HP ProtectTools User Guide
© Copyright 2007 Hewlett-Packard Development Company, L.P. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. AMD, the AMD Arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. Bluetooth is a trademark owned by its proprietor and used by Hewlett-Packard Company under license. Java is a US trademark of Sun Microsystems, Inc.
1 Introduction to security

HP ProtectTools Security Manager software provides security features that help protect against unauthorized access to the computer, networks, and critical data.
HP ProtectTools features

The following table details the key features of HP ProtectTools modules:

Module: Credential Manager for HP ProtectTools
Key features:
● Credential Manager serves a dual role, acting as a personal password vault, providing single sign on capability, and allowing the user to define and deploy more stringent security for user authentication beyond a password.
● Password storage is protected through encryption and can be hardened through the use of a TPM embedded security chip.

Module: Drive Encryption for HP ProtectTools
Key features:
● Drive Encryption provides complete, full-volume hard drive encryption.
● Drive Encryption utilizes pre-boot authentication to decrypt and access the data.
● Drive Encryption provides an authentication management tool used to encrypt partitions, hard drives, and multiple hard drives.
Accessing HP ProtectTools Security

To access HP ProtectTools Security from Windows® Control Panel:
▲ Select Start > All Programs > HP ProtectTools Security Manager (or HP ProtectTools Security Manager for Administrators in Windows Vista).

NOTE: After you have configured the Credential Manager module, you can also open HP ProtectTools by logging on to Credential Manager directly from the Windows logon screen. For more information, refer to “Logging on to Windows with Credential Manager” on page 15.
Achieving key security objectives

The HP ProtectTools modules can work together to provide solutions for a variety of security issues, including the following key security objectives:
● Protecting against targeted theft
● Restricting access to sensitive data
● Preventing unauthorized access from internal or external locations
● Creating and using strong passwords

Protecting against targeted theft

An example of this type of incident would be the targeted theft of a computer containing confidential da
Preventing unauthorized access from internal or external locations

If a PC containing confidential data and customer information is accessed from an internal or external location, unauthorized users may be able to gain entry to corporate network resources or data from financial services, an executive, or an R&D team. The following features help prevent unauthorized access:
● The pre-boot authentication feature, if enabled, helps prevent access to the operating system.
Additional security elements

Assigning security roles

In managing computer security (particularly for large organizations), one important practice is to divide responsibilities and rights among various types of administrators and users.

NOTE: In a small organization or for individual use, these roles may all be held by the same person.
HP ProtectTools password: Owner password
Set in this HP ProtectTools module: Embedded Security, by IT administrator
Function: Protects the system and the TPM chip from unauthorized access to all owner functions of Embedded Security.

HP ProtectTools password: Java™ Card PIN
Set in this HP ProtectTools module: Java Card Security
Function: Protects access to the Java Card contents and authenticates users of the Java Card. When used for power-on authentication, the Java Card PIN also protects access to the Computer Setup utility and to the computer contents.
HP ProtectTools Backup and Restore

HP ProtectTools Backup and Restore provides a convenient and quick way to back up and restore credentials from all supported HP ProtectTools modules.

Backing up credentials and settings

You can back up credentials in the following ways:
● Use the HP ProtectTools Backup Wizard to select and back up HP ProtectTools modules
● Back up preselected HP ProtectTools modules
NOTE: You must set backup options before you can use this method.
5. Click Set Password and type and confirm your password in the Set Password dialog box. Click OK.
6. Click Apply. Click the Schedule tab. Click the Schedule Task arrow and select the automatic backup frequency.
7. Under Start time, use the Start time arrows to select the exact time for the backup to begin.
8. Click Advanced to select a start date, an end date, and recurring task settings. Click Apply.
9.
2 Credential Manager for HP ProtectTools

Credential Manager serves a dual role: it allows the user to define and deploy more stringent security for user authentication beyond a password, and it acts as a personal password vault which provides single sign on capability.
Setup procedures

Logging on to Credential Manager

Depending on the configuration, you can log on to Credential Manager in any of the following ways:
● Credential Manager Logon Wizard (preferred)
● HP ProtectTools Security Manager icon in the notification area
● HP ProtectTools Security Manager

NOTE: If you use the Credential Manager Logon prompt on the Windows Logon screen, you are logged on to Windows at the same time.
Setting up the fingerprint reader

1. After logging on to Credential Manager, swipe your finger across the fingerprint reader. The Credential Manager Registration Wizard opens.
2. Follow the on-screen instructions to complete registering your fingerprints and setting up the fingerprint reader.
3. To set up the fingerprint reader for a different Windows user, log on to Windows as that user and then repeat steps 1 and 2.

Using your registered fingerprint to log on to Windows

1.
General tasks

All users have access to the “My Identity” page in Credential Manager. From the “My Identity” page, you can perform the following tasks:
● Creating a virtual token
● Changing the Windows logon password
● Managing a token PIN
● Managing identity
● Locking the computer
NOTE: This option is available only if the Credential Manager classic logon prompt is enabled. See “Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager” on page 23.
Managing identity

Clearing an identity from the system

NOTE: This does not affect your Windows user account.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager.
3. In the right pane, click Clear Identity for this Account.
4. Click Yes in the confirmation dialog box. Your identity is logged off and removed from the system.

Locking the computer

This feature is available if you log on to Windows using Credential Manager.
5. Select More > Wizard Options.
   a. If you want this to be the default user name the next time that you log on to the computer, select the Use last user name on next logon check box.
   b. If you want this logon policy to be the default method, select the Use last policy on next logon check box.
6. Follow the on-screen instructions. If your authentication information is correct, you will be logged on to your Windows account and to Credential Manager.

Adding an account

1.
3. Type your password for the program or Web site, and then click OK. The Credential Manager Single Sign On dialog box opens.
4. Click More and select from the following options:
   ● Do not use SSO for this site or application.
   ● Prompt to select account for this application.
   ● Fill in credentials but do not submit.
   ● Authenticate user before submitting credentials.
   ● Show SSO shortcut for this application.
5. Click Yes to complete the registration.

Using manual (drag and drop) registration

1.
Exporting an application

You can export applications to create a backup copy of the Single Sign On application script. This file can then be used to recover the Single Sign On data. This acts as a supplement to the identity backup file, which contains only the credential information.

To export an application:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3.
6. Follow the on-screen instructions.
7. Click OK.

Using Application Protection

This feature allows you to configure access to applications. You can restrict access based on the following criteria:
● Category of user
● Time of use
● User inactivity

Restricting access to an application

1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Services and Applications.
3.
NOTE: If the category is not Everyone, you may need to click Override default settings to override the settings for the Everyone category.
5. Click the application you want to change, and then click Properties. The Properties dialog box for that application opens.
6. Click the General tab. Select one of the following settings:
7.
Advanced tasks (administrator only)

The “Authentication and Credentials” page and the “Advanced Settings” page of Credential Manager are available only to those users with administrator rights.
9. Click OK.
10. Click Apply, and then click OK.

Configuring credential properties

On the Credentials tab of the “Authentication and Credentials” page, you can view the list of available authentication methods and modify the settings.

To configure the credentials:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Authentication and Credentials.
3. In the right pane, click the Credentials tab.
4.
Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager

1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Credential Manager, and then click Settings.
3. In the right pane, click the General tab.
4. Under Select the way users log on to Windows (requires restart), select the Use Credential Manager with classic logon prompt check box.
5. Click Apply, and then click OK.
6. Restart the computer.
3 Embedded Security for HP ProtectTools

NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools.

Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials.
Setup procedures

CAUTION: To reduce security risk, it is highly recommended that your IT administrator immediately initialize the embedded security chip. Failure to initialize the embedded security chip could result in an unauthorized user, a computer worm, or a virus taking ownership of the computer and gaining control over the owner tasks, such as handling the emergency recovery archive and configuring user access settings.
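A quick state check to pair with the CAUTION above, added here as an editor's example and not taken from the HP guide: it uses the Get-Tpm cmdlet, which assumes a Windows build that ships the TrustedPlatformModule module (Windows 8 / Server 2012 and later) rather than the Embedded Security tooling this guide describes, and reports whether the chip is present, enabled, activated and owned (initialized). An enabled but unowned TPM is exactly the state the CAUTION warns about, because whoever initializes it first holds the owner authorization.

```powershell
# Added example, not from the HP ProtectTools guide.
# Assumes Get-Tpm (TrustedPlatformModule module, Windows 8 / Server 2012 and later)
# and an elevated prompt; the property names below are those Get-Tpm returns.
function Get-TpmOwnershipStatus {
    if (-not (Get-Command -Name Get-Tpm -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false
            Finding = 'Get-Tpm is not available on this Windows build; check the TPM state in Computer Setup or in Embedded Security instead'
        }
    }

    $tpm = Get-Tpm

    if (-not $tpm.TpmPresent) {
        $finding = 'No TPM detected; Embedded Security for HP ProtectTools cannot be used on this machine'
    } elseif (-not ($tpm.TpmEnabled -and $tpm.TpmActivated)) {
        $finding = 'TPM is disabled or deactivated; enable it in Computer Setup or BIOS Configuration before initializing'
    } elseif (-not $tpm.TpmOwned) {
        # This is the risky state from the CAUTION: the chip accepts a take-ownership from whoever gets there first.
        $finding = 'TPM is enabled but not initialized (no owner); initialize it now so owner tasks are protected by the owner password'
    } else {
        $finding = 'TPM is initialized (owned)'
    }

    [pscustomobject]@{
        Present   = $tpm.TpmPresent
        Enabled   = $tpm.TpmEnabled
        Activated = $tpm.TpmActivated
        Owned     = $tpm.TpmOwned
        Finding   = $finding
    }
}

Get-TpmOwnershipStatus | Format-List
```

Run it once after the IT administrator has initialized the chip and keep the output with the emergency recovery archive records; Owned = False on a machine that has already been handed to a user is the finding to act on.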
Setting up the basic user account

Setting up a basic user account in Embedded Security accomplishes the following tasks:
● Produces a Basic User Key that protects encrypted information, and sets a Basic User Key password to protect the Basic User Key.
● Sets up a personal secure drive (PSD) for storing encrypted files and folders.

CAUTION: Safeguard the Basic User Key password. Encrypted information cannot be accessed or recovered without this password.
General tasks

After the basic user account is set up, you can perform the following tasks:
● Encrypting files and folders
● Sending and receiving encrypted e-mail

Using the Personal Secure Drive

After setting up the PSD, you are prompted to type the Basic User Key password at the next logon. If the Basic User Key password is entered correctly, you can access the PSD directly from Windows Explorer.
Advanced tasks

Backing up and restoring

The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emergency.

Creating a backup file

To create a backup file:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Backup. The Embedded Security Backup Wizard opens.
4. Follow the on-screen instructions.
Permanently disabling Embedded Security

To permanently disable Embedded Security:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Advanced.
3. In the right pane, under Embedded Security, click Disable.
4. Type your owner password at the prompt, and then click OK.

Enabling Embedded Security after permanent disable

To enable Embedded Security after permanently disabling it:
1.
4 Java Card Security for HP ProtectTools

Java Card Security for HP ProtectTools manages the Java Card setup and configuration for use with the HP Smart Card keyboard. HP's Java Card is a personal security device that protects authentication data, requiring both the card and a PIN to grant access – like using an ATM card with a PIN. The Java Card can be used to access Credential Manager, Drive Encryption, HP BIOS, or any number of third-party access points.
General tasks

The “General” page allows you to perform the following tasks:
● Change a Java Card PIN
● Select the card reader or smart card keyboard
NOTE: The card reader uses both Java Cards and smart cards. This feature is available if you have more than one card reader on the computer.

Changing a Java Card PIN

To change a Java Card PIN:
NOTE: The Java Card PIN must be between 4 and 8 numeric characters.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2.
Advanced tasks (administrators only)

The “Advanced” page allows you to perform the following tasks:
● Assign a Java Card PIN
● Assign a name to a Java Card
● Set power-on authentication
● Back up and restore Java Cards
NOTE: You must have Windows administrator privileges in order to display the “Advanced” page.

Assigning a Java Card PIN

You must assign a name and a PIN to a Java Card before it can be used in Java Card Security.
The process of enabling Java Card power-on authentication involves the following steps:
1. Enable Java Card power-on authentication support in BIOS Configuration or Computer Setup.
2. Enable Java Card power-on authentication in Java Card Security.
3. Create and enable the administrator Java Card.

Enabling Java Card power-on authentication and creating an administrator Java Card

To enable Java Card power-on authentication:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2.
3. Insert a Java Card that will be used as a user card.
4. In the right pane, under Power-on authentication, click Create next to User card identity.
5. Type a PIN for the user Java Card, and then click OK.

Disabling Java Card power-on authentication

When you disable Java Card power-on authentication, the Java Card is no longer needed to access the computer.
1. Select Start > All Programs > HP ProtectTools Security Manager.
2.
5 BIOS Configuration for HP ProtectTools

BIOS Configuration for HP ProtectTools provides access to the Computer Setup utility security and configuration settings, giving users Windows access to system security features that are managed by Computer Setup. The options within BIOS Configuration for HP ProtectTools are:
● File
● Storage
● Security
● Power
● Advanced
NOTE: Support for specific Computer Setup options may vary depending on the hardware configuration.
File

The File option within BIOS Configuration for HP ProtectTools provides system information such as processor type, system BIOS name and version, chassis, serial number, etc. The only File data that can be edited is the asset tracking number. All other data is read-only.
Storage

The Storage option within BIOS Configuration for HP ProtectTools provides information about all bootable devices configured in the computer system and allows you to specify settings for these devices.
Security

The Security option within BIOS Configuration for HP ProtectTools is the central location for all settings related to security and passwords.
Power

The Power option within BIOS Configuration for HP ProtectTools provides settings that control power management at a hardware level.
Advanced

The settings within the Advanced option of BIOS Configuration for HP ProtectTools are intended for advanced users.
6 Device Access Manager for HP ProtectTools

This security tool is available to administrators only. Device Access Manager provides customizable control of data storage and transmission hardware (USB, COM and LPT ports, CD drives, network interface cards, personal music players, etc.). Device Access Manager can also manage users and user groups to provide read, write, allow, or deny access to data on the hardware.
Starting background service

For device profiles to be applied, the HP ProtectTools Device Locking/Auditing background service must be running. When you first attempt to apply device profiles, HP ProtectTools Security Manager opens a dialog box to ask if you would like to start the background service. Click Yes to start the background service and set it to start automatically whenever the system boots.
Simple configuration

This feature allows you to deny access to the following classes of devices:
● All removable media (floppy disks, pen drives, USB, etc.) for all non-administrators
● All DVD/CD-ROM drives for all non-administrators
● All serial and parallel ports for all non-administrators
● All Bluetooth, infra-red, modem, PCMCIA, personal music players, and all 1394 (FireWire) devices for all non-administrators

To deny access to a class of device for all non-administrators:
1.
Device class configuration (advanced)

More selections are available to allow specific users or groups of users to be granted or denied access to types of devices. Some classes allow the option to configure Read Only or Write access.

Adding a user or a group

1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Device Access Manager, and then click Device Class Configuration.
3. In the device list, click the device class that you want to configure.
4.
6. Navigate to the folder below that of the required class and add the specific user. Click Allow to grant this user access.
7. Click Apply, and then click OK.

Allowing access to a specific device for one user of a group

You can allow one user access to a specific device while denying access to all other members of that user's group for all devices in the class.

To allow access to a specific device for one user but not the group:
1. Select Start > All Programs > HP ProtectTools Security Manager.
2.
7 Drive Encryption for HP ProtectTools

Drive Encryption for HP ProtectTools can encode every bit of information on a single hard drive, partition, or multiple hard drives so that it becomes unreadable to an unauthorized person.

CAUTION: If you decide to uninstall the Drive Encryption module, you must first decrypt all encrypted drives. If you do not, you will not be able to access the data on encrypted drives unless you have registered with the Drive Encryption recovery service (see “Recovery” on page 49).
Encryption management

Encrypting a drive

1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click Encryption Management.
3. In the right pane, click Activate. The Drive Encryption for HP ProtectTools Wizard opens.
4. Follow the on-screen instructions to activate encryption.
NOTE: You will need to specify a diskette, flash storage device, or some other USB-connected storage media on which the recovery information will be stored.
User management

Add a user

1. Select Start > All Programs > HP ProtectTools Security Manager.
2. In the left pane, click Drive Encryption, and then click User Management.
3. In the right pane, click Add. Click a user name in the User Name list or type a user name in the Username box. Click Next.
4. Type the Windows password for the selected user, and then click Next.
5. Select an authentication method for the new user, and then click Finish.

Remove a user

1.
Recovery

The following two safety measures are available to you:
● If you forget your password, you cannot access your encrypted drives. You may, however, register with the Drive Encryption recovery service to enable you to access your computer if you forget your password.
● You may back up your Drive Encryption keys on a diskette, flash storage device, or some other USB-connected storage media.

Registering with the Drive Encryption recovery service

1.
8 Troubleshooting

Credential Manager for HP ProtectTools

Short description: Using Credential Manager Network Accounts option, a user can select which domain account to log into. When TPM authentication is used, this option is not available. All other authentication methods work properly.
Details: Using TPM authentication, the user is only logged into the local computer.
Solution: Using Credential Manager Single Sign On tools allows user to authenticate other accounts.
Short description: … Windows password from Credential Manager, the administrator gets an error: logon failure: User account restriction.
Details: … local PC, Credential Manager can only change the password used to log in.

Short description: Single Sign On default is set to log users automatically.
Solution: Credential Manager Single Sign On default settings should be set to prompt to prevent loop.
Short description: Credential Manager not being set as primary logon in Windows 2000.
Details: During Windows 2000 install, the logon policy is set for manual or auto logon admin. If auto logon is chosen, then the Windows default registry settings sets the default auto admin logon value at 1, and Credential Manager does not override this.
Solution: This is as designed.

Short description: Fingerprint logon message appears whether or not fingerprint reader is installed or registered.
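The auto admin logon row above is the one an administrator can confirm from the registry before opening a support case. The following audit is an editor's example rather than anything shipped with HP ProtectTools: it reads the standard Windows Winlogon values (the same key and value names on Windows 2000 through current releases, which is an assumption about Windows, not about HPPTSM), reports whether AutoAdminLogon is on, and flags a DefaultPassword value without ever displaying it. The statement that Credential Manager does not override an enabled auto logon is the guide's own.

```powershell
# Added example, not from the HP ProtectTools guide. Needs no HP software.
# Reads the Winlogon values behind "auto admin logon"; run from an elevated prompt.
function Get-AutoLogonAudit {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # AutoAdminLogon is a REG_SZ that holds "1" when enabled, so compare it as a string.
    $enabled = ($props.AutoAdminLogon -eq '1')

    # A DefaultPassword value under this key means the auto-logon password is stored in clear text
    # in the registry. Report only that it exists; never echo the value.
    $passwordStored = $null -ne $props.PSObject.Properties['DefaultPassword']

    if ($enabled -and $passwordStored) {
        $finding = 'Auto admin logon is on and its password is stored in clear text in the registry; Credential Manager will not become the primary logon, and the stored password is readable by anyone who can read this key'
    } elseif ($enabled) {
        $finding = 'Auto admin logon is on; Credential Manager will not become the primary logon (as designed). Set AutoAdminLogon to 0 if Credential Manager should handle logon'
    } else {
        $finding = 'Auto admin logon is off; Credential Manager can be set as the primary logon'
    }

    [pscustomobject]@{
        AutoAdminLogon     = $enabled
        DefaultUserName    = $props.DefaultUserName
        DefaultDomainName  = $props.DefaultDomainName
        DefaultPasswordSet = $passwordStored
        Finding            = $finding
    }
}

Get-AutoLogonAudit | Format-List
```

DefaultPasswordSet reports only the clear-text registry case; tools that store the auto-logon password as an LSA secret instead (the Sysinternals Autologon utility does this) leave no DefaultPassword value under this key, so AutoAdminLogon = True with DefaultPasswordSet = False is still an enabled auto logon that Credential Manager will not override.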
Short description: Restoring Embedded Security causes Credential Manager to fail.
Details: Credential Manager fails to register any credentials after the ROM is restored to factory settings. The HP Credential Manager for ProtectTools fails to access the TPM if the ROM was reset to factory settings after the Credential Manager installation.
Solution: The TPM embedded security chip can be enabled in the BIOS Computer Setup utility, BIOS Configuration for ProtectTools, or HP Client Manager.
… This is true whether or not an Embedded Security TPM is installed.

Short description: EFS does not require a password to view encrypted files in Windows 2000.
Details: If a user sets up the Embedded Security, logs on as an administrator, then logs off and back on as the administrator, the user can subsequently see files/folders in Windows 2000 without a password. This occurs only in the first administrator account on Windows 2000.
Short description: Errors occur after experiencing a power loss while taking ownership during the Embedded Security Initialization.
… certificate, it shows as non-trusted. While the certificate can be installed at this point by clicking the install button, installing it does not make it trusted.

Short description: Intermittent encrypt and decrypt error occurs: The process cannot access the file because it is being used by another process.
… unchecked in User Initialization Wizard or if secure e-mail configuration is disabled in user policies.
… mail client (Outlook, Outlook Express, or Netscape) settings directly in e-mail client.
Usage of secure e-mail is set and controlled by 3rd-party applications. The HP wizard allows linkage to the three reference applications for immediate customization.
Short description: An internal error has been detected restoring from Backup Archive.
Details: If the user
● clicks Restore under Automatic Backup option of Embedded Security in HPPTSM to restore from the automatic backup Archive
● selects SPSystemBackup.
Solution: If the user selects SpSystemBackup.xml when the SpBackupArchive.xml is required, Embedded Security Wizard fails with: An internal Embedded Security error has been detected. User must select the correct .xml file to match the required reason.
Miscellaneous

Software Impacted—Short description: HP ProtectTools Security Manager—Warning received: The security application can not be installed until the HP Protect Tools Security Manager is installed.
Details: All security applications such as Embedded Security, Java Card, and biometrics are extendable plug-ins for the HP Security Manager interface.
Solution: Security Manager must be installed before an HP-approved security plug-in can be loaded.
… Allow Security Manager to complete services loading message (seen at top of Security Manager window) and all plug-ins listed in left column. To avoid failure, allow a reasonable time for these plug-ins to load.

Software Impacted—Short description: HP ProtectTools General—Unrestricted access or uncontrolled administrator privileges pose security risk.
Details: Numerous risks are possible with unrestricted access to the client PC:
● deletion of PSD
Glossary

Authentication: Process of verifying whether a user is authorized to perform a task, for example, accessing a computer, modifying settings for a particular program, or viewing secured data.
Biometric: Category of authentication credentials that use a physical feature, such as a fingerprint, to identify a user.
BIOS profile: Group of BIOS configuration settings that can be saved and applied to other accounts.
Migration: A task that allows the management, restoration, and transfer of keys and certificates.
Network account: Windows user or administrator account, either on a local computer, in a workgroup, or on a domain.
NTFS partition: NT File System, a method of indexing storage media. This method is standard with Windows Vista and Windows XP.
Personal secure drive (PSD): Provides a protected storage area for sensitive information.