HP ProtectTools Getting Started
© Copyright 2011 Hewlett-Packard Development Company, L.P. Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Intel is a trademark of Intel Corporation in the U.S. and other countries and is used under license. Microsoft, Windows, and Windows Vista are U.S. registered trademarks of Microsoft Corporation. The information contained herein is subject to change without notice.
1 Introduction to security

HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.

Application: HP ProtectTools Administrative Console (for administrators)
Features:
● Requires Microsoft Windows administrator rights to access.
● Provides access to modules that are configured by an administrator and not available to users.
HP ProtectTools features

The following table details the key features of HP ProtectTools modules.

Module: HP ProtectTools Administrative Console (for administrators)
Key features:
● Set up and configure levels of security and security logon methods using the Security Manager Setup Wizard.
● Configure options hidden from users.
● Configure Device Access Manager configurations and user access.
● Add and remove HP ProtectTools users and view user status using administrator tools.
Module: Privacy Manager for HP ProtectTools (select models only)
Key features:
● Used to obtain Certificates of Authority, which verify the source, integrity, and security of communication when using Microsoft email and Microsoft Office documents.

Module: Computrace for HP ProtectTools (purchased separately)
Key features:
● Provides secure asset tracking.
● Monitors user activity, as well as hardware and software changes.
● Remains active even if the hard drive is reformatted or replaced.
HP ProtectTools security product description and common use examples

Most of the HP ProtectTools security products have both user authentication (usually a password) and an administrative backup to gain access if passwords are lost, not available, or forgotten, or any time corporate security requires access.

NOTE: Some of the HP ProtectTools security products are designed to restrict access to data.
Neither Embedded Security for HP ProtectTools nor Drive Encryption for HP ProtectTools allows access to the encrypted data even when the drive is removed, because both are bound to the original motherboard.

Example 2: A hospital administrator wants to ensure only doctors and authorized personnel can access any data on their local computer without sharing their personal passwords. The IT department adds the administrator, doctors, and all authorized personnel as Drive Encryption users.
Privacy Manager for HP ProtectTools

Privacy Manager for HP ProtectTools is used when Internet e-mail communications need to be secured. The user can create and send e-mail that can only be opened by an authenticated recipient. With Privacy Manager, the information cannot be compromised or intercepted by an impostor.

Example 1: A stock broker wants to make sure that his e-mails only go to specific clients and that no one can fake the e-mail account and intercept it.
resist password attacks where someone would attempt to guess the decryption password. Embedded Security can also encrypt the entire drive and e-mail.

Example 2: A stock broker wants to transport extremely sensitive data to another computer using a portable drive. She wants to make sure that only these two computers can open the drive, even if the password is compromised.
Achieving key security objectives

The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives:
● Protecting against targeted theft
● Restricting access to sensitive data
● Preventing unauthorized access from internal or external locations
● Creating strong password policies

Protecting against targeted theft

An example of targeted theft would be the theft of a computer containing confidential data and customer in
private information such as patient records or personal financial records. The following features help prevent unauthorized access:
● The pre-boot authentication feature, if enabled, helps prevent access to the operating system. Refer to the following chapters:
◦ Password Manager for HP ProtectTools
◦ Embedded Security for HP ProtectTools
◦ Drive Encryption for HP ProtectTools
● Password Manager helps ensure that an unauthorized user cannot get passwords or access to password-protected applications.
Additional security elements

Assigning security roles

In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.

NOTE: In a small organization or for individual use, these roles may all be held by the same person.
HP ProtectTools password: Owner password
Set in the following module: Embedded Security, by IT administrator
Function: Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.

HP ProtectTools password: BIOS Administrator password
Set in the following module: Computer Setup, by IT administrator
Function: Protects access to the Computer Setup utility.
Creating a secure password

When creating passwords, you must first follow any specifications that are set by the program. In general, however, consider the following guidelines to help you create strong passwords and reduce the chances of your password being compromised:
● Use passwords with more than 6 characters, preferably more than 8.
● Mix the case of letters throughout your password.
● Whenever possible, mix alphanumeric characters and include special characters and punctuation marks.
2 Getting started with the Setup Wizard

The Security Manager Setup Wizard guides you through enabling available security features that are applied to all users of this computer. You can also manage these features on the Security Features page of Administrative Console.

To set up security features through the Security Manager Setup Wizard:
1.
– or –
Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console. In the left pane, click Setup Wizard.
2. Read the Welcome screen, and then click Next.
3. Verify your identity by typing your Windows password, and then click Next. If you have not yet created a Windows password, you are prompted to create one.
3 HP ProtectTools Security Manager Administrative Console

HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Administration of HP ProtectTools Security Manager is provided through the Administrative Console feature. Additional applications are available (select models only) in the Security Manager dashboard to assist with recovery of the computer if it is lost or stolen.
Opening HP ProtectTools Administrative Console

For administrative tasks, such as setting system policies or configuring software, open the console as follows:
▲ Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
– or –
In the left panel of Security Manager, click Administration, and then click Administrative Console.
Using Administrative Console

HP ProtectTools Administrative Console is the central location for administering HP ProtectTools Security Manager features and applications.
▲ To open HP ProtectTools Administrative Console, click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
– or –
In the left panel of Security Manager, click Administration, and then click Administrative Console.
Configuring your system

The System group is accessed from the menu panel on the left side of HP ProtectTools Administrative Console. You can use the applications in this group to manage the policies and settings for the computer, its users, and its devices. The following applications are included in the System group:
● Security—Manage features, authentication, and settings governing how users interact with this computer.
● Users—Set up, manage, and register users of this computer.
Session Policy

To define policies governing the credentials required to access HP ProtectTools applications during a Windows session:
1. In the left panel of Administrative Console, click Security, and then click Authentication.
2. On the Session Policy tab, click the down arrow, and then select a category of user:
3.
Credentials

Within the Credentials application, you can specify settings available for any built-in or attached security devices recognized by HP ProtectTools Security Manager.

SpareKey

You can configure whether or not to allow SpareKey authentication for Windows logon, and manage the security questions that will be presented to users during their SpareKey enrollment.
1. Select the check box to enable or clear it to disable the use of SpareKey authentication for Windows logon.
2.
Smart card

If a smart card reader is installed or connected to the computer, the Smart card page has two tabs:
● Settings—Configure the computer to automatically lock when a smart card is removed.
NOTE: The computer locks only if the smart card was used as an authentication credential when logging on to Windows. Removing a smart card that was not used to log on to Windows does not lock the computer.
Configuring your applications

You can use Settings to customize the behavior of currently installed HP ProtectTools Security Manager applications. To edit your application settings:
1. In the left panel of Administrative Console, under Applications, click Settings.
2. Select the check box next to a specific setting to enable it, or clear the check box to disable the setting.
3. Click Apply.
4 HP ProtectTools Security Manager

HP ProtectTools Security Manager allows you to significantly increase the security of your computer. You can use preloaded Security Manager applications, as well as additional applications available for immediate download from the Web:
● Manage your logon and passwords.
● Easily change your Windows® operating system password.
● Set program preferences.
● Use fingerprints for extra security and convenience.
● Enroll one or more scenes for authentication.
Opening Security Manager

You can open Security Manager in any of the following ways:
● Click Start, click All Programs, click HP, and then click HP ProtectTools Security Manager.
● Double-click the HP ProtectTools icon in the notification area, at the far right of the taskbar.
● Right-click the HP ProtectTools icon, and click Open HP ProtectTools Security Manager.
● Click the HP ProtectTools desktop gadget icon.
Using the Security Manager dashboard

The Security Manager dashboard is the central location for easy access to Security Manager features, applications, and settings.
▲ To open the Security Manager dashboard, click Start, click All Programs, click HP, and then click HP ProtectTools Security Manager.
The dashboard displays the following components:
● ID Card—Displays the Windows user name and a selected picture identifying the logged-on user account.
Security Applications Status

You can view the status of your installed security applications in two locations:
● HP ProtectTools desktop gadget
The banner color at the top of the HP ProtectTools gadget icon changes to reflect the overall security status of your installed security applications.
My Logons

The applications included in this group assist you in managing various aspects of your digital identity.
● Password Manager—Creates and manages Quick Links, which allow you to launch and log on to Web sites and programs by authenticating with your Windows password, your fingerprint, or a smart card.
● Credential Manager—Provides a means to easily change your Windows password, enroll your fingerprints, or set up a smart card.
For Web pages or programs where a logon has already been created

The following options are displayed on the context menu:
● Fill in logon data—Places your logon data in the logon fields and then submits the page (if submission was specified when the logon was created or last edited).
● Edit logon—Allows you to edit your logon data for this Web site.
● Add Logon—Allows you to add an account to a logon.
● Open Password Manager—Launches Password Manager.
The plus sign is removed from the Password Manager icon to notify you that the logon has been created.
f. If Password Manager does not detect the logon fields, click More fields.
● Select the check box for each field that is required for logon, or clear the check box for any fields that are not required for logon.
● If Password Manager cannot detect all of the logon fields, a message is displayed asking if you want to continue. Click Yes.
● A dialog box opens with your logon fields filled in.
4.
● To view the password for this logon, click Show password.
● To have the logon fields filled in, but not submitted, clear the Automatically submit logon data check box.
Click OK.

Using the Logons menu

Password Manager provides a fast, easy way to launch the Web sites and programs for which you have created logons. Double-click a program or Web site logon from the Logons menu, or from the Manage tab in Password Manager, to open the logon screen, and then fill in your logon data.
Your logons are listed on the Manage tab. If multiple logons have been created for the same Web site, each logon is then listed under the Web site name and indented in the logon list. To manage your logons:
▲ From the Security Manager dashboard, click Password Manager, and then click the Manage tab.
● Add a logon—Click Add Logon and follow the on-screen instructions.
To add a logon for a screen that has been previously excluded:
◦ While the previously excluded Web site logon or the program page is displayed, open the Security Manager dashboard, and then click Password Manager.
◦ Click Add Logon. The Add Logon dialog box opens with the Web site logon screen or program listed in the Current screen field.
◦ Click Continue. The Add Logon to Password Manager screen is displayed.
◦ Follow the on-screen instructions.
To register a VeriSign VIP token for a Web site:
1. Log on to a VeriSign VIP-enabled Web site manually or with a Password Manager logon.
2. Click the displayed VeriSign VIP balloon to create a logon for this site.
3. In the Add Logon to Password Manager dialog box, select I want VIP security on this site. This option appears only for sites where VeriSign VIP security is available.
To change your Windows password, follow these steps:
1. From the Security Manager dashboard, click Credential Manager, and then click Password.
2. Enter your current password in the Current Windows password text box.
3. Type a new password in the New Windows password text box, and then type it again in the Confirm new password text box.
4. Click Change to immediately change your current password to the new one that you entered.
Setting up a smart card

Administrators must initialize and register the smart card before it can be used for authentication.

Initializing the smart card

HP ProtectTools Security Manager can support a number of different smart cards. The number and type of characters used in PINs may vary. The manufacturer of the smart card should provide tools to install a security certificate and management PIN that HP ProtectTools will use in its security algorithm.
NOTE: ActivIdentity software must be installed.
Configuring the smart card

If a smart card reader is installed or connected to the computer, the Smart card page has two tabs:
● Settings—Configure the computer to automatically lock when a smart card is removed.
NOTE: The computer locks only if the smart card was used as an authentication credential when logging on to Windows. Removing a smart card that was not used to log on to Windows does not lock the computer.
5. Click the Camera icon, and then follow the on-screen instructions to enroll your scene. Follow the on-screen instructions, and be sure to look at your image while the scenes are being captured.
6. Click Next.
7. Click Finish.
You can also enroll scenes from the Security Manager dashboard:
1. Open the Security Manager dashboard. For more information, refer to Opening Security Manager on page 24.
2. Under My Logons, click Credential Manager, and then click Face.
3.
Once a PIN is created, you can select from the following options: Change, Reset, or Remove a PIN.
● Use Bluetooth for additional security—Select this option to pair your Bluetooth-capable phone with Face Recognition. During Windows logon, once your face is authenticated, Face Recognition also verifies the presence of the paired Bluetooth phone. If the phone is present (with Bluetooth enabled), then you are allowed to log on to Windows.
◦ Be sure that Bluetooth is enabled on both the computer and the phone.
Your personal ID card

Your ID card uniquely identifies you as the owner of this Windows account, showing your name and a picture of your choice. It is prominently displayed in the upper-left corner of Security Manager pages. You can change the picture and the way that your name is displayed. By default, your full Windows user name and the picture you selected during Windows setup are shown. To change the displayed name:
1. Open the Security Manager dashboard.
NOTE: The Fingerprint tab is available only if the computer has a fingerprint reader and the correct driver is installed.
● Quick Actions—Use Quick Actions to select the Security Manager task to be performed when you hold down a designated key while swiping your fingerprint. To assign a Quick Action to one of the listed keys, click a (Key) + Fingerprint option, and then select one of the available tasks from the menu.
● Fingerprint Scan Feedback—Displayed only when a fingerprint reader is available.
To restore your data:
1. Open the Security Manager dashboard. For more information, refer to Opening Security Manager on page 24.
2. In the left panel of the dashboard, click Advanced, and then click Backup and Restore.
3. Click Restore data.
4. Select the previously created storage file. Enter the path in the field provided, or click Browse.
5. Enter the password used to protect the file.
6. Select the modules for which you want to restore data.
5 Drive Encryption for HP ProtectTools (select models only)

Drive Encryption for HP ProtectTools provides complete data protection by encrypting your computer hard drive. When Drive Encryption is activated, you must log in at the Drive Encryption login screen, which is displayed before the Windows® operating system starts. The HP ProtectTools Security Manager Setup Wizard allows Windows administrators to activate Drive Encryption, back up the encryption key, and select or deselect drive(s).
Opening Drive Encryption

Administrators can access Drive Encryption from HP ProtectTools Administrative Console.
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
2. In the left pane, click Drive Encryption.
General tasks

Activating Drive Encryption for standard hard drives

Standard hard drives are encrypted using software encryption. Follow these steps to activate Drive Encryption:
1. Use the HP ProtectTools Security Manager Setup Wizard to activate Drive Encryption.
2. Follow the on-screen instructions until the Enable security features page is displayed, and then continue with step 4 below.
– or –
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
2.
NOTE: If your computer does not have a self-encrypting drive meeting the Trusted Computing Group's OPAL specification for self-encrypting drive management, then the hardware encryption option is not available, and software encryption is used by default. If there is a mix of self-encrypting drives and standard hard drives, then the hardware encryption option is not available, and software encryption is used by default.
– or –
Software encryption
1.
5. Be sure that the Use hardware drive encryption check box is selected at the bottom of the screen.
6. Under Drives to be encrypted, select the check box for the hard drive that you want to encrypt, and then click Next.
7. To back up the encryption key, insert the storage device into the appropriate slot.
NOTE: To save the encryption key, you must use a USB storage device with the FAT32 format. A floppy disk, USB memory stick, Secure Digital (SD) Memory Card, or MMC may be used for backup.
8.
NOTE: In a hardware encryption scenario, be sure that the computer is turned off. If the computer is not turned off and then restarted, the Drive Encryption pre-boot authentication screen is not displayed.
NOTE: When waking from Sleep or Standby, Drive Encryption pre-boot authentication is not displayed for software or hardware encryption, unless it is disabled. When waking from Hibernation, Drive Encryption pre-boot authentication is displayed.
Protect your data by encrypting your hard drive

It is highly recommended that you use the HP ProtectTools Security Manager Setup Wizard to protect your data by encrypting your hard drive:
1. In the left pane, click the + icon to the left of Drive Encryption to display the available options.
2. Click Settings.
3. For software-encrypted drives, select the drive partitions to be encrypted.
Advanced tasks

Managing Drive Encryption (administrator task)

Administrators can use the Settings page under Drive Encryption to view and change the status of Drive Encryption (enabled, inactive, or hardware encryption was activated) and to view the encryption status of all of the hard drives on the computer.
NOTE: Hardware encryption cannot be changed on the Settings page.
NOTE: Dynamic partitions are not supported. If a partition is displayed as available, but it cannot be encrypted when selected, the partition is dynamic. A dynamic partition results from shrinking a partition to create a new partition within Disk Management. A warning is displayed if a partition will be converted to a dynamic partition.
6 Privacy Manager for HP ProtectTools (select models only)

Privacy Manager for HP ProtectTools enables you to use advanced security login (authentication) methods to verify the source, integrity, and security of communications when using e-mail or Microsoft® Office documents.
Opening Privacy Manager

To open Privacy Manager:
● To access Outlook-specific features in Microsoft Outlook, click Send Securely in the Privacy group on the Message tab.
● To access most features in Microsoft Office documents, click Sign and Encrypt in the Privacy group on the Home tab.
● To access additional features, access the HP ProtectTools Security Manager dashboard.
◦ Click Start, click All Programs, click HP, click HP ProtectTools Security Manager, and then click Privacy Manager.
Setup procedures

Managing Privacy Manager Certificates

Privacy Manager Certificates protect data and messages using a cryptographic technology called public key infrastructure (PKI). PKI requires users to obtain cryptographic keys and a Privacy Manager Certificate issued by a certificate authority (CA).
Obtaining a preassigned Corporate Privacy Manager Certificate
1. In Outlook, open the e-mail that you received indicating that a Corporate Certificate has been preassigned to you.
2. Click Obtain. You will receive an e-mail in Microsoft Outlook with your Privacy Manager Certificate attached.
To install the certificate, refer to Setting up a Privacy Manager Certificate on page 54.

Setting up a Privacy Manager Certificate
1.
3. Choose whether to import a certificate already installed on this computer or a certificate stored as a PFX (Personal Information Exchange/PKCS#12) file, and then click Next.
● To import a certificate installed on this computer, select the desired certificate, and then click Next.
● To select a PFX certificate, click Browse, navigate to the location of the PFX file, and then click Next. Type the PFX file password, and then click Next.
4. When the import process is complete, click Next.
5.
NOTE: You are not required to use your default Privacy Manager Certificate. From within the various Privacy Manager functions, you can select any of your Privacy Manager Certificates to use.

Deleting a Privacy Manager Certificate

If you delete a Privacy Manager Certificate, you cannot open any files or view any data that you encrypted with that certificate.
5. Authenticate using your chosen security login method.
6. Follow the on-screen instructions.

Managing Trusted Contacts

Trusted Contacts are users with whom you have exchanged Privacy Manager Certificates, enabling you to securely communicate with one another.
NOTE: If you have not obtained a Privacy Manager Certificate, a message informs you that you must have a Privacy Manager Certificate in order to send a Trusted Contact request. Click OK to launch the Certificate Request Wizard. Refer to Requesting a Privacy Manager Certificate on page 53 for more information.
7. Authenticate using your chosen security login method.
Viewing Trusted Contact details
1. Open Privacy Manager, and then click Trusted Contacts.
2. Click a Trusted Contact.
3. Click Contact details.
4. When you have finished viewing the details, click OK.

Deleting a Trusted Contact
1. Open Privacy Manager, and then click Trusted Contacts.
2. Click the Trusted Contact you want to delete.
3. Click Delete contact.
4. When the confirmation dialog box opens, click Yes.
General tasks

You can use Privacy Manager with the following Microsoft products:
● Microsoft Outlook
● Microsoft Office

Using Privacy Manager in Microsoft Outlook

When Privacy Manager is installed, a Privacy button is displayed on the Microsoft Outlook toolbar, and a Send Securely button is displayed on the toolbar of each Microsoft Outlook e-mail message.
3. Click the down arrow next to Send Securely (Privacy in Outlook 2003), and then click Sign and Send.
4. Authenticate using your chosen security login method.

Sealing and sending an e-mail message

Sealed e-mail messages are digitally signed and sealed (encrypted), and can only be viewed by people you choose from your Trusted Contacts list. To seal and send an e-mail message to a Trusted Contact:
1. In Microsoft Outlook, click New or Reply.
2. Type your e-mail message.
3.
Configuring Privacy Manager for Microsoft Office
1. Open Privacy Manager, click Settings, and then click the Documents tab.
– or –
On the toolbar of a Microsoft Office document, click the down arrow next to Sign and Encrypt, and then click Settings.
2. Select the actions you want to configure, and then click OK.

Signing a Microsoft Office document
1. In Microsoft Word, Microsoft Excel, or Microsoft PowerPoint, create and save a document.
2.
To add a suggested signer to a Microsoft Word or Microsoft Excel document:
1. In Microsoft Word or Microsoft Excel, create and save a document.
2. Click the Insert menu.
3. In the Text group on the toolbar, click the arrow next to Signature Line, and then click Privacy Manager Signature Provider. The Signature Setup dialog box opens.
4. In the box under Suggested signer, enter the name of the suggested signer.
5.
4. Click the name of a Trusted Contact who will be able to open the document and view its contents.
NOTE: To select multiple Trusted Contact names, hold down the ctrl key, and then click the individual names.
5. Click OK.
If you later decide to edit the document, follow the steps in Removing encryption from a Microsoft Office document on page 64. When the encryption is removed, you can edit the document. Follow the steps in this section to encrypt the document again.
When a signed Microsoft Office document is opened, a Digital Signatures icon is displayed in the status bar at the bottom of the document window.
1. Click the Digital Signatures icon to toggle display of the Signatures dialog box, which displays the name of all users who signed the document and the date each user signed it.
2. To view additional details about each signature, right-click a name in the Signatures dialog box, and then select Signature Details.
Advanced tasks

Migrating Privacy Manager Certificates and Trusted Contacts to a different computer

You can securely migrate your Privacy Manager Certificates and Trusted Contacts to another computer, or back up your data for safekeeping. To do this, back up the data as a password-protected file to a network location or any removable storage device, and then restore the file to the new computer.
Central administration of Privacy Manager

Your installation of Privacy Manager may be part of a centralized installation that has been customized by your administrator. One or more of the following features may be either enabled or disabled:
● Certificate use policy—You may be restricted to the use of Privacy Manager Certificates issued by Comodo, or you may be allowed to use digital certificates issued by other certificate authorities.
7 File Sanitizer for HP ProtectTools
File Sanitizer allows you to securely shred assets (for example: personal information or files, historical or Web-related data, or other data components) on your computer and to periodically bleach deleted assets on your hard drive.
NOTE: This version of File Sanitizer supports the computer hard drive only.
Shredding
Shredding is different than a standard Windows® delete (also known as a simple delete in File Sanitizer). When you shred an asset using File Sanitizer, the files are overwritten with meaningless data, making it virtually impossible to retrieve the original asset. A Windows simple delete may leave the file (or asset) intact on the hard drive or in a state where forensic methods could be used to recover it.
Free space bleaching
Deleting an asset in Windows does not completely remove the contents of the asset from your hard drive. Windows only deletes the reference to the asset. The content of the asset still remains on the hard drive until another asset overwrites that same area on the hard drive with new information. Free space bleaching allows you to securely write random data over deleted assets, preventing users from viewing the original contents of the deleted asset.
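As an added illustration of the three operations described above (a simple delete, a shred, and free-space bleaching), written for this page and not taken from the HP manual or from File Sanitizer itself; the file names, marker text and size limit are constructed, and the caveat about SSDs and copy-on-write file systems is the standard one a practitioner should keep in mind.

```python
# Added illustration, not code from the HP manual or from File Sanitizer itself.
# A standard delete only drops the directory entry; a shred overwrites the bytes
# before deleting; free-space bleaching fills unused blocks with random data.
# File names, marker text and size limits below are constructed values.
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes of random data written per iteration


def overwrite_in_place(path, passes=1):
    """Overwrite every byte with random data and flush. Returns bytes written.
    Caveat: on SSDs, copy-on-write/journaling file systems or extra hard links
    the old blocks can survive; the manual limits File Sanitizer to hard drives."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def shred_file(path, passes=1):
    """Shred = overwrite in place, then delete (os.remove alone is the
    'simple delete' the manual contrasts with). Returns bytes overwritten."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def bleach_free_space(directory, limit_bytes):
    """Fill free space on the volume holding `directory` with random data, then
    release it. Stops at limit_bytes; a real bleach runs until the disk is full."""
    scratch = os.path.join(directory, ".bleach-scratch.tmp")
    written = 0
    try:
        with open(scratch, "wb") as f:
            while written < limit_bytes:
                n = min(CHUNK, limit_bytes - written)
                f.write(secrets.token_bytes(n))
                written += n
            f.flush()
            os.fsync(f.fileno())
    except OSError:
        pass  # disk full: every previously free block is now covered
    finally:
        if os.path.exists(scratch):
            os.remove(scratch)
    return written


def demo():
    """Run all three on a constructed file in a temp dir; return the outcomes."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "secret.txt")
    marker = b"ACCOUNT-1234 "  # constructed sensitive content, 13 bytes
    with open(path, "wb") as f:
        f.write(marker * 100)
    overwritten = overwrite_in_place(path)
    with open(path, "rb") as f:
        survived = marker in f.read()  # expected False after the overwrite
    shredded = shred_file(path)
    bleached = bleach_free_space(d, 4 * CHUNK)
    os.rmdir(d)
    return {"overwritten": overwritten, "marker_survived": survived, "shredded": shredded,
            "file_gone": not os.path.exists(path), "bleached": bleached}
```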
Opening File Sanitizer
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Security Manager.
2. Click File Sanitizer.
– or –
▲ Double-click the File Sanitizer icon on your desktop.
– or –
▲ Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Open File Sanitizer.
Setup procedures
Setting a shred schedule
You can select a predefined shred profile or create your own shred profile. For more information, refer to Selecting or creating a shred profile on page 73. You can also shred assets manually at any time. For more information, refer to Using a key sequence to initiate shredding on page 76.
NOTE: A scheduled task starts at a specific time. If the system is turned off or is in Sleep/Standby at the scheduled time, File Sanitizer will not attempt to relaunch the task.
Selecting or creating a shred profile
You can specify an erasure method and select the assets to shred by selecting a predefined profile or by creating your own profile.
Selecting a predefined shred profile
When you choose a predefined shred profile, a predefined erasure method and list of assets are automatically selected. You can also view the predefined list of assets that are selected for shredding.
1. Open File Sanitizer, and then click Settings.
2. Click a predefined shred profile:
3.
To remove an asset from the available shred options, click the asset, and then click Delete.
4. Selected items will be shredded, and a confirmation message will be displayed. Unselected items will be shredded without a confirmation message. Select the check box to display a confirmation message before shredding the item, or clear the check box to shred the item without displaying a confirmation message.
NOTE: Even if the check box for an asset is cleared, the asset will be shredded.
4. To protect assets from automatic deleting:
a. Under Do not delete the following, click Add, and then browse or type the path to the file or folder.
b. Click Open, and then click OK.
To remove an asset from the exclusions list, click the asset, and then click Delete.
5. Click Apply.
General tasks
You can use File Sanitizer to perform the following tasks:
● Use a key sequence to initiate shredding—This feature allows you to create a key sequence (for example, ctrl+alt+s) to initiate shredding. For details, refer to Using a key sequence to initiate shredding on page 76.
● Use the File Sanitizer icon to initiate shredding—This feature is similar to the drag-and-drop feature in Windows. For details, refer to Using the File Sanitizer icon on page 77.
Using the File Sanitizer icon
CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding.
1. Navigate to the document or folder you want to shred.
2. Drag the asset to the File Sanitizer icon on the desktop.
3. When the confirmation dialog box opens, click Yes.
Manually shredding one asset
CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding.
1.
– or –
1. Open File Sanitizer, and then click Shred.
2. Click the Shred now button.
3. When the confirmation dialog box opens, click Yes.
Manually activating free space bleaching
1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, click File Sanitizer, and then click Bleach Now.
2. When the confirmation dialog box opens, click Yes.
– or –
1. Open File Sanitizer, and then click Free Space Bleaching.
2. Click Bleach Now.
3.
8 Device Access Manager for HP ProtectTools (select models only)
HP ProtectTools Device Access Manager controls access to data by disabling data transfer devices.
NOTE: Some human interface/input devices, such as a mouse, keyboard, TouchPad, and fingerprint reader, are not controlled by Device Access Manager. For more information, refer to Unmanaged Device Classes on page 90.
Opening Device Access Manager
1. Log in as an administrator.
2. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
3. In the left pane, click Device Access Manager.
Users can view the HP ProtectTools Device Access Manager policy using HP ProtectTools Security Manager. This console provides a read-only view.
Setup procedures
Configuring device access
HP ProtectTools Device Access Manager offers four views:
● Simple Configuration—Allow or deny access to classes of devices, based on membership in the Device Administrators group.
● Device Class Configuration—Allow or deny access to types of devices or specific devices for specific users or groups.
Starting the background service
The first time a new policy is defined and applied, the HP ProtectTools Device Locking/Auditing background service starts automatically, and it is set to start automatically whenever the system starts.
NOTE: A device profile must be defined before the background service prompt is displayed.
Administrators can also start or stop this service:
1. In Windows 7, click Start, click Control Panel, and then click System and Security.
The Device Class Configuration view has the following sections:
● Device List—Shows all the device classes and devices that are installed on the system or that may have been installed on the system previously.
◦ Protection is usually applied for a device class. A selected user or group will be able to access any device in the device class.
◦ Protection may also be applied to specific devices.
The same user, the same group, or a member of the same group can be denied write access or read+write access only for the same device or a device below this device in the device hierarchy.
Example 6—If a user or group is denied read+write access for a device or class of devices:
The same user, the same group, or a member of the same group can be granted read access or read+write access only for a device below this device in the device hierarchy.
Allowing access to a class of devices for one user of a group
To allow a user to access a class of devices while denying access to all other members of that user's group:
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click Device Class Configuration.
2. In the device list, click the device class that you want to configure.
● Device class
● All devices
● Individual device
3.
Removing settings for a user or a group
To remove permission for a user or a group to access a device or a class of devices, follow these steps:
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click Device Class Configuration.
2. In the device list, click the device class that you want to configure.
● Device class
● All devices
● Individual device
3. Under User/Groups, click the user or group you want to remove, and then click Remove.
4.
The JITA period can also be extended, if configured to do so. In this scenario, 1 minute before the JITA period is about to expire, users can click the prompt to extend their access without having to reauthenticate. Whether the user is given a limited or unlimited JITA period, as soon as the user logs off the system or another user logs in, the JITA period expires. The next time the user logs in and attempts to access a JITA-enabled device, a prompt to enter credentials is displayed.
Disabling a JITA for a user or group
Administrators can disable user or group access to devices using just-in-time authentication.
1. In the left pane of HP ProtectTools Administrative Console, click Device Access Manager, and then click JITA Configuration.
2. From the device’s drop-down menu, select either removable media or DVD/CD-ROM drives.
3. Select the user or group whose JITA you wish to disable.
4. Clear the Enabled check box.
5. Click Apply.
Advanced Settings
Advanced Settings provides the following functions:
● Management of the Device Administrators group
● Management of drive letters to which Device Access Manager never denies access.
The Device Administrators group is used to exclude trusted users (trusted in terms of device access) from the restrictions imposed by a Device Access Manager policy. Trusted users usually include system administrators. Refer to Device Administrators group on page 89 for more information.
3. Click OK.
4. Click Apply.
Alternative methods for managing membership of this group include:
● For Windows 7 Professional or Windows Vista, users can be added to this group using the standard “Local Users and Groups” Microsoft Management Console (MMC) snap-in.
◦ Hard disk controller (HDC)
◦ Human interface device (HID) class
● Power
◦ Battery
◦ Advanced power management (APM) support
● Miscellaneous
◦ Computer
◦ Decoder
◦ Display
◦ Processor
◦ System
◦ Unknown
◦ Volume
◦ Volume snapshot
◦ Security devices
◦ Security accelerator
◦ Intel® unified display driver
◦ Media driver
◦ Medium changer
◦ Multifunction
◦ Legacard
◦ Net client
◦ Net service
◦ Net trans
◦ SCSI adapter
9 Theft recovery
Computrace for HP ProtectTools (purchased separately) allows you to remotely monitor, manage, and track your computer. Once activated, Computrace for HP ProtectTools is configured from the Absolute Software Customer Center. From the Customer Center, the administrator can configure Computrace for HP ProtectTools to monitor or manage the computer. If the system is misplaced or stolen, the Customer Center can assist local authorities in locating and recovering the computer.
10 Embedded Security for HP ProtectTools (select models only)
NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools.
Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials.
Setup procedures
CAUTION: To reduce security risk, it is highly recommended that your IT administrator immediately initialize the embedded security chip. Failure to initialize the embedded security chip could result in an unauthorized user, a computer worm, or a virus taking ownership of the computer and gaining control over the owner tasks, such as handling the emergency recovery archive and configuring user access settings.
Initializing the embedded security chip
In the initialization process for Embedded Security, you will perform the following tasks:
● Set an owner password for the embedded security chip that protects access to all owner functions on the embedded security chip.
● Set up the emergency recovery archive, which is a protected storage area that allows reencryption of the Basic User Keys for all users.
To initialize the embedded security chip:
1.
Setting up the basic user account
Setting up a basic user account in Embedded Security accomplishes the following tasks:
● Produces a Basic User Key that protects encrypted information, and sets a Basic User Key password to protect the Basic User Key.
● Sets up a personal secure drive (PSD) for storing encrypted files and folders.
CAUTION: Safeguard the Basic User Key password. Encrypted information cannot be accessed or recovered without this password.
General tasks
After the basic user account is set up, you can perform the following tasks:
● Encrypting files and folders
● Sending and receiving encrypted e-mail
Using the personal secure drive
After setting up the PSD, you are prompted to type the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.
Changing the Basic User Key password
To change the Basic User Key password:
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click User Settings.
3. In the right pane, under Basic User password, click Change.
4. Type the old password, and then set and confirm the new password.
5. Click OK.
Advanced tasks
Administrators can perform the following tasks in Embedded Security:
● Backing up and restoring Embedded Security credentials, Embedded Security settings, and Personal Secure Drives
● Changing the owner password
● Resetting a user password
● Securely migrating user security credentials from a source platform to a destination platform
Backing up and restoring
The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emerge
Changing the owner password
Administrators can change the owner password:
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Owner Password, click Change.
4. Type the old owner password, and then set and confirm the new owner password.
5. Click OK.
Resetting a user password
An administrator can help a user to reset a forgotten password.
Migrating keys with the Migration Wizard
Migration is an advanced administrator task that allows the management, restoration, and transfer of keys and certificates. For details on migration, refer to the Embedded Security software Help.
11 Localized password exceptions
At the Preboot Security level and the HP Drive Encryption level, password localization support is limited, as described in the following sections.
Windows IMEs not supported at the Preboot Security level or the HP Drive Encryption level
In Windows, the user can choose an IME (input method editor) to enter complex characters and symbols, such as Japanese or Chinese characters, by using a standard western keyboard.
Password changes using keyboard layout that is also supported
If the password is initially set with one keyboard layout, such as U.S. English (409), and then the user changes the password using a different keyboard layout that is also supported, such as Latin American (080A), the password change will work in HP Drive Encryption, but it will fail in the BIOS if the user uses characters that exist in the latter but not in the former (for example, ē).
Special key handling
● Chinese, Slovakian, Canadian French and Czech
When a user selects one of the preceding keyboard layouts and then enters a password (for example, abcdef), the same password must be entered while pressing the shift key for lower case and the shift key and caps lock key for upper case in BIOS Preboot Security and HP Drive Encryption. Numeric passwords must be entered using the numeric keypad.
Language / Windows / BIOS / Drive Encryption
Czech
  Windows:
  ◦ The ğ key is rejected.
  ◦ The į key is rejected.
  ◦ The ų key is rejected.
  ◦ The ė, ı, and ż keys are rejected.
  ◦ The ģ, ķ, ļ, ņ, and ŗ keys are rejected.
  BIOS: n/a
  Drive Encryption: n/a
Slovakian
  Windows: The ż key is rejected.
  BIOS:
  ◦ The š, ś, and ş keys are rejected when typed, but they are accepted when entered with the soft keyboard.
  ◦ The ţ dead key generates two characters.
  Drive Encryption: n/a
Hungarian
  Windows: The ż key is rejected.
  BIOS: The ţ key generates two characters.
What to do when a password is rejected
Passwords can be rejected for the following reasons:
● A user is using an IME that is not supported. This is a common issue with double-byte languages (Korean, Japanese, Chinese). To resolve this issue:
1. Click Start, click Control Panel, and then click Regional and Language Options.
2. Click the Languages tab.
3. Click the Details button.
4. On the Settings tab, click the Add button to add a supported keyboard (add U.S.
Glossary
activation
The task that must be completed before any of the Drive Encryption features are accessible. Drive Encryption is activated using the HP ProtectTools Setup Wizard. Only an administrator can activate Drive Encryption. The activation process consists of activating the software, encrypting the drive, creating a user account, and creating the initial backup encryption key on a removable storage device.
administrator
See Windows administrator.
The means by which a user proves eligibility for a particular task in the authentication process.
cryptographic service provider (CSP)
A provider or library of cryptographic algorithms that can be used in a well-defined interface to perform particular cryptographic functions.
cryptography
The practice of encrypting and decrypting data so that it can be decoded only by specific individuals.
Encryption File System (EFS)
A system that encrypts all files and subfolders within the selected folder.
fingerprint
A digital extraction of your fingerprint image. Your actual fingerprint image is never stored by Security Manager.
free space bleaching
The secure writing of random data over deleted assets to distort the contents of the deleted asset.
group
A group of users that have the same level of access or denial to a device class or a specific device.
Personal secure drive, which provides a protected storage area for sensitive information.
reboot
The process of restarting the computer.
restore
A process that copies program information from a previously saved backup file into this program.
revocation password
A password that is created when a user requests a digital certificate. The password is required when the user wants to revoke his or her digital certificate. This ensures that only the user may revoke the certificate.
suggested signer
A user who is designated by the owner of a Microsoft Word or Microsoft Excel document to add a signature line to the document.
token
See security logon method.
Trusted Contact
A person who has accepted a Trusted Contact invitation.
Trusted Contact invitation
An e-mail that is sent to a person, asking them to become a Trusted Contact.
Trusted Contact list
A listing of Trusted Contacts.
Trusted Contact recipient
A person who receives an invitation to become a Trusted Contact.