HP ProtectTools Security Manager Guide

1 HP ProtectTools Security Manager GuideHP Compaq Business Desktops Copyright 2006 Hewlett-PackardDevelopment Company, Theinformation contained herein is subject tochange without and Windows are trademarks ofMicrosoft Corporation in the and and SpeedStep are trademarks of IntelCorporation in the and other only warranties for HP products andservices are set forth in the express warrantystatements accompanying such productsand services. Nothing herein should beconstrued as constituting an additionalwarranty. HP shall not be liable for technicalor editorial errors or omissions document contains proprietaryinformation that is protected by copyright. Nopart of this document may be photocopied,reproduced, or translated to anotherlanguage without the prior written consent ofHewlett-Packard ProtectTools Security Manager GuideHP Compaq Business DesktopsFirst Edition (August 2006)Document Part Number: 431330-001 About This BookThis Guide provides instructions for configuring and using HP ProtectTools Security !

2 Text set off in this manner indicates that failure to follow directions could result inbodily harm or loss of set off in this manner indicates that failure to follow directions could result indamage to equipment or loss of set off in this manner provides important supplemental About This BookENWWT able of contents1 IntroductionHP ProtectTools Security Manager .. 1 Accessing the ProtectTools Security Manager .. 1 Understanding Security Roles .. 2 Managing ProtectTools Passwords .. 2 Multifactor Authentication Credential Manager Logon .. 5 Creating a Secure Password .. 5 Advanced Tasks .. 6 Managing ProtectTools Settings .. 6 Enabling and Disabling Java Card Power-On Authentication Support .. 6 Enabling and Disabling Power-On Authentication Support for EmbeddedSecurity.

3 6 Managing Computer Setup Passwords .. 7 Setting the Power-On Password (if available) .. 7 Changing the Power-On Password (if available) .. 7 System Setup .. 8 Changing Power-On Authentication Support .. 8 Changing User Accounts .. 8 Setting the Computer Setup Administrator Password .. 9 Changing the Computer Setup Administrator Password .. 9 Dictionary Attack Behavior with Power-On Authentication .. 10 Dictionary Attack Defense .. 102 HP BIOS Configuration for ProtectToolsBasic Concepts .. 11 Changing BIOS Settings .. 113 HP Embedded Security for ProtectToolsBasic Concepts .. 13 Setup Procedures .. 144 HP Credential Manager for ProtectToolsBasic Concepts .. 15 Launch Procedure .. 15 Logging On for the First Time .. 165 HP Java Card Security for ProtectToolsBasic Concepts.

4 17 ENWWv6 Third-Party Solutions7 HP Client Manager for Remote DeploymentBackground .. 21 Initialization .. 21 Maintenance .. 218 TroubleshootingCredential Manager for ProtectTools .. 23 Embedded Security for ProtectTools .. 27 Miscellaneous .. 33 Glossary .. 37 Index .. 41viENWW1 IntroductionHP ProtectTools Security ManagerProtectTools Security Manager software provides Security features that help protect againstunauthorized access to the computer, networks, and critical data. Enhanced Security functionality isprovided by the following modules: HP BIOS Configuration for ProtectTools HP Embedded Security for ProtectTools HP Credential Manager for ProtectTools HP Java Card Security for ProtectToolsThe modules available for the computer may vary, depending on the model.

5 ProtectTools modules maybe preinstalled, supplied on CD that shipped with the computer, or available for purchase from the HPWeb site. Visit for more to the ProtectTools Help screens for specific instructions for the use the Trusted Platform Module (TPM), platforms containing a TPM require both a TCG SoftwareStack (TSS) and embedded Security software. Some models provide the TSS; if the TSS is not provided,it can be purchased from HP. Additionally, TPM-enabling software must be purchased separately forsome models. Please see Third-Party Solutions for more the ProtectTools Security ManagerTo access the ProtectTools Security Manager from the Microsoft Windows Control Panel: Windows XP: Click Start > Control Panel > Security Center > ProtectTools SecurityManager.

6 Windows 2000: Click Start > All Programs > HP ProtectTools Security you have configured the Credential Manager module, you can also log in toCredential Manager directly from the Windows logon screen. For more information, refer to HPCredential Manager for ProtectTools Security Manager1 Understanding Security RolesIn managing computer Security (particularly for large organizations), one important practice is to divideresponsibilities and rights among various types of administrators and a small organization or for individual use, these roles may all be held by the ProtectTools , the Security duties and privileges can be divided into the following roles: Security officer Defines the Security level for the company or network and determines the securityfeatures to deploy, such as Java Cards, biometric readers, or USB of the features in ProtectTools can be customized by the Security officer incooperation with HP.

7 For more information, visit IT administrator Applies and manages the Security features defined by the Security officer. Canalso enable and disable some features. For example, if the Security officer has decided to deployJava Cards, the IT administrator can enable Java Card BIOS Security mode. User Uses the Security features. For example, if the Security officer and IT administrator haveenabled Java Cards for the system, the user can set the Java Card PIN and use the card are encouraged to perform best practices in restricting end-user privileges andrestrictive access to ProtectTools PasswordsMost of the ProtectTools Security Manager features are secured by passwords. The following table liststhe commonly used passwords, the software module where the password is set, and the passwords that are set and used by IT administrators only are indicated in this table as well.

8 Allother passwords may be set by regular users or 1-1 Password ManagementProtectTools PasswordSet in this ProtectTools ModuleFunctionComputer Setup administratorpasswordNOTEAlso known as BIOS administrator, F10 Setup, orSecurity Setup passwordBIOS Configuration, by IT administratorProtects access to the BIOS ComputerSetup utility and Security passwordBIOS ConfigurationHP ProtectTools Power-OnAuthentication Support is a TPM-basedsecurity tool designed to preventunauthorized access to the computer asit is powered on. Power-OnAuthentication Support uses the HPProtectTools Embedded Security BasicUser password. Once Power-OnAuthentication is enabled in ComputerSetup, the password is set when the first/2 Chapter 1 IntroductionENWW next Embedded Security Basic User Keyis initialized.

9 The Embedded SecurityTPM chip protects the password forPower-On Card administrator passwordNOTEAlso known as BIOS administrator card passwordJava Card Security , by IT administratorLinks the Java Card to the computer foridentification a computer administrator toenable or disable Computer Setuppasswords, generate a newadministrator card, and create recoveryfiles to restore user or Card PINJava Card SecurityProtects access to the Java Cardcontents and to computer access whenan optional Java Card and reader isused. Checks to see if Java Card userpassword is duplicate to pin; it is used toregister Java Card authenticationJava Card recovery file password (ifavailable)Java Card SecurityProtects access to the recovery file thatcontains the BIOS Card user password (if available)NOTEAlso known as BIOS user card passwordJava Card SecurityLinks the Java Card to the computer a user to create a recovery file torestore a user User passwordNOTEAlso known as:Embedded Security password,TPM Preboot passwordEmbedded SecurityUsed to access Embedded Securityfeatures, such as secure e-mail, file, andfolder encryption.

10 When enabled as theBIOS Power-On Authentication supportpassword, protects access to thecomputer contents when computer isturned on, restarted, or restored fromhibernation. Also used to authenticatethe Personal Secure Drive (PSD) and toregister TPM Recovery Token passwordNOTEAlso known as:Emergency Recovery TokenKeyEmbedded Security , by IT administratorProtects access to the EmergencyRecovery Token, which is a backup filefor the TPM embedded Security chipOwner passwordEmbedded Security , by IT administratorProtects the system and the TPM chipfrom unauthorized access to all ownerfunctions of Embedded Manager logon passwordCredential ManagerThis password offers 2 options: It can be used in place of theWindows logon process, allowingaccess to Windows and CredentialManager simultaneously.