chapter, for more information about the smart card administrator password. NOTE The following procedure updates the smart card administrator password stored on the card and in Computer Setup.
Setting and changing the smart card user password To set or change the smart card user password: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Smart Card Security, and then select BIOS. 3. In the right pane, under BIOS Security Mode, next to BIOS user card, click the Set button. NOTE If there is already a user password in Computer Setup, click the Change button. 4. Enter the smart card PIN and click Next. 5. Insert the new user card and click Next.
Storing the administrator or user card password If you want to create a backup card and have already set the administrator password, you can store the password on the new card. CAUTION This procedure updates only the password on the card and not in Computer Setup. You will not be able to access the computer with the new card. To store the administrator or user card password: 1. Insert a smart card into the reader. 2. Select Start > All Programs > HP ProtectTools Security Manager. 3.
General tasks Updating BIOS smart card settings To require a smart card PIN when you restart the computer: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Smart Card Security, and then select BIOS. 3. In the right pane, under Smart Card BIOS Password Properties, click Settings. 4. Select the check box to require a PIN at reboot. NOTE To eliminate this requirement, clear the check box. 5. Enter the smart card PIN and click OK.
Backing up and restoring smart cards
After you have initialized a smart card and the card is ready for use, it is highly recommended that you create a smart card recovery file. The recovery file can be used to transfer the smart card data from one smart card to another smart card. This file can also be used to back up the original smart card or to restore the data when a smart card is lost or stolen. Because the recovery file and its password together are enough to produce a working duplicate card, store the file offline and protect its password as carefully as the card PIN.
Restoring smart card data
You can restore the smart card data from the recovery file. This is especially useful if a card was lost or stolen, or if you want to create a backup smart card. If you use a card with previous data saved on it, the data will be overwritten. Before you begin, you will need the following:
● Access to a computer with Smart Card Security software installed
● Smart card recovery file
● Smart card recovery file password
● Smart card
To restore a smart card:
1.
Creating a backup smart card It is highly recommended that you create duplicate smart cards for backup purposes. Two methods can be used to create a backup card, depending upon whether the smart card password was manually or randomly generated. To create a replacement smart card with a randomly generated smart card password: ▲ Insert a smart card into the reader, and then load the appropriate recovery file onto it. For more information, refer to “Restoring smart card data,” earlier in this chapter.
3 Java Card Security for ProtectTools
Java Card Security for ProtectTools manages the Java Card setup and configuration for computers equipped with an optional smart card reader. With Java Card Security, you can
● Access Java Card security features.
● Work with the Computer Setup utility to enable Java Card authentication in a power-on environment, and to configure separate Java Cards for an administrator and a user.
General tasks The “General” page allows you to perform the following tasks: ● Change a Java Card PIN ● Select the smart card reader NOTE The smart card reader uses both Java Cards and smart cards. This feature is available if you have more than one smart card reader on the computer. Changing a Java Card PIN To change a Java Card PIN: NOTE The Java Card PIN must be between 4 and 8 numeric characters. 1. Select Start > All Programs > HP ProtectTools Security Manager. 2.
Advanced tasks (administrators only) The “Advanced” page allows you to perform the following tasks: ● Assign a Java Card PIN ● Assign a name to a Java Card ● Set power-on authentication ● Back up and restore Java Cards NOTE You must have a Computer Setup setup password in order to get to the “Advanced” page. Assigning a Java Card PIN You must assign a PIN to a Java Card before it can be used for power-on authentication.
Assigning a name to a Java Card You must assign a name to a Java Card before it can be used for power-on authentication. To assign a name to a Java Card: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Java Card Security, and then select Advanced. 3. When the Setup Password dialog box displays, enter your Computer Setup setup password, and then click OK. 4. Insert the Java Card into the smart card reader.
Enabling Java Card power-on authentication and creating an administrator Java Card To enable Java Card power-on authentication: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Java Card Security, and then select Advanced. 3. When the Computer Setup Password dialog box displays, enter your Computer Setup setup password, and then click OK. 4. Insert the Java Card into the smart card reader.
Creating a user Java Card NOTE Power-on authentication and an administrator card must be set up in order to create a user Java Card. To create a user Java Card: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Java Card Security, and then select Advanced. 3. When the Setup Password dialog box displays, enter your Computer Setup setup password, and then click OK. 4. Insert a Java Card that will be used as a user card. 5.
Backing up and restoring Java Cards After you have assigned power-on authentication identity to a Java Card, it is highly recommended that you create a Java Card recovery file. The recovery file can be used to transfer the Java Card power-on authentication identity data from one Java Card to another Java Card. This file can also be used to back up the original Java Card or to restore the data when a Java Card is lost or stolen.
Restoring Java Card data You can restore the Java Card data from the recovery file. This is especially useful if a card was lost or stolen, or if you want to create a backup Java Card. If you use a card with previous data saved on it, the data will be overwritten. Before you begin, you will need the following: ● Access to a computer with Java Card Security software installed ● Java Card recovery file ● Java Card recovery file password ● Java Card To restore a Java Card: 1.
4 Embedded Security for ProtectTools NOTE The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for ProtectTools. Embedded Security for ProtectTools protects against unauthorized access to user data or credentials.
Setup procedures CAUTION To reduce security risk, it is highly recommended that your IT administrator immediately initialize the embedded security chip. Failure to initialize the embedded security chip could result in an unauthorized user, a computer worm, or a virus taking ownership of the computer and gaining control over the owner tasks, such as handling the emergency recovery archive, and configuring user access settings.
Initializing the embedded security chip In the initialization process for Embedded Security, you will ● Set an owner password for the embedded security chip that protects access to all owner functions on the embedded security chip. ● Set up the emergency recovery archive, which is a protected storage area that allows reencryption of the Basic User Keys for all users. To initialize the embedded security chip: 1.
Setting up the basic user account Setting up a basic user account in Embedded Security ● Produces a Basic User Key that protects encrypted information, and sets a Basic User Key password to protect the Basic User Key. ● Sets up a personal secure drive (PSD) for storing encrypted files and folders. CAUTION Safeguard the Basic User Key password. Encrypted information cannot be accessed or recovered without this password. To set up a basic user account and enable the user security features: 1.
General tasks After the basic user account is set up, you can perform the following tasks: ● Encrypting files and folders. ● Sending and receiving encrypted e-mail. Using the Personal Secure Drive After setting up the PSD, you are prompted to enter the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.
Changing the Basic User Key password
To change the Basic User Key password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Embedded Security, and then select User Settings.
3. In the right pane, under Basic User Key password, click Change.
4. Type the old password, and then set and confirm the new password.
5. Click OK.
Advanced tasks Backing up and restoring The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emergency. Creating a backup file To create a backup file: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Embedded Security, and then select Backup. 3. In the right pane, click Backup. 4. Click Browse to choose the location where the backup file will be saved. 5.
Changing the owner password To change the owner password: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Embedded Security, and then select Advanced. 3. In the right pane, under Owner Password, click Change. 4. Type the old owner password, and then set and confirm the new owner password. 5. Click OK. Resetting a user password An administrator can help a user to reset a forgotten password. For more information, refer to the online Help.
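The Embedded Security procedures above describe a small key hierarchy: the Basic User Key encrypts the PSD, the Basic User Key password protects that key, the emergency recovery archive keeps a second copy of every Basic User Key, and the Emergency Recovery Token password gates the archive so an administrator can rewrap a key under a new password when a user forgets the old one. The Python sketch below is an added example, not HP's code, that models that relationship so the change-password and reset-password paths can be exercised end to end. Everything in it beyond the structure is an assumption: it uses only the standard library, so an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the TPM-backed authenticated cipher a real module uses; the PBKDF2 parameters are made up; and the recovery key is passed to enrolment as an argument, where the real module reaches it through the TPM.

```python
# Added illustration, not HP code: the Basic User Key (BUK) / recovery-archive
# relationship described in this chapter. Stdlib only; the HMAC-SHA256 keystream
# plus HMAC tag stands in for the TPM-backed authenticated cipher a product uses.
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000  # assumed; the page does not document the KDF

def derive_kek(password, salt):
    """Password -> key-encryption key, deliberately slow to resist guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap(key, plaintext):
    """Encrypt-then-MAC under key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    """Verify the tag before decrypting; a wrong key or password fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password/key or corrupted archive")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def init_embedded_security(token_password):
    """Initialization: mint the recovery key and seal it into the Emergency
    Recovery Token under the token password (the IT administrator's secret)."""
    salt, recovery_key = os.urandom(16), os.urandom(32)
    return {"token_salt": salt,
            "recovery_token": wrap(derive_kek(token_password, salt), recovery_key),
            "users": {},    # per-user settings: BUK wrapped under the user's password
            "archive": {}}  # emergency recovery archive: BUK wrapped under recovery key

def open_recovery_token(state, token_password):
    return unwrap(derive_kek(token_password, state["token_salt"]), state["recovery_token"])

def _wrap_under_password(state, user, buk, password):
    salt = os.urandom(16)
    state["users"][user] = {"salt": salt, "wrapped_buk": wrap(derive_kek(password, salt), buk)}

def setup_basic_user(state, recovery_key, user, password):
    """'Setting up the basic user account': a new BUK wrapped under the user's
    password, plus an escrow copy in the archive (simplification: the real
    module reaches the recovery key through the TPM, not as a parameter)."""
    buk = os.urandom(32)
    _wrap_under_password(state, user, buk, password)
    state["archive"][user] = wrap(recovery_key, buk)

def open_basic_user_key(state, user, password):
    """Logon: unwrap the BUK with the Basic User Key password."""
    entry = state["users"][user]
    return unwrap(derive_kek(password, entry["salt"]), entry["wrapped_buk"])

def change_user_password(state, user, old_password, new_password):
    """'Changing the Basic User Key password': the user must prove the old one."""
    _wrap_under_password(state, user, open_basic_user_key(state, user, old_password), new_password)

def reset_user_password(state, token_password, user, new_password):
    """'Resetting a user password': the administrator opens the recovery token,
    pulls the BUK from the archive and rewraps it; files stay readable because
    the BUK itself never changes."""
    buk = unwrap(open_recovery_token(state, token_password), state["archive"][user])
    _wrap_under_password(state, user, buk, new_password)

def demo():
    """Constructed walkthrough: enroll, encrypt a PSD file, lose the password,
    reset it through the archive, and read the file back."""
    state = init_embedded_security("ert-password")
    setup_basic_user(state, open_recovery_token(state, "ert-password"), "alice", "buk-pw-1")
    psd_file = wrap(open_basic_user_key(state, "alice", "buk-pw-1"), b"constructed PSD contents")
    try:
        open_basic_user_key(state, "alice", "wrong guess")
        return False  # a wrong password must not yield a key
    except ValueError:
        pass
    reset_user_password(state, "ert-password", "alice", "buk-pw-2")
    return unwrap(open_basic_user_key(state, "alice", "buk-pw-2"), psd_file) == b"constructed PSD contents"

if __name__ == "__main__":
    print("recovery round-trip ok:", demo())
```

The property worth noticing is in reset_user_password: the administrator needs the Emergency Recovery Token password and never the user's password, and the Basic User Key is unchanged, so data already encrypted under it stays readable after the reset. The converse is the reason for the CAUTION earlier in the chapter: without the archive and its token password, a forgotten Basic User Key password leaves the PSD unrecoverable.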
Migrating keys with the Migration Wizard Migration is an advanced administrator task that allows the management, restoration, and transfer of keys and certificates. For details on migration, refer to the Embedded Security online Help.
5 BIOS Configuration for ProtectTools BIOS Configuration for ProtectTools provides access to the Computer Setup utility security and configuration settings. This gives users Windows access to system security features that are managed by Computer Setup. With BIOS Configuration, you can ● Manage power-on passwords and administrator passwords. ● Configure other power-on authentication features, such as enabling smart card passwords and embedded security authentication support.
General tasks BIOS Configuration allows you to manage various computer settings that would otherwise be accessible only by pressing f10 at startup and entering Computer Setup. Managing boot options You can use BIOS Configuration to manage various settings for tasks that run when you turn on or restart the computer. To manage boot options: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select BIOS Configuration. 3.
Enabling and disabling system configuration options NOTE Some of the items listed below may not be supported by your computer. To enable or disable devices or security options: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select BIOS Configuration. 3. Enter your Computer Setup administrator password at the BIOS administrator password prompt, and then click OK. 4.
Advanced tasks Managing ProtectTools settings Some of the features of ProtectTools Security Manager can be managed in BIOS Configuration. Enabling and disabling Smart card or Java Card power-on authentication support Enabling this option allows you to use the smart card or the Java Card for user authentication when you turn on the computer.
Enabling and disabling power-on authentication support for Embedded Security Enabling this option allows the system to use the TPM embedded security chip (if available) for user authentication when you turn on the computer. NOTE To fully enable the power-on authentication feature, you must also configure the TPM embedded security chip using the Embedded Security for ProtectTools module. To enable power-on authentication support for embedded security: 1.
Enabling and disabling Automatic DriveLock hard drive protection When this option is enabled, the DriveLock passwords will be automatically generated and set in the drive, and protected by the TPM embedded security chip. NOTE The automatically generated passwords will not be set in the drive until the computer is restarted and you successfully enter the TPM embedded security password at the password prompt.
If you have set a setup password, you will be prompted for the password before opening the BIOS Configuration portion of ProtectTools. NOTE After you have set a setup password, the Set button on the “Passwords” page is replaced by a Change button. Setting the power-on password To set the power-on password: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select BIOS Configuration, and then select Security. 3.
Changing the setup password To change the Computer Setup setup password: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select BIOS Configuration, and then select Security. 3. In the right pane, next to Setup Password, click Change. 4. Type the current password in the Old Password box. 5. Type and confirm the new password in the Enter New Password and Verify New Password boxes. 6. Click OK in the Passwords dialog box. 7.
3. In the right pane, under Password Options, enable or disable Require password on restart.
4. Click Apply, and then click OK in the ProtectTools window to save your changes.
6 Credential Manager for ProtectTools
Credential Manager for ProtectTools has security features that provide protection against unauthorized access to your computer. These features include the following:
● Alternatives to passwords when logging on to Microsoft Windows, such as using a smart card or biometric reader to log on to Windows. For additional information, refer to “Registering credentials” later in this chapter.
Setup procedures
Logging on to Credential Manager
Depending upon the configuration, you can log on to Credential Manager in any of the following ways:
● Credential Manager Logon Wizard (preferred)
● Credential Manager icon in the notification area
● ProtectTools Security Manager
NOTE If you use the Credential Manager Logon prompt on the Windows Logon screen to log in to Credential Manager, you are logged in to Windows at the same time.
Creating a new account You can use the Credential Manager Logon Wizard to create a new user account. Before you begin, you must be logged on to Windows with an administrator account, but not logged on to Credential Manager. To create a new account: 1. Open Credential Manager by double-clicking the icon in the notification area. The Credential Manager Logon Wizard opens. 2. On the “Introduce Yourself” page, click More, and then click Sign Up for a New Account. 3. Click Next. 4.
Set up the fingerprint reader NOTE If you are using an optional fingerprint reader, connect the reader to the computer before performing the steps below. To set up the fingerprint reader: 1. In Windows, double-click the Credential Manager icon in the notification area of the taskbar. – or – Select Start > All Programs > ProtectTools Security Manager, and then click Credential Manager in the left pane. 2. On the “My Identity” page, click Log On, located in the upper-right corner of the page.
Use your registered fingerprint to log on to Windows
To log on to Windows using your fingerprint:
1. Immediately after you have registered your fingerprints, restart Windows.
2. In the upper-left corner of the screen, click Log on to Credential Manager.
3. At the Credential Manager Logon Wizard dialog box, instead of clicking a user name, swipe any of your registered fingers to log on to Windows.
4. Type your Windows password to associate the fingerprint with the password.
General tasks
All users have access to the “My Identity” page in Credential Manager. From the “My Identity” page, you can
● Create and register authentication credentials.
● Manage passwords.
● Manage Microsoft Network accounts.
● Manage single sign on credentials.
Creating a virtual token
A virtual token works very much like a smart card or USB token, except that it exists only in software: the token is saved either on the computer hard drive or in the Windows registry, so it does not provide the possession factor of a physical card.
Changing a token PIN You can change the PIN for a smart card or virtual token from the “My Identity” page in Credential Manager. 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Credential Manager, and then select My Identity. 3. In the right pane, under I Want To, click More, and then click Change Token PIN. 4. Click Next. 5. Select the token for which you want to change the PIN, and then click Next. 6.
Restoring an Identity To restore an identity: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Credential Manager, and then select My Identity. 3. In the right pane, under I Want To, click More, and then click Restore Identity. 4. Click Next. 5. On the “Device Type” page, select the device type where the backup was stored, and then click Next. 6. Follow the on-screen instructions for the device you selected, and then click Finish. 7.
Locking the computer To secure your computer when you are away from your desk, use the Lock Workstation feature. This prevents unauthorized users from gaining access to your computer. Only you and members of the administrators group on your computer can unlock it. NOTE For added security, you can configure the Lock Workstation feature to require a smart card, biometric reader, or token to unlock the computer. For more information, refer to “Configuring Credential Manager settings,” later in this chapter.
Adding accounts You can add additional local or domain accounts after logging on to Credential Manager. To add an account: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Credential Manager, and then select My Identity. 3. In the right pane, under Microsoft Network Logon, click Add a Network Account. 4. Type the user name for the new account in the User name box. 5. Click the domain from the list of available domains. 6.
Using Single Sign On Credential Manager has a Single Sign On feature that stores user names and passwords for multiple Internet and Windows applications, and automatically enters logon credentials when you access a registered application. NOTE Security and privacy are important features of Single Sign On. All credentials are encrypted and are available only after successful logon to Credential Manager.
NOTE You will not see the finger icon move across the page, but when you drag the pointer over the logon box in the application, a rectangular icon is displayed. 7. On the “Application Information” page of the SSO Registration Wizard, enter the name and description for the application. 8. Click Finish. 9. Type the logon credential—for example, the user name and password—into the application box. 10. In the confirmation dialog box, confirm or modify the credential name, and then click Yes.
To export an application: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Credential Manager, and then select My Identity. 3. In the right pane, under Single Sign On, click Manage Applications and Credentials. 4. Click the application entry you want to export. Then click More, and then click Export Application. 5. Follow the on-screen instructions to complete the export. 6. Click OK. Importing applications To import an application: 1.
Advanced tasks (administrator only) The “Authentication and Credentials” page and the “Advanced Settings” page of Credential Manager are available only to those users with administrator rights. From these pages, you can ● Specify how users and administrators log on. ● Configure credential properties. ● Configure Credential Manager program settings.
Configuring custom authentication requirements If the set of authentication credentials you want is not listed on the Authentication tab of the “Authentication and Credentials” page, you can create custom requirements. To configure custom requirements: 1. Select Start > All Programs > HP ProtectTools Security Manager. 2. In the left pane, select Credential Manager, and then select Authentication and Credentials. 3. In the right pane, click the Authentication tab. 4.
Configuring Credential Manager settings
From the “Advanced Settings” page, you can access and modify various settings using the following:
● General—Allows you to modify the settings for basic configuration.
● Single Sign On—Allows you to modify the settings for how Single Sign On works for the current user, such as how it handles detection of logon screens, automatic logon to registered dialogs, and password display.
Example 2—Using the “Advanced Settings” page to require user verification before Single Sign On
To require Single Sign On to verify your credentials before logging on to a registered dialog box or Web page:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select Advanced Settings.
3. In the right pane, click the Single Sign On tab.
4.
Glossary Authentication Process of verifying whether a user is authorized to perform a task, for example, accessing a computer, modifying settings for a particular program, or viewing secured data. Automatic DriveLock Security feature that causes the DriveLock passwords to be generated and protected by the TPM Embedded Security chip.
Identity In the ProtectTools Credential Manager, a group of credentials and settings that is handled like an account or profile for a particular user. Java Card Small piece of hardware, similar in size and shape to a credit card, which stores identifying information about the owner. Used to authenticate the owner to a computer. Migration A task that allows the management, restoration, and transfer of keys and certificates. Network account domain.