Reference Guide ProtectTools Security Manager Document Part Number: 389171-003 February 2006
© Copyright 2005, 2006 Hewlett-Packard Development Company, L.P. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Java is a U.S. trademark of Sun Microsystems, Inc. Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. The information contained herein is subject to change without notice.
Contents
1 Introduction
    ProtectTools Security Manager
    Accessing the ProtectTools Security Manager
    Understanding Security Roles
    Managing ProtectTools Passwords
        Creating a Secure Password
2 Smart Card Security for ProtectTools
    Basic concepts
3 Java Card Security for ProtectTools
    Basic concepts
    General tasks
        Changing a Java Card PIN
        Selecting the smart card reader
    Advanced tasks (administrators only)
        Assigning a Java Card PIN
5 BIOS Configuration for ProtectTools
    Basic concepts
    General tasks
        Managing boot options
        Enabling and disabling system configuration options
    Advanced tasks
1 Introduction
ProtectTools Security Manager
ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.
Accessing the ProtectTools Security Manager
To access the ProtectTools Security Manager from the Microsoft® Windows® Control Panel:
» Select Start > All Programs > HP ProtectTools Security Manager.
✎ After you have configured the Credential Manager module, you can also open ProtectTools by logging on to Credential Manager directly from the Windows logon screen.
Understanding Security Roles
In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.
✎ In a small organization or for individual use, these roles may all be held by the same person.
Managing ProtectTools Passwords
Most of the ProtectTools Security Manager features are secured by passwords. The following table lists the commonly used passwords, the software module where the password is set, and the password function. The passwords that are set and used by IT administrators only are indicated in this table as well. All other passwords may be set by regular users or administrators.
ProtectTools Password | Set in this ProtectTools Module | Function
Smart card administrator password | Smart Card Security, by IT administrator | Used for smart card power-on (BIOS) authentication. Allows access to the Computer Setup utility and the computer contents when the computer is turned on, restarted, or restored from hibernation. It also allows for creating recovery files to restore user or administrator cards.
 | Smart Card Security | Used for smart card power-on (BIOS) authentication.
Java™ Card PIN | Java Card Security | Protects access to the Java Card contents and authenticates users of the Java Card. When used for power-on authentication, the Java Card PIN also protects access to the Computer Setup utility and to the computer contents.
Basic User Key password | Embedded Security | Used to access Embedded Security features, such as secure e-mail, file, and folder encryption.
Credential Manager logon password | Credential Manager | This password offers 2 options: ■ It can be used in a separate logon to access Credential Manager after logging on to Microsoft Windows. ■ It can be used in place of the Windows logon process, allowing access to Windows and Credential Manager simultaneously.
Creating a Secure Password
When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:
■ Use passwords with more than 6 characters, preferably more than 8.
■ Mix the case of letters throughout your password.
2 Smart Card Security for ProtectTools
Basic concepts
Smart Card Security for ProtectTools manages the smart card setup and configuration for computers equipped with an optional smart card reader. With Smart Card Security, you can:
■ Access smart card security features.
■ Initialize a smart card so that it can be used with other ProtectTools modules, such as Credential Manager for ProtectTools.
Initializing the smart card
You must initialize the smart card before using it. To initialize the smart card:
1. Insert the smart card into the reader.
2. Select Start > All Programs > HP ProtectTools Security Manager.
3. In the left pane, select Smart Card Security, and then select Smart Card.
4. In the right pane, click Initialize.
5. Type your name in the first box in the Initialize the smart card dialog box.
6.
Smart card BIOS security mode
When enabled, smart card BIOS security mode requires you to use a smart card to start the computer. The process of enabling smart card BIOS security mode involves the following steps:
1. Enable Smart Card Power-on Authentication Support in BIOS Configuration. Refer to “Enabling and disabling Smart card or Java Card power-on authentication support,” in Chapter 5, “BIOS Configuration for ProtectTools.
Enabling smart card BIOS security mode and setting the smart card administrator password
To enable smart card BIOS security mode and set the smart card administrator password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Smart Card Security, and then select BIOS.
3. In the right pane, under BIOS Security Mode, click Enable.
4. Click Next.
5. Enter the Computer Setup setup password at the prompt, and click Next.
6.
Disabling smart card BIOS security mode
When disabling smart card BIOS security mode, the smart card administrator and user passwords are disabled, and the use of the smart card is no longer needed to access the computer.
✎ If smart card BIOS security mode has previously been enabled, the button on the “Smart Card Security BIOS” page changes to Disable.
To disable smart card security:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2.
Changing the smart card administrator password
The smart card administrator password is set as part of the process for enabling smart card BIOS security mode. You can change the smart card administrator password after it has been set. Refer to “Smart card BIOS security mode,” earlier in this chapter, for more information about the smart card administrator password.
Setting and changing the smart card user password
To set or change the smart card user password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Smart Card Security, and then select BIOS.
3. In the right pane, under BIOS Security Mode, next to BIOS user card, click the Set button.
✎ If there is already a user password in Computer Setup, click the Change button.
4. Enter the smart card PIN and click Next.
5.
7. Under Boot Requirements, select the check box if you require the smart card PIN to be entered at startup.
✎ If you do not require the smart card PIN to be entered at startup, clear this check box.
8. Enter the smart card PIN and click OK. The system prompts you to create a recovery file.
✎ It is highly recommended that you create a recovery file. For more information, refer to “Creating a recovery file,” later in this chapter.
9.
4. In the right pane, under BIOS Password on Smart Card, click Store.
5. In the BIOS Password Wizard, you can either
❏ Enter a password manually.
❏ Generate a random 32-byte password.
✎ Using a known password enables you to create duplicate cards without using a recovery file. Generating a random password offers more security; however, you must have a recovery file to make backup cards.
6. Under Access Privilege, click either Administrator or User for the type of card.
General tasks
Updating BIOS smart card settings
To require a smart card PIN when you restart the computer:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Smart Card Security, and then select BIOS.
3. In the right pane, under Smart Card BIOS Password Properties, click Settings.
4. Select the check box to require a PIN at reboot.
✎ To eliminate this requirement, clear the check box.
5. Enter the smart card PIN and click OK.
Changing the smart card PIN
To change the smart card PIN:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Smart Card Security, and then select Smart Card.
3. In the right pane, under Change PIN, click Change PIN.
4. Type your current smart card PIN.
5. Set and confirm the new PIN.
6. Click OK in the confirmation dialog box.
Creating a recovery file
To create a recovery file:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Smart Card Security, and then select Smart Card.
3. In the right pane, under Recovery, click Create.
4. Enter the smart card PIN and click OK.
5. Enter the file path and file name in the Filename box.
Restoring smart card data
You can restore the smart card data from the recovery file. This is especially useful if a card was lost or stolen, or if you want to create a backup smart card. If you use a card with previous data saved on it, the data will be overwritten.
Creating a backup smart card
It is highly recommended that you create duplicate smart cards for backup purposes. Two methods can be used to create a backup card, depending upon whether the smart card password was manually or randomly generated.
To create a replacement smart card with a randomly generated smart card password:
» Insert a smart card into the reader, and then load the appropriate recovery file onto it.
3 Java Card Security for ProtectTools
Basic concepts
Java Card Security for ProtectTools manages the Java Card setup and configuration for computers equipped with an optional smart card reader. With Java Card Security, you can:
■ Access Java Card security features.
■ Work with the Computer Setup utility to enable Java Card authentication in a power-on environment, and to configure separate Java Cards for an administrator and a user.
General tasks
The “General” page allows you to perform the following tasks:
■ Change a Java Card PIN
■ Select the smart card reader
✎ The smart card reader uses both Java Cards and smart cards. This feature is available if you have more than one smart card reader on the computer.
Changing a Java Card PIN
To change a Java Card PIN:
✎ The Java Card PIN must be between 4 and 8 numeric characters.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2.
Selecting the smart card reader
Ensure that the correct smart card reader is selected in Java Card Security before using the Java Card. If the correct reader is not selected in Java Card Security, some of the features may be unavailable or incorrectly displayed.
To select the smart card reader:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Java Card Security, and then select General.
3.
Advanced tasks (administrators only)
The “Advanced” page allows you to perform the following tasks:
■ Assign a Java Card PIN
■ Assign a name to a Java Card
■ Set power-on authentication
■ Back up and restore Java Cards
✎ You must have a Computer Setup setup password in order to get to the “Advanced” page.
Assigning a Java Card PIN
You must assign a PIN to a Java Card before it can be used for power-on authentication.
Assigning a name to a Java Card
You must assign a name to a Java Card before it can be used for power-on authentication.
To assign a name to a Java Card:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Java Card Security, and then select Advanced.
3. When the Setup Password dialog box displays, enter your Computer Setup setup password, and then click OK.
4. Insert the Java Card into the smart card reader.
Setting power-on authentication
When enabled, power-on authentication requires you to use a Java Card to start the computer. The process of enabling Java Card power-on authentication involves the following steps:
1. Enable Java Card power-on authentication support in BIOS Configuration or Computer Setup. Refer to “Enabling and disabling Smart card or Java Card power-on authentication support,” in Chapter 5, “BIOS Configuration for ProtectTools.”
2.
Enabling Java Card power-on authentication and creating an administrator Java Card
To enable Java Card power-on authentication:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Java Card Security, and then select Advanced.
3. When the Computer Setup Password dialog box displays, enter your Computer Setup setup password, and then click OK.
4. Insert the Java Card into the smart card reader.
b. If applicable, enter your DriveLock user password in the DriveLock password box, and then enter it again in the Confirm password box.
c. Enter the Java Card PIN.
d. Click OK.
7. When you are prompted to create a recovery file, refer to “Creating a recovery file,” or you can click Cancel and create a recovery file at a later time.
Creating a user Java Card
✎ Power-on authentication and an administrator card must be set up in order to create a user Java Card.
Disabling Java Card power-on authentication
When you disable Java Card power-on authentication, the use of the Java Card is no longer needed to access the computer.
To disable Java Card power-on authentication:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Java Card Security, and then select Advanced.
3. When the Setup Password dialog box displays, enter your Computer Setup setup password, and then click OK.
4.
Backing up and restoring Java Cards
After you have assigned power-on authentication identity to a Java Card, it is highly recommended that you create a Java Card recovery file. The recovery file can be used to transfer the Java Card power-on authentication identity data from one Java Card to another Java Card. This file can also be used to back up the original Java Card or to restore the data when a Java Card is lost or stolen.
5. Enter the file path and file name in the Filename box.
CAUTION: To avoid loss of access to the computer, do not save the recovery file on the computer hard drive; you will not be able to access the file without the Java Card. Also, a recovery file saved on the hard drive may be accessible to others, posing a security risk.
6. Enter a recovery file password in the Recovery file password box, and then enter it again in the Confirm password box.
7.
4. Insert the diskette or other media containing the Java Card recovery file.
5. Insert a Java Card into the reader. If the card has not been assigned a PIN, you will be prompted to create a PIN. For detailed instructions on assigning a PIN to the Java Card, refer to “Assigning a Java Card PIN,” earlier in this chapter.
6. In the right pane, under Recovery, click Restore.
7. Ensure that the correct recovery file name is selected, and enter the recovery file password.
8.
4 Embedded Security for ProtectTools
Basic concepts
✎ The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for ProtectTools.
Embedded Security for ProtectTools protects against unauthorized access to user data or credentials.
The TPM embedded security chip enhances and enables other ProtectTools Security Manager security features. For example, Credential Manager for ProtectTools can use the embedded chip as an authentication factor when the user logs on to Windows. On select models, the TPM embedded security chip also enables enhanced BIOS security features accessed through BIOS Configuration for ProtectTools.
5. Under Embedded Security, if the device is hidden, select Available.
6. Select Embedded security device state and change to Enable.
7. Press f10 to accept the changes to the Embedded Security configuration.
8. To save your preferences and exit Computer Setup, use the arrow keys to select File > Save changes and exit. Then follow the instructions on the screen.
6. Click Browse and choose the location for the emergency recovery archive, and then click Next.
7. Click Next on the “Summary” page.
❏ If you do not want to set up a basic user account at this time, clear the Start the Embedded Security User Initialization Wizard check box, and then click Finish. You can start the wizard manually to set up a basic user account at any time by following the instructions in the next section.
3. In the right pane, under Embedded Security Features, click Configure. The Embedded Security User Initialization Wizard opens.
4. Click Next.
5. Set and confirm the Basic User Key password, and then click Next.
6. Click Next to confirm settings.
7. Select the security features you want, and then click Next.
8. Click Next again.
✎ To use secure e-mail, you must first configure the e-mail client to use a digital certificate that is created with Embedded Security.
General tasks
After the basic user account is set up, you can perform the following tasks:
■ Encrypting files and folders
■ Sending and receiving encrypted e-mail
Using the Personal Secure Drive
After setting up the PSD, you are prompted to enter the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.
To encrypt files and folders:
1. Right-click the file or folder that you want to encrypt.
2. Click Encrypt.
3. Click one of the following options:
❏ Apply changes to this folder only.
❏ Apply changes to this folder, subfolders, and files.
4. Click OK.
Sending and receiving encrypted e-mail
Embedded Security enables you to send and receive encrypted e-mail, but the procedures vary depending upon the program you use to access your e-mail.
Advanced tasks
Backing up and restoring
The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emergency.
Creating a backup file
To create a backup file:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Embedded Security, and then select Backup.
3. In the right pane, click Backup.
4. Click Browse to choose the location where the backup file will be saved.
5.
Restoring certification data from the backup file
To restore data from the backup file:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Embedded Security, and then select Backup.
3. In the right pane, click Restore.
4. Click Browse to select the backup file from the stored location.
5. Click Next.
6. Select whether to start the Embedded Security User Initialization Wizard.
Changing the owner password
To change the owner password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Embedded Security, and then select Advanced.
3. In the right pane, under Owner Password, click Change.
4. Type the old owner password, and then set and confirm the new owner password.
5. Click OK.
Resetting a user password
An administrator can help a user to reset a forgotten password.
Permanently disabling Embedded Security
To permanently disable Embedded Security:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Embedded Security, and then select Advanced.
3. In the right pane, under Embedded Security, click Disable.
4. Enter your owner password at the prompt, and then click OK.
Enabling Embedded Security after permanent disable
To enable Embedded Security after permanently disabling it:
1.
5 BIOS Configuration for ProtectTools
Basic concepts
BIOS Configuration for ProtectTools provides access to the Computer Setup utility security and configuration settings. This gives users access, from within Windows, to system security features that are managed by Computer Setup. With BIOS Configuration, you can:
■ Manage power-on passwords and setup passwords.
■ Configure other power-on authentication features, such as enabling smart card passwords and embedded security authentication support.
General tasks
BIOS Configuration allows you to manage various computer settings that would otherwise be accessible only by pressing f10 at startup and entering the Computer Setup utility.
Managing boot options
You can use BIOS Configuration to manage various settings for tasks that run when you turn on or restart the computer.
To manage boot options:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration.
3.
Enabling and disabling system configuration options
✎ Some of the items listed below may not be supported by your computer.
To enable or disable system configuration options:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration.
3. Enter your Computer Setup setup password at the BIOS administrator password prompt, and then click OK.
4.
    ◆ Internal Network Adapter Boot
    ◆ Internal Network Adapter Boot Mode (PXE or RPL)
    ◆ Boot Order
❏ Device Configurations
    ◆ NumLock at Boot
    ◆ Swapping Fn/Ctrl Keys
    ◆ Multiple Pointing Devices
    ◆ USB Legacy Support
    ◆ Parallel port mode (standard, bidirectional, EPP, or ECP)
    ◆ Data Execution Prevention
    ◆ SATA Native Mode
    ◆ Dual Core CPU
    ◆ Automatic Intel® SpeedStep Functionality Support
    ◆ Fan Always on While on AC Power
    ◆ BIOS DMA Data Transfers
    ◆
Advanced tasks
Managing ProtectTools settings
Some of the features of ProtectTools Security Manager can be managed in BIOS Configuration.
Enabling and disabling Smart card or Java Card power-on authentication support
Enabling this option allows you to use the smart card or the Java Card for user authentication when you turn on the computer.
Enabling and disabling power-on authentication support for Embedded Security
Enabling this option allows the system to use the TPM embedded security chip (if available) for user authentication when you turn on the computer.
✎ To fully enable the power-on authentication feature, you must also configure the TPM embedded security chip using the Embedded Security for ProtectTools module.
To enable power-on authentication support for embedded security:
1.
Enabling and disabling Automatic DriveLock hard drive protection
When this option is enabled, the DriveLock passwords will be automatically generated and set in the drive, and protected by the TPM embedded security chip.
✎ The automatically generated passwords will not be set in the drive until the computer is restarted and you successfully enter the TPM embedded security password at the password prompt.
4. In the left pane, select Security.
5. Under Embedded Security, select Enable next to Automatic DriveLock Support.
✎ To disable automatic DriveLock protection for Embedded Security, select Disable.
6. Click Apply, and then click OK in the ProtectTools window to save your changes.
Managing Computer Setup passwords
You can use BIOS Configuration to set and change the power-on and setup passwords in Computer Setup, and also to manage various password settings.
Setting the power-on password
To set the power-on password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration, and then select Security.
3. In the right pane, next to Power-On Password, click Set.
4. Type and confirm the password in the Enter Password and Verify Password boxes.
5. Click OK in the Passwords dialog box.
6. Click Apply, and then click OK in the ProtectTools window to save your changes.
Setting the setup password
To set the Computer Setup setup password:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration, and then select Security.
3. In the right pane, next to Setup Password, click Set.
4. Set and confirm the password in the Enter Password and Confirm Password boxes.
5. Click OK in the Passwords dialog box.
6. Click Apply, and then click OK in the ProtectTools window to save your changes.
Setting password options
You can use BIOS Configuration for ProtectTools to set password options to enhance the security of your system.
Enabling and disabling stringent security
CAUTION: To prevent the computer from becoming permanently unusable, record your configured setup password, power-on password, or smart card PIN in a safe place away from your computer. Without these passwords or PIN, the computer cannot be unlocked.
Enabling and disabling power-on authentication on Windows restart
This option allows you to enhance security by requiring users to enter a power-on, TPM, or smart card password when Windows restarts.
To enable or disable power-on authentication on Windows restart:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select BIOS Configuration, and then select Security.
3.
6 Credential Manager for ProtectTools
Basic concepts
Credential Manager for ProtectTools has security features that provide protection against unauthorized access to your computer. These features include the following:
■ Alternatives to passwords when logging on to Microsoft Windows, such as using a smart card or biometric reader to log on to Windows. For additional information, refer to “Registering credentials” later in this chapter.
Setup procedures
Logging on to Credential Manager
Depending upon the configuration, you can log on to Credential Manager in any of the following ways:
■ Credential Manager Logon Wizard (preferred)
■ Credential Manager icon in the notification area
■ ProtectTools Security Manager
✎ If you use the Credential Manager Logon prompt on the Windows Logon screen to log in to Credential Manager, you are logged in to Windows at the same time.
Using the Credential Manager Logon Wizard
To log on to Credential Manager using the Credential Manager Logon Wizard:
1. Open the Credential Manager Logon Wizard in any of the following ways:
❏ From the Windows logon screen.
❏ From the notification area, by double-clicking the ProtectTools icon.
❏ From the “Credential Manager” page of ProtectTools Security Manager, by clicking the Log On link on the upper-right side of the window.
2. Click Next.
3.
Creating a new account
You can use the Credential Manager Logon Wizard to create a new user account. Before you begin, you must be logged on to Windows with an administrator account, but not logged on to Credential Manager.
To create a new account:
1. Open Credential Manager by double-clicking the icon in the notification area. The Credential Manager Logon Wizard opens.
2. On the “Introduce Yourself” page, click the More button, and then click Sign Up for a New Account.
Registering credentials
You can use the “My Identity” page to register your various authentication methods, or credentials. After they have been registered, you can use these methods to log on to Credential Manager.
Registering fingerprints
A fingerprint reader allows you to log on to Microsoft Windows using a registered fingerprint in ProtectTools Security Manager instead of using a Windows password.
3. On the “Introduce Yourself” page, click Next to accept the default user name.
✎ If there are other users registered on this computer, you can select the person whose fingerprints need to be registered by entering the Windows user name.
4. On the “Enter Password” page, enter the user’s Windows password, if one has been established. Otherwise, click Finish.
5. On the “My Services and Applications” page, click Register Fingerprints.
8. Click a different finger on the screen to register, and then repeat steps 6 and 7.
CAUTION: You must register at least 2 fingers in order to complete the setup.
✎ If you click Finish before registering at least 2 fingers, an error message is displayed. Click OK to continue.
9. After you have registered at least 2 fingers, click Finish, and then click OK.
10.
Registering a smart card or token
To register a smart card or token:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select My Identity.
3. In the right pane, under I Want To, click Register Smart Card or Token.
4. Click Next.
5. Click the authentication method you want to register, and then click Next.
6. Follow the on-screen instructions to complete the registration.
General tasks
All users have access to the “My Identity” page in Credential Manager. From the “My Identity” page, you can:
■ Create and register authentication credentials.
■ Manage passwords.
■ Manage Microsoft Network accounts.
■ Manage single sign on credentials.
Creating a virtual token
A virtual token works very much like a smart card or USB token. The token is saved either on the computer hard drive or in the Windows registry.
Changing the Windows logon password
You can change your Windows logon password from the “My Identity” page in Credential Manager.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select My Identity.
3. In the right pane, under I Want To, click Change Windows Logon Password.
4. Type your old password in the Old password box.
5.

Managing identity

Backing up an identity

It is recommended that you back up your identity in Credential Manager, in case of data loss or accidental removal.

To back up an identity:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select My Identity.
3. In the right pane, under I Want To, click More, and then click Backup Identity.
4. Click Next.
5.

Restoring an identity

To restore an identity:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select My Identity.
3. In the right pane, under I Want To, click More, and then click Restore Identity.
4. Click Next.
5. On the “Device Type” page, select the device type where the backup was stored, and then click Next.
6.

Locking the computer

To secure your computer when you are away from your desk, use the Lock Workstation feature. This prevents unauthorized users from gaining access to your computer. Only you and members of the administrators group on your computer can unlock it.
✎ For added security, you can configure the Lock Workstation feature to require a smart card, biometric reader, or token to unlock the computer.

Using Microsoft Network logon

You can use Credential Manager to log on to Windows, either at a local computer or on a network domain. When you log on to Credential Manager for the first time, the system automatically adds your local Windows user account as the network account for the Network Logon service. Refer to “Logging on for the first time,” earlier in this chapter, for more information.

Adding accounts

You can add additional local or domain accounts after logging on to Credential Manager.

To add an account:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select My Identity.
3. In the right pane, under Microsoft Network Logon, click Add a Network Account.
4. Set the user name for the new account in the User name box.
5. Click the domain from the list of available domains.
6.
4. Click the account you want to remove, and then click Remove.
5. In the confirmation dialog box, click Yes.

Setting a default user

You can set or change the default user after logging on to Credential Manager.

To set a default user:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select My Identity.
3. In the right pane, under Microsoft Network Logon, click Manage Network Accounts.
4.

Using Single Sign On

Credential Manager has a Single Sign On feature that stores user names and passwords for multiple Internet and Windows applications, and automatically enters logon credentials when you access a registered application.
✎ Security and privacy are important features of Single Sign On. All credentials are encrypted and are available only after successful logon to Credential Manager.
2. On the Credential Manager Single Sign On dialog box, click Options to configure the following settings for the registration:
❏ Do not suggest to use SSO with this site or application.
❏ Fill in credentials only. Do not submit.
❏ Ask confirmation before submitting credentials.
3. Click Yes to complete the registration.

Using manual (drag and drop) registration

1. Select Start > All Programs > HP ProtectTools Security Manager.
2.
8. Click Finish.
9. Enter the logon credential—for example, the user name and password—into the application box.
10. In the confirmation dialog box, confirm or modify the credential name, and then click Yes.

Managing applications and credentials

Modifying application properties

To modify application properties:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select My Identity.
3.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to remove, and then click Remove.
5. Click Yes in the confirmation dialog box.
6. Click OK.

Exporting applications

You can export applications to create a backup copy of the Single Sign On application script. This file can then be used to recover the Single Sign On data.

Importing applications

To import an application:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select My Identity.
3. In the right pane, under Single Sign On, click Manage Applications and Credentials.
4. Click the application entry you want to import. Then click More, and then click Import Application.
5. Follow the on-screen instructions to complete the import.
6. Click OK.

Advanced tasks (administrator only)

The “Authentication and Credentials” page and the “Advanced Settings” page of Credential Manager are available only to those users with administrator rights. From these pages, you can
■ Specify how users and administrators log on.
■ Configure credential properties.
■ Configure Credential Manager program settings.

Configuring custom authentication requirements

If the set of authentication credentials you want is not listed on the Authentication tab of the “Authentication and Credentials” page, you can create custom requirements.

To configure custom requirements:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select Authentication and Credentials.
3. In the right pane, click the Authentication tab.
4.

Configuring Credential Manager properties

From the Credentials tab of the “Authentication and Credentials” page, you can view the list of available authentication methods, and modify the settings.

To configure the credentials:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select Authentication and Credentials.
3. In the right pane, click the Credentials tab.
4.

Configuring Credential Manager settings

From the “Advanced Settings” page, you can access and modify various settings using the following tabs:
■ General—Allows you to modify the settings for basic configuration.
■ Single Sign On—Allows you to modify the settings for how Single Sign On works for the current user, such as how it handles detection of logon screens, automatic logon to registered dialogs, and password display.

Example 1—Using the “Advanced Settings” Page to allow Windows logon from Credential Manager

To enable logging on to Windows from Credential Manager:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, select Credential Manager, and then select Advanced Settings.
3. In the right pane, click the General tab.
4. Select the Use Credential Manager to log on to Windows check box.
5. Click Apply, and then click OK to save your changes.
6.

Glossary

The following terms are used in this document and throughout the ProtectTools Security Manager.

Authentication—Process of verifying whether a user is authorized to perform a task, for example, accessing a computer, modifying settings for a particular program, or viewing secured data.

Automatic DriveLock—Security feature that causes the DriveLock passwords to be generated and protected by the TPM Embedded Security chip.

Cryptography—Practice of encrypting and decrypting data so that it can be decoded only by specific individuals.

Decryption—Procedure used in cryptography to convert encrypted data into plain text.

DriveLock—Security feature that links the hard drive to a user and requires the user to correctly enter the DriveLock password when the computer starts up.

Migration—A task that allows the management, restoration, and transfer of keys and certificates.

Network account—Windows user or administrator account, either on a local computer, in a workgroup, or on a domain.

Personal secure drive (PSD)—Provides a protected storage area for sensitive data.

Power-on authentication—Security feature that requires some form of authentication, such as a smart card, security chip, or password, when the computer is turned on.

Trusted Platform Module (TPM) embedded security chip (select models only)—Integrated security chip that can protect highly sensitive user information from malicious attackers. It is the root-of-trust in a given platform. The TPM provides cryptographic algorithms and operations that meet the Trusted Computing Group (TCG) specifications.

USB token—Security device that stores identifying information about a user.