Technical Whitepaper: HP Client Security
Commercial Managed IT Software

Contents
Executive summary ... 3
System requirements and prerequisites ... 3
Supported operating systems ... 3
Supported hardware options ...
Accessing Devices ... 20
Define a policy ... 20
Just In Time Authentication (JITA) Configuration ... 21
HP File Sanitizer ...
Executive summary
This white paper is intended for IT staff. It contains sections describing:
• HP's strategic approach to security
• HP Client Security (formerly known as HP ProtectTools), the application that consolidates HP security features so the user can set up and modify all the configurable HP security features available on their HP Business PC.
• Bluetooth phone
  o iOS
  o Microsoft Windows
  o Android
• DigitalPersona fingerprint sensor integrated on the ElitePad Security Jacket
  o FIPS 201 certified
  o HP ProtectTools Security Manager V8.0 or greater required
Prerequisites
• Microsoft .NET Framework 3.5, 4.5
• Windows Installer MSI 4.
Introduction HP’s decorated history in personal computer security has been based on the belief that security should be built in and not bolted on. This belief has led to the development of HP Client Security (formerly known as HP ProtectTools); the specially developed multi-layered, hassle-free enterprise-level Windows application. It is the reason why HP includes Client Security on Business Desktops, Notebooks and Workstations.
Layer: Data protection
Description: … unauthorized access. Starting with new 2013 PCs, HP Drive Encryption is FIPS 140-2 L1 certified.
5. For the use cases outlined in the DOD 5220.22-M Supplement. Traditional hard drives supported.
6. Windows required. When included, HP Trust Circles Standard allows up to 5 Trust Circles with up to 5 contacts in each Trust Circle. HP Trust Circles Pro is required for an unrestricted number of Trust Circles and contacts. HP Trust Circles Reader is available to allow a contact to participate in an invited Trust Circle. Available at http://hptc.cryptomill.com.
7.
Layer: Device protection (see Absolute Data Protect (ADP) on page 31), hardware-based
Description:
• 4 years of service included in the ElitePad 900 and Windows 8 EliteBook Revolve 810
• Upgrade to LoJack for theft recovery available when the user logs into my.absolute.com to manage their account
Microsoft Security Essentials (Win7) / Microsoft Defender (Win8.x) (4): Prevents and detects most malware attacks from compromising a PC; not based on subscriptions that can expire.
Layer: Identity protection
HP Password Manager (3)
Description: Allows a user to conveniently use unique usernames and passwords for websites and applications. After the user identifies themselves with any enrolled credential, Password Manager enters the appropriate account information on their behalf.
HP Client Security – Manageability Options
HP Client Security has multiple management options:
• Local Management: the HP Client Security application allows full policy configuration.
  o Limited users may not change policies.
  o Policies can be set in an image before deployment.
• Generate a PKI key pair to be used by the authentication service in conjunction with cryptographic functions.
• Generate the PKI and symmetric keys (UUK) upon enrolling a user.
• The UUK is never stored in the clear or merely obfuscated on the hard drive; it is always protected by a credential. The user's Windows password is used to derive a key, and that derived key encrypts the UUK.
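The key hierarchy described above (a random per-user symmetric key that is only ever stored wrapped under a key derived from the user's Windows password) can be illustrated with the following added example. It is not HP's code and HP does not document the primitives it uses; the example assumes PBKDF2-HMAC-SHA256 for password derivation and an HMAC-SHA256 encrypt-then-MAC wrapper, chosen so that it runs on the Python standard library alone. The function names (enroll_user, wrap_uuk, unwrap_uuk) and the iteration count are this example's own choices.

```python
"""Illustrative UUK protection scheme (added example, not HP's implementation).

A fresh random User Unique Key (UUK) is generated at enrollment and only its
wrapped form is persisted. The wrapping key is derived from the Windows
password; without the password (or with a tampered blob) unwrap fails closed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune to the hardware being protected
KEY_LEN = 32                  # 256-bit keys throughout


def derive_wrapping_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the Windows password."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 driven in counter mode as a keystream generator."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap_uuk(password: str, uuk: bytes) -> Dict[str, bytes]:
    """Encrypt the UUK under the password-derived key and authenticate the result."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_wrapping_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(uuk, _keystream(enc_key, nonce, len(uuk))))
    # Tag covers salt and nonce too, so none of the public fields can be swapped.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def unwrap_uuk(password: str, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Return the UUK, or None on wrong password / tampered blob (no partial leak)."""
    enc_key, mac_key = derive_wrapping_keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def enroll_user(password: str) -> Tuple[bytes, Dict[str, bytes]]:
    """Enrollment: generate a random UUK; only the wrapped blob would be stored."""
    uuk = secrets.token_bytes(KEY_LEN)
    return uuk, wrap_uuk(password, uuk)


if __name__ == "__main__":
    uuk, stored = enroll_user("constructed-sample-password")
    assert unwrap_uuk("constructed-sample-password", stored) == uuk
    assert unwrap_uuk("not-the-password", stored) is None
    print("UUK round-trips only with the correct password; stored form:", stored["ct"].hex())
```

The design point worth noting is that a password change only requires re-wrapping the UUK, not re-encrypting everything protected under it, and that the MAC check runs before any decryption so a wrong credential yields nothing at all rather than garbage that could be probed.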
HP Client Security offers a one-time wizard, shown in Figure 1, which guides a user through the setup of core security features that include:
Figure 1 HP Client Security Setup Wizard
• Password authentication
  o Prompts the user to verify their identity by typing their Windows password. This prevents other users from setting up the system using another person's account.
  o Requires the user to create a Windows password if one doesn't already exist.
  o Reflects the fingerprint enrollment process in a progress bar.
  o Uses the lower text area to provide feedback or guidance to the user.
• Drive Encryption activation (if installed)
  o Automatically selects the primary system partition to be encrypted if the user does not skip this feature enrollment.
  o If the primary disk is an Opal self-encrypting drive (SED), hardware encryption is performed automatically.
  o The user must select the encryption recovery key backup mode.
Client Security features, applications, and settings.
Figure 2 HP Client Security Home Page
The Home page is divided into three sections:
• Identity: provides the Credential Manager features for enrollment and management of authentication credentials (password, fingerprint, cards, Bluetooth, PIN, and HP SpareKey), and access to Password Manager to add, edit, and manage logon data for websites and applications.
Figure 3 HP Client Security User Management
Policies
The Administrators Policies window shown in Figure 4 provides the ability to configure logon and session policies for the applicable user(s). The Standard Users Policies window has a similar interface. Logon policies govern the credentials required to log on to Windows. Session policies govern the credentials required to verify identity within a Windows session, such as with Password Manager, Trust Circles, and Just In Time Authentication.
Password Manager
Password Manager provides the ability to automatically remember and then supply credentials for websites, applications, and protected network resources. It includes a personal password vault that makes accessing protected information more secure; the vault data is protected with encryption and an Access Control List (ACL). Key features of Password Manager include:
• Checks the strength of individual passwords used for websites and applications when adding login data.
Backup and Restore
To back up Password Manager login credentials, click the 'Advanced Settings' icon to access HP Client Security Backup and Restore. This is not a user data backup solution. HP Client Security Backup and Restore:
• Requires creation of a password for the backup file, so that it cannot be restored by another user.
• The backup file can be saved on the PC or SkyDrive. By default, once installed and signed in, a SkyDrive folder will be created in the …Users\SkyDrive
Validity Fingerprint Reader Sensor/Driver (VFS495) Technology
The VFS495 meets the requirements of FIPS 140-2 but is not FIPS 140 certified. The VFS495 uses the following encryption and data security technologies:
• Advanced Encryption Standard (AES) hardware block: encrypts/decrypts the data stream with AES-CBC-256 and RSA-
• Hardware exponentiation block: performs RSA operations.
• Embedded Secure Template Database: securely protects application-provided user payload data / user credentials bound to the finger enrollment. Up to 50 finger enrollments may be stored in the secure database; beyond this, fingers must be removed before new enrollments can be performed.
The following items are included in the manageability scheme for the fingerprint reader:
  o Min/max finger enrollment count.
  o Fingerprint matcher threshold (convenience vs. accuracy adjustment).
HP Device Access Manager (HPDAM)
HP Device Access Manager speaks to HP's strong commitment to security and its ability to respond to customer needs with innovative solutions. A common assumption with today's PC usage model is that users who are authorized to log on to a personal computer and access sensitive data are also able to copy that information. In reality, this is not always the case. Companies may need to allow users to view sensitive data, but restrict their ability to copy that data.
Just In Time Authentication (JITA) Configuration
JITA Configuration, shown in Figure 5, allows the administrator to view and modify the lists of user groups that are allowed to access devices using JITA. JITA-enabled users will be able to access some devices for which the policies created in the Device Class Configuration have been restricted.
Figure 5 HP Device Access Manager
The JITA authorization period can be a set number of minutes or an "Unlimited" duration that will not expire.
HP File Sanitizer
File Sanitizer allows you to securely shred personal information or files, historical or Web-related data, or other data components on the computer's internal hard drive, and to periodically bleach the computer's internal hard drive. File sanitization is a more intensive process than simple file deletion. When you shred an asset using File Sanitizer, the files are overwritten with meaningless data, making it virtually impossible to retrieve the original asset.
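The overwrite-then-delete behaviour described above can be illustrated with the following added example, which is not HP's code and does not reproduce File Sanitizer's pass patterns. It overwrites a file's existing contents in place with random bytes for a configurable number of passes, forces each pass to the device with fsync, and only then unlinks the file. As footnote 5 notes for the bundled sanitization features, this technique is meaningful for traditional magnetic hard drives; on flash media and self-encrypting drives the controller may remap blocks, so an in-place overwrite does not guarantee the old sectors are gone. The function names and the constructed sample content are this example's own.

```python
"""Overwrite-before-delete file shredding (added example, not HP File Sanitizer).

Assumes a filesystem that writes in place (traditional HDD, no copy-on-write or
flash remapping); on SSDs or CoW filesystems the overwritten data may survive.
"""
import os
import secrets
import tempfile
from typing import Dict


def overwrite_file(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite the file's bytes in place with random data, `passes` times.

    Returns the total number of bytes written. os.fsync after each pass forces
    the data out of the page cache so every pass actually reaches the device.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:          # r+b: truncating would free the old blocks first
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())
    return written


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite the file contents, then remove the directory entry."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo(passes: int = 3) -> Dict[str, object]:
    """Shred a constructed temporary file and report what happened."""
    fd, path = tempfile.mkstemp(prefix="shred-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample content " * 100)   # 2700 bytes of sample data
    size = os.path.getsize(path)
    written = shred_file(path, passes)
    return {"size": size, "written": written, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())   # e.g. {'size': 2700, 'written': 8100, 'exists': False}
```

Opening the file with `r+b` rather than `wb` matters: a truncating open releases the original blocks before anything is written over them, which defeats the purpose of the overwrite.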
HP Trust Circles
The HP Trust Circles file and document security application combines folder file encryption with a convenient trusted-circle document-sharing capability. The application encrypts files placed in user-specified folders, protecting them within a Trust Circle. Once protected, the files can be shared with anyone, but only those in the Trust Circle can truly access them. If a protected file is received by a non-member, the file remains encrypted, and the non-member cannot access the contents.
  o The user can change the settings for requiring Periodic Authentication, which requires that the user is authenticated after the specified timeout and while performing sensitive operations. This setting lets users turn the authentication on or off and set the time limit.
Backup/Restore
Backups save the internal database and are password protected. This includes the profile, Trust Circles, and member information, as well as the license information.
HP Drive Encryption
HP Drive Encryption (HPDE), shown in Figure 6, provides complete data protection by encrypting your computer's data so it becomes unreadable to an unauthorized person. If an encrypted drive is removed from the system and attached to a USB enclosure, it cannot be read from another PC without proper authorization.
Figure 6 HP Drive Encryption
When the drive is encrypted, the Drive Encryption login window displays before the Windows® operating system starts.
Launch via Wizard
HPDE can be activated from the HP Client Security Setup wizard shown in Figure 7.
Figure 7 Wizard Page
Completing the wizard performs the following:
• Allows selection of the location for backing up the encryption key. The user can choose Removable Media, SkyDrive, or both. If the encryption key backup fails, an error is displayed to the user and the wizard will not proceed.
• Activates HPDE:
  o Automatically selects and encrypts the primary system partition.
Launch via HP Client Security
HPDE can alternatively be activated from HP Client Security under the "DATA" category, shown in Figure 8.
Figure 8 Launch HPDE Using HP Client Security
HP Client Security provides the following options:
• Select the partition to encrypt from a list of partitions.
Color | Message | Can be dismissed? (Yes/No) | Action
(first row, message not recovered) | | | Upon clicking the "Requires Attention" button, the administrator is redirected to the HPCS Drive Encryption Activation page.
Yellow | Your drive is currently being encrypted. When completed, your data will be protected with encryption. | Yes | No action
Yellow | Your drive is currently being decrypted. | Yes | No action
Yellow | Your drive is managed. HP Client Security cannot manage this drive. | |
  o Windows 8.1 (32-bit and 64-bit)
• Supported Languages
  HPDE supports 35 languages (English, Brazilian Portuguese, Czech, French, German, Italian, Japanese, Korean, Russian, Simplified Chinese, Traditional Chinese (Taiwan/Hong Kong), Spanish, Thai, Arabic, Danish, Dutch, Finnish, Polish, Swedish, Turkish, Bulgarian, Hebrew, Hungarian, Norwegian, Portuguese (Iberian), Slovak, Croatian, Estonian, Greek, Latvian, Lithuanian, Romanian, Serbian, Slovenian).
first domain to require authentication, One Step Logon will provide authentication to Windows and directly log the user in to the desktop without an additional authentication. This feature may be enabled or disabled by an administrator.
✖ File and Folder Encryption ✔
Infineon Trusted Platform Module
HP PCs feature a Trusted Platform Module (TPM) embedded security chip on select HP business notebooks, desktops and workstations. This embedded security chip is certified to the Trusted Computing Group (TCG) Evaluation Assurance Level 4+ (EAL4+) standard. HP platforms support the latest TPM v1.2. The Trusted Computing Group (TCG) is an international industry standards group. The TCG develops specifications amongst its members.
HP Computrace and HP Absolute Data Protect
HP Computrace provides a single cloud-based console (http://cc.absolute.com) for administrators and users who want to persistently track and secure all of their endpoints. Computers can be remotely managed and secured to ensure, and most importantly prove, that endpoint IT compliance processes are properly implemented and enforced.
HP ElitePad 900 G1 and EliteBook Revolve 810 with Windows 8.x include a 4-year license of Absolute Data Protect. All devices with ADP also feature the BIOS Absolute Persistence module. If the Agent is removed or missing, the persistence module will automatically reinstall it so you can stay connected with your device even when it's lost or stolen.
Appendix A - Frequently Asked Questions
Q. What authentication technologies are supported by HP Client Security?
A. HP Client Security Manager is a security platform that has been designed to easily grow with the user's needs. It currently supports the following authentication technologies, but may support additional technologies as they become available:
• Password
• Fingerprint
• Smart Card, Contactless Card, Proximity Card
• Bluetooth
• PIN
Q.
Q. Regarding the TPM chip itself, does it store any user-specific information? If so, how can I clear it?
A. No. The TPM can be cleared via the F10 Computer Setup menu to return it to the factory default (cleared) state.
Q. How does Credential Manager differ from other single sign-on solutions?
A. Most technologies and features provided by HP Client Security Manager are individually available. The value of HP Client Security is that it brings these technologies together in a single, easy-to-use security solution.
Q. Is Disk Sanitizer available as a product, either standalone or only as part of HP Client Security? Where is the information about the hardware it might or might not work on?
A. HP Disk Sanitizer is a feature built into the BIOS of most HP Business Notebooks from 2006 onward. HP Disk Sanitizer External edition is available on hp.com for supported HP Business Desktops. It supports traditional hard drives only.
Appendix B - Certifications and Standards
HP Drive Encryption
  o WinMagic Cryptographic Engine 6.