Client Security Solution 8.
Note: Before using this information and the product it supports, read the general information in Appendix D “Notices” on page 75. Third Edition (February 2012) © Copyright Lenovo 2008, 2012. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.
Contents
Preface
Chapter 1. Overview
Client Security Solution
Client Security Solution passphrase
Client Security password recovery
Client Security Password Manager
Security Advisor
Certificate Transfer wizard
Hardware password reset
Support for systems without Trusted Platform Module
Fingerprint Software
Deployment examples for installing Client Security Solution
Scenario 1
Scenario 2
Switching Client Security Solution modes
Corporate Active Directory rollout
Standalone Install for CD or script files
System Update
System Migration Assistant
Generating a certificate using key generation in the TPM
Preface This guide is intended for IT administrators, or those responsible for deploying ThinkVantage® Client Security Solution and ThinkVantage Fingerprint Software to computers throughout their organizations. This guide provides the information required to install Client Security Solution and Fingerprint Software on one or more computers, provided that licenses for the software are available for each target computer.
Chapter 1. Overview This chapter provides an overview of Client Security Solution and Fingerprint Software. The technologies presented in this deployment guide can directly and indirectly help IT professionals because they help make personal computers easier to use, more self-sufficient, and provide powerful tools that facilitate and simplify rollouts. With the help of ThinkVantage Technologies, IT professionals spend less time solving individual computer problems and more time on their core tasks.
Client Security Solution passphrase The Client Security Solution passphrase is an optional feature of user authentication that will provide enhanced security to Client Security Solution applications.
• Autofill user IDs and passwords: Automates your login process when you access an application or web site. If your logon information has been entered into Client Security Password Manager, then Client Security Password Manager can automatically fill in the required fields and submit the web site or application. • Edit entries using the Client Security Password Manager interface: Enables you to edit your account entries and set up all optional features in one easy-to-use interface.
you create. Create this secure environment as soon as possible, before a password is forgotten. You cannot reset a forgotten hardware password until this secure environment is created on your hard drive and after you have enrolled. This tool is available on select computers only. Support for systems without Trusted Platform Module Client Security Solution Version 8.2 supports Lenovo-branded systems that do not have a compliant embedded security chip.
Chapter 2. Installation This chapter contains instructions for installing Client Security Solution, and Fingerprint Software. Before installing Client Security Solution or Fingerprint Software, you should understand the architecture of the application you are installing. This chapter provides the architecture of each application, as well as additional information you need before installing either program.
Custom public properties The installation package for the Client Security Software program contains a set of custom public properties that can be set on the command line when running the installation. The following table provides the custom public properties for Windows XP and Windows 2000: Table 1. Public properties Property Description EMULATIONMODE Specify to force the installation in Emulation mode even if a TPM exists. Set EMULATIONMODE=1 on the command line to install in Emulation mode.
After ownership of the system is configured, each additional Windows user that logs into the system is automatically prompted with the Client Security Setup wizard in order to enroll and initialize the user’s security keys and credentials. Software emulation of the Trusted Platform Module Client Security Solution has the option to run without a Trusted Platform Module on qualified systems. The functionality will be the same except it will use software-based keys instead of using hardware-protected keys.
customizations are made, the user calls msiexec.exe from the command line, passing the name of the unpacked MSI file. The following parameters and descriptions are documented in the InstallShield Developer Help Documentation. Parameters that do not apply to Basic MSI projects were removed. Table 2. Parameters Parameter Description /a : Administrative installation The /a switch causes setup.exe to perform an administrative installation.
Table 3. Command line parameters Parameter Description /I package or product code Use this format to install the product: Othello:msiexec /i "C:\WindowsFolder\Profiles\ UserName\Personal\MySetups \Othello\Trial Version\ Release\DiskImages\Disk1\ Othello Beta.msi" Product code refers to the Globally Unique Identifier (GUID) that is automatically generated in the product code property of your product's project view.
Table 3. Command line parameters (continued) Parameter Description You can separate multiple transforms with a semicolon. Do not use semicolons in the name of your transform, as the Windows Installer service will interpret those incorrectly. Properties All public properties can be set or modified from the command line. Public properties are distinguished from private properties and are all capital letters. For example, COMPANYNAME is a public property.
Table 4. Windows Installer properties (continued) Property Description ARPSYSTEMCOMPONENT Prevents display of application in the Add or Remove Programs list. ARPURLINFOABOUT URL for an application's home page. ARPURLUPDATEINFO URL for application-update information. REBOOT The REBOOT property suppresses certain prompts for a reboot of the system. An administrator typically uses this property with a series of installations to install several products at the same time with only one reboot at the end.
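The REBOOT property described above lets a series of silent installations share a single restart. The following is an added example, not from the Lenovo guide, that installs a list of packages with /qn and REBOOT=R, reads the standard msiexec exit codes, and reports whether one reboot is needed at the end. The second package name and the log folder are assumptions.

```powershell
# Added example, not from the Lenovo guide.
# The first path is the package used in the guide's installation examples;
# the second entry is a placeholder for another product in the same series.
$Packages = @(
    'C:\CSS82\Client Security Solution - Password Manager.msi',
    'C:\CSS82\SecondProduct.msi'          # hypothetical, replace before use
)
$LogDir = 'C:\CSS82\logs'                 # assumed log folder

function Install-MsiSilently {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$LogDir
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "Package not found: $MsiPath"
    }
    $name = [IO.Path]::GetFileNameWithoutExtension($MsiPath)
    $log  = Join-Path $LogDir "$name.log"

    # /qn   = no user interface
    # REBOOT=R (ReallySuppress) = never reboot and never prompt for one
    # /l*v  = verbose log, kept per package for later troubleshooting
    # Paths are wrapped in quotes because they contain spaces.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', 'REBOOT=R', '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    $proc.ExitCode
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$rebootPending = $false

foreach ($pkg in $Packages) {
    $code = Install-MsiSilently -MsiPath $pkg -LogDir $LogDir
    switch ($code) {
        0    { Write-Host "Installed: $pkg" }
        # ERROR_SUCCESS_REBOOT_REQUIRED: installed, restart was suppressed
        3010 { Write-Host "Installed, reboot required: $pkg"; $rebootPending = $true }
        # ERROR_SUCCESS_REBOOT_INITIATED: installed, installer started a restart
        1641 { Write-Host "Installed, restart initiated: $pkg"; $rebootPending = $true }
        # ERROR_INSTALL_ALREADY_RUNNING: another msiexec holds the installer mutex
        1618 { throw "Another installation is in progress; retry $pkg later." }
        default { throw "msiexec exit code $code for $pkg; see the log in $LogDir" }
    }
}

if ($rebootPending) {
    Write-Host 'All packages installed. Restart the computer once to finish.'
    # Restart-Computer    # left commented so the operator chooses the time
}
```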
Table 6. Installation examples using Client Security - Password Manager.msi
Description: Installation
Example: msiexec /i "C:\CSS82\Client Security Solution - Password Manager.msi"
Description: Silent installation with no reboot
Example: msiexec /i "C:\CSS82\Client Security Solution - Password Manager.msi" /qn REBOOT="R"
Description: Silent uninstallation
Example: msiexec /x "C:\CSS82\Client Security Solution - Password Manager.msi" /qn
Installing Client Security Solution 8.
Table 7. Options supported by the Fingerprint Software Parameter Description CTRLONCE Displays the Control Center only once. The default value is 0. CTLCNTR Runs the Control Center on startup. The default value is 1. DEFFUS • 0 = will not use Fast User Switching (FUS) settings. • 1 = Will try to use FUS settings. The default value is 0. INSTALLDIR Defaults to the fingerprint software installation directory.
Table 8. Options supported by the Lenovo Fingerprint Software Parameter Description SWAUTOSTART • 0 = will not start fingerprint software on Windows startup. • 1 = will start fingerprint software on Windows startup. The default value is 1. SWFPLOGON • 0 = will not use fingerprint logon (GINA or Credential Provider). • 1 = will use fingerprint logon (GINA or Credential Provider). The default value is 0. SWPOPP • 0 = will disable power-on password protection.
Table 8. Options supported by the Lenovo Fingerprint Software (continued) Parameter Description SWANTIHAMMERRETRIES Specifies the maximum retries. The default value is 5. Note: This setting works only when SWANTIHAMMER is enabled. SWANTIHAMMERTIMEOUT Specifies the timeout duration in seconds. The default value is 120. Note: This setting works only when SWANTIHAMMER is enabled. SWAUTHTIMEOUT • 0 = disable authentication timeout. • 1 = enable authentication timeout. The default value is 1.
Chapter 3. Working with Client Security Solution Before you install Client Security Solution, you should understand the customization available for Client Security Solution. This chapter provides customization information about Client Security Solution, as well as information regarding the Trusted Platform Module. The terms used in this chapter referencing the Trusted Platform Module are defined by the Trusted Computing Group (TCG).
enrolled as an active user. Every other user that logs into the system will be automatically requested to enroll into Client Security Solution. • Take Ownership A single Windows administrator user ID is assigned as the sole Client Security Solution Administrator for the system. Client Security Solution administrative functions must be performed through this user ID. The Trusted Platform Module authorization is either this user’s Windows password or Client Security passphrase.
The following diagram provides the structure for the System Level Key:
[Figure: System Level Key Structure - Take Ownership. Labels in the diagram: Trusted Platform Module; Auth; Storage Root Private Key; Storage Root Public Key; System Base Private Key; System Base Public Key; System Leaf Private Key; System Leaf Public Key; CSS Admin PW/PP; One-Way Hash; If Passphrase loop n times; Encrypted via derived AES Key; System Base AES Protection Key (derived via output of hash algorithm)]
The following diagram provides the structure for the user level key:
[Figure: User Level Key Structure - Enroll User. Labels in the diagram: Trusted Platform Module; Auth; Storage Root Private Key; Storage Root Public Key; User PW/PP; User Base Private Key; User Base Public Key; User Leaf Private Key; User Leaf Public Key; Windows PW AES Key; PW Manager AES Key; One-Way Hash; If Passphrase loop n times; Encrypted via derived AES Key; User Base AES Protection Key (derived via output of hash]
The TPM emulation mode cannot be used as a secure substitute for the TPM. The TPM provides the following two key protection methods that are more secure than the TPM emulation mode. • All keys used by the TPM are protected by a unique root-level key. The unique root-level key is created inside the TPM and cannot be seen or used outside of the TPM. In the TPM emulation mode, the root-level key is a software-based key stored on the hard disk drive.
The following diagram provides the structure for the motherboard swap - take ownership:
[Figure: Motherboard Swap - Take Ownership. Labels in the diagram: Trusted Platform Module; Store Leaf Private Key; Store Leaf Public Key; System Leaf Private Key; System Leaf Public Key; CSS Admin PW/PP; If Passphrase loop n times; One-Way Hash; Decrypted via derived AES Key; System Base Private Key; System Base Public Key; System Base AES Protection Key (derived via output of hash algorithm)]
Figure 3.
EFS protection utility Client Security Solution provides a command line utility that enables TPM-based protection of encryption certificates used by the Encrypting File System (EFS) to encrypt files and folders. This utility supports transfer of third party certificates (certificates generated by a Certificate Authority) and also supports generation of self-signed certificates.
Using the XML Schema The purpose of the XML scripting is to enable IT administrators to create custom scripts that can be used to deploy and configure Client Security Solution. The scripts can be password-protected with the xml_crypt_tool executable, using encryption such as AES. Once created, the scripts are accepted as input by the virtual machine (vmserver.exe). The virtual machine calls the same functions as the Client Security Solution Setup Wizard to configure the software.
password Note: This command is not supported in the emulation mode. ENABLE_PWMGR_FUNCTION This command enables the password manager for all Client Security Solution users. 0001 ENABLE_PWMGR_FUNCTION 1.
The following command enables the logon with the fast user switching support and disables the Client Security Solution Windows logon. The fast user switching might not be enabled according to the system settings. < registry_settings /> < /tvt_deployment 0001 ENABLE_UPEK_GINA_WIH_FUS_FUNCTION 1.
ENABLE_NONE_GINA_FUNCTION If one of the GINA-related TVT components such as ThinkVantage Fingerprint Software, Client Security Solution, or Access Connection logon is enabled, this command disables both the ThinkVantage Fingerprint Software and the Client Security Solution logons. Note: This command is not supported in the emulation mode. INITIALIZE_SYSTEM_FUNCTION This command initializes the Client Security Solution system function. The system-wide keys are generated through this function call. The following list of parameters explains each function: • NEW_OWNER_AUTH_DATA_PARAMETER This parameter is used to set the new owner password for the system. For the new owner password, the value for this parameter is controlled by the current owner password.
Note: This command is not supported in the emulation mode. ENROLL_USER_FUNCTION This command enrolls a particular user to use Client Security Solution. This function creates all of the user-specific security keys for a given user. The parameters are: • USER_NAME_PARAMETER The user name of the user to enroll. • DOMAIN_NAME_PARAMETER The domain name of the user to enroll. • USER_AUTH_DATA_PARAMETER The Trusted Platform Module passphrase or Windows password with which to create the user’s security keys.
IBM-2AA92582C79 Test1 Test2 Test3 3 20000,20001,20002 Pass1word
Using RSA SecurID tokens Leveraging the encryption algorithm method of encrypting data, using RSA SecurID tokens in addition to Client Security Solution will provide your enterprise with multi-factor security. Using RSA SecurID tokens, users authenticate into networks and software using their user ID or PIN and a token device. The token device displays a string of numbers that changes every sixty seconds.
To leverage the PKCS #11 module of Client Security Solution, the following policies must be set for Active Directory: 1. PKCS #11 Signature 2. PKCS #11 Decryption The following table provides the modifiable field and description of policies for PKCS# 11: Table 10. ThinkVantage\Client Security Solution\Authentication Policies\PKCS# 11 Signature\Custom Mode Fields CSS.ADM Modifiable field Required Field Description Controls whether password or passphrase is required.
• “Security Advisor” on page 33 • “Client Security Solution setup wizard” on page 34 • “Deployment file encrypt or decrypt tool” on page 34 • “Deployment file processing tool” on page 35 • “TPMENABLE.EXE” on page 35 • “Certificate Transfer tool” on page 35 • “TPM activate tool” on page 36 Security Advisor To run Security Advisor from the Client Security Solution, click Start->Programs->ThinkVantage->Client Security Solution. Click Advanced, and choose Audit Security Settings.
Table 11. Parameters (continued) Parameters Description FileSharing Sets the value for the file sharing. 1 will show this section, 0 will hide. If not present then it is shown by default. AuthorizedAccessOnly Sets value that authorized access should be set for file-sharing, or setting will be flagged. ClientSecurity Sets the value for Client Security. 1 will show this section, 0 will hide. If not present then it is shown by default.
Table 13. Parameters for encrypting or decrypting Client Security XML deployment files Parameters Results /h or /? Displays the help message FILENAME Displays path name and filename with either .xml or .enc extension encrypt or decrypt Selects /encrypt for .xml files and /decrypt for .enc files PASSPHRASE Displays the optional parameter that is required if a passphrase is used to protect the file. Examples: xml_crypt_tool.exe "C:\DeployScript.xml" /encrypt "my secret" and xml_crypt_tool.
Table 16. css_cert_transfer_tool.exe : | all_access | usage Parameter Description This is the first required parameter. It must be used as the first switch and include one of the following examples: Examples: cert_store_user Transfers user certificates only. User certificates are assigned to the current user. cert_store_machine Transfers machine certificates only. Machine certificates may be used by all authorized users on a machine.
Table 17. Parameters for activating or deactivating the TPM on the Lenovo system (continued) Parameter Description /deactivate Deactivates the TPM. Note: If you run tpm_activate_cmd.exe without parameter /deactivate, it will activate the TPM by default. /verbose Displays a text output. Example: tpm_activate_cmd.exe /? tpm_activate_cmd.exe /verbose tpm_activate_cmd.exe /biospw:pass Active Directory Support Active Directory is a directory service.
• Default user preferences As described previously, computer and user policies are defined by the administrator. These settings can be initialized through the XML configuration file or through a Group Policy in the Active Directory. Computer and user preferences are set by the user on the client computer through options in the applications interface. Default user preferences are initialized by the XML configuration script. Users do not change the values directly.
Table 19. Computer Configuration ➙ Administrative templates ➙ ThinkVantage ➙ Client Security Solution ➙ Authentication policies ➙ Secure mode Policy Enabled settings Description Password Set the frequency to either Every time, or Once per logon. Controls whether password is required. Passphrase Set the frequency to either Every time, or Once per logon. Controls whether passphrase is required. Fingerprint Set the frequency to either Every time, or Once per logon.
Table 21. Computer Configuration ➙ Administrative templates ➙ ThinkVantage ➙ Client Security Solution ➙ Authentication policies Policy Enabled settings Description Password Set the frequency to either Every time, or Once per logon. Controls whether password is required. Passphrase Set the frequency to either Every time, or Once per logon. Controls whether passphrase is required. Fingerprint Set the frequency to either Every time, or Once per logon. Controls whether fingerprint is required.
Table 23. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ User interface Policy setting Description Fingerprint software option Show, gray or hide the Fingerprint software option in the Client Security Solution application. Default: Show. File encryption option Show, gray or hide the File encryption option in the Client Security Solution application. Default: Show.
Table 24. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ Workstation security tool (continued) Policy Setting Description Windows Users Passwords Password Select the recommended value as enable or disable or select to ignore this setting. Windows Users Passwords Password Age Max number of days the password is allowed to be. Windows Users Passwords Password never expires Recommended value can be set to 'True', 'False', or 'Ignore'.
Active Update Parameter File The Active Update parameter file contains the settings to be passed to Active Update. The TargetApp parameter is passed as shown in this example: ACCESSLENOVO 1EA5A8D5-7E33-11D2-B802-00104B21678D
Chapter 4. Working with ThinkVantage Fingerprint Software The fingerprint console must be run from the Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies which mode of operation will be used. The full command is then “fprconsole user add TestUser”. When the command is not known or not all parameters are specified the short command list is shown together with the parameters.
Table 25. User-specific commands (continued) Command Syntax Description Export enrolled user to a file Syntax: EXPORT username [| domain\username] file This command will export an enrolled user to a file on the hard disk drive. The user then can be imported using the IMPORT command on other computer or on the same computer, if the user is deleted. Import enrolled user Syntax: IMPORT file The command will import the user from the specified file.
Secure mode and convenient mode Fingerprint Software can be run in two security modes, a secure mode and a convenient mode. The secure mode is intended for situations when you want to achieve higher security. Special functions are reserved for administrators only. Only administrators can log on using password without additional authentication. The convenient mode is intended for home computers where a high security level is not so important.
Table 28. Options for limited users in the secure mode (continued) Setting Description Delete Passport Limited user can delete only their own passport. Power-on Security Limited user cannot access. Logon settings Limited user cannot modify logon settings. Protected screen saver Limited user can access. Passport type Limited user cannot access. Security mode Limited user cannot modify security modes. Pro Servers Limited user can access - only relevant with server.
Table 30. Options for limited users in the convenient mode (continued) Settings Description Security mode Limited users cannot modify security modes. Pro Servers Limited users can access - only relevant with server. Configurable settings Some fingerprint software options can be configured through registry settings.
The fingerprint software will continue to validate the password at system logon. Note: When the above registry key is set to 1, if the domain administrator changes the user's password when the user's system is locked, the fingerprint software will have the old password stored until the user logs off and logs on again. Fingerprint Software and Novell Netware Client To prevent conflicts, Fingerprint Software and Novell Netware Client user names and passwords must match.
9. Reboot. Note: Your authentication ID and password for Windows and Novell must be identical. ThinkVantage Fingerprint Software service The upeksvr.exe service is added to the system after the ThinkVantage fingerprint software is installed. It starts at system startup and runs the whole time the user is logged on. The upeksvr.exe service is the core of the ThinkVantage fingerprint software and runs all the operations with the device and user's data.
Chapter 5. Working with Lenovo Fingerprint Software The fingerprint console must be run from the Lenovo Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies what set of operation will be used. The full command is “fprconsole user add TestUser”. When the command is not known or not all parameters are specified, the short command list is shown together with the parameters.
Table 31. Policy settings (continued) Setting Description Always show power-on security options If you enable this setting, users will be able to select using the Fingerprint Reader instead of power-on and hard disk drive passwords when the computer is turned on. In the Lenovo Fingerprint Software enrollment window, power-on fingerprint authentication can be enabled or disabled for each enrolled finger.
Chapter 6. Best Practices This chapter presents scenarios to illustrate the best practices of Client Security Solution and Fingerprint Software. This scenario starts with the configuration of the hard disk drive, continues through several updates, and follows the life cycle of a deployment. Installation on both Lenovo and non-Lenovo computers is described.
• Type the Client Security passphrase (for example, CSPP4Admin) for the administrator account, check the Use the Client Security passphrase to protect access to the Rescue and Recovery workspace box, and click Next. • Select three questions and answers for the administrator account and click Next. a. What was the name of your first pet? (Snowball, for example.) b. What is your favorite movie? (Gone With The Wind, for example.) c. What is your favorite athletic team? (Carolina Hurricanes, for example.
*****************************************************
** Ready to take sysprep backup.                   **
**                                                 **
** PLEASE RUN SYSPREP NOW AND SHUT DOWN.           **
**                                                 **
** Next time the machine boots, it will boot       **
** to the Predesktop Area and take a backup.       **
*****************************************************
7. Run your Sysprep implementation.
8. Shut down and reboot your machine. It will start the backup process in Windows PE. Note: The message: “Restore in progress but a backup is occurring” is displayed.
4. Install ThinkVantage Fingerprint tutorial by running the f001zpz7001us00.exe to extract the tutess.exe file from the Web package. This will automatically extract the setup.exe to the following location: C:\SWTOOLS\APPS\tutorial\TFS5.8.2 Buildxxxx\Tutorial\0409\tutess.exe 5. Install ThinkVantage Fingerprint console by running the f001zpz5001us00.exe to extract the fprconsole.exe file from the Web package. Running the f001zpz5001us00.exe will automatically extract the setup.
5. After rebooting the system, configure the system with the XML script file through the following procedure: • Copy the ThinkPad.xml.enc file prepared earlier to the C:\ directory. • Open a different command prompt and run "C:\Program Files\Lenovo\Client Security Solution\vmserver.exe" C:\ThinkPad.xml.enc XMLScriptPW 6. After a reboot, the system is now ready for Client Security Solution user enrollment. Each user can log into the system with their user ID and Windows password.
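Both xml_crypt_tool.exe and vmserver.exe, as invoked in this guide, take the deployment-script passphrase as a command-line argument, so it is recorded wherever process command lines are logged (for example Windows event 4688 with command-line auditing, or the output of a deployment batch job). The following is an added example, not from the Lenovo guide, that finds such invocations in a list of command lines and redacts the passphrase before the log is stored or shared. The sample lines are constructed from the commands shown in the guide, and the function names are hypothetical.

```powershell
# Added example, not from the Lenovo guide.
# Constructed sample input: command lines as a process-creation log would record them.
$SampleCommandLines = @(
    'xml_crypt_tool.exe "C:\DeployScript.xml" /encrypt "my secret"',
    '"C:\Program Files\Lenovo\Client Security Solution\vmserver.exe" C:\ThinkPad.xml.enc XMLScriptPW',
    'msiexec /i "C:\CSS82\Client Security Solution - Password Manager.msi" /qn REBOOT="R"',
    'xml_crypt_tool.exe /?'
)

function Split-CommandLine {
    param([string]$CommandLine)
    # A token is either a "quoted string" or a run of non-space characters.
    [regex]::Matches($CommandLine, '"[^"]*"|\S+') | ForEach-Object { $_.Value }
}

function Find-ExposedPassphrase {
    param([Parameter(Mandatory)][string]$CommandLine)

    $tokens = @(Split-CommandLine $CommandLine)
    if ($tokens.Count -eq 0) { return }

    $exe = [IO.Path]::GetFileName($tokens[0].Trim('"')).ToLowerInvariant()
    $secretIndex = -1

    switch ($exe) {
        'xml_crypt_tool.exe' {
            # Form shown in the guide: FILENAME /encrypt|/decrypt PASSPHRASE
            if ($tokens.Count -ge 4 -and $tokens[2] -match '^/(en|de)crypt$') {
                $secretIndex = 3
            }
        }
        'vmserver.exe' {
            # Form shown in the guide: vmserver.exe <script>.enc <password>
            if ($tokens.Count -ge 3 -and $tokens[1].Trim('"') -like '*.enc') {
                $secretIndex = 2
            }
        }
    }
    if ($secretIndex -lt 0) { return }    # nothing sensitive on this line

    # Copy the tokens so the caller's data is untouched, then mask the secret.
    $redacted = $tokens.Clone()
    $redacted[$secretIndex] = '<redacted>'

    [pscustomobject]@{
        Tool     = $exe
        Redacted = ($redacted -join ' ')
    }
}

foreach ($line in $SampleCommandLines) {
    $hit = Find-ExposedPassphrase -CommandLine $line
    if ($hit) {
        # Only the masked form is ever written out.
        '{0,-20} {1}' -f $hit.Tool, $hit.Redacted
    }
}
```

Only the first two sample lines are reported; the msiexec line and the help invocation carry no passphrase and pass through unflagged.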
2. Over install all three different versions of older software (Rescue and Recovery 1.0/2.0/3.0, Fingerprint, Client Security Solution 5.4–6, FFE). Settings should be kept when installing the new version over the old version. System Migration Assistant Migrate from T40 with Client Security Solution 7.0 to a T60 with Client Security Solution 8.21.
1. Open Certification Authority. 2. In the console tree, click Certificate Templates. 3. From the Action menu, click New ➙ Certificate to Issue. 4. Click TPM and click OK. Applying certificate from the Client To apply a certificate from the Client, complete the following procedure: 1. Connect to the Intranet, start Internet Explorer, and type in the IP address of the server where CA service is installed. 2. Input your domain user name and password in the prompt window. 3.
4. Use the ThinkVantage fingerprint software to enroll your fingerprints with the external fingerprint sensor. If it does not automatically start, click Start ➙ Programs ➙ ThinkVantage ➙ ThinkVantage Fingerprint Software to start the enrollment. 5. Enter your Windows password when prompted and then select a finger to enroll. 6. Follow the prompts on the computer screen to enroll your finger using the external fingerprint sensor. 7. Click Settings at the top of the window. 8.
11. Click Start ➙ Programs ➙ ThinkVantage ➙ ThinkVantage Fingerprint Software to start the enrollment. 12. Click Fingerprints ➙ Enroll or Edit Fingerprints, and then click Next to display the Windows password window. 13. Enter your Windows password when prompted and then select a finger to enroll. 14. Follow the on-screen prompts to enroll your finger using the external fingerprint sensor in the USB keyboard. 15. Complete the fingerprint enrollment wizard, and then click Finish to close the wizard. 16.
Client Security Solution and Password Manager Different from Windows logon, authentication requests from Client Security Solution and Password Manager only work on the preferred fingerprint sensor. For example, when a fingerprint keyboard is connected, its fingerprint sensor is the preferred device. When a fingerprint keyboard is not connected, the ThinkPad internal fingerprint sensor is the preferred device.
Note: If the setting Power-on Security is not available, create a registry entry as follows to display this setting: [HKEY_LOCAL_MACHINE\SOFTWARE\Protector Suite QL\1.0] REG_DWORD "BiosFeatures" = 2 3. Select the Require fingerprint for computer startup check box, and then click OK to close the window. 4. Click Fingerprints ➙ Enroll or Edit Fingerprints to display the window. 5. Swipe your finger, or enter your Windows password when prompted. 6.
Appendix A. Considerations when using OmniPass OmniPass from Softex© is a program that can be used to securely login to Web sites and applications, as well as protect data on a computer. OmniPass can take advantage of the computer's TPM by accessing it through interfaces provided by Client Security Solution. In order to leverage the TPM, Client Security Solution must be installed before OmniPass is installed.
Table 33. Omnipass feature overlap (continued) Function Feature overlap Considerations User authentication Both Client Security Solution and OmniPass may prompt for user authentication. If using both Client Security Solution and OmniPass, ensure that users understand the difference between the authentication prompts and provide the appropriate authentication information (including fingerprints) when prompted.
Appendix B. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models The fingerprint device used in some ThinkPad notebook models is different than the fingerprint device used in the Lenovo Fingerprint Keyboard. Special considerations might be required if the fingerprint keyboard is used on some ThinkPad notebook models. For more information, go to the fingerprint software download page on the Lenovo Web site for a list of these ThinkPad notebook models.
Windows XP - Welcome Screen To support logging on with either the Lenovo Fingerprint Keyboard or the built-in ThinkPad fingerprint sensor with the Windows XP Welcome Screen, the logon interfaces for both the Lenovo Fingerprint Software and the ThinkVantage Fingerprint Software must be enabled.
2. The Windows Vista logon screen may only show one “tile,” or button, for fingerprint logon, although either fingerprint sensor can be used to log on. Alternatively, to support logon with either the fingerprint keyboard or the integrated fingerprint device, the Client Security Solution logon interface can be used instead of the fingerprint software logon interfaces. However, this capability is only available in Client Security Solution 8.21 or later.
Appendix C. Synchronizing password in CSS after the Windows password is reset After the Windows password is reset, Client Security Solution continually prompts you for a new Windows password, but then displays an error message indicating that the password is incorrect. Windows security is designed this way so that your security credentials are invalidated when your Windows password is reset. Windows will prompt a warning message at each attempt to reset your password.
Appendix D. Notices Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult your local Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used.
Trademarks The following terms are trademarks of Lenovo in the United States, other countries, or both: Lenovo Rescue and Recovery ThinkCentre ThinkPad ThinkVantage Microsoft, Windows, and Windows Vista are trademarks of the Microsoft group of companies. Other company, product, or service names may be trademarks or service marks of others.
Glossary Administrator (ThinkCentre)/Supervisor (ThinkPad) BIOS Password The administrator or supervisor password is used to control the ability to change BIOS settings. This includes the capability to enable or disable the embedded security chip and to clear the Storage Root Key stored within the Trusted Platform Module. Advanced Encryption Standard (AES) Advanced Encryption Standard is a symmetric key encryption technique. The U.S.
Symmetric-key encryption Symmetric key encryption ciphers use the same key for encryption and decryption of data. Symmetric key ciphers are simpler and faster, but their main drawback is that the two parties must somehow exchange the key in a secure way. Public-key encryption avoids this problem because the public key can be distributed in a non-secure way, and the private key is never transmitted. Advanced Encryption Standard is an example of a symmetric-key cipher.