Technical whitepaper HP Client Security Commercial Managed IT Software August 2016 747889-002
HP Client Security Technical Whitepaper August 2016 747889-002 Table of contents 1 Executive summary ............................................................................................................... 6 2 System requirements and prerequisites ............................................................................... 7 2.1 Supported operating systems ......................................................................................................................... 7 2.
HP Client Security Technical Whitepaper August 2016 747889-002 12.1.2 Define a policy ............................................................................................................................................................... 24 12.1.3 Just In Time Authentication (JITA) Configuration ............................................................................. 25 13 HP Drive Encryption.....................................................................................................
HP Client Security Technical Whitepaper August 2016 747889-002 List of figures Figure 1 HP Client Security Setup Wizard ..................................................................................................... 17 Figure 2 HP Client Security Home Page ........................................................................................................ 19 Figure 3 HP Client Security User Management ............................................................................................
HP Client Security Technical Whitepaper August 2016 747889-002 List of tables Table 1 Data Protection Security Features ..................................................................................................... 9 Table 2 Device Protection Security Features ................................................................................................ 10 Table 3 Identity Protection Security Features ..............................................................................................
HP Client Security Technical Whitepaper August 2016 747889-002 1 Executive summary This whitepaper is intended for IT staff.
HP Client Security Technical Whitepaper August 2016 747889-002 2 System requirements and prerequisites Information regarding minimum hardware requirements for the installation of Windows is available at http://www.microsoft.com. 2.1 Supported operating systems Windows 7 Windows 8.x Windows 10 2.2 Supported hardware options Smart Card readers ○ Windows: All PKI Smart Cards supported via a PKCS#11 or CSP stack.
HP Client Security Technical Whitepaper August 2016 747889-002 3 Introduction HP’s renowned history in personal computer security has been based on the belief that security should be built in and not bolted on. This belief has led to the development of HP Client Security (formerly known as HP ProtectTools), the specially developed multi-layered, hassle-free enterprise-level Windows application. It is the reason why HP includes Client Security on Business Desktops, Notebooks, and Workstations.
HP Client Security Technical Whitepaper August 2016 747889-002 4 HP Security Strategy The HP security strategy to protect users is encompassed through: Data Security (Shown in Table 1) Device Security (Shown in Table 2) Identity Security (Shown in Table 3) HP believes these areas of protection cannot be accomplished with only bolted on solutions.
HP Client Security Technical Whitepaper Hardware-based August 2016 747889-002 Common Criteria EAL4+ Certified TPM A Common Criteria certification Evaluation Assurance Level 4+ (EAL4+) Trusted Platform Module (TPM) provides hardware-based encryption keys and more secure storage. Self-Encrypting Drives (SEDs) Encrypts and decrypts data as it is being written to, or read from the drive. Users get faster encryption performance than that of softwarebased only encryption solutions.
HP Client Security Technical Whitepaper Software-based August 2016 747889-002 Absolute Persistence1 (See Absolute Data & Device Security on page 34) Once subscribed and activated for supported Absolute services (purchased separately), the Persistence Module ensures that activated Absolute software services, such as Absolute Data & Device Security (DDS), formerly Absolute Computrace, have their agent replaced in Windows, if it is ever removed. For more information visit http://www.absolute.com/.
HP Client Security Technical Whitepaper August 2016 747889-002 Table 3 Identity Protection Security Features Layer Identity protection Description BIOS Security Power-on Authentication Requires users to authenticate themselves when turning on the computer before the operating system or any other software will start.
HP Client Security Technical Whitepaper Fingerprint Reader Sensor August 2016 747889-002 The integrated swipe Fingerprint Sensor on HP Business Notebooks and select Desktops is an isolated hardware that is highly spoof-resistant, very secure, does the match of the fingerprint on the sensor, and creates fingerprint templates rather than storing fingerprint images. The Fingerprint Sensor included on the HP Security Jacket is a FIPS 201 certified touch sensor. 1. Requires Windows. User setup required.
HP Client Security Technical Whitepaper August 2016 747889-002 5 HP Client Security – Manageability Options HP Client Security has multiple management options: Local Management - HP Client Security application allows for full policy configuration. ○ Limited users may not change policies. ○ Policies can be set in an image before deployment. HP Drive Encryption– upgrade to WinMagic SecureDoc Enterprise for remote management. ○ HP offers licensing for HP and non-HP PCs.
HP Client Security Technical Whitepaper August 2016 747889-002 6 Remote Management Alternatives to HP Client Security Technology HP Enterprise Device Access Manager ○ Provides similar functionality to HP Device Access Manager but with centralized manageability. ○ Offers administration tools to define and maintain the device access control policy which is stored in Windows Active Directory. ○ Does not support Just In Time Authentication ○ Visit www.hp-protecttools.com/products.
HP Client Security Technical Whitepaper August 2016 747889-002 7 HP Client Security Technology HP Client Security consists of the following key security technologies: 7.1 Security and Encryption Strength HP Client Security’s core host application adheres to a strong security model with the following features: Execute all “secure operations,” such as, user authentication, user provisioning, credential management, and policy configuration from a highly privileged account.
HP Client Security Technical Whitepaper August 2016 747889-002 8 HP Client Security - Setup Wizard The HP Client Security setup wizard helps secure access to your computer via a password, a fingerprint sensor (if available), or the HP SpareKey if a password or other credential is lost. The wizard safeguards hard drive access and data using HP Drive Encryption for robust information protection.
HP Client Security Technical Whitepaper August 2016 747889-002 Fingerprints enrollment (only shown with supported fingerprint readers) ○ Requires enrollment of two fingerprints. If needed, a user can enroll additional fingerprints later using the HP Client Security application. ○ Enrollment process starts immediately upon the user swiping their first finger. ○ Allows the user to login to Windows with their finger(s).
HP Client Security Technical Whitepaper August 2016 747889-002 9 HP Client Security - Application HP Client Security can be accessed from a single, console interface icon in the Windows® system tray, the Control Panel, the Windows 7 Start menu, a Windows 7 desktop gadget, or Windows 8/10 start page. The HP Client Security home page shown in Figure 2 is the central location for easy access to HP Client Security features, applications, and settings.
HP Client Security Technical Whitepaper August 2016 747889-002 “Login policy” applies to the Windows Logon. “Session policy” applies to security applications running in Windows that leverage Credential Manager, such as Password Manager. Figure 3 HP Client Security User Management 9.2 Policies The Administrators Policies window shown in Figure 4 provides the ability to configure login and session policies for the applicable user(s). The Standard Users Policies has a similar interface.
HP Client Security Technical Whitepaper August 2016 747889-002 10 Password Manager Password Manager provides the ability to automatically remember and then supply credentials for websites, applications, and protected network resources. Password Manager includes a personal password vault that makes accessing protected information more secure. Password Manager protects the data with encryption and an Access Control List (ACL).
HP Client Security Technical Whitepaper August 2016 747889-002 11 Synaptics Fingerprint Reader Sensor/Driver (VFS495) 11.1 Technology The VFS495 meets the requirements of FIPS140-2, but is not FIPS 140 certified. The VFS495 uses the following encryption and data security technologies: Advanced Encryption Standard (AES) hardware block - Encrypts/decrypts data stream with AES-CBC-256 and RSA-2048. AES cryptography is performed in CBC mode. Hardware exponentiation block - Performs RSA operations.
HP Client Security Technical Whitepaper August 2016 747889-002 Embedded Secure Template Database will securely protect application-provided user payload data / user credentials bound to the finger enrollment. Up to 50 finger enrollments may be stored in the secure database, beyond this, fingers must be removed before new enrollments can be performed. The following items are included in the manageability scheme for the fingerprint reader: ○ Min/max finger enrollment count.
HP Client Security Technical Whitepaper August 2016 747889-002 12 HP Device Access Manager (HPDAM) HP Device Access Manager speaks to HP’s strong commitment to security and its ability to respond to customer needs with innovative solutions. A common assumption with today’s PC usage model is that users who are authorized to log on to a personal computer and access sensitive data are also able to copy that information. In reality, this is not always the case.
HP Client Security Technical Whitepaper August 2016 747889-002 12.1.3 Just In Time Authentication (JITA) Configuration JITA Configuration shown in Figure 5 allows the administrator to view and modify lists of user groups that are allowed to access devices using JITA. JITA-enabled users will be able to access some devices for which policies created in the Device Class Configuration have been restricted.
HP Client Security Technical Whitepaper August 2016 747889-002 13 HP Drive Encryption (HPDE) HP Drive Encryption (HPDE) shown in Figure 6 provides complete data protection by encrypting your computer's data so it becomes unreadable to an unauthorized person. If an encrypted drive is removed from the system and attached to a USB enclosure, it cannot be read from another PC without proper authorization.
HP Client Security Technical Whitepaper August 2016 747889-002 13.1 Launch via Wizard HPDE can be activated from HP Client Security Setup wizard shown in Figure 7. Figure 7 Wizard Page Completing the wizard performs the following: Allows selection of the location for backing up the encryption key. The user can choose either Removable Media, TPM, and/or OneDrive. If the encryption key backup fails, an error will be displayed to the user and the wizard will not proceed.
HP Client Security Technical Whitepaper August 2016 747889-002 13.1.1 Launch via HP Client Security HPDE can be alternatively activated from HP Client Security under “DATA” category shown in Figure 8. Figure 8 Launch HPDE Using HP Client Security HP Client Security provides the following options: Select partition to encrypt from a list of partitions.
HP Client Security Technical Whitepaper August 2016 747889-002 13.1.2 Notifications HPDE displays various actionable notifications in two ways as shown in Table 4. Color indicates the severity of the notification and the associated message guides the user to what needs to be done. Notifications can be dismissed by clicking on the ‘X’ on the right of the notification. Table 4 Actionable Notifications Color Message Can be dismissed? Yes/No Action Red Your data is at risk. Please encrypt your drive now.
HP Client Security Technical Whitepaper August 2016 747889-002 Cannot configure HPDE policy. Can view the status of the drive. (i.e. if a drive is encrypted or not) Can backup and restore the encryption key. Prerequisites ○ HP Client Security: Version 8.2.x must be installed first ○ 2008 VC ++ version 9.0.30729.6161 Redistributables ○ Microsoft .NET Framework 4.5 Supported OS’s ○ Windows 7 (32-bit and 64 bit) ○ Windows 8 (32-bit and 64-bit) ○ Windows 8.
HP Client Security Technical Whitepaper August 2016 747889-002 13.1.4 Pre-boot Authentication HPDE has it is own pre-boot login environment that requires users to authenticate. Windows 8/10 Native UEFI: When the drive is encrypted, WinMagic’s Pre-boot UEFI (PBU) performs pre-boot authentication (PBA) BEFORE the drive can be accessed by the Windows Boot Loader.
HP Client Security Technical Whitepaper August 2016 747889-002 Offering HPDE (Pre-installed) WinMagic SecureDoc Enterprise (for HP) One Step Logon ✔ (3 Domains with One Step Logon) ✔ (2 Domain) Opal SED Support ✔ ✔ External Storage Encryption ✔ (via eSata) ✔ Multi-factor Authentication ✔ (HP Client Security) ✔ Key back-up to SkyDrive ✔ ✖ Active Directory Integration ✖ ✔ Network Pre-Boot Authentication ✖ ✔ Wireless Pre-Boot Authentication ✖ ✔ Centralized Management Console ✖ ✔
HP Client Security Technical Whitepaper August 2016 747889-002 14 Infineon Trusted Platform Module HP PCs feature a Trusted Platform Module (TPM) embedded security chip on select HP business notebooks, desktops and workstations. This embedded security chip is certified to the Trusted Computing Group (TCG) Evaluation Assurance Level 4+ (EAL4+) standard. HP platforms support the latest TPM v1.2 and TPM v2.0. The Trusted Computing Group (TCG) is an international industry standards group.
HP Client Security Technical Whitepaper August 2016 747889-002 15 Absolute Data & Device Security Absolute provides a single cloud-based console (http://cc.absolute.com) for administrators and users who want to persistently track and secure all of their endpoints. Computers can be remotely managed and secured to ensure - and most importantly prove - that endpoint IT compliance processes are properly implemented and enforced.
HP Client Security Technical Whitepaper August 2016 747889-002 16 Appendix A - Frequently Asked Questions Q. What authentication technologies are supported by HP Client Security? A. HP Client Security Manager is a security platform that has been designed to easily grow with the user's needs. It supports the following authentication technologies currently, but may support additional technologies as they become available.
HP Client Security Technical Whitepaper August 2016 747889-002 Q. What if a user has multiple Microsoft Windows accounts on the same PC? Can Credential Manager still be used? A. Yes, this would function the same as multiple users on a single PC. The user must use different fingers with each account if they would like to login using their fingerprints. Fingerprint sensor will not accept a finger that is currently enrolled. Q.
HP Client Security Technical Whitepaper August 2016 747889-002 17 Appendix B- Certifications and Standards HP Drive Encryption ○ WinMagic Cryptographic Engine 6.1 is FIPS 140-2 Level 1 certified (for HP Business PCs introduced in 2013) Fingerprint Readers (Integrated on notebooks) ○ NIST Compliant: No ○ Not FIPS 201 compliant ○ Even though the HP Fingerprint Reader is very secure, it does not support FIPS 201 mainly because FIPS 201 requires a touch sensor instead of a swipe sensor.
