Home » HP Manuals » Desktops » HP t420 » Manual Viewer

HP t420 Administrator Guide 8 - Page 62

Local Accounts, Encryption, Options,

Add to My Manuals
Save this manual to your list of manuals

Page 62 highlights

● Local Accounts on page 50 ● Encryption on page 50 ● Options on page 50 Local Accounts The Local Accounts tab can be used to change the local root and user account passwords or to disable authentication using those accounts. CAUTION: Disabling the root and/or user accounts might leave your system in an unusable state unless Active Directory authentication is enabled. For example, if the root account is disabled, you will only be able to change to administrator mode using domain credentials of an administrator. However, disabling the local accounts might improve security when Active Directory authentication is enabled because you no longer have to maintain and update a shared secret such as the thin client's root password. If Active Directory authentication has been used and there is any cached data for domain users on the thin client, you can also delete the user's cached data from this tab. NOTE: If the user logged in using a domain account, they cannot delete their own account's data because it would leave the system in an indeterminate state. Encryption Active Directory credentials and other secrets can be hashed for functions like screen-unlock and/or encrypted and stored on the system for single sign-on. The hash algorithm for creating a password's hash can be selected from this menu. The default, scrypt, is a well-accepted key derivation function. Argon2, another key derivation function is also available, as well as conventional hashes SHA-256 and SHA-512. The advantage of a key derivation function is that it is computationally expensive to compute a rainbow table that matches plain-text passwords to precomputed hash values, whereas conventional hashes are meant to execute as fast as possible. All hashes are stored with 128 or more bits of random salt which changes each time the password hash is computed and stored. Encrypted passwords are used in situations where they can be reversed and supplied to connections when they start (single sign-on). The encryption algorithm can be selected here from a wide variety supported by OpenSSL. Unless there is a good reason to select a different value, HP recommends using the default encryption algorithm, which is generally regarded as a modern, secure algorithm by the security community. The number of salt bits and key bits will vary from one algorithm to another and you can get details by pressing the info button next to the algorithm selector. Encryption keys are unique per thin client and are stored in a place that only administrators can read. Furthermore, only certain authorized applications on the system can do decryption. Both hashes and encrypted secrets can be set with a time-to-live. If the amount of time between when the secret was hashed or encrypted and the time when it is used or decrypted exceeds the time-to-live, the hashmatch or decryption will fail. By default, the single sign-on password is usable for only one day, but any passwords stored with connection or network settings can be used indefinitely. Options Local user must log in: If this option is selected when Active Directory authentication is disabled, the login screen still appears at startup and logout. In this situation, the local user or root credentials must be used to gain access to the system. Enable secret peek: If enabled, most password and secret entry fields on the system display a small eyeball icon on the right side. When that eyeball icon is selected by pressing and holding down the left mouse button, 50 Chapter 8 Control Panel

Section	Page
Getting started	13
Finding more information	13
Choosing an OS configuration	14
Choosing a remote management service	15
Starting the thin client for the first time	15
Switching between administrator mode and user mode	15
GUI overview	16
Desktop	16
Taskbar	17
Connection configuration	18
Desktop connection management	18
Connection Manager (ThinPro only)	19
Advanced connection settings	19
Kiosk mode	20
Connection types	22
Citrix	22
Citrix Connection Manager	22
Connection	22
Configuration	23
General Settings	24
Options	24
Local Resources	25
Window	25
Firewall	26
Keyboard Shortcuts	26
Session	27
Advanced	27
RDP	27
RDP per-connection settings	27
Network	27
Service	28
Window	29
Options	29
Local Resources	30
Experience	31
Diagnostics	31
Advanced	32
RemoteFX	32
RDP multi-monitor sessions	32
RDP multimedia redirection	33
RDP device redirection	33
RDP USB redirection	33
RDP mass storage redirection	33
RDP printer redirection	34
RDP audio redirection	34
RDP smart card redirection	35
VMware Horizon View	35
VMware Horizon View per-connection settings	35
Network	35
General	36
Security	37
RDP Options	37
RDP Experience	38
Advanced	39
VMware Horizon View multi-monitor sessions	39
VMware Horizon View keyboard shortcuts	39
VMware Horizon View device redirection	40
VMware Horizon View USB redirection	40
VMware Horizon View audio redirection	40
VMware Horizon View smart card redirection	40
VMware Horizon View webcam redirection	41
Changing the VMware Horizon View protocol	41
VMware Horizon View HTTPS and certificate management requirements	41
Web Browser	42
Web Browser per-connection settings	42
Configuration	43
Preferences	43
Advanced	43
Additional connection types (ThinPro only)	43
TeemTalk	43
Configuration	43
TeemTalk Session Wizard	44
Advanced	45
XDMCP	45
Configuration	45
Advanced	45
Secure Shell	45
Configuration	46
Advanced	46
Telnet	46
Configuration	46
Advanced	47
Custom	47
Configuration	47
Advanced	47
HP True Graphics	48
Server-side requirements	48
Client-side requirements	48
Client-side configuration	48
Compression settings	48
Window settings	49
Monitor layout and hardware limitations	49
Enabling HP True Graphics for multiple monitors on the HP t420	49
Tips & best practices	50
Active Directory integration	51
Login screen	51
Single sign-on	51
Desktop	51
Screen lock	52
Administrator mode	52
Settings and the domain user	52
Start menu	53
Connection management	53
Switch to Administrator/Switch to User	53
System Information	53
Control Panel	53
Tools	53
Power	54
Search	54
Control Panel	55
System	55
Network settings	55
Wired network settings	56
Wireless network settings	56
DNS settings	58
IPSec rules	59
Configuring VPN settings	59
Configuring HP Velocity	59
DHCP options	60
Component Manager	60
Removing components	60
Undoing a change	61
Applying the changes permanently	61
Security	61
Security settings	61
Local Accounts	62
Encryption	62
Options	62
Certificates	63
Certificate Manager	63
SCEP Manager	63
Manageability	64
Active Directory configuration	64
Status tab	64
Options tab	65
HP ThinState	65
Managing an HP ThinPro image	65
Capturing an HP ThinPro image to an FTP server	65
Deploying an HP ThinPro image using FTP or HTTP	66
Capturing an HP ThinPro image to a USB flash drive	66
Deploying an HP ThinPro image with a USB flash drive	67
Managing a client profile	67
Saving a client profile to an FTP server	67
Restoring a client profile using FTP or HTTP	67
Saving a client profile to a USB flash drive	68
Restoring a client profile from a USB flash drive	68
VNC Shadowing	68
Input Devices	69
Hardware	69
Display preferences	70
Redirecting USB devices	70
Configuring printers	71
Appearance	71
Customization Center	72
System Information	73
HP Smart Client Services	74
Supported operating systems	74
Prerequisites for HP Smart Client Services	74
Obtaining HP Smart Client Services	74
Viewing the Automatic Update website	75
Creating an Automatic Update profile	75
MAC-address-specific profiles	75
Updating thin clients	76
Using the broadcast update method	76
Using the DHCP tag update method	76
Example of performing DHCP tagging	76
Using the DNS alias update method	77
Using the manual update method	77
Performing a manual update	77
Profile Editor	78
Opening Profile Editor	78
Loading a client profile	78
Client profile customization	78
Selecting the platform for a client profile	78
Configuring a default connection for a client profile	79
Modifying the registry settings of a client profile	79
Adding files to a client profile	79
Adding a configuration file to a client profile	79
Adding certificates to a client profile	80
Adding a symbolic link to a client profile	80
Saving the client profile	80
Serial or parallel printer configuration	81
Obtaining the printer settings	81
Setting up printer ports	81
Installing printers on the server	81
Troubleshooting	83
Troubleshooting network connectivity	83
Troubleshooting Citrix password expiration	83
Using system diagnostics to troubleshoot	83
Saving system diagnostic data	84
Uncompressing the system diagnostic files	84
Uncompressing the system diagnostic files on Windows-based systems	84
Uncompressing the system diagnostic files in Linux- or Unix-based systems	84
Viewing the system diagnostic files	84
Viewing files in the Commands folder	84
Viewing files in the /var/log folder	85
Viewing files in the /etc folder	85
USB updates	86
HP ThinUpdate	86
BIOS tools (desktop thin clients only)	87
BIOS settings tool	87
BIOS flashing tool	87
Resizing the flash drive partition	88
Registry keys	89
Audio	89
CertMgr	90
ComponentMgr	90
ConnectionManager	90
ConnectionType	91
custom	91
firefox	94
freerdp	98
ssh	108
teemtalk	112
telnet	115
view	119
xdmcp	127
xen	131
DHCP	143
Dashboard	143
Display	144
Imprivata	146
Network	146
Power	156
SCIM	158
ScepMgr	158
Search	159
Serial	159
SystemInfo	160
TaskMgr	160
USB	160
auto-update	161
background	163
config-wizard	164
desktop	165
domain	166
entries	167
firewall	167
hwh264	168
keyboard	168
logging	169
login	169
mouse	170
restore-points	170
screensaver	170
security	172
shutdown	173
sshd	173
time	173
touchscreen	175
translation	175
usb-update	176
users	176
vncserver	179
zero-login	181

Match case Limit results 1 per page

●

Local Accounts

on page

●

Encryption

on page

●

Options

on page

Local Accounts

The Local Accounts tab can be used to change the local root and user account passwords or to disable

authentication using those accounts.

CAUTION:

Disabling the root and/or user accounts might leave your system in an unusable state unless

Active Directory authentication is enabled. For example, if the root account is disabled, you will only be able to

change to administrator mode using domain credentials of an administrator. However, disabling the local

accounts might improve security when Active Directory authentication is enabled because you no longer have

to maintain and update a shared secret such as the thin client’s root password.

If Active Directory authentication has been used and there is any cached data for domain users on the thin

client, you can also delete the user’s cached data from this tab.

NOTE:

If the user logged in using a domain account, they cannot delete their own account’s data because it

would leave the system in an indeterminate state.

Encryption

Active Directory credentials and other secrets can be hashed for functions like screen-unlock and/or

encrypted and stored on the system for single sign-on.

The hash algorithm for creating a password’s hash can be selected from this menu. The default, scrypt, is a

well-accepted key derivation function. Argon2, another key derivation function is also available, as well as

conventional hashes SHA-256 and SHA-512. The advantage of a key derivation function is that it is

computationally expensive to compute a rainbow table that matches plain-text passwords to precomputed

hash values, whereas conventional hashes are meant to execute as fast as possible. All hashes are stored

with 128 or more bits of random salt which changes each time the password hash is computed and stored.

Encrypted passwords are used in situations where they can be reversed and supplied to connections when

they start (single sign-on). The encryption algorithm can be selected here from a wide variety supported by

OpenSSL. Unless there is a good reason to select a

diﬀerent

value, HP recommends using the default

encryption algorithm, which is generally regarded as a modern, secure algorithm by the security community.

The number of salt bits and key bits will vary from one algorithm to another and you can get details by

pressing the info button next to the algorithm selector. Encryption keys are unique per thin client and are

stored in a place that only administrators can read. Furthermore, only certain authorized applications on the

system can do decryption.

Both hashes and encrypted secrets can be set with a time-to-live. If the amount of time between when the

secret was hashed or encrypted and the time when it is used or decrypted exceeds the time-to-live, the hash-

match or decryption will fail.

By default, the single sign-on password is usable for only one day, but any passwords stored with connection

or network settings can be used

indeﬁnitely.

Options

Local user must log in

: If this option is selected when Active Directory authentication is disabled, the login

screen still appears at startup and logout. In this situation, the local user or root credentials must be used to

gain access to the system.

Enable secret peek

: If enabled, most password and secret entry

ﬁelds

on the system display a small eyeball

icon on the right side. When that eyeball icon is selected by pressing and holding down the left mouse button,

Chapter 8

Control Panel