Client Security Solution 8.
Note: Before using this information and the product it supports, read the general information in Appendix E “Notices” on page 75. Fourth Edition (December 2011) © Copyright Lenovo 2008, 2011. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.
Contents (excerpt)
Preface iii
Chapter 1. Overview 1
  Client Security Solution
  Client Security Solution passphrase
  Client Security password recovery
  Client Security Password Manager
  Security Advisor
  Certificate Transfer wizard
  Hardware password reset
  Support for systems without Trusted Platform Module
  Fingerprint Software
  Scenario 2
  Switching Client Security Solution modes
  Corporate Active Directory rollout
  Standalone Install for CD or script files
  System Update
  System Migration Assistant
  Generating a certificate using key generation in the TPM
    Requirements
    Requesting certificate from the Server
Preface
The information in this guide supports Lenovo® computers on which the ThinkVantage® Client Security Solution program and the Fingerprint Software program are installed. The goal of Client Security Solution and Fingerprint Software is to protect your systems by securing client data and deflecting attempted security breaches.
Chapter 1. Overview This chapter provides an overview of Client Security Solution and Fingerprint Software. The technologies presented in this deployment guide can directly and indirectly help IT professionals because they help make personal computers easier to use, more self-sufficient, and provide powerful tools that facilitate and simplify rollouts. With the help of ThinkVantage Technologies, IT professionals spend less time solving individual computer problems and more time on their core tasks.
Client Security Solution passphrase The Client Security Solution passphrase is an optional feature of user authentication that will provide enhanced security to Client Security Solution applications.
Entry-related changes can be detected automatically by Client Security Password Manager, so the user can update stored entries with even less work. • Save your information without any extra steps: Client Security Password Manager can automatically detect when sensitive information is being sent to a given web site or application. When it does, it prompts the user to save the information, which simplifies the process of storing it.
consistent and secure environment. The systems that have the embedded security chip are more robust against an attack; however, for the systems without the embedded security chip, Client Security Solution will leverage software based cryptographic keys as the root of trust for the system, and the system can also benefit from the additional security and functionality.
Chapter 2. Installation This chapter contains instructions for installing Client Security Solution, and Fingerprint Software. Before installing Client Security Solution or Fingerprint Software, you should understand the architecture of the application you are installing. This chapter provides the architecture of each application, as well as additional information you need before installing either program.
Table 1. Public properties
EMULATIONMODE: Forces the installation into Emulation mode even if a TPM exists. Set EMULATIONMODE=1 on the command line to install in Emulation mode.
HALTIFTPMDISABLED: If the TPM is in a disabled state and the installation is running in silent mode, the default is for the installation to proceed in Emulation mode. Set HALTIFTPMDISABLED=1 on a silent installation to halt the installation instead when the TPM is disabled.
Software emulation of the Trusted Platform Module Client Security Solution has the option to run without a Trusted Platform Module on qualified systems. The functionality will be the same except it will use software-based keys instead of using hardware-protected keys. The software can also be installed with a switch to force it to always use software-based keys instead of leveraging the Trusted Platform Module.
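A silent rollout that quietly lands in Emulation mode leaves the machine with a disk-resident root of trust without anyone noticing. The following PowerShell wrapper, added here as an example and not taken from Lenovo's installer or scripts, queries the TPM through the Win32_Tpm WMI class before calling msiexec and only uses the Table 1 properties EMULATIONMODE and HALTIFTPMDISABLED deliberately. The MSI path, the `$AllowEmulation` switch and the decision to abort are assumptions for illustration.

```powershell
# Added example (not Lenovo code): decide between TPM-backed and emulation
# install of Client Security Solution based on the actual TPM state.
$MsiPath        = 'C:\Deploy\CSS\ClientSecuritySolution.msi'   # assumed path
$AllowEmulation = $false   # set $true only where software-based keys are acceptable

# Win32_Tpm is absent when there is no TPM or the chip is disabled in BIOS.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue

$props = @()
if ($null -eq $tpm) {
    Write-Warning 'No TPM exposed to Windows (absent, or disabled in BIOS).'
    if (-not $AllowEmulation) {
        throw 'Refusing to install with software-based keys; set $AllowEmulation = $true to override.'
    }
    $props += 'EMULATIONMODE=1'
} else {
    # Each Is*() method returns an object carrying a boolean of the same name.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Host ("TPM enabled={0} activated={1} owned={2}" -f $enabled, $activated, $owned)

    if (-not ($enabled -and $activated)) {
        if ($AllowEmulation) {
            $props += 'EMULATIONMODE=1'
        } else {
            # Let the installer refuse instead of silently proceeding in Emulation mode.
            $props += 'HALTIFTPMDISABLED=1'
        }
    }
}

# REBOOT=ReallySuppress: the caller schedules the single reboot at the end of the rollout.
$msiArgs = "/i `"$MsiPath`" /qn REBOOT=ReallySuppress " + ($props -join ' ')
Write-Host "msiexec.exe $msiArgs"
$p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "msiexec returned exit code $($p.ExitCode)" }
```

Run it elevated; Win32_Tpm queries require administrator rights. An "owned" but not "activated" TPM is the common state after a BIOS reset, so the script checks enabled and activated rather than ownership before trusting the chip.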
The following parameters and descriptions are documented in the InstallShield developer help documentation. Parameters that do not apply to Basic MSI projects were removed. Table 2. Parameters Parameter Description /a : Administrative installation The /a switch causes setup.exe to perform an administrative installation.
Table 3. Command line parameters
/I package or product code: Use this format to install the product (the path below is InstallShield's Othello sample): msiexec /i "C:\WindowsFolder\Profiles\UserName\Personal\MySetups\Othello\Trial Version\Release\DiskImages\Disk1\Othello Beta.msi". Product code refers to the Globally Unique Identifier (GUID) that is automatically generated in the product code property of your product's project view.
Table 3. Command line parameters (continued)
You can separate multiple transforms with a semicolon. Do not use semicolons in the name of your transform, as the Windows Installer service will interpret them incorrectly.
Properties: All public properties can be set or modified from the command line. Public properties are distinguished from private properties by being written entirely in capital letters. For example, COMPANYNAME is a public property.
Table 4. Windows Installer properties (continued)
ARPSYSTEMCOMPONENT: Prevents display of the application in the Add or Remove Programs list.
ARPURLINFOABOUT: URL for the application's home page.
ARPURLUPDATEINFO: URL for application-update information.
REBOOT: Suppresses certain prompts for a reboot of the system. An administrator typically uses this property with a series of installations to install several products at the same time with only one reboot at the end.
Installing ThinkVantage Fingerprint Software The setup.exe file of the ThinkVantage Fingerprint Software program can be installed through the following methods: Silent installation To silently install ThinkVantage Fingerprint Software, run the setup.exe file located in the installation directory on your CD-ROM drive. Use the following syntax: Setup.exe PROPERTY=VALUE /q /i where q is for silent installation and i is for installation. For example: setup.
Table 7. Options supported by the ThinkVantage Fingerprint Software (continued)
PASSPORT: Sets the default passport type. 1 = Local passport, 2 = Server passport. The default value is 1.
POSSSO: 1 = Enable single sign-on, 0 = Disable single sign-on. The default value is 1.
PSLOGON: 0 = Disable the fingerprint logon, 1 = Enable the fingerprint logon. The default value is 0.
REBOOT: Suppresses all reboots, including prompts, during installation when set to ReallySuppress.
Table 7. Options supported by the ThinkVantage Fingerprint Software (continued)
LOCKOUT: 1 = Enable the anti-hammering protection, 0 = Disable the anti-hammering protection. The default value is 1.
LOCKOUTCOUNT: Maximum failed attempts before the lockout takes effect. The default value is 5; any value can be used.
LOCKOUTTIME: Lockout duration in milliseconds. The default value is 120 000; any value up to 360 000 can be used.
Silent installation
To silently install the Lenovo Fingerprint Software, run the setup32.exe file located in the installation directory on your CD-ROM drive. Use the following syntax:
setup32.exe /s /v"/qn REBOOT="R""
To uninstall the software, use the following syntax:
setup32.exe /x /s /v"/qn REBOOT="R""
Options
The following options are supported by the Lenovo Fingerprint Software.
Table 8. Options supported by the Lenovo Fingerprint Software (continued)
SWALLOWIMEXPORT: 0 = Disable the fingerprint import/export for non-administrator users, 1 = Enable the fingerprint import/export for non-administrator users. The default value is 1.
SWALLOWSELECT: 0 = Disable the selection of using a fingerprint to replace the power-on password for non-administrator users, 1 = Enable that selection for non-administrator users.
Systems Management Server Systems management server (SMS) installations are also supported. Open the SMS administrator console. Create a new package and set package properties in a standard way. Open the package and select New-Program in the Programs item. At the command line type: Setup.exe /m yourmiffilename /q /i You can use the same parameters as used for the silent installation. Setup normally reboots at the end of installation process.
Chapter 3. Working with Client Security Solution Before you install Client Security Solution, you should understand the customization available for Client Security Solution. This chapter provides customization information about Client Security Solution, as well as information regarding the Trusted Platform Module. The terms used in this chapter referencing the Trusted Platform Module are defined by the Trusted Computing Group (TCG).
enrolled as an active user. Every other user that logs into the system will be automatically requested to enroll into Client Security Solution. • Take Ownership A single Windows administrator user ID is assigned as the sole Client Security Solution Administrator for the system. Client Security Solution administrative functions must be performed through this user ID. The Trusted Platform Module authorization is either this user’s Windows password or Client Security passphrase.
The following diagram provides the structure for the System Level Key (diagram; its elements are listed here):
System Level Key Structure - Take Ownership
  Trusted Platform Module: key hierarchy of Storage Root Key (private/public), System Base key (private/public) and System Leaf key (private/public).
  TPM authorization: the CSS administrator Windows password or passphrase (PW/PP) passed through a one-way hash; if a passphrase is used, the hash is looped n times.
  The output of the hash algorithm derives the System Base AES Protection Key; the System Base Private Key (stored with the System Base Public Key) is encrypted under that derived AES key.
The following diagram provides the structure for the user level key (diagram; its elements are listed here):
User Level Key Structure - Enroll User
  Trusted Platform Module: Storage Root Key (private/public), User Base key (private/public) and User Leaf key (private/public).
  Authorization: the user's Windows password or passphrase (PW/PP) passed through a one-way hash; if a passphrase is used, the hash is looped n times.
  Additional keys protected for the user: a Windows PW AES Key and a PW Manager AES Key.
  The output of the hash algorithm derives the User Base AES Protection Key; the User Base Private Key (stored with the User Base Public Key) is encrypted under that derived AES key.
The TPM emulation mode cannot be used as a secure substitute for the TPM. The TPM provides the following two key protection methods that are more secure than the TPM emulation mode. • All keys used by the TPM are protected by a unique root-level key. The unique root-level key is created inside the TPM and cannot be seen or used outside of the TPM. In the TPM emulation mode, the root-level key is a software-based key stored on the hard disk drive.
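To make the key structures above concrete, the following PowerShell script, added here as an example and not Lenovo's code or the Client Security Solution implementation, models the software-only (emulation) version of the System Level Key: the administrator's password or passphrase goes through a one-way hash, looped for a passphrase, the hash output becomes the AES protection key, and the System Base private key is stored encrypted under it. The guide names no algorithms or parameters, so SHA-256, 10000 passphrase rounds, AES-256-CBC and a 2048-bit RSA System Base key pair are assumptions for illustration.

```powershell
# Added example (not Lenovo code): software-only model of the System Level Key.
# Assumed: SHA-256 hash, 10000 passphrase rounds, AES-256-CBC, 2048-bit RSA.

function Derive-ProtectionKey {
    param([string]$Secret, [bool]$IsPassphrase)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $buf = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    # "One-way hash; if passphrase, loop n times": a Windows password is hashed
    # once, a CSS passphrase is stretched by iterating the hash.
    $rounds = if ($IsPassphrase) { 10000 } else { 1 }
    for ($i = 0; $i -lt $rounds; $i++) { $buf = $sha.ComputeHash($buf) }
    return ,$buf   # 32 bytes: the System Base AES Protection Key (',' keeps the array whole)
}

function Protect-BasePrivateKey {
    param([byte[]]$AesKey, [byte[]]$PrivateKeyBlob)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $AesKey
    $aes.GenerateIV()                       # fresh random IV per wrap
    $enc = $aes.CreateEncryptor()
    $ct  = $enc.TransformFinalBlock($PrivateKeyBlob, 0, $PrivateKeyBlob.Length)
    return @{ IV = $aes.IV; CipherText = $ct }   # what would sit on disk
}

function Unprotect-BasePrivateKey {
    param([byte[]]$AesKey, $Wrapped)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $AesKey
    $aes.IV  = $Wrapped.IV
    $dec = $aes.CreateDecryptor()
    return ,($dec.TransformFinalBlock($Wrapped.CipherText, 0, $Wrapped.CipherText.Length))
}

# --- Take Ownership: generate the System Base key pair and wrap its private half.
$rsa         = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$basePrivate = $rsa.ExportCspBlob($true)    # private key material that must be protected
$basePublic  = $rsa.ExportCspBlob($false)   # public half, stored in the clear

# Passphrase value borrowed from the Chapter 6 walk-through.
$protKey = Derive-ProtectionKey -Secret 'CSPP4Admin' -IsPassphrase $true
$wrapped = Protect-BasePrivateKey -AesKey $protKey -PrivateKeyBlob $basePrivate

# --- Later: the admin authenticates, the key is re-derived and the private half unwrapped.
$again = Derive-ProtectionKey -Secret 'CSPP4Admin' -IsPassphrase $true
$plain = Unprotect-BasePrivateKey -AesKey $again -Wrapped $wrapped
$ok = [Convert]::ToBase64String($plain) -eq [Convert]::ToBase64String($basePrivate)
Write-Host "Unwrap with correct passphrase restores the base private key: $ok"

# --- Wrong passphrase: a different AES key. CBC unpadding almost always throws;
# in the rare case it does not, the recovered bytes still differ from the key.
$wrongKey = Derive-ProtectionKey -Secret 'CSPP4Admin-wrong' -IsPassphrase $true
try {
    $bad = Unprotect-BasePrivateKey -AesKey $wrongKey -Wrapped $wrapped
    $differs = [Convert]::ToBase64String($bad) -ne [Convert]::ToBase64String($basePrivate)
    Write-Host "Wrong passphrase: unpadding passed by chance, key material differs: $differs"
} catch {
    Write-Host "Wrong passphrase: $($_.Exception.Message)"
}
```

Everything in this script, including the root of trust, lives on disk and runs offline, which is exactly the weakness the preceding paragraph describes: an attacker with the drive can iterate candidate passphrases against the wrapped blob at full CPU speed, and the only limit is the passphrase's entropy and the loop count n. With a real TPM the System Base key is wrapped by the Storage Root Key inside the chip, so the same guess must be submitted to the TPM, which never exposes the SRK and enforces the lockout behaviour listed in Appendix D.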
The following diagram provides the structure for the motherboard swap - take ownership (diagram; its elements are listed here):
Motherboard Swap - Take Ownership
  Trusted Platform Module: Store Leaf key (private/public) and System Leaf key (private/public).
  The CSS administrator password or passphrase (PW/PP) is passed through a one-way hash (looped n times if a passphrase is used); the output derives the System Base AES Protection Key.
  The System Base Private Key (with the System Base Public Key) is decrypted under that derived AES key, which is what keeps the system key usable after the motherboard, and with it the TPM, has been replaced.
Figure 3.
EFS protection utility Client Security Solution provides a command line utility that enables TPM-based protection of encryption certificates used by the Encrypting File System (EFS) to encrypt files and folders. This utility supports transfer of third party certificates (certificates generated by a Certificate Authority) and also supports generation of self-signed certificates.
When run in silent mode, the output of the program is an error level corresponding to the error numbers shown above. Using the XML Schema The purpose of the XML scripting is to enable IT administrators to create custom scripts that deploy and configure Client Security Solution. The scripts can be AES-encrypted with the xml_crypt_tool executable under a password or passphrase. Once created, the scripts are passed as input to the virtual machine (vmserver.exe).
Sample script fragment (XML tags were lost in extraction): 0001 DISABLE_TPM_FUNCTION 1.0 password
Note: This command is not supported in the emulation mode.
ENABLE_PWMGR_FUNCTION This command enables the password manager for all Client Security Solution users.
Sample script fragment (XML tags were lost in extraction): 0001 ENABLE_PWMGR_FUNCTION 1.
2. This command is not supported in the emulation mode.
The following command enables the logon with fast user switching support and disables the Client Security Solution Windows logon. Fast user switching is not enabled when the computer is joined to a domain; this is by design from Microsoft.
ENABLE_NONE_GINA_FUNCTION If the GINA or Credential Provider (CP) of one of the related ThinkVantage Technologies components, such as ThinkVantage Fingerprint Software, Client Security Solution, or Access Connections, is enabled, this command disables both the ThinkVantage Fingerprint Software logon and the Client Security Solution logon.
Note: This command is not supported in the emulation mode.
INITIALIZE_SYSTEM_FUNCTION This command initializes the Client Security Solution system function. The system-wide keys are generated through this function call. The following parameters are explained below: • NEW_OWNER_AUTH_DATA_PARAMETER Sets the new owner password for the system. Changing it is authorized by the current owner password.
Note: This command is not supported in the emulation mode.
ENROLL_USER_FUNCTION This command enrolls a particular user to use Client Security Solution. It creates all of the user-specific security keys for that user. The parameters are: • USER_NAME_PARAMETER The user name of the user to enroll. • DOMAIN_NAME_PARAMETER The domain name of the user to enroll. • USER_AUTH_DATA_PARAMETER The Windows password or Client Security passphrase (the Trusted Platform Module authorization) used to create the user's security keys.
Sample deployment script values (XML tags were lost in extraction): IBM-2AA92582C79 Test1 Test2 Test3 3 20000,20001,20002 Pass1word
1. Go to the following Web site: http://www.rsasecurity.com/node.asp?id=1156 2. Complete the registration process. 3. Download and install the RSA SecurID Software. Requirements 1. Each Windows user must be enrolled with Client Security Solution for the RSA software to work properly after it has been associated with Client Security Solution. 2. The RSA software will get into an endless loop of trying to authenticate with a non-Client Security Solution enrolled Windows user.
Table 10. ThinkVantage\Client Security Solution\Authentication Policies\PKCS#11 Signature\Custom Mode
CSS.ADM modifiable field: Required
Description: Controls whether a password or passphrase is required.
• “Certificate Transfer tool” on page 37 • “Activating or deactivating the TPM” on page 38 Security Advisor To use the Security Advisor function, launch the Client Security Solution program, click the Advanced menu, and click Security Advisor button in the Client Security Solution workspace. The system will run the wst.exe file that is located in the C:\Program Files\Lenovo\Common Files\WST\ directory for a default installation. The parameters are: Table 11.
Table 11. Parameters (continued)
EmbeddedSecurityChip: Sets the expected value that the security chip should be enabled; otherwise the setting is flagged.
ClientSecuritySolution: Sets which version of Client Security Solution should be on this machine; otherwise the setting is flagged.
Client Security Solution setup wizard
The Client Security Solution setup wizard is used to generate deployment scripts as XML files.
Table 13. Parameters for encrypting or decrypting Client Security XML deployment files (continued)
/encrypt or /decrypt: Use /encrypt for XML files and /decrypt for ENC files.
PASSPHRASE: Optional parameter; required if a passphrase is used to protect the file.
Examples:
xml_crypt_tool.exe "C:\DeployScript.xml" /encrypt "my secret"
xml_crypt_tool.exe "C:\DeployScript.xml.enc" /decrypt "my secret"
Deployment file processing tool
The tool vmserver.
Table 16. css_cert_transfer_tool.exe parameters
First parameter (required; it must be the first switch): one of cert_store_user, cert_store_machine, all_access, usage.
cert_store_user: Transfers user certificates only. User certificates are assigned to the current user.
cert_store_machine: Transfers machine certificates only. Machine certificates may be used by all authorized users on a machine.
For desktop computers, do the following to activate the TPM: 1. Go to the Web site at http://support.lenovo.com/en_US/detail.page?LegacyDocID=MIGR-75407. 2. Click Visual Basic sample scripts to use when configuring BIOS settings to download the sample_script_m90.zip file. Then extract the zip file. 3. Type cscript.exe SetConfig.vbs SecurityChip Active in the Command Prompt window to execute the SetConfig.vbs file. 4. Restart your computer.
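The SetConfig.vbs sample in the steps above drives the Lenovo BIOS WMI interface. The following PowerShell script, added here as an example and not part of the Lenovo sample package, does the same SecurityChip change directly and, unlike the one-line script call, reads the current value first and checks the return code of both the set and the save. It assumes the setting is named SecurityChip with the value Active, as in the guide's own command, and that a supervisor password, where one is set, is passed in Lenovo's "password,ascii,us" form.

```powershell
# Added example (not Lenovo code): activate the TPM through the Lenovo BIOS WMI
# classes in root\wmi. Requires an elevated prompt.
$SupervisorPassword = ''   # assumed empty; fill in if a supervisor password is set

function Get-LenovoBiosSetting {
    param([string]$Name)
    # CurrentSetting looks like "SecurityChip,Active"; some models append
    # ";[Optional:Disabled,Inactive,Active]", which is dropped here.
    $s = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
         Where-Object { $_.CurrentSetting -like "$Name,*" }
    if ($null -eq $s) { throw "BIOS setting '$Name' is not exposed on this model" }
    return ((($s.CurrentSetting -split ';')[0]) -split ',')[1]
}

$before = Get-LenovoBiosSetting -Name 'SecurityChip'
Write-Host "SecurityChip is currently: $before"

if ($before -eq 'Active') {
    Write-Host 'Nothing to do.'
} else {
    $setter = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting
    $set = $setter.SetBiosSetting('SecurityChip,Active')
    if ($set.return -ne 'Success') { throw "SetBiosSetting failed: $($set.return)" }

    # Nothing is committed until SaveBiosSettings; the supervisor password is checked here.
    $saver   = Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings
    $saveArg = if ($SupervisorPassword) { "$SupervisorPassword,ascii,us" } else { '' }
    $save = $saver.SaveBiosSettings($saveArg)
    if ($save.return -ne 'Success') { throw "SaveBiosSettings failed: $($save.return)" }

    Write-Host 'SecurityChip set to Active. Reboot before Windows will see the TPM.'
}
```

A SaveBiosSettings failure with a message about the password is the expected outcome when a supervisor password is set and none was supplied; treat that as a deployment blocker rather than retrying, since repeated wrong supervisor passwords count against the BIOS, not just the script.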
• Disabled
• Activated
• Deactivated
• Owned
• Not owned
/setstate: sets the TPM state you want. Values: 0 = disabled and deactivated; 1 = enabled; 2 = activated; 4 = owned. Add the values (that is, bitwise OR them) to set several states at once. For example:
css_manage_vista_tpm.exe /verbose /setstate:0 sets the TPM to disabled and deactivated.
css_manage_vista_tpm.exe /verbose /setstate:1 sets the TPM to enabled.
The following examples are settings that Active Directory can manage for Client Security Solution: • Security policies. • Custom security policies; such as whether to use a Windows password or Client Security Solution passphrase. Administrative (ADM) template files The ADM (Administrative) template file defines policy settings used by applications on the client computers. Policies are specific settings that govern the application behavior.
HKLM\Software\Lenovo\Client Security Solution\
User preferences: HKCU\Software\Lenovo\Client Security Solution\
Default user preferences: HKLM\Software\Lenovo\Client Security Solution\User defaults
Group Policy settings
The tables in this section provide policy settings for the Computer Configuration and the User Configuration for Client Security Solution.
Max retries
The following table provides policy settings for Authentication policies, Max retries.
Table 18.
Table 20. Computer Configuration ➙ Administrative templates ➙ ThinkVantage ➙ Client Security Solution ➙ Authentication policies ➙ Default mode (continued)
Fingerprint: Controls whether a fingerprint is required. Frequency can be set to Every time or Once per logon.
Override: Set to override the password, passphrase, or fingerprint. Defines the "fallback" authentication requirements if normal authentication fails.
Table 22. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ Password manager (continued)
Disable Auto-fill: Controls whether Password Manager will auto-fill data into Web sites and Windows applications.
Disable Hotkey support: Controls whether Password Manager will support hotkeys for filling data into Web sites and Windows applications.
Use Domain filtering: Controls whether Password Manager will filter Web sites based on domains.
Table 23. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ User interface (continued)
Enable/disable Windows password recovery option: Show, gray, or hide the option to enable or disable Windows password recovery in the Client Security Solution application. Default: Show.
Enable/disable Password Manager option: Show, gray, or hide the option to enable or disable Password Manager in the Client Security Solution application.
Table 24. Computer Configuration ➙ ThinkVantage ➙ Client Security Solution ➙ Workstation security tool (continued)
Client Security Embedded Security Chip: Select the recommended value (enable or disable) or set to Ignore this setting.
Client Security Client Security Solution Version: Set the minimum recommended version of Client Security Solution, or set it to Ignore.
Chapter 4. Working with ThinkVantage Fingerprint Software The fingerprint console must be run from the ThinkVantage Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies which mode of operation will be used. The full command is then “fprconsole user add TestUser”. When the command is not known or not all parameters are specified, the short command list is shown together with the parameters.
Table 25. User-specific commands (continued)
Enumerate enrolled users. Syntax: LIST. Lists the enrolled users.
Export enrolled user to a file. Syntax: EXPORT username [| domain\username] file. Exports an enrolled user to a file on the hard disk drive. The user can then be imported with the IMPORT command on another computer, or on the same computer if the user has been deleted.
Secure mode and convenient mode Fingerprint Software can be run in two security modes, a secure mode and a convenient mode. The secure mode is intended for situations when you want to achieve higher security. Special functions are reserved for administrators only. Only administrators can log on using password without additional authentication. The convenient mode is intended for home computers where a high security level is not so important.
Table 28. Options for limited users in the secure mode (continued)
Delete Passport: Limited users can delete only their own passport.
Power-on Security: Limited users cannot access.
Logon settings: Limited users cannot modify logon settings.
Protected screen saver: Limited users can access.
Passport type: Limited users cannot access.
Security mode: Limited users cannot modify security modes.
Pro Servers: Limited users can access; only relevant with a server.
Table 30. Options for limited users in the convenient mode (continued)
Security mode: Limited users cannot modify security modes.
Pro Servers: Limited users can access; only relevant with a server.
Configurable settings
Some fingerprint software options can be configured through registry settings.
The fingerprint software will continue to validate the password at system logon. Note: When the above registry key is set to 1 and the domain administrator changes the user's password while the user's system is locked, the fingerprint software keeps the old password stored until the user logs off and logs on again. Fingerprint Software and Novell Netware Client To prevent conflicts, Fingerprint Software and Novell Netware Client user names and passwords must match.
8. Log onto Windows. 9. Reboot. Note: Your authentication ID and password for Windows and Novell must be identical. ThinkVantage Fingerprint Software service The upeksvr.exe service is added to the system after the ThinkVantage Fingerprint Software is installed. It starts at system startup and keeps running for as long as the user is logged on. The upeksvr.exe service is the core of the ThinkVantage Fingerprint Software and performs all operations involving the device and the user's data.
Chapter 5. Working with Lenovo Fingerprint Software The fingerprint console must be run from the Lenovo Fingerprint Software installation folder. The basic syntax is FPRCONSOLE [USER | SETTINGS]. The USER or SETTINGS command specifies which set of operations will be used. A full command is, for example, "fprconsole user add TestUser". When the command is not known or not all parameters are specified, the short command list is shown together with the parameters.
Table 31. Policy settings (continued) Setting Description administrators will only be able to log in using fingerprints. Allow user to retrieve password through fingerprint authentication If you enable this setting, users are able to view the Windows password for their account in the Lenovo Fingerprint Software after fingerprint authentication.
Chapter 6. Best Practices This chapter presents scenarios to illustrate the best practices of Client Security Solution and Fingerprint Software. This scenario starts with the configuration of the hard disk drive, continues through several updates, and follows the life cycle of a deployment. Installation on both Lenovo and non-Lenovo computers is described.
3) Type the Client Security passphrase (for example, CSPP4Admin) for the administrator account, select the Use the Client Security passphrase to protect access to the Rescue and Recovery workspace option, and click Next.
*****************************************************
** Ready to take sysprep backup.                   **
** PLEASE RUN SYSPREP NOW AND SHUT DOWN.           **
** Next time the machine boots, it will boot       **
** to the Predesktop Area and take a backup.       **
*****************************************************
7. Run your Sysprep implementation.
8. Shut down and restart the computer. It will start the backup process in Windows PE.
b. Double-click the extracted setup.exe file and follow the instructions on the screen to install the ThinkVantage Fingerprint Software. 4. Install the ThinkVantage Fingerprint Software tutorial by doing the following: a. Run the f001zpz7001us00.exe file to extract the tutess.exe file from the Web package. The tutess.exe file will be automatically extracted to the following location: C:\SWTOOLS\APPS\tutorial\TFS5.9.2 Buildxxxx\Tutorial\0409 (where xxxx is the build ID). b. Double-click the tutess.
3. Install the ThinkVantage Fingerprint console on the deployment machine by doing the following: a. Deploy the fprconsole.exe file that was extracted on the preparation machine to the deployment machine, using your company's software distribution tool. b. Place the fprconsole.exe file in the C:\Program Files\ThinkVantage Fingerprint Software directory. c. Turn off BIOS power-on security support by running the following command: fprconsole.exe settings TBX 0 4.
c. Through Active Directory, enable Antidote Delivery Manager. Place packages to be run and make sure reporting is captured. Standalone Install for CD or script files For a standalone install for CD or script file, complete the following steps: 1. Use one batch file to silently install Client Security Solution, and Fingerprint technology. 2. Configure BIOS password recovery silently. System Update For System Update, complete the following steps: 1.
3. From the File menu, click Add/Remove Snap-in, and then click Add. The Add Standalone snap-in window displays. 4. Double-click Certification Authority in the snap-in list, and click Close. 5. Click OK in the Add/Remove Snap-in window. 6. Click Certificate Templates from the console tree. All of the certificate templates are displayed in the left pane. 7. Click Action ➙ Duplicate Template. 8. In the Display Name field, type TPM User. 9. Click the Request Handling tab, and click CSPs.
This section describes the common usage scenarios and deployment strategies for fingerprint software that is installed on the latest ThinkPad notebook computer models. Note: • Lenovo Fingerprint Software The Lenovo Fingerprint Software is the software for the AuthenTec fingerprint sensor (for example, the internal fingerprint sensor in T400).
Table 32. Registry keys
PreferInternalFPSensor = 0 (default): The external fingerprint sensor is preferred whenever the fingerprint keyboard is connected.
PreferInternalFPSensor = 1: The internal fingerprint sensor is preferred.
Preboot Authentication – using fingerprint instead of BIOS passwords
Different from Windows logon, authentication requests for BIOS passwords only work on the fingerprint sensor when BIOS is configured to use.
Appendix A. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models The fingerprint device used in some ThinkPad notebook models is different than the fingerprint device used in the Lenovo Fingerprint Keyboard. Special considerations might be required if the fingerprint keyboard is used on some ThinkPad notebook models. For more information, go to the fingerprint software download page on the Lenovo Web site for a list of these ThinkPad notebook models.
• Using the Fingerprint Software logon interface The logon interfaces of both Lenovo Fingerprint Software and ThinkVantage Fingerprint Software must be enabled. When both fingerprint logon interfaces are enabled in the Windows 7 operating system, users can swipe their finger on either the fingerprint keyboard or the integrated fingerprint device to log in.
Appendix B. Synchronizing the password in Client Security Solution after the Windows password is reset After the Windows password is reset, Client Security Solution keeps prompting you for the new Windows password and then displays an error message saying that the password is incorrect. Windows security is designed this way: your security credentials are invalidated when your Windows password is reset, which is why Windows displays a warning at each attempt to reset the password.
Appendix C. Using Client Security Solution on a reinstalled Windows operating system If your Windows operating system installed with Client Security Solution has been reinstalled, to use Client Security Solution on the newly installed Windows operating system, you need to clear the installation data of Client Security Solution and reinstall Client Security Solution. The best practice is: 1. Uninstall Client Security Solution from the current Windows operating system. 2. Restart the computer. 3.
Appendix D. Using the TPM on ThinkPad notebook computers The main use case for the TPM is the BitLocker feature that is included with certain versions of the Microsoft Windows Vista and Windows 7 operating systems. This appendix provides answers to the following frequently asked questions when deploying BitLocker in Windows environments.
• Atmel: ThinkPad T60/R60/X60/X300, ThinkCentre M57
• Intel: ThinkPad T500/R500/X200/X301
• ST Micro: ThinkPad T410/T510/X201/T420/T520/X220, ThinkCentre M90
• Winbond: ThinkCentre M58
These TPMs have different characteristics when they enter lockout mode, as described below:
Atmel TPM:
• No lockout during the first 15 bad password attempts
• The 16th bad password attempt results in a lockout period of 1.1 minutes
• Then, no lockout during the next 15 bad password attempts
• The next lockout period is 2.
Appendix E. Notices Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult your local Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used.
Trademarks The following terms are trademarks of Lenovo in the United States, other countries, or both: Lenovo ThinkCentre ThinkPad ThinkVantage Microsoft, Internet Explorer, Windows Server, and Windows are trademarks of the Microsoft group of companies. Other company, product, or service names may be trademarks or service marks of others.
Glossary Administrator (ThinkCentre)/Supervisor (ThinkPad) BIOS Password The administrator or supervisor password is used to control the ability to change BIOS settings. This includes the capability to enable or disable the embedded security chip and to clear the Storage Root Key stored within the Trusted Platform Module. Advanced Encryption Standard (AES) Advanced Encryption Standard is a symmetric key encryption technique. The U.S.
Symmetric-key encryption Symmetric-key ciphers use the same key for encryption and decryption of data. Symmetric-key ciphers are simpler and faster, but their main drawback is that the two parties must somehow exchange the key securely. Public-key encryption avoids this problem because the public key can be distributed over an insecure channel and the private key is never transmitted. Advanced Encryption Standard is an example of a symmetric-key cipher.