HP ProtectTools User Guide
© Copyright 2009 Hewlett-Packard Development Company, L.P. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Java is a US trademark of Sun Microsystems, Inc. SD Logo is a trademark of its proprietor. The information contained herein is subject to change without notice.
Table of contents

1 Introduction to security
HP ProtectTools features
Accessing HP ProtectTools Security
Achieving key security objectives
Protecting against targeted theft
Exporting an application
Importing an application
Modifying credentials
Using Application Protection
Restricting access to an application
Deleting a Trusted Contact
Checking revocation status for a Trusted Contact
General tasks
Using Privacy Manager in Microsoft Office
Advanced tasks
Backing up and restoring
Creating a backup file
Restoring certification data from the backup file
1 Introduction to security

HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.
HP ProtectTools features

The following table details the key features of HP ProtectTools modules:

Module: Credential Manager for HP ProtectTools
Key features:
● Credential Manager acts as a personal password vault, streamlining the logon process with the Single Sign On feature, which automatically remembers and applies user credentials.
Module: Embedded Security for HP ProtectTools (select models only)
Key features:
● Embedded Security uses a Trusted Platform Module (TPM) embedded security chip to help protect against unauthorized access to sensitive user data or credentials stored locally on a PC.
● Embedded Security allows creation of a personal secure drive (PSD), which is useful in protecting user file and folder information.
Accessing HP ProtectTools Security

To access HP ProtectTools Security Manager:

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.
– or –
Click Start, click Control Panel, and then click System and Security. Click HP ProtectTools Security Manager.
NOTE: If you are not an HP ProtectTools administrator, you can run HP ProtectTools in nonadministrator mode to view information, but you cannot make changes.
2.
● The wizard guides Windows® operating system administrators through the configuration of levels of security and of the security logon methods that are used in a pre-boot environment, in Credential Manager, and in Drive Encryption.
● Users also use the setup wizard to configure their security logon methods.

NOTE: To access each HP ProtectTools module to set up more powerful features, click the module name.
Achieving key security objectives

The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives:

● Protecting against targeted theft
● Restricting access to sensitive data
● Preventing unauthorized access from internal or external locations
● Creating strong password policies
● Addressing regulatory security mandates

Protecting against targeted theft

An example of this type of incident would be the targeted thef
information such as patient records or personal financial records. The following features help prevent unauthorized access:

● The pre-boot authentication feature, if enabled, helps prevent access to the operating system.
Additional security elements

Assigning security roles

In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.

NOTE: In a small organization or for individual use, these roles may all be held by the same person.
HP ProtectTools password | Set in this HP ProtectTools module | Function
Emergency Recovery Token password | Embedded Security, by IT administrator | Protects access to the Emergency Recovery Token, which is a backup file for the embedded security chip.
Owner password | Embedded Security, by IT administrator | Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.
Creating a secure password

When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:

● Use passwords with more than 6 characters, preferably more than 8.
● Mix the case of letters throughout your password.
● Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
2 Credential Manager for HP ProtectTools

Credential Manager for HP ProtectTools protects against unauthorized access to your computer using the following security features:

● Alternatives to passwords when logging on to Windows, such as using a Java Card or biometric reader to log on to Windows. For additional information, refer to “Registering credentials on page 12.”
● Single Sign On feature that automatically remembers credentials for Web sites, applications, and protected network resources.
Setup procedures

Logging on to Credential Manager

Depending on the configuration, you can log on to Credential Manager in any of the following ways:

● Double-click the HP ProtectTools Security Manager icon in the notification area.
● Click Start, click All Programs, and then select HP ProtectTools Security Manager for Administrators.
● In Windows XP, click Start, and then click HP ProtectTools Security Manager.
Setting up the fingerprint reader

1. In HP ProtectTools Security Manager, click Credential Manager in the left pane.
2. Click My Identity, and then click Register Fingerprints.
3. Follow the on-screen instructions to complete registering your fingerprints and setting up the fingerprint reader.
4. To set up the fingerprint reader for a different Windows user, log on to Windows as that user and then repeat the steps listed above.

Using your registered fingerprint to log on to Windows

1.
Registering other credentials

1. In HP ProtectTools Security Manager, click Credential Manager.
2. Click My Identity, and then click Register Credentials. The Credential Manager Registration Wizard opens.
3. Follow the on-screen instructions.
General tasks

All users have access to the “My Identity” page in Credential Manager. From the “My Identity” page, you can perform the following tasks:

● Change the Windows logon password
● Change a token PIN
● Lock a workstation

NOTE: This option is available only if the Credential Manager classic logon prompt is enabled. See “Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager on page 24.
3. On the Device Type dialog box, click the desired type of device, and then click Next.
4. Select the token for which you want to change the PIN, and then click Next.
5. Follow the on-screen instructions to complete the PIN change.

NOTE: If you enter the incorrect PIN for the token several times in sequence, the token gets locked out. You will be unable to use this token until you unlock it.
Locking the computer (workstation)

This feature is available if you log on to Windows using Credential Manager. To secure your computer when you are away from your desk, use the Lock Workstation feature. This prevents unauthorized users from gaining access to your computer. Only you and members of the administrators group on your computer can unlock it.

NOTE: This option is available only if the Credential Manager classic logon prompt is enabled.
5. Select More, and then click Wizard Options.
a. If you want this to be the default user name the next time that you log on to the computer, select the Use last network account for Windows logon check box.
b. If you want this logon policy to be the default method, select the Use last policy on next logon check box.
6. Follow the on-screen instructions. If your authentication information is correct, you will be logged on to your Windows account and to Credential Manager.
Using manual (drag and drop) registration

1. In HP ProtectTools Security Manager, click Credential Manager, and then click Services and Applications in the left pane.
2. Click Manage Applications & Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. To modify or remove a previously registered web site or application, select the desired record in the list.
4. Follow the on-screen instructions.

Managing applications and credentials

Modifying application properties

1.
To export an application:

1. In HP ProtectTools Security Manager, click Credential Manager, and then click Services and Applications in the left pane.
2. Click Manage Applications & Credentials. The Credential Manager Single Sign On dialog box is displayed.
3. Click the application entry you want to export, and then click More.
4. Follow the on-screen instructions to complete the export.
5. Click OK.

Importing an application

1.
NOTE: You must authenticate your identity before viewing the password.

5. Follow the on-screen instructions.
6. Click OK.

Using Application Protection

This feature allows you to configure access to applications. You can restrict access based on the following criteria:

● Category of user
● Time of use
● User inactivity

Restricting access to an application

1. In HP ProtectTools Security Manager, click Credential Manager in the left pane, and then click Services and Applications.
2.
Changing restriction settings for a protected application

1. Click Manage Protected Applications.
2. Select a category of user whose access you want to manage.
NOTE: If the category is not Everyone, you may need to click Override default settings to override the settings for the Everyone category.
3. Click the application you want to change, and then click Properties. The Properties dialog box for that application opens.
4. Click the General tab. Select one of the following settings:
5.
Advanced tasks (administrator only)

The “Authentication and Credentials” page and the “Advanced Settings” page of Credential Manager are available only to those users with administrator rights.
4. Click the credential type you want to modify. You can modify the credential using one of the following choices:
● To register the credential, click Register, and then follow the on-screen instructions.
● To delete the credential, click Clear, and then click Yes in the confirmation dialog box.
● To modify the credential properties, click Properties, and then follow the on-screen instructions.
5. Click Apply, and then click OK.
NOTE: Selecting the Use Credential Manager with classic logon prompt check box allows you to lock your computer. See “Locking the computer (workstation) on page 17.
Example 2—Using the “Advanced Settings” page to require user verification before Single Sign On

1. In HP ProtectTools Security Manager, click Credential Manager, and then click Settings.
2. Click the Single Sign On tab.
3. Under When registered logon dialog or Web page is visited, select the Authenticate user before submitting credentials check box.
4. Click Apply, and then click OK.
5. Restart the computer.
3 Drive Encryption for HP ProtectTools (select models only)

CAUTION: If you decide to uninstall the Drive Encryption module, you must first decrypt all encrypted drives. If you do not, you will not be able to access the data on encrypted drives unless you have registered with the Drive Encryption recovery service. Reinstalling the Drive Encryption module will not enable you to access the encrypted drives.
Setup procedures

Opening Drive Encryption

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager for Administrators.
2. Click Drive Encryption.
General tasks

Activating Drive Encryption

Use the HP ProtectTools Security Manager setup wizard to activate Drive Encryption.

Deactivating Drive Encryption

Use the HP ProtectTools Security Manager setup wizard to deactivate Drive Encryption.
Advanced tasks

Managing Drive Encryption (administrator task)

The “Encryption Management” page allows Windows administrators to view and change the status of Drive Encryption (active or inactive) and to view the encryption status of all of the hard drives on the computer.

Activating a TPM-protected password (select models only)

Use the Embedded Security tool in HP ProtectTools to activate the TPM. After activation, logging in at the Drive Encryption logon screen requires the Windows user name and password.
The encryption key is saved on the storage device you selected.
5. Click OK when the confirmation dialog box opens.

Performing a recovery

Performing a local recovery

1. Turn on the computer.
2. Insert the removable storage device that stores your backup key.
3. When the Drive Encryption for HP ProtectTools logon dialog box opens, click Cancel.
4. Click Options in the lower-left corner of the screen, and then click Recovery.
5. Click Local recovery, and then click Next.
6.
4 Privacy Manager for HP ProtectTools (select models only)

Privacy Manager for HP ProtectTools enables you to use advanced security logon (authentication) methods to verify the source, integrity, and security of communication when using e-mail, Microsoft® Office documents, or instant messaging (IM).
Opening Privacy Manager

To open Privacy Manager:

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2. Click Privacy Manager: Sign and Chat.
– or –
Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click Privacy Manager: Sign and Chat, and then click Configuration.
Setup procedures

Managing Privacy Manager Certificates

Privacy Manager Certificates protect data and messages using a cryptographic technology called public key infrastructure (PKI). PKI requires users to obtain cryptographic keys and a Privacy Manager Certificate issued by a certificate authority (CA).
6. Authenticate using your chosen security logon method.
7. If you choose to begin the Trusted Contact invitation process, follow the on-screen instructions.
– or –
If you click Cancel, refer to Managing Trusted Contacts for information on adding a Trusted Contact at a later time.

Viewing Privacy Manager Certificate details

1. Open Privacy Manager, and click Certificate Manager.
2. Click a Privacy Manager Certificate.
3. Click Certificate details.
4.
To delete a Privacy Manager Certificate:

1. Open Privacy Manager, and click Certificate Manager.
2. Click the Privacy Manager Certificate you want to delete, and then click Advanced.
3. Click Delete.
4. When the confirmation dialog box opens, click Yes.
5. Click Close, and then click Apply.
Adding Trusted Contacts

1. You send an e-mail invitation to a Trusted Contact recipient.
2. The Trusted Contact recipient responds to the e-mail.
3. You receive the e-mail response from the Trusted Contact recipient, and click Accept.

You can send Trusted Contact e-mail invitations to individual recipients or you can send the invitation to all the contacts in your Microsoft Outlook address book.
Adding Trusted Contacts using your Microsoft Outlook address book

1. Open Privacy Manager, click Trusted Contacts Manager, and then click Invite Contacts.
– or –
In Microsoft Outlook, click the down arrow next to Send Securely on the toolbar, and then click Invite All My Outlook Contacts.
2. When the “Trusted Contact Invitation” page opens, select the e-mail addresses of the recipients you want to add as Trusted Contacts, and then click Next.
3. When the “Sending Invitation” page opens, click Finish.
Checking revocation status for a Trusted Contact

1. Open Privacy Manager, and click Trusted Contacts Manager.
2. Click a Trusted Contact.
3. Click the Advanced button. The Advanced Trusted Contact Management dialog box opens.
4. Click Check Revocation.
5. Click Close.
General tasks

Using Privacy Manager in Microsoft Office

After you install your Privacy Manager Certificate, a Sign and Encrypt button is displayed on the right side of the toolbar of all Microsoft Word, Microsoft Excel, and Microsoft PowerPoint documents.

Configuring Privacy Manager in a Microsoft Office document

1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click Privacy Manager, and then click Configuration.
2.
4. Click the down arrow next to Sign and Encrypt, and then click Sign Document.
5. Authenticate using your chosen security logon method.

Adding suggested signers to a Microsoft Word or Microsoft Excel document

You can add more than one signature line to your document by appointing suggested signers. A suggested signer is a user who is designated by the owner of a Microsoft Word or Microsoft Excel document to add a signature line to the document.
To encrypt a Microsoft Office document:

1. In Microsoft Word, Microsoft Excel, or Microsoft PowerPoint, create and save a document.
2. Click the Home menu.
3. Click the down arrow next to Sign and Encrypt, and then click Encrypt Document. The Select Trusted Contacts dialog box opens.
4. Click the name of a Trusted Contact who will be able to open the document and view its contents.
NOTE: To select multiple Trusted Contact names, hold down the ctrl key and click the individual names.
5. Click OK.
NOTE: You do not need to have a Privacy Manager Certificate in order to view a signed Microsoft Office document. When a signed Microsoft Office document is opened, a Signatures dialog box opens next to the document, displaying the name of the user who signed the document and the date it was signed. You can right-click the name to view additional details.
3. Click the down arrow next to Send Securely, and then click Seal for Trusted Contacts and Send.
4. Authenticate using your chosen security logon method.

Viewing a sealed e-mail message

When you open a sealed e-mail message, the security label is displayed in the heading of the e-mail.
Configuring Privacy Manager Chat for Windows Live Messenger

1. In Privacy Manager Chat, click the Configure Privacy Manager Chat button.
– or –
In Privacy Manager, click Settings, and then click the Chat tab.
– or –
In Privacy Manager History Viewer, click the Settings button.
2. To specify the amount of time Privacy Manager Chat waits before locking your session, select a number from the Lock session after _ minutes of inactivity box.
3.
Starting the Chat History viewer

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2. Click Privacy Manager: Sign and Chat, and then click Chat History Viewer.
– or –
▲ In a Chat session, click History Viewer or History.
– or –
▲ On the “Chat Configuration” page, click Start Live Messenger History Viewer.

Reveal all sessions

Revealing all sessions displays the decrypted Contact Screen Name for the currently selected session(s) and all sessions in the same account.
You can only search for text in revealed (decrypted) sessions that are displayed in the viewer window. These are the sessions where the Contact Screen Name is shown in plain text.

1. In the Chat History Viewer, click the Search button.
2. Enter the search text, configure any desired search parameters, and then click OK.

Sessions that contain the text are highlighted in the viewer window.

Delete a session

1. Select a chat history session.
2. Click Delete.
Advanced tasks

Migrating Privacy Manager Certificates and Trusted Contacts to a different computer

You can securely migrate your Privacy Manager Certificates and Trusted Contacts to a different computer. To do this, export them as a password-protected file to a network location or any removable storage device, and then import the file to the new computer.
5 File Sanitizer for HP ProtectTools

File Sanitizer is a tool that allows you to securely shred assets (personal information or files, historical or Web-related data, or other data components) on your computer and periodically bleach your hard drive.

NOTE: This version of File Sanitizer supports the system hard drive only.

About shredding

Deleting an asset in Windows does not completely remove the contents of the asset from your hard drive. Windows only deletes the reference to the asset.
Setup procedures

Opening File Sanitizer

To open File Sanitizer:

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2. Click File Sanitizer.
– or –
● Double-click the File Sanitizer icon.
– or –
● Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Open File Sanitizer.

Setting a shred schedule

1. Open File Sanitizer, and click Shred.
2. To shred files now, click Browse.
To select a predefined shred profile:

1. Open File Sanitizer, and then click Settings.
2. Click a predefined shred profile.
3. Click View Details to view the list of assets that are selected for shredding.
4. Under Shred the following, select the check box next to each asset that you want to confirm before shredding.
5. Click Cancel, and then click OK.
NOTE: If you use the simple delete option, free space bleaching can be performed occasionally on the assets that have been deleted manually or by using the Windows Recycle Bin.

1. Open File Sanitizer, click Settings, click Simple Delete Setting, and then click View Details.
2. Select the assets you want to delete:
● Under Available delete options, click an asset, and then click Add.
● To add a custom asset, click Add Custom Option, enter a file name or folder name, and then click OK.
General tasks

Using a key sequence to initiate shredding

To specify a key sequence, follow these steps:

1. Open File Sanitizer, and click Shred.
2. Select the Key sequence check box.
3. Select either the CTRL box or the ALT box, and then select the SHIFT box. For example, to initiate automatic shredding using the s key and ctrl+shift, enter s in the box, and then select the CTRL and SHIFT options.

NOTE: Be sure to select a key sequence that is different from other key sequences you have configured.
– or –

1. Open File Sanitizer, and click Shred.
2. Click the Browse button.
3. When the Browse dialog box opens, navigate to the asset you want to shred, and then click OK.
4. When the confirmation dialog box opens, click Yes.

Manually shredding all selected items

1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Shred Now.
2. When the confirmation dialog box opens, click Yes.

– or –

1.
Viewing the log files

Each time a shred or free space bleaching operation is performed, log files of any errors or failures are generated. The log files are always updated according to the latest shred or free space bleaching operation.

NOTE: Files that are successfully shredded or bleached do not appear in the log files.

One log file is created for shred operations and another log file is created for free space bleaching operations.
6 BIOS Configuration for HP ProtectTools

BIOS Configuration for HP ProtectTools provides access to the Computer Setup utility security and configuration settings. This gives users Windows access to system security features that are managed by Computer Setup. With BIOS Configuration, you can accomplish the following objectives:

● Manage administrator passwords.
● Configure other power-on authentication features, such as embedded security authentication.
General tasks

BIOS Configuration allows you to manage various computer settings that would otherwise be accessible only by pressing f10 at startup to enter Computer Setup.

Accessing BIOS Configuration

To access BIOS Configuration:

1. Click Start, click Settings, and then click Control Panel.
2. Click HP ProtectTools Security Manager, and then click BIOS Configuration.

You can also access BIOS Configuration from an icon in the notification area, at the far right of the taskbar.
Viewing or changing settings

To view or change configuration settings:

1. Click one of the BIOS Configuration pages:
● File
● Security
● System Configuration
2. Make your changes, and then click Apply to save your changes and leave the window open.
– or –
Make your changes, and then click OK to save your changes and close the window.
3. Exit and restart the computer. Your changes go into effect when the computer restarts.
Viewing system information

Use the “File” page to view the following types of information:

● Identification information about the computer (including the serial number) and about batteries in the system
● Specification information about the processor; cache and memory size; video version; keyboard controller version; and system ROM

NOTE: The “File” page is for information purposes only. None of the displayed information can be modified.
Advanced tasks

Setting security options

Use the “Security” page of BIOS Configuration to enhance the security of your computer.

NOTE: Not all options are available on all computers, and additional options may also be included.

To set security options:

1. Access BIOS Configuration, and click Security.
2. Select any of the options listed in the table below.
3. Change the settings as needed.
4. Click Apply to apply the new settings and leave the window open.
Option | Action
Power-On Authentication Support | Enable or disable support for smart card power-on authentication. NOTE: This feature is supported only on computers with optional smart card readers.
Automatic Drivelock Support | Enable or disable.

Administrator Tools

Option | Action
HP SpareKey | Enable or disable.
Always Prompt for HP SpareKey Enrollment | Enable or disable.
Fingerprint Reset on Reboot (if present) | Enable or disable.
To set system configuration options:

1. Access BIOS Configuration, and then click System Configuration.
2. Select one of the following options, as described in the table below:
● Language options
● Port options
● Boot options
● Device configuration options
● Built-in device options
● AMT options (select models only)
● Security level options
3. Change the settings as needed.
4. Click Apply to apply the new settings to the system and leave the window open.
Option | Action
Serial Port | Enable or disable.
Parallel Port | Enable or disable.
Flash Media Reader | Enable or disable.
USB Port | Enable or disable.
1394 port | Enable or disable.
Express Card slot | Enable or disable.
Smart Card | Enable or disable.

Boot options

Option | Action
Startup Menu Delay (Sec) | Set the Startup Menu Delay, in seconds.
Custom Logo | Enable or disable.
Express Boot Popup Delay (Sec) | Set the Express Boot Popup Delay, in seconds.
CD-ROM Boot | Enable or disable.
Option | Action
UEFI Boot Mode | Enable or disable.
HDD Translation Mode | Select Bit-shift or LBA-assisted.
Virtualization technology | Enable or disable the option to allow multiple virtual machines to run side by side on the same computer.

Built-in device options

Option | Action
Wireless Button State | Enable or disable.
Embedded WLAN Device Radio | Enable or disable.
Fingerprint Device | Enable or disable.
Notebook MultiBay | Enable or disable.
Notebook Upgrade Bay Security Level | Enable or disable.
Option | Action
Serial Port Mode Security Level | Change, view, or hide.
Parallel Port Mode Security Level | Change, view, or hide.
CD-ROM Boot Security Level | Change, view, or hide.
Floppy Boot Security Level | Change, view, or hide.
Internal Network Adapter Boot Security Level | Change, view, or hide.
USB Legacy Support Security Level | Change, view, or hide.
Fan Always on while on AC Power Security Level | Change, view, or hide.
Flash Media Reader Security Level | Change, view, or hide.
Option | Action
USB Key Provisioning Support | Change, view, or hide.
Firmware Progress Event Support Security Level | Change, view, or hide.
Unconfigure AMT Security Level | Change, view, or hide.
Terminal Emulation Mode Security Level | Change, view, or hide.
Firmware Progress Event Support Security Level | Change, view, or hide.
Integrated Camera Security Level | Change, view, or hide.
Asset Tracking Number Security Level | Change, view, or hide.
Ownership Tag Security Level | Change, view, or hide.
7 Embedded Security for HP ProtectTools (select models only)

NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools.

Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials.
Setup procedures

CAUTION: To reduce security risk, it is highly recommended that your IT administrator immediately initialize the embedded security chip. Failure to initialize the embedded security chip could result in an unauthorized user, a computer worm, or a virus taking ownership of the computer and gaining control over the owner tasks, such as handling the emergency recovery archive, and configuring user access settings.
Initializing the embedded security chip

In the initialization process for Embedded Security, you will perform the following tasks:

● Set an owner password for the embedded security chip that protects access to all owner functions on the embedded security chip.
● Set up the emergency recovery archive, which is a protected storage area that allows reencryption of the Basic User Keys for all users.

To initialize the embedded security chip:

1.
Setting up the basic user account

Setting up a basic user account in Embedded Security accomplishes the following tasks:

● Produces a Basic User Key that protects encrypted information, and sets a Basic User Key password to protect the Basic User Key.
● Sets up a personal secure drive (PSD) for storing encrypted files and folders.

CAUTION: Safeguard the Basic User Key password. Encrypted information cannot be accessed or recovered without this password.
General tasks

After the basic user account is set up, you can perform the following tasks:

● Encrypting files and folders
● Sending and receiving encrypted e-mail

Using the Personal Secure Drive

After setting up the PSD, you are prompted to type the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.
Changing the Basic User Key password

To change the Basic User Key password:

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Basic User Key password, click Change.
4. Type the old password, and then set and confirm the new password.
5. Click OK.
Advanced tasks

Backing up and restoring

The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emergency.

Creating a backup file

To create a backup file:

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Backup. The HP Embedded Security for ProtectTools Backup Wizard opens.
4.
Changing the owner password

To change the owner password:
1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Owner Password, click Change.
4. Type the old owner password, and then set and confirm the new owner password.
5. Click OK.

Resetting a user password

An administrator can help a user to reset a forgotten password.
Migrating keys with the Migration Wizard Migration is an advanced administrator task that allows the management, restoration, and transfer of keys and certificates. For details on migration, refer to the Embedded Security software Help.
8 Device Access Manager for HP ProtectTools (select models only)

This security tool is available to administrators only.
Starting background service

For device profiles to be applied, the HP ProtectTools Device Locking/Auditing background service must be running. When you first attempt to apply device profiles, HP ProtectTools Security Manager opens a dialog box to ask if you would like to start the background service. Click Yes to start the background service and set it to start automatically whenever the system boots.
Simple configuration

When Device Access Manager is installed, a Device Administrators group is created, and is then populated by the system administrator. Simple configuration allows you to deny access to the following classes of devices for all non-Device Administrators:
● All removable media (floppy disks, pen drives, etc.
Device class configuration (advanced)

More selections are available to allow specific users or groups of users to be granted or denied access to types of devices.

Adding a user or a group

1. Click Start, click All Programs, and then click HP ProtectTools Security Manager.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure.
4. Click Add. The Select Users or Groups dialog box opens.
5.
4. Under User/Groups, add the group to be denied access.
5. Click Deny next to the group to be denied access.
6. Navigate to the folder below that of the required class and add the specific user. Click Allow to grant this user access.
7. Click Apply, and then click OK.

Allowing access to a specific device for one user of a group

You can allow one user access to a specific device while denying access to all other members of that user's group for all devices in the class.
9 Troubleshooting

Credential Manager for HP ProtectTools

Short description: Using the Credential Manager Network Accounts option, a user can select which domain account to log on to. When TPM authentication is used, this option is not available. All other authentication methods work properly.
Details: Using TPM authentication, the user is only logged on to the local computer.
Solution: Using Credential Manager Single Sign On tools allows the user to authenticate other accounts.
Windows password from Credential Manager, the administrator gets an error logon failure: User account restriction.
local PC, Credential Manager can only change the password used to log on.

Short description: Credential Manager has incompatibility issues with Corel WordPerfect 12 password GINA.
Details: If the user logs on to Credential Manager, creates a document in WordPerfect, and
Solution: HP is researching a workaround for future product enhancements.
HP is investigating resolution options for future customer software releases.

Short description: The security Restore Identity process loses association with virtual token.
Details: When user restores identity, Credential Manager can lose the association with the location of the virtual token at logon screen. Even though Credential Manager has the virtual token registered, the user must reregister the token to restore the association.
Solution: This is currently by design.
Embedded Security for HP ProtectTools (select models only)

Short description: Encrypting folders, subfolders, and files on PSD causes an error message.
Details: If the user copies files and folders to the PSD and tries to encrypt folders/files or folders/subfolders, the Error Applying Attributes message is displayed. The user can encrypt the same files on the C:\ drive or an extra installed hard drive.
Solution: This is as designed.

Short description: Cannot Take Ownership With Another OS In MultiBoot Platform.
Short description: Errors occur after a power loss interrupts Embedded Security initialization.
Short description: An intermittent encrypt and decrypt error occurs: The process cannot access the file because it is being used by another process.
Details: This is an extremely intermittent error during file encryption or decryption which occurs because the file is being used by another process, even though that file or folder is not being processed by the operating system or other applications.
Solution: To resolve the failure:
1. Restart the system.
2. Log off.
3. Log back on.
Short description: Secure e-mail is supported, even when secure e-mail is not specified in the User Initialization Wizard or when secure e-mail configuration is disabled in user policies.
Details: Embedded security software and the wizard do not control settings of an email client (Outlook, Outlook Express, or Netscape).
Solution: This behavior is as designed. Configuration of TPM email settings does not prohibit editing encryption settings directly in an e-mail client.
Short description Details Solution and is not accessed by another process. The user must reboot the system in order to delete the PSD and it is not loaded after reboot. An internal error is detected when the user is restoring from the Automatic Backup Archive. The security system exhibits a restore error with multiple users. In Embedded Security, if the user clicks the Restore under Backup option to restore from the automatic backup Archive and then selects SPSystemBackup.
Short description: Automatic backup does not work with the mapped drive.
Details: When an administrator sets up Automatic Backup in Embedded Security, it creates an entry in Windows > Tasks > Scheduled Task. This Windows Scheduled Task is set to use NT AUTHORITY\SYSTEM for rights to execute the backup. This works properly to any local drive.
Solution: The workaround is to change the NT AUTHORITY\SYSTEM to (computer name)\(admin name). This is the default setting if the Scheduled Task is created manually.
Device Access Manager for HP ProtectTools

Short description: Users have been denied access to devices within Device Access Manager, but the devices are still accessible.
Details: Simple Configuration and/or Device Class Configuration have been used within Device Access Manager to deny users access to devices. Despite being denied access, users can still access the devices.
Solution: Verify that the HP ProtectTools Device Locking service has started.
Miscellaneous

Software Impacted—Short description: Security Manager—Warning received: The security application can not be installed until the HP Protect Tools Security Manager is installed.
Details: All security applications such as Embedded Security, Java Card Security, and biometrics are extendable plug-ins for the Security Manager interface. Security Manager must be installed before an HP-approved security plug-in can be loaded.
Software Impacted— Short description Details Solution an error is returned when closing the Security Manager interface. upper right of the screen to close Security Manager before all plug-in applications have finished loading. Manager. Since PTHOST.exe is the shell housing the other applications (plug-ins), it depends on the ability of the plug-in to complete its load time (services). Closing the shell before the plug-in has had time to complete loading is the root cause.
Software Impacted—Short description: Security Power-On Authentication overlaps the BIOS Password during boot sequence.
Details: Power-On Authentication prompts the user to log on to the system using the TPM password, but, if the user presses f10 to access the BIOS, the user is granted Read rights access only.
Solution: To be able to write to BIOS, the user must type the BIOS password instead of the TPM password at the Power-On Authentication window.
Glossary

activation
The task that must be completed before any of the Drive Encryption features are accessible. Drive Encryption is activated using the HP ProtectTools Security Manager setup wizard. Only an administrator can activate Drive Encryption. The activation process consists of activating the software, encrypting the drive, creating a user account, and creating the initial backup encryption key on a removable storage device.

administrator
See Windows administrator.
digital certificate
Electronic credentials that confirm the identity of an individual or a company by binding the identity of the digital certificate owner to a pair of electronic keys that are used to sign digital information.

digital signature
Data sent with a file that verifies the sender of the material, and that the file has not been modified after it was signed.

domain
Group of computers that are part of a network and share a common directory database.
PSD
Personal secure drive, which provides a protected storage area for sensitive information.

reboot
Process of restarting the computer.

reveal
A task that allows the user to decrypt one or more chat history sessions, displaying the Contact Screen Name(s) in plain text and making the session available for viewing.

revocation password
A password that is created when a user requests a digital certificate. The password is required when the user wants to revoke his or her digital certificate.
trusted IM communication
A communication session during which trusted messages are sent from a trusted sender to a Trusted Contact.

trusted message
A communication session during which trusted messages are sent from a trusted sender to a Trusted Contact.

Trusted Platform Module (TPM) embedded security chip (select models only)
The generic term for the HP ProtectTools Embedded Security Chip.