HP ProtectTools Security Software, Version 6.
© Copyright 2009, 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Microsoft, Windows and Windows Vista are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
About This Book
This guide provides basic information for upgrading this computer model.
WARNING! Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life.
CAUTION: Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information.
NOTE: Text set off in this manner provides important supplemental information.
Table of contents
1 Introduction to security
HP ProtectTools features
HP ProtectTools security products description and common use examples
Credential Manager (Password Manager) for HP ProtectTools
Specifying device settings
Configuring Applications Settings
Encrypting Drives
Managing Device Access
Logging in after Drive Encryption is activated
Advanced tasks
Managing Drive Encryption (administrator task)
Activating a TPM-protected password
Setting a shred schedule
Selecting or creating a shred profile
Selecting a predefined shred profile
Customizing an advanced security shred profile
Creating an extendable JITA for a user or group
Disabling a JITA for a user or group
Advanced Settings
10 Computrace for HP ProtectTools
1 Introduction to security
HP ProtectTools security software provides security features that help protect against unauthorized access to the computer, networks, and critical data. Enhanced security functionality is provided by several HP ProtectTools software modules. HP ProtectTools provides two versions that can be utilized: HP ProtectTools Security Manager Administrative Console and HP ProtectTools Security Manager (for general users).
HP ProtectTools features
The following table details the key features of HP ProtectTools modules:
Module: HP ProtectTools Security Manager Administrative Console
Key features:
● The Security Manager setup wizard is used by administrators to set up and configure levels of security and security logon methods.
● Configure options hidden from basic users.
● Activate Drive Encryption and configure user access.
● Configure Device Access Manager configurations and user access.
Module: Smart Card Security (part of Security Manager)
Key features:
● Provides a management software interface for Smart Card. HP ProtectTools Smart Card is a personal security device that protects authentication data requiring both the card and a PIN number to grant access. The Smart Card can be used to access Password Manager, Drive Encryption, or any number of third party access points.
● Change PIN number.
Example 1: A Purchasing Agent for a large manufacturer makes most of her corporate transactions over the Internet. She also frequently visits several popular web sites that require login information. She is keenly aware of security so does not use the same password on every account. The Purchasing Agent has decided to use Credential Manager to match web links with different user names and passwords. When she goes to a web site to log in, Credential Manager presents the credentials automatically.
Both Embedded Security and Drive Encryption for HP ProtectTools will not allow access to the encrypted data even when the drive is removed because they are both bound to the original motherboard.
Example 2: A Hospital Administrator wants to ensure only doctors and authorized personnel can access any data on their local computer without sharing their personal passwords. The IT department adds the Administrator, doctors, and all authorized personnel as Drive Encryption users.
Example 1: A Stock Broker wants to make sure his e-mails only go to specific clients and ensure no one can fake the e-mail account and intercept it. The Stock Broker signs himself and his clients up with Privacy Manager. Privacy Manager issues a Certificate of Authentication (CA) to each user. Using this tool, the Stock Broker and his clients must authenticate before the e-mail is exchanged.
● Creating strong password policies
● Addressing regulatory security mandates

Protecting against targeted theft
An example of this type of incident would be the targeted theft of a computer or its confidential data and customer information. This can easily occur in open office environments or in unsecured areas. The following features help protect the data if the computer is stolen:
● The pre-boot authentication feature, if enabled, helps prevent access to the operating system.
Preventing unauthorized access from internal or external locations
Unauthorized access to an unsecured business PC presents a very tangible risk to critical data such as information from financial services, an executive, or R&D team, and to private information such as patient records or personal financial records. The following features help prevent unauthorized access:
● The pre-boot authentication feature, if enabled, helps prevent access to the operating system.
Additional security elements

Assigning security roles
In managing computer security, one important practice is to divide responsibilities and rights among various types of administrators and users.
NOTE: In a small organization or for individual use, these roles may all be held by the same person.
HP ProtectTools password: Smart Card PIN
Set in this HP ProtectTools module: Smart Card Security
Function: Can be used as a multifactor authentication option. Can be used as a Windows authentication. Authenticates users of Drive Encryption, if the Smart Card token is selected.

HP ProtectTools password: Computer Setup password
Set in this HP ProtectTools module: BIOS, by IT administrator
Function: Protects access to the Computer Setup utility.
Backing up credentials and settings
You can back up credentials in the following ways:
● Use Drive Encryption for HP ProtectTools to select and back up HP ProtectTools credentials. You can also register for Online Drive Encryption Key Recovery Service to store a backup copy of your encryption key, which will enable you to access your computer if you forget your password and do not have access to your local backup.
● Use Embedded Security for HP ProtectTools to back up HP ProtectTools credentials.
2 HP ProtectTools Security Manager Administrative Console

About HP ProtectTools Administrative Console
Administration of HP ProtectTools Security Manager is provided through the Administrative Console.
● Management Tools - Opens your default browser to a web page where you can discover additional management applications and tools that extend the features of Security Manager as well as a means to stay notified when new applications and updates are available.
● Links - Provides the following:
  ◦ Setup Wizard - Launches the Setup Wizard, which guides you through the initial configuration of Security Manager.
Enabling security features
The security features enabled here apply to all users of this computer.
1. In the left pane of the Administrative Console, expand Security, and click on Features.
2. To enable a security feature, click the corresponding check box next to Windows Logon Security and/or Protect data (activates Drive Encryption).
● Windows Logon Security - protects your Windows account(s) by requiring the use of specific credentials for access.
4. In the Policy section drop-down list, choose whether ANY (only one) of the specified credentials are required, or if ALL of the specified credentials are required in order to authenticate a user.
5. Click the Apply button.

Defining Settings
You can specify which advanced security settings to allow. To edit the settings:
1. In the left pane of the Administrative Console, expand Security and click on Settings.
2. Click the appropriate check box to enable or disable a specific setting.
3.
Removing a user
NOTE: This procedure does not delete the Windows user account. It only removes that account from Security Manager. To completely remove the user, you must remove the user from both Security Manager and Windows.
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
2. In the Administrative Console left pane, click User.
3. Click the user name for the account you want to remove, and then click Delete.
4.
Encrypting Drives
Drive Encryption for HP ProtectTools allows you to encrypt computer hard drives, making the hard drive unreadable and inaccessible to any unauthorized person who might try to access it even if the drive has been removed from the computer or sent to a data recovery service. To enable or disable Drive Encryption, click on the Setup Wizard in the Administrative Console.
3 HP ProtectTools Security Manager
HP ProtectTools Security Manager allows you to significantly increase the security of your computer.
NOTE: If the HP Password Manager level of security has not been configured, users must still enter their Windows password at the Windows login screen, regardless of the security login methods that are required by other levels of security.

Managing passwords
Password Manager for HP ProtectTools creates and manages logons, which allow you to launch and log on to websites and programs by authenticating with your enrolled credentials.
Initializing the Smart Card
HP ProtectTools Security Manager can support a number of different Smart Cards. The number and type of characters used as PIN numbers may vary. The manufacturer of the Smart Card should provide tools to install a security certificate and management PIN that ProtectTools will use in its security algorithm.
NOTE: The manufacturer's Smart Card software will often provide an unlock key. Most Smart Cards will lock themselves when the PIN is entered incorrectly 5 times.
Shredding or bleaching files
File Sanitizer for HP ProtectTools deletes files by overwriting them with meaningless data. This process, referred to as “shredding,” greatly enhances information security by making the deleted files very difficult to recover. File Sanitizer further enhances information security by overwriting previously used space on the hard drive using a process referred to as “bleaching.
Adding applications
Additional applications may be available to add new features to this program.
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Security Manager.
2. In the Security Manager left pane, select the Administration drop-down menu and click Discover More.
NOTE: If there is no Discover More link, it has been disabled by the administrator of your computer.
3. On the Add Applications tab, browse for additional applications.
4.
5. Enter your password to verify your identity, then click the arrow button.
6. Enter a path and name for the storage file. By default, the file will be saved to your Documents folder. Click Browse to specify a different location. Click Next.
7. Enter and confirm a password to protect the file.
8. Click Finish.

Restoring your data
You restore your data from a password-protected, encrypted file that was previously created through Security Manager's Backup and Restore feature.
Changing your Windows user name and picture
Your Windows user name and a picture are displayed in the upper left corner of Security Manager. To change your user name and/or picture:
1. Click on the upper left section of Security Manager with your user name and picture.
2. To change your user name, type a name in the Windows user name box.
3. To change your picture, click the Choose Picture button and browse to select a picture.
4. Click the Save button to save your changes.
4 Password Manager for HP ProtectTools
Logging on to Windows, websites and programs is easier and more secure when you use Password Manager. Password Manager allows you to set up the logon screens of websites and programs for quick and secure access. First, Password Manager learns about your logons and the specific data that you type in the input boxes of each logon screen. Then, once you are at a logon screen, after verifying your identity, Password Manager fills in and submits the data automatically.
● Open Password Manager - Launches the Security Manager dashboard on the Password Manager page.
● Help - Displays online help for the Password Manager application.
NOTE: The administrator of the computer may have set up Security Manager to require more than one credential when verifying your identity.

Adding logons
Adding a logon for a website or program is quick and simple.
4. Edit your logon information.
● Click the arrows to the right of a logon field to populate it with one of several preformatted choices.
● Optionally, click Choose other fields to add additional fields from the screen to your logon.
● Deselect Submit account data if you want the logon fields filled in but do not want them submitted.
● If you want to view the password for this logon, click Show password. The Windows password is required to see the password.
5. Click OK.
Managing your logons
Password Manager makes managing your logon information - user names, passwords and multiple logon accounts - painless and intuitive, from one central location. Your logons are listed on the Manage tab. Whenever multiple logons have been created for the same website, each logon is then listed under the website name and indented in the logon list.
To manage your logons: In the Security Manager left pane, select Password Manager and click the Manage tab. Open the web site you want to edit.
5 Drive Encryption for HP ProtectTools
NOTE: Drive Encryption for HP ProtectTools is available on some models only.
In today’s world, a computer belonging to you or anyone on your staff could be stolen, and critical information about your company could be seriously compromised. Encrypting everything on your computer hard drive makes it unreadable and inaccessible to any unauthorized person who might try to access it even if the drive has been removed from the computer or sent to a data recovery service.
Setup procedures

Opening Drive Encryption
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
2. Click Drive Encryption.

General tasks

Activating Drive Encryption
Use the HP ProtectTools Administrative Console Setup Wizard to activate Drive Encryption.

Deactivating Drive Encryption
Use the HP ProtectTools Administrative Console Setup Wizard to deactivate Drive Encryption.
Encrypting or decrypting individual drives
1. In the Administrative Console left pane, expand Drive Encryption, and click Encryption Management.
2. Click the Change Encryption button.
3. In the Change Encryption dialog box, select or clear the check box next to each hard drive you want to encrypt or decrypt, and then click OK.
NOTE: When the drive is being encrypted or decrypted, the progress bar shows the time remaining to complete the process during the current session.
6 Privacy Manager for HP ProtectTools
Privacy Manager is a tool used to obtain Certificates of Authority, which verify the source, integrity, and security of communication when using Microsoft mail, Microsoft Office documents, and Instant Messenger. Privacy Manager leverages the security infrastructure provided by HP ProtectTools Security Manager, which includes the following security logon methods:
● Windows password
● Smart card
You may use any of the above security logon methods in Privacy Manager.
set up as an account within Microsoft Outlook on the same computer from which you are requesting the Privacy Manager Certificate.

Requesting a Privacy Manager Certificate
1. In the Security Manager left pane, expand Privacy Manager, and click Certificates.
2. Click the Request a Privacy Manager certificate button.
3. On the “Welcome” page, read the text, and then click Next.
4. On the “License Agreement” page, read the license agreement.
5.
Renewing a Privacy Manager Certificate
When your Privacy Manager Certificate nears expiration, you will be notified that you need to renew it:
1. In the Security Manager left pane, expand Privacy Manager and click Certificate Manager.
2. Click a Privacy Manager Certificate.
3. Click Renew certificate.
4. Follow the on-screen instructions to purchase a new Privacy Manager Certificate.
NOTE: The Privacy Manager Certificate renewal process does not replace your old Privacy Manager Certificate.
3. On the “Migration File” page, click Browse to search for the .dppsm file that you created when you installed or exported the Privacy Manager Certificate, and then click Next.
4. On the “Migration File Import” page, click Finish.
5. Click Close, and then click Apply.
NOTE: Refer to Installing a Privacy Manager Certificate or Exporting Privacy Manager Certificates and Trusted Contacts for more information.
Adding a Trusted Contact
1. In the Security Manager left pane, expand Privacy Manager and click Trusted Contacts, and then click the Invite Contacts button.
– or –
In Microsoft Outlook, click the down arrow next to Send Securely on the toolbar, and then click Invite Contacts.
2. If the Select Certificate dialog box opens, click the Privacy Manager Certificate you want to use, and then click OK.
3. When the Trusted Contact Invitation dialog box opens, read the text, and then click OK.
NOTE: When the e-mail is received by the Trusted Contact recipient, the recipient must open the e-mail and click Accept in the lower-right corner of the e-mail, and then click OK when the confirmation dialog box opens.
7. When you receive an e-mail response from a recipient accepting the invitation to become a Trusted Contact, click Accept in the lower-right corner of the e-mail. A dialog box opens, confirming that the recipient has been successfully added to your Trusted Contacts list.
8. Click OK.
Configuring Privacy Manager in a Microsoft Office document
1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, highlight File Sanitizer, and then click Shred Now.
2. When the confirmation dialog box opens, click Yes.
– or –
1. In the Security Manager left pane, expand Privacy Manager and click Settings, and then click the Documents tab.
To add a suggested signer to a Microsoft Word or Microsoft Excel document:
1. In Microsoft Word or Microsoft Excel, create and save a document.
2. Click the Insert menu.
3. In the Text group on the toolbar, click the arrow next to Signature Line, and then click Privacy Manager Signature Provider. The Signature Setup dialog box opens.
4. In the box under Suggested signer, enter the name of the suggested signer.
5.
5. Click OK.
6. Authenticate using your chosen security logon method.
If you later decide to edit the document, follow the steps in Signing a Microsoft Office Document. When the encryption is removed, you can edit the document. Follow the steps in this section to encrypt the document again.
Using Privacy Manager in Microsoft Outlook
When Privacy Manager is installed, a Privacy button is displayed on the Microsoft Outlook toolbar, and a Send Securely button is displayed on the toolbar of each Microsoft Outlook e-mail message.
NOTE: If you are using Microsoft Office 2007, you must have all the Microsoft updates applied; otherwise, some signed e-mails will go into the Junk E-mail folder.

Configuring Privacy Manager for Microsoft Outlook
1.
Advanced tasks

Migrating Privacy Manager Certificates and Trusted Contacts to a different computer
You can securely migrate your Privacy Manager Certificates and Trusted Contacts to a different computer. To do this, export them as a password-protected file to a network location or any removable storage device, and then import the file to the new computer.
7 File Sanitizer for HP ProtectTools
File Sanitizer is a tool that allows you to securely erase critical files and folders (personal information or files, historical or Web-related data, or other data components) on your computer and periodically bleach your hard drive.
NOTE: File Sanitizer currently operates only on the hard drive.

About shredding
Deleting an asset in Windows does not completely remove the contents of the asset from your hard drive. Windows only deletes the reference to the asset.
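The difference between a simple delete, a shred and free space bleaching can be shown on a toy in-memory volume. This is an added illustration, not HP code and not a description of how File Sanitizer is implemented; the `ToyVolume` class, the block size, the file names and the marker string are all constructed for the example.

```python
import secrets

BLOCK_SIZE = 16  # bytes per block in this toy volume (constructed value)


class ToyVolume:
    """In-memory stand-in for a hard drive: raw blocks plus a file table."""

    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.table = {}  # file name -> list of block indexes (the "reference")

    def free_blocks(self):
        used = {i for idxs in self.table.values() for i in idxs}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("volume full")
        idxs = free[:len(chunks)]
        for idx, chunk in zip(idxs, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.table[name] = idxs

    def simple_delete(self, name):
        # An ordinary delete: only the reference goes, the data blocks stay.
        del self.table[name]

    def shred(self, name):
        # Overwrite the asset's own blocks with meaningless data, then drop
        # the reference.
        for idx in self.table[name]:
            self.blocks[idx] = secrets.token_bytes(BLOCK_SIZE)
        del self.table[name]

    def bleach_free_space(self):
        # Overwrite every block that no file currently references.
        free = self.free_blocks()
        for idx in free:
            self.blocks[idx] = secrets.token_bytes(BLOCK_SIZE)
        return len(free)

    def raw_contains(self, marker):
        # What someone reading the raw drive sees, ignoring the file table.
        return marker in b"".join(self.blocks)


def demo():
    marker = b"CONSTRUCTED-SECRET-0001"  # constructed sample content

    # Path 1: simple delete, then free space bleaching.
    vol = ToyVolume(8)
    vol.write_file("report.txt", marker)
    vol.write_file("notes.txt", b"keep me")
    vol.simple_delete("report.txt")
    after_delete = vol.raw_contains(marker)
    bleached = vol.bleach_free_space()
    after_bleach = vol.raw_contains(marker)
    live_file_intact = vol.raw_contains(b"keep me")

    # Path 2: shred. The data is gone at once; bleaching adds nothing for it.
    vol2 = ToyVolume(8)
    vol2.write_file("report.txt", marker)
    vol2.shred("report.txt")
    after_shred = vol2.raw_contains(marker)

    return {
        "after_delete": after_delete,
        "bleached_blocks": bleached,
        "after_bleach": after_bleach,
        "live_file_intact": live_file_intact,
        "after_shred": after_shred,
    }


if __name__ == "__main__":
    print(demo())
```

On real hardware the overwrite may not reach the original physical location, for example on SSDs with wear leveling or on journaling and copy-on-write file systems, which the toy model does not represent.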
Setting a free space bleaching schedule
NOTE: Free space bleaching is for those assets that you delete using the Windows Recycle Bin or for manually deleted assets. Free space bleaching provides no additional security to shredded assets.
To set a free space bleaching schedule:
1. In the Security Manager left pane, expand File Sanitizer and click Bleaching.
2. Select the Activate Scheduler check box, enter your Windows password, and then enter a day and time to bleach your hard drive.
3.
To select a predefined shred profile:
1. In the Security Manager left pane, expand File Sanitizer and click Settings.
2. Click a predefined shred profile.
3. Click View Details to view the list of assets that are selected for shredding.
4. Under Shred the following, select the check box next to each asset that you want to confirm before shredding.
5. Click Apply.
NOTE: It is highly recommended that you run free space bleaching regularly if you use the simple delete option.
1. In the Security Manager left pane, expand File Sanitizer, click Settings, select Simple Delete Settings, and then click View Details.
2. Select the assets you want to delete:
   a. Under Available delete options, click an asset, and then click Add.
   b. To add a custom asset, click Add Custom Option, enter or browse to a file name or folder name, and then click OK.
Manually shredding one asset
CAUTION: Shredded assets cannot be recovered. Carefully consider which items you select for manual shredding.
1. Right-click the HP ProtectTools icon in the notification area, at the far right of the taskbar, highlight File Sanitizer, and then click Shred One.
2. When the Browse dialog box opens, navigate to the asset you want to shred, and then click Open.
NOTE: The asset you select can be a single file or folder.
3. When the confirmation dialog box opens, click Yes.
Aborting a shred or free space bleaching operation
When a shred or free space bleaching operation is in progress, a message above the HP ProtectTools Security Manager icon in the notification area is displayed. The message provides details on the shred or free space bleaching process (percentage complete), and gives you the option to abort the operation.
To abort the operation:
▲ Click the message, and then click Stop to cancel the operation.
8 Embedded Security for HP ProtectTools
NOTE: The integrated Trusted Platform Module (TPM) embedded security chip must be installed in your computer to use Embedded Security for HP ProtectTools. Most HP commercial desktop computers include the Infineon TPM, which is the only common criteria certified chip to meet TCG specifications.
Embedded Security for HP ProtectTools protects against unauthorized access to user data or credentials.
To enable the embedded security chip in Computer Setup:
1. Open Computer Setup by turning on or restarting the computer, and then pressing F10 while the “F10 = ROM Based Setup” message is displayed in the lower-left corner of the screen.
2. If you have not set an administrator password, use the arrow keys to select Security, select Setup password, and then press Enter.
3. Type your password in the New password and Verify new password boxes, and then press F10.
4.
NOTE: To use secure e-mail, you must first configure the e-mail client to use a digital certificate that is created with Embedded Security. If a digital certificate is not available, you must obtain one from a certification authority. For instructions on configuring your e-mail and obtaining a digital certificate, refer to the e-mail client software Help.
Advanced tasks

Backing up and restoring
The Embedded Security backup feature creates an archive that contains certification information to be restored in case of emergency.

Creating a backup file
To create a backup file:
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Security Manager.
2. In the left pane, click Embedded Security, and then click Backup.
3. In the right pane, click Configure. The HP Embedded Security for HP ProtectTools Backup Wizard opens.
4.
9 Device Access Manager for HP ProtectTools
This security tool is available to administrators only. Device Access Manager for HP ProtectTools has the following security features that protect against unauthorized access to devices attached to your computer system:
● Device profiles that are created for each user to define device access
● Device access that can be granted or denied on the basis of group membership
NOTE: Device Access Manager uses Windows Local Users and Groups to manage access.
NOTE: If background service is not running, it attempts to start now. Click Yes to allow it.
5. Click OK.

Device class configuration (advanced)
More selections are available to allow specific users or groups of users to be granted or denied access to types of devices.

Adding a user or a group
1. Click Start, click All Programs, click HP, and then click HP ProtectTools Administrative Console.
2. In the left pane, expand Device Access Manager, and then click Device Class Configuration.
3.
Scenario: A Simple Configuration policy is configured to deny all non-Device Administrators access to the DVD/CD-ROM drive.
Result: When a JITA-enabled user attempts to access the DVD/CD-ROM drive, they receive the same access denied message as a non-JITA-enabled user. In addition, another popup will display asking for the user's credentials. Once the user successfully authenticates to Security Manager, they will be granted access to the DVD/CD-ROM drive.
5. Set the JITA period to the required time.
6. Click the Extendable check box.
7. Click the Apply button.
The selected user can now log in, authenticate to Security Manager and access the device. One minute before the JITA period is about to expire, the user will be prompted to extend their JITA period.

Disabling a JITA for a user or group
Administrators can disable a user's or group's access to devices using just-in-time authentication.
1.
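The just-in-time authentication behaviour described in this chapter, modelled as an added Python example (not HP code, and not a description of Device Access Manager internals). The class and method names, the result strings, the use of seconds, and the choices that access ends at expiry and that extending restarts the period are assumptions made for the illustration.

```python
from dataclasses import dataclass

PROMPT_WINDOW = 60  # the guide says the prompt appears one minute before expiry


@dataclass
class JitaRule:
    period: int               # JITA period in seconds (unit is an assumption)
    extendable: bool = False  # models the "Extendable" check box


class FakeClock:
    """Settable clock so the model can be exercised without waiting."""

    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now


class DeviceAccessModel:
    """Hypothetical model: a deny policy combined with time-limited JITA grants."""

    def __init__(self, clock):
        self.clock = clock
        self.device_admins = set()   # users exempt from the deny policy
        self.denied_classes = set()  # classes denied to non-Device Administrators
        self.jita_rules = {}         # (user, device class) -> JitaRule
        self.grants = {}             # (user, device class) -> expiry time

    def check_access(self, user, device_class):
        key = (user, device_class)
        if device_class not in self.denied_classes or user in self.device_admins:
            return "allowed"
        expiry = self.grants.get(key)
        if expiry is not None and self.clock() < expiry:
            return "allowed"
        self.grants.pop(key, None)  # assumption: access ends when the period expires
        if key in self.jita_rules:
            return "denied-prompt"  # same denial, plus a prompt for credentials
        return "denied"

    def authenticate(self, user, device_class, credentials_ok):
        key = (user, device_class)
        rule = self.jita_rules.get(key)
        if rule is None or not credentials_ok:
            return False
        self.grants[key] = self.clock() + rule.period
        return True

    def should_prompt_extension(self, user, device_class):
        key = (user, device_class)
        rule, expiry = self.jita_rules.get(key), self.grants.get(key)
        if rule is None or expiry is None or not rule.extendable:
            return False
        return 0 < expiry - self.clock() <= PROMPT_WINDOW

    def extend(self, user, device_class):
        if not self.should_prompt_extension(user, device_class):
            return False
        key = (user, device_class)
        # Assumption: an extension restarts the full period from now.
        self.grants[key] = self.clock() + self.jita_rules[key].period
        return True


def demo():
    drive = "DVD/CD-ROM"
    clock = FakeClock()
    model = DeviceAccessModel(clock)
    model.denied_classes.add(drive)
    model.device_admins.add("admin")  # constructed user names
    model.jita_rules[("alice", drive)] = JitaRule(period=300, extendable=True)

    results = [
        model.check_access("admin", drive),
        model.check_access("carol", drive),
        model.check_access("alice", drive),
    ]
    model.authenticate("alice", drive, credentials_ok=True)
    results.append(model.check_access("alice", drive))
    clock.now = 240  # one minute before the 300-second period ends
    results.append(model.extend("alice", drive))
    clock.now = 540  # the extended period has now run out
    results.append(model.check_access("alice", drive))
    return results


if __name__ == "__main__":
    print(demo())
```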
10 Computrace for HP ProtectTools
Computrace for HP ProtectTools is a tool that can remotely monitor, manage, and track your computer. Once activated, Computrace for HP ProtectTools is configured from the Absolute Software Customer Center. From the Customer Center, the administrator can configure Computrace for HP ProtectTools to monitor or manage the computer. If the system is misplaced or stolen, the Customer Center can assist local authorities to locate and recover the computer.
Glossary
activation. The task that must be completed before any of the Drive Encryption features are accessible. Drive Encryption is activated using the HP ProtectTools Security Manager Administrative Console setup wizard. Only an administrator can activate Drive Encryption. The activation process consists of activating the software, encrypting the drive, creating a user account, and creating the initial backup encryption key on a removable storage device.
administrator. See Windows administrator.
asset.
Drive Encryption key recovery service. The SafeBoot Recovery Service. It stores a copy of the encryption key, enabling you to access your computer if you forget your password and do not have access to your local backup key. You must create an account with the service to set up online access to your backup key.
Drive Encryption logon screen. A logon screen that is displayed before Windows starts up. Users must enter their Windows user name and the password or Smart Card PIN.
A task that allows the user to decrypt one or more chat history sessions, displaying the Contact Screen Name(s) in plain text and making the session available for viewing.
revocation password. A password that is created when a user requests a digital certificate. The password is required when the user wants to revoke his or her digital certificate. This ensures that only the user may revoke the certificate.
seal for trusted contacts.
A communication session during which trusted messages are sent from a trusted sender to a Trusted Contact.
trusted message. A communication session during which trusted messages are sent from a trusted sender to a Trusted Contact.
Trusted Platform Module (TPM) embedded security chip. The generic term for the HP ProtectTools Embedded Security Chip.