BIOS-enabled security features in HP business notebooks - Technical white paper

Multiuser architecture in BIOS
Multiuser architecture relies on role-based user groups. The BIOS can separate functions and access among these
different user groups. The separation promotes higher security in the following ways:
• Users no longer need to share passwords.
• BIOS administrators do not have to share setup passwords with users.
• BIOS administrators can assign granular control of setup features to users.
Currently the BIOS defines two user types.
BIOS Administrator: Privileges include management of other BIOS users, full access to f10 BIOS settings, and the
ability to control f10 access of other users and unlock the system when other BIOS users fail the preboot
authentication.
BIOS User: Privileges include the ability to use an authentication password to boot the BIOS and access f10 BIOS
settings as defined by the BIOS administrator.
Enabling BIOS preboot authentication
Before a BIOS user can be provided with preboot authentication, a BIOS administrator password must be created.
1. Boot the system, and press f10 to enter the BIOS setup.
2. Select Setup BIOS Administrator Password from the Security menu.
3. Follow the prompts to create and confirm the new administrator password.
The BIOS administrator sets up the BIOS user password as follows:
1. Boot the system, and then press f10 to enter the BIOS setup.
2. Select User Management from the Security menu. To add a BIOS user, select Create new BIOS User account.
3. Follow the steps on the screen to create the user ID, and then press Enter to continue. By default, the BIOS user
password is the same as the BIOS user ID. For example, if the BIOS administrator creates a “user1” ID, then the
default password is also “user1”.
4. Repeat the steps to create a BIOS User account for each new user.
The BIOS will now prompt for a BIOS user password during boot. The BIOS user can change the default password as
follows:
1. Boot the system, and then press f10 to enter the BIOS setup.
2. Select Change Password from the Security menu and follow the prompts to change to a new password.
NOTE: For maximum system protection, strong BIOS administrator and BIOS user passwords must be selected, and the
BIOS administrator password must be different from the user password.
If an incorrect password is entered three times, the system prevents any further retries until the system is powered
down and restarted. This feature further protects the system from unauthorized access by forcing the user to enter the
password manually, thereby preventing dictionary attacks. Users can set up HP SpareKey to regain access if credentials
are lost or forgotten. HP SpareKey allows users to answer a series of questions (established during the HP SpareKey
enrollment process) to access their notebooks. See the Forgotten passwords section for more information about HP
SpareKey.
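The two roles, the default-password rule and the three-strike lockout described above can be captured in a small policy model. The following Python is an added illustration written for this page, not HP firmware code and not the behaviour of any specific BIOS revision; the account store, the method names and the eight-character minimum used by the audit are assumptions made here. It shows the administrator-first ordering, the user ID being the default user password, the lockout that only a power cycle clears, and an audit that flags accounts still on the weak default or sharing the administrator password.

```python
"""Model of the BIOS preboot-authentication policy described in the white paper.

Hypothetical example (not HP code): two roles, a default user password equal
to the user ID, a three-strike lockout cleared only by a power cycle, and an
audit that flags weak account configurations.
"""
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3          # lockout threshold stated in the white paper
MIN_PASSWORD_LEN = 8      # assumed "strong password" floor, not from the paper
ADMIN_ID = "BIOS Administrator"


@dataclass
class Account:
    user_id: str
    password: str
    role: str  # "administrator" or "user"


@dataclass
class PrebootAuth:
    accounts: dict = field(default_factory=dict)
    failed_attempts: int = 0
    locked: bool = False  # persists until power_cycle()

    def create_administrator(self, password: str) -> None:
        self.accounts[ADMIN_ID] = Account(ADMIN_ID, password, "administrator")

    def create_user(self, user_id: str) -> Account:
        # A BIOS administrator password must exist before any BIOS user is added.
        if ADMIN_ID not in self.accounts:
            raise PermissionError("set up the BIOS administrator password first")
        # Default password is the user ID itself ("user1" / "user1").
        acct = Account(user_id, user_id, "user")
        self.accounts[user_id] = acct
        return acct

    def authenticate(self, user_id: str, password: str) -> bool:
        if self.locked:
            return False  # no retries until the system is powered down and restarted
        acct = self.accounts.get(user_id)
        ok = acct is not None and hmac.compare_digest(
            acct.password.encode(), password.encode())
        if ok:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True
        return False

    def power_cycle(self) -> None:
        self.locked = False
        self.failed_attempts = 0

    def change_password(self, user_id: str, current: str, new: str) -> bool:
        # A user must prove the current password before replacing it.
        if not self.authenticate(user_id, current):
            return False
        self.accounts[user_id].password = new
        return True

    def audit(self) -> list:
        """Return findings for accounts that violate the paper's NOTE guidance."""
        findings = []
        admin = self.accounts.get(ADMIN_ID)
        for acct in self.accounts.values():
            if acct.role == "user" and acct.password == acct.user_id:
                findings.append(f"{acct.user_id}: default password (user ID) unchanged")
            if acct.role == "user" and admin and acct.password == admin.password:
                findings.append(f"{acct.user_id}: password identical to administrator password")
            if len(acct.password) < MIN_PASSWORD_LEN:
                findings.append(f"{acct.user_id}: password shorter than {MIN_PASSWORD_LEN} characters")
        return findings


if __name__ == "__main__":
    bios = PrebootAuth()
    bios.create_administrator("Adm1n-Str0ng-Passphrase")   # constructed sample value
    bios.create_user("user1")
    for finding in bios.audit():
        print(finding)
```

Running the module prints the audit findings for a freshly created "user1", which is exactly the state a newly provisioned notebook is in until the user follows the Change Password steps.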
Preboot authentication using ProtectTools
Another way to enable BIOS preboot authentication is to use ProtectTools Security Manager within Windows. The
ProtectTools Security Manager wizard enables various security levels to protect the computer system and the data.
ProtectTools users can set the following security levels:
Preboot Security: Protects the system before it boots to the OS. This ProtectTools function initiates the BIOS preboot
authentication process.
HP Drive Encryption: Protects computer data by encrypting the hard drive.