HP Dc5800 HP Protect Tools Guide - Page 66

Software Impacted—

Short description

Details

Solution

Allow Security Manager to complete services loading

message (seen at top of Security Manager window) and

all plug-ins listed in left column. To avoid failure, allow

a reasonable time for these plug-ins to load.

HP ProtectTools * General

—Unrestricted access or

uncontrolled administrator

privileges pose security

risk.

Numerous risks are possible with

unrestricted access to the client PC:

●

deletion of PSD

●

malicious modification of user

settings

●

disabling of security policies and

functions

Administrators are encouraged to follow “best

practices” in restricting end-user privileges and

restricting user access.

Unauthorized users should not be granted

administrative privileges.

BIOS and OS Embedded

Security password are out

of synch.

If user does not validate a new password

as the BIOS Embedded Security

password, the BIOS Embedded Security

password reverts back to the original

embedded security password through

F10 BIOS.

This is functioning as designed; these passwords can

be re-synchronized by changing the OS Basic User

password and authenticating it at the BIOS Embedded

Security password prompt.

Only one user can log on

to the system after TPM

preboot authentication is

enabled in BIOS.

The TPM BIOS PIN is associated with

the first user who initialize the user

setting. If a computer has multiple users,

the first user is, in essence, the

administrator. The first user will have to

give his TPM user PIN to other users to

use to log in.

This is functioning as designed; HP recommends that

the customer's IT department follow good security

policies for rolling out their security solution and

ensuring that the BIOS administrator password is

configured by IT administrators for system level

protection.

User has to change PIN to

make TPM preboot work

after a TPM factory reset.

User has to change PIN or create

another user to initialize his user setting

to make TPM BIOS authentication work

after reset. There is no option to make

TPM BIOS authentication work.

This is as designed, the factory reset clears the Basic

User Key. The user must change his user PIN or create

a new user to re-initialize the Basic User Key.

Power-on

authentication support

not set to default using

Embedded Security

Reset to Factory

Settings

In Computer Setup, the

Power-on


option is not

being reset to factory settings when

using the Embedded Security Device

option

Reset to Factory Settings

. By

default,

Power-on authentication

support

is set to

Disable

.

The

Reset to Factory Settings

option disables

Embedded Security Device, which hides the other

Embedded Security options (including

Power-on


). However, after re-enabling

Embedded Security Device,

Power-on authentication

support

remained enabled.

HP is working on a resolution, which will be provided in

future Web-based ROM SoftPaq offerings.

Security Power-On

Authentication overlaps

BIOS Password during

boot sequence.

Power-On Authentication prompts the

user to log on to system using the TPM

password, but, if the user presses F10 to

access the BIOS, Read rights access

only is granted.

To be able to write to BIOS, the user must enter the

BIOS password instead of the TPM password at the

Power-on Authentication window.

The BIOS asks for both

the old and new

passwords through

Computer Setup after

changing the Owner

password in Embedded

Security Windows

software.

The BIOS asks for both the old and new

passwords through Computer Setup

after changing the Owner password in

Embedded Security Windows software.

This is as designed. This is due to the inability of the

BIOS to communicate with the TPM, once the operating

system is up and running, and to verify the TPM pass

phrase against the TPM key blob.

60

Chapter 8

Troubleshooting

Section	Page
Introduction to security	7
HP ProtectTools features	8
Accessing HP ProtectTools Security	10
Achieving key security objectives	11
Protecting against targeted theft	11
Restricting access to sensitive data	11
Preventing unauthorized access from internal or external locations	12
Creating and using strong passwords	12
Additional security elements	13
Assigning security roles	13
Managing HP ProtectTools passwords	13
Creating a secure password	14
HP ProtectTools Backup and Restore	15
Backing up credentials and settings	15
Restoring credentials	16
Configuring settings	16
Credential Manager for HP ProtectTools	17
Setup procedures	18
Logging on to Credential Manager	18
Using the Credential Manager Logon Wizard	18
Logging on for the first time	18
Registering credentials	18
Registering fingerprints	18
Setting up the fingerprint reader	19
Using your registered fingerprint to log on to Windows	19
Registering a Java Card, USB eToken, or virtual token	19
Registering a USB eToken	19
Registering other credentials	19
General tasks	20
Creating a virtual token	20
Changing the Windows logon password	20
Changing a token PIN	20
Managing identity	21
Clearing an identity from the system	21
Locking the computer	21
Using Windows Logon	21
Logging on to Windows with Credential Manager	21
Adding an account	22
Removing an account	22
Using Single Sign On	22
Registering a new application	22
Using automatic registration	22
Using manual (drag and drop) registration	23
Managing applications and credentials	23
Modifying application properties	23
Removing an application from Single Sign On	23
Exporting an application	24
Importing an application	24
Modifying credentials	24
Using Application Protection	25
Restricting access to an application	25
Removing protection from an application	25
Changing restriction settings for a protected application	25
Advanced tasks (administrator only)	27
Specifying how users and administrators log on	27
Configuring custom authentication requirements	27
Configuring credential properties	28
Configuring Credential Manager settings	28
Example 1—Using the “Advanced Settings” page to allow Windows logon from Credential Manager	29
Example 2—Using the “Advanced Settings” page to require user verification before Single Sign On	29
Embedded Security for HP ProtectTools	30
Setup procedures	31
Enabling the embedded security chip	31
Initializing the embedded security chip	31
Setting up the basic user account	32
General tasks	33
Using the Personal Secure Drive	33
Encrypting files and folders	33
Sending and receiving encrypted e-mail	33
Changing the Basic User Key password	33
Advanced tasks	34
Backing up and restoring	34
Creating a backup file	34
Restoring certification data from the backup file	34
Changing the owner password	34
Resetting a user password	34
Enabling and disabling Embedded Security	34
Permanently disabling Embedded Security	35
Enabling Embedded Security after permanent disable	35
Migrating keys with the Migration Wizard	35
Java Card Security for HP ProtectTools	36
General tasks	37
Changing a Java Card PIN	37
Selecting the card reader	37
Advanced tasks (administrators only)	38
Assigning a Java Card PIN	38
Assigning a name to a Java Card	38
Setting power-on authentication	38
Enabling Java Card power-on authentication and creating an administrator Java Card	39
Creating a user Java Card	39
Disabling Java Card power-on authentication	40
BIOS Configuration for HP ProtectTools	41
File	42
Storage	43
Security	44
Power	45
Advanced	46
Device Access Manager for HP ProtectTools	47
Starting background service	48
Simple configuration	49
Device class configuration (advanced)	50
Adding a user or a group	50
Removing a user or a group	50
Denying access to a user or group	50
Allowing access to a device class for one user of a group	50
Allowing access to a specific device for one user of a group	51
Drive Encryption for HP ProtectTools	52
Encryption management	53
User management	54
Recovery	55
Troubleshooting	56
Credential Manager for HP ProtectTools	56
Embedded Security for HP ProtectTools	59
Miscellaneous	65
Glossary	67

HP Dc5800 HP Protect Tools Guide - Page 66

Power-on, authentication support, Reset to Factory, Settings, Reset to Factory Settings

Page 66 highlights